[ESNext][BigInt] Implement support for "*" operation
1 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
2
3         [ESNext][BigInt] Implement support for "*" operation
4         https://bugs.webkit.org/show_bug.cgi?id=183721
5
6         Reviewed by Saam Barati.
7
8         * bigIntTests.yaml:
9         * stress/big-int-mul-jit.js: Added.
10         * stress/big-int-mul-to-primitive-precedence.js: Added.
11         * stress/big-int-mul-to-primitive.js: Added.
12         * stress/big-int-mul-type-error.js: Added.
13         * stress/big-int-mul-wrapped-value.js: Added.
14         * stress/big-int-multiplication.js: Added.
15         * stress/big-int-multiply-memory-stress.js: Added.
16
17 2018-04-25  Robin Morisset  <rmorisset@apple.com>
18
19         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
20         https://bugs.webkit.org/show_bug.cgi?id=184773
21         <rdar://problem/37773612>
22
23         Reviewed by Filip Pizlo.
24
25         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
26         so I decided to add it to the stress tests nonetheless.
27
28         * stress/create-rest-while-having-a-bad-time.js: Added.
29         (f):
30         (g):
31         (h):
32
33 2018-04-25  Keith Miller  <keith_miller@apple.com>
34
35         Add missing scope release to functionProtoFuncToString
36         https://bugs.webkit.org/show_bug.cgi?id=184995
37
38         Reviewed by Saam Barati.
39
40         * stress/function-toString-arrow.js: Added.
41         (async):
42
43 2018-04-24  Keith Miller  <keith_miller@apple.com>
44
45         fromCharCode is missing some exception checks
46         https://bugs.webkit.org/show_bug.cgi?id=184952
47
48         Reviewed by Saam Barati.
49
50         * stress/fromCharCode-exception-check.js: Added.
51         (get catch):
52
53 2018-04-24  Mark Lam  <mark.lam@apple.com>
54
55         Gardening: test fix after r230863.
56         https://bugs.webkit.org/show_bug.cgi?id=184846
57         <rdar://problem/39390672>
58
59         Not reviewed.
60
61         * stress/json-stringified-overflow-2.js:
62         (catch):
63         * stress/json-stringified-overflow.js:
64         (catch):
65
66 2018-04-20  JF Bastien  <jfbastien@apple.com>
67
68         Handle more JSON stringify OOM
69         https://bugs.webkit.org/show_bug.cgi?id=184846
70         <rdar://problem/39390672>
71
72         Reviewed by Mark Lam.
73
74         * stress/json-stringified-overflow-2.js: Added. Same as the one
75         below, but with a bigger input which will trigger a different code
76         path.
77         (catch):
78         * stress/json-stringified-overflow.js: Modify the test to only
79         catch OOM on stringification, not on string creation.
80
81 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
82
83         [WebAssembly][Modules] Import tables in wasm modules
84         https://bugs.webkit.org/show_bug.cgi?id=184738
85
86         Reviewed by JF Bastien.
87
88         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
89         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
90         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
91         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
92         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
93         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
94         * wasm/modules/wasm-imports-wasm-exports.js:
95         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
96         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
97         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
98         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
99
100 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
101
102         [WebAssembly][Modules] Import globals from wasm modules
103         https://bugs.webkit.org/show_bug.cgi?id=184736
104
105         Reviewed by JF Bastien.
106
107         * wasm.yaml:
108         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
109         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
110         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
111         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
112         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
113         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
114         * wasm/modules/wasm-imports-wasm-exports.js:
115         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
116         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
117         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
118         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
119
120 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
121
122         Unreviewed, reland r230697, r230720, and r230724.
123         https://bugs.webkit.org/show_bug.cgi?id=184600
124
125         * wasm.yaml:
126         * wasm/modules/constant.wasm: Added.
127         * wasm/modules/constant.wat: Added.
128         * wasm/modules/default-import-star-error.js: Added.
129         (then):
130         * wasm/modules/default-import-star-error/entry.wasm: Added.
131         * wasm/modules/default-import-star-error/entry.wat: Added.
132         * wasm/modules/default-import-star-error/t0.js: Added.
133         * wasm/modules/default-import-star-error/t1.js: Added.
134         * wasm/modules/default-import-star-error/t2.js: Added.
135         (export.default.Cocoa):
136         * wasm/modules/js-wasm-cycle.js: Added.
137         * wasm/modules/js-wasm-cycle/entry.js: Added.
138         (from.string_appeared_here.export.return42):
139         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
140         * wasm/modules/js-wasm-cycle/sum.wat: Added.
141         * wasm/modules/js-wasm-function-namespace.js: Added.
142         (assert.throws):
143         * wasm/modules/js-wasm-function.js: Added.
144         (assert.throws):
145         * wasm/modules/js-wasm-global-namespace.js: Added.
146         (assert.throws):
147         * wasm/modules/js-wasm-global.js: Added.
148         (assert.throws):
149         * wasm/modules/js-wasm-memory-namespace.js: Added.
150         (assert.throws):
151         * wasm/modules/js-wasm-memory.js: Added.
152         (assert.throws):
153         * wasm/modules/js-wasm-start.js: Added.
154         (then):
155         * wasm/modules/js-wasm-table-namespace.js: Added.
156         (assert.throws):
157         * wasm/modules/js-wasm-table.js: Added.
158         (assert.throws):
159         * wasm/modules/memory.wasm: Added.
160         * wasm/modules/memory.wat: Added.
161         * wasm/modules/run-from-wasm.wasm: Added.
162         * wasm/modules/run-from-wasm.wat: Added.
163         * wasm/modules/run-from-wasm/check.js: Added.
164         (export.check):
165         * wasm/modules/start.wasm: Added.
166         * wasm/modules/start.wat: Added.
167         * wasm/modules/sum.wasm: Added.
168         * wasm/modules/sum.wat: Added.
169         * wasm/modules/table.wasm: Added.
170         * wasm/modules/table.wat: Added.
171         * wasm/modules/wasm-imports-js-exports.js: Added.
172         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
173         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
174         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
175         (export.sum):
176         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
177         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
178         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
179         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
180         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
181         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
182         * wasm/modules/wasm-imports-wasm-exports.js: Added.
183         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
184         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
185         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
186         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
187         * wasm/modules/wasm-js-cycle.js: Added.
188         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
189         * wasm/modules/wasm-js-cycle/entry.wat: Added.
190         * wasm/modules/wasm-js-cycle/sum.js: Added.
191         (from.string_appeared_here.export.sum):
192         * wasm/modules/wasm-wasm-cycle.js: Added.
193         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
194         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
195         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
196         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
197
198 2018-04-17  Commit Queue  <commit-queue@webkit.org>
199
200         Unreviewed, rolling out r230697, r230720, and r230724.
201         https://bugs.webkit.org/show_bug.cgi?id=184717
202
203         These caused multiple failures on the Test262 testers.
204         (Requested by mlewis13 on #webkit).
205
206         Reverted changesets:
207
208         "[WebAssembly][Modules] Prototype wasm import"
209         https://bugs.webkit.org/show_bug.cgi?id=184600
210         https://trac.webkit.org/changeset/230697
211
212         "[WebAssembly][Modules] Implement function import from wasm
213         modules"
214         https://bugs.webkit.org/show_bug.cgi?id=184689
215         https://trac.webkit.org/changeset/230720
216
217         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
218         https://bugs.webkit.org/show_bug.cgi?id=184703
219         https://trac.webkit.org/changeset/230724
220
221 2018-04-17  JF Bastien  <jfbastien@apple.com>
222
223         A put is not an ExistingProperty put when we transition a structure because of an attributes change
224         https://bugs.webkit.org/show_bug.cgi?id=184706
225         <rdar://problem/38871451>
226
227         Reviewed by Saam Barati.
228
229         * stress/put-by-id-direct-strict-transition.js: Added.
230         (const.foo):
231         (j.const.obj.set hello):
232         * stress/put-by-id-direct-transition.js: Added.
233         (const.foo):
234         (j.const.obj.set hello):
235         * stress/put-getter-setter-by-id-strict-transition.js: Added.
236         (const.foo):
237         (j.const.obj.set hello):
238         * stress/put-getter-setter-by-id-transition.js: Added.
239         (const.foo):
240         (j.const.obj.set hello):
241
242 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
243
244         PutStackSinkingPhase should know that KillStack means ConflictingFlush
245         https://bugs.webkit.org/show_bug.cgi?id=184672
246
247         Reviewed by Michael Saboff.
248
249         * stress/sink-put-stack-over-kill-stack.js: Added.
250         (avocado_1):
251         (apricot_0):
252         (__c_0):
253         (banana_2):
254
255 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
256
257         [JSC] Rename runWebAssembly to runWebAssemblySuite
258         https://bugs.webkit.org/show_bug.cgi?id=184703
259
260         Reviewed by JF Bastien.
261
262         And add runWebAssembly as a command to simply run wasm modules.
263
264         * wasm.yaml:
265
266 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
267
268         [WebAssembly][Modules] Implement function import from wasm modules
269         https://bugs.webkit.org/show_bug.cgi?id=184689
270
271         Reviewed by JF Bastien.
272
273         * wasm.yaml:
274         * wasm/modules/js-wasm-cycle.js: Added.
275         * wasm/modules/js-wasm-cycle/entry.js: Added.
276         (from.string_appeared_here.export.return42):
277         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
278         * wasm/modules/js-wasm-cycle/sum.wat: Added.
279         * wasm/modules/run-from-wasm.wasm: Added.
280         * wasm/modules/run-from-wasm.wat: Added.
281         * wasm/modules/run-from-wasm/check.js: Added.
282         (export.check):
283         * wasm/modules/wasm-imports-js-exports.js: Added.
284         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
285         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
286         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
287         (export.sum):
288         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
289         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
290         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
291         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
292         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
293         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
294         * wasm/modules/wasm-imports-wasm-exports.js: Added.
295         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
296         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
297         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
298         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
299         * wasm/modules/wasm-js-cycle.js: Added.
300         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
301         * wasm/modules/wasm-js-cycle/entry.wat: Added.
302         * wasm/modules/wasm-js-cycle/sum.js: Added.
303         (from.string_appeared_here.export.sum):
304         * wasm/modules/wasm-wasm-cycle.js: Added.
305         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
306         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
307         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
308         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
309
310 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
311
312         [WebAssembly][Modules] Prototype wasm import
313         https://bugs.webkit.org/show_bug.cgi?id=184600
314
315         Reviewed by JF Bastien.
316
317         Add wasm and wat files since the module loader wants to load wasm files from FS.
318         Currently, importing the other modules from wasm is not supported.
319
320         * wasm.yaml:
321         * wasm/modules/constant.wasm: Added.
322         * wasm/modules/constant.wat: Added.
323         * wasm/modules/js-wasm-function-namespace.js: Added.
324         (assert.throws):
325         * wasm/modules/js-wasm-function.js: Added.
326         (assert.throws):
327         * wasm/modules/js-wasm-global-namespace.js: Added.
328         (assert.throws):
329         * wasm/modules/js-wasm-global.js: Added.
330         (assert.throws):
331         * wasm/modules/js-wasm-memory-namespace.js: Added.
332         (assert.throws):
333         * wasm/modules/js-wasm-memory.js: Added.
334         (assert.throws):
335         * wasm/modules/js-wasm-start.js: Added.
336         (then):
337         * wasm/modules/js-wasm-table-namespace.js: Added.
338         (assert.throws):
339         * wasm/modules/js-wasm-table.js: Added.
340         (assert.throws):
341         * wasm/modules/memory.wasm: Added.
342         * wasm/modules/memory.wat: Added.
343         * wasm/modules/start.wasm: Added.
344         * wasm/modules/start.wat: Added.
345         * wasm/modules/sum.wasm: Added.
346         * wasm/modules/sum.wat: Added.
347         * wasm/modules/table.wasm: Added.
348         * wasm/modules/table.wat: Added.
349
350 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
351
352         Function.prototype.caller shouldn't return generator bodies
353         https://bugs.webkit.org/show_bug.cgi?id=184630
354
355         Reviewed by Yusuke Suzuki.
356
357         * stress/function-caller-async-arrow-function-body.js: Added.
358         * stress/function-caller-async-function-body.js: Added.
359         * stress/function-caller-async-generator-body.js: Added.
360         * stress/function-caller-generator-body.js: Added.
361         * stress/function-caller-generator-method-body.js: Added.
362
363 2018-04-12  Tomas Popela  <tpopela@redhat.com>
364
365         Unreviewed, skip JIT tests if it isn't enabled
366
367         See https://bugs.webkit.org/show_bug.cgi?id=182730.
368
369         * stress/big-int-spec-to-primitive.js:
370         * stress/big-int-spec-to-this.js:
371
372 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
373
374         [ESNext][BigInt] Add support for BigInt in SpeculatedType
375         https://bugs.webkit.org/show_bug.cgi?id=182470
376
377         Reviewed by Saam Barati.
378
379         * stress/big-int-spec-to-primitive.js: Added.
380         * stress/big-int-spec-to-this.js: Added.
381         * stress/big-int-strict-equals-jit.js: Added.
382         * stress/big-int-strict-spec-to-this.js: Added.
383         * stress/big-int-type-of-proven-type.js: Added.
384
385 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
386
387         DFG AI and clobberize should agree with each other
388         https://bugs.webkit.org/show_bug.cgi?id=184440
389
390         Reviewed by Saam Barati.
391         
392         Add tests for all of the bugs I fixed.
393
394         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
395         (foo):
396         * stress/new-typed-array-cse-effects.js: Added.
397         (foo):
398         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
399         (foo.theO):
400         (foo):
401         * stress/string-from-char-code-change-structure-not-dead.js: Added.
402         (foo):
403         (i.valueOf):
404         (weirdValue.valueOf):
405         * stress/string-from-char-code-change-structure.js: Added.
406         (foo):
407         (i.valueOf):
408         (weirdValue.valueOf):
409
410 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
411
412         Fix errant Test262 files CRLF to LF for consistency with the original source
413         https://bugs.webkit.org/show_bug.cgi?id=184425
414
415         Reviewed by Yusuke Suzuki.
416
417         * test262/test/built-ins/Math/acosh/nan-returns.js:
418         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
419         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
420         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
421         * test262/test/built-ins/Math/cbrt/prop-desc.js:
422         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
423         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
424         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
425         * test262/test/built-ins/Math/log2/log2-basicTests.js:
426         * test262/test/built-ins/Math/sign/sign-specialVals.js:
427         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
428         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
429         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
430         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
431
432 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
433
434         Unreviewed, remove incorrect entry in test262.yaml
435         https://bugs.webkit.org/show_bug.cgi?id=184266
436
437         * test262.yaml:
438
439 2018-04-08  Valerie Young  <valerie@bocoup.com>
440
441         [JSC] Update Test262 to April 6 version
442         https://bugs.webkit.org/show_bug.cgi?id=184266
443
444         Rubber stamped by Yusuke Suzuki.
445
446 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
447
448         [JSC] Introduce op_get_by_id_direct
449         https://bugs.webkit.org/show_bug.cgi?id=183970
450
451         Reviewed by Filip Pizlo.
452
453         * stress/generator-prototype-copy.js: Added.
454         (gen):
455         (catch):
456         Adopted JF's tests.
457
458         * stress/generator-type-check.js: Added.
459         (shouldThrow):
460         (foo2):
461         (i.shouldThrow):
462         * stress/get-by-id-direct-getter.js: Added.
463         (shouldBe):
464         (shouldThrow):
465         (obj.get hello):
466         (builtin.createBuiltin):
467         (obj2.get length):
468         * stress/get-by-id-direct.js: Added.
469         (shouldBe):
470         (shouldThrow):
471         (builtin.createBuiltin):
472         * test262.yaml:
473         We fixed a long-standing spec compatibility issue.
474         As a result, this patch makes several test262 tests pass!
475
476
477 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
478
479         Unreviewed, annotate test with @skip if $memoryLimited
480         https://bugs.webkit.org/show_bug.cgi?id=183894
481
482         * stress/json-stringified-overflow.js:
483
484 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
485
486         Add svn:eol-style to line-terminator-normalisation-CR.js
487         https://bugs.webkit.org/show_bug.cgi?id=184341
488
489         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
490
491 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
492
493         Unreviewed, remove errant LF from existing test262 test for CR line endings.
494
495         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
496
497 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
498
499         Unreviewed, rolling out r230320.
500
501         Revert fix, as the root cause lies elsewhere.
502
503         Reverted changeset:
504
505         "[test262] Mark line-terminator-normalisation-CR.js as a
506         binary file."
507         https://bugs.webkit.org/show_bug.cgi?id=184341
508         https://trac.webkit.org/changeset/230320
509
510 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
511
512         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
513         https://bugs.webkit.org/show_bug.cgi?id=184341
514
515         Reviewed by Yusuke Suzuki.
516
517         This test is all about CR line endings, but `svn-apply` can't deal with them.
518         Treating the file as binary ensures that its contents are never shown in a diff.
519
520         * .gitattributes: Added.
521
522 2018-04-05  Robin Morisset  <rmorisset@apple.com>
523
524         Fix testcase (missing try/catch).
525         https://bugs.webkit.org/show_bug.cgi?id=183657
526
527         Unreviewed.
528
529         * stress/large-unshift-splice.js:
530
531 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
532
533         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
534         https://bugs.webkit.org/show_bug.cgi?id=184319
535
536         Reviewed by Saam Barati.
537
538         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
539         (foo):
540         (bar):
541         * stress/array-push-nan-to-double-array.js: Added.
542         (foo):
543         (bar):
544
545 2018-04-03  Mark Lam  <mark.lam@apple.com>
546
547         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
548         https://bugs.webkit.org/show_bug.cgi?id=184284
549
550         Reviewed by Saam Barati.
551
552         * stress/js-fixed-array-out-of-memory.js:
553
554 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
555
556         JSC crash in JIT code with for-of loop and Array/Set iterators
557         https://bugs.webkit.org/show_bug.cgi?id=183174
558
559         Reviewed by Saam Barati.
560
561         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
562         (foo):
563         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
564         (f):
565
566 2018-03-30  JF Bastien  <jfbastien@apple.com>
567
568         WebAssembly: support DataView compilation
569         https://bugs.webkit.org/show_bug.cgi?id=183342
570
571         Reviewed by Mark Lam.
572
573         Test WebAssembly compilation using a DataView with offset.
574
575         * wasm/regress/183342.js: Added.
576         (attempt.catch):
577
578 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
579
580         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
581         https://bugs.webkit.org/show_bug.cgi?id=184189
582
583         Reviewed by JF Bastien.
584
585         * stress/load-hole-from-scope-into-live-var.js: Added.
586         (result.eval.try.switch):
587         (catch):
588
589 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
590
591         Unreviewed, rolling out r230102.
592
593         Caused assertion failures on JSC bots.
594
595         Reverted changeset:
596
597         "A stack overflow in the parsing of a builtin (called by
598         createExecutable) cause a crash instead of a catchable js
599         exception"
600         https://bugs.webkit.org/show_bug.cgi?id=184074
601         https://trac.webkit.org/changeset/230102
602
603 2018-03-30  Robin Morisset  <rmorisset@apple.com>
604
605         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
606         https://bugs.webkit.org/show_bug.cgi?id=183812
607
608         Reviewed by Keith Miller.
609
610         * stress/inlining-unreachable-non-tail.js: Added.
611         (foo.):
612         (foo):
613
614 2018-03-30  Robin Morisset  <rmorisset@apple.com>
615
616         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
617         https://bugs.webkit.org/show_bug.cgi?id=184074
618         <rdar://problem/37165897>
619
620         Reviewed by Keith Miller.
621
622         * stress/stack-overflow-while-parsing-builtin.js: Added.
623         (f):
624
625 2018-03-30  Robin Morisset  <rmorisset@apple.com>
626
627         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
628         https://bugs.webkit.org/show_bug.cgi?id=183657
629
630         Reviewed by Keith Miller.
631
632         * stress/large-unshift-splice.js: Added.
633         (make_contig_arr):
634
635 2018-03-28  Robin Morisset  <rmorisset@apple.com>
636
637         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
638         https://bugs.webkit.org/show_bug.cgi?id=183894
639
640         Reviewed by Saam Barati.
641
642         * stress/json-stringified-overflow.js: Added.
643         (catch):
644
645 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
646
647         DFG should know that CreateThis can be effectful
648         https://bugs.webkit.org/show_bug.cgi?id=184013
649
650         Reviewed by Saam Barati.
651
652         * stress/create-this-property-change.js: Added.
653         (Foo):
654         (RealBar):
655         (get if):
656         * stress/create-this-structure-change-without-cse.js: Added.
657         (Foo):
658         (RealBar):
659         (get if):
660         * stress/create-this-structure-change.js: Added.
661         (Foo):
662         (RealBar):
663         (get if):
664
665 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
666
667         [DFG] Introduces fused compare and jump
668         https://bugs.webkit.org/show_bug.cgi?id=177100
669
670         Reviewed by Mark Lam.
671
672         * stress/fused-jeq-slow.js: Added.
673         (shouldBe):
674         (testJEQ):
675         (testJNEQB):
676         (testJEQB):
677         (testJNEQF):
678         (testJEQF):
679         * stress/fused-jeq.js: Added.
680         (shouldBe):
681         (testJEQ):
682         (testJNEQB):
683         (testJEQB):
684         (testJNEQF):
685         (testJEQF):
686         * stress/fused-jstricteq-slow.js: Added.
687         (shouldBe):
688         (testJSTRICTEQ):
689         (testJNSTRICTEQB):
690         (testJSTRICTEQB):
691         (testJNSTRICTEQF):
692         (testJSTRICTEQF):
693         * stress/fused-jstricteq.js: Added.
694         (shouldBe):
695         (testJSTRICTEQ):
696         (testJNSTRICTEQB):
697         (testJSTRICTEQB):
698         (testJNSTRICTEQF):
699         (testJSTRICTEQF):
700
701 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
702
703         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
704         https://bugs.webkit.org/show_bug.cgi?id=183559
705
706         Reviewed by Mark Lam.
707
708         * stress/double-to-string-in-loop-removed.js: Added.
709         (test):
710         * stress/int32-to-string-in-loop-removed.js: Added.
711         (test):
712         * stress/int52-to-string-in-loop-removed.js: Added.
713         (test):
714
715 2018-03-22  Michael Saboff  <msaboff@apple.com>
716
717         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
718         https://bugs.webkit.org/show_bug.cgi?id=183901
719
720         Reviewed by Keith Miller.
721
722         New test.
723
724         * stress/array-reverse-doesnt-clobber.js: Added.
725         (testArrayReverse):
726         (createArrayOfArrays):
727         (createArrayStorage):
728
729 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
730
731         ScopedArguments should do poisoning and index masking
732         https://bugs.webkit.org/show_bug.cgi?id=183863
733
734         Reviewed by Mark Lam.
735         
736         Adds another stress test of scoped arguments.
737
738         * stress/scoped-arguments-test.js: Added.
739         (foo):
740
741 2018-03-20  Saam Barati  <sbarati@apple.com>
742
743         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
744         https://bugs.webkit.org/show_bug.cgi?id=183795
745         <rdar://problem/38298694>
746
747         Reviewed by JF Bastien.
748
749         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
750         (foo):
751         (bar):
752
753 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
754
755         [DFG][FTL] Add vectorLengthHint for NewArray
756         https://bugs.webkit.org/show_bug.cgi?id=183694
757
758         Reviewed by Saam Barati.
759
760         * stress/vector-length-hint-array-constructor.js: Added.
761         (shouldBe):
762         (test):
763         * stress/vector-length-hint-new-array.js: Added.
764         (shouldBe):
765         (test):
766
767 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
768
769         [DFG][FTL] Make ArraySlice(0) code tight
770         https://bugs.webkit.org/show_bug.cgi?id=183590
771
772         Reviewed by Saam Barati.
773
774         * stress/array-slice-with-zero.js: Added.
775         (shouldBe):
776         (test):
777         (test2):
778         * stress/array-slice-zero-args.js: Added.
779         (shouldBe):
780         (test):
781
782 2018-03-14  Caitlin Potter  <caitp@igalia.com>
783
784         [JSC] fix order of evaluation for ClassDefinitionEvaluation
785         https://bugs.webkit.org/show_bug.cgi?id=183523
786
787         Reviewed by Keith Miller.
788
789         Computed property names need to be evaluated in source order during class
790         definition evaluation, as it's observable (and specified to work this way).
791
792         This change improves compatibility with Chromium.
793
794         * stress/class_elements.js: Added.
795         (test):
796         (test.C.prototype.effect):
797         (test.C.effect):
798         (test.C.prototype.get effect):
799         (test.C.prototype.set effect):
800         (test.C):
801
802 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
803
804         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
805         https://bugs.webkit.org/show_bug.cgi?id=183310
806
807         Reviewed by Filip Pizlo.
808
809         * stress/ai-create-this-to-new-object-fire.js: Added.
810         (assert):
811         (test):
812         (func):
813         (check):
814         (test.body.A):
815         (test.body.B):
816         (test.body):
817         * stress/ai-create-this-to-new-object.js: Added.
818         (assert):
819         (test):
820         (func):
821         (check):
822         (test.body.A):
823         (test.body.B):
824         (test.body):
825
826 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
827
828         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
829         https://bugs.webkit.org/show_bug.cgi?id=181848
830
831         Reviewed by Sam Weinig.
832
833         * microbenchmarks/regexp-u-global-es5.js: Added.
834         (fn):
835         * microbenchmarks/regexp-u-global-es6.js: Added.
836         (fn):
837         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
838         (shouldBe):
839         (test):
840         (i.switch):
841         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
842         (shouldBe):
843         (test):
844
845 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
846
847         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
848         https://bugs.webkit.org/show_bug.cgi?id=183334
849
850         Reviewed by Žan Doberšek.
851
852         * stress/var-injection-cache-invalidation.js:
853
854 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
855
856         [ARM] Disable tests that run out of memory
857         https://bugs.webkit.org/show_bug.cgi?id=182699
858
859         Reviewed by Žan Doberšek.
860
861         Skip tests that run out of memory. Do not run
862         modules/module-jit-reachability.js without LLInt to prevent
863         running out of executable memory.
864
865         * modules.yaml:
866         * modules/module-jit-reachability.js:
867         * stress/has-own-property-name-cache-string-keys.js:
868         * stress/has-own-property-name-cache-symbol-keys.js:
869
870 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
871
872         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
873         https://bugs.webkit.org/show_bug.cgi?id=183173
874
875         Reviewed by Saam Barati.
876
877         * stress/async-arrow-function-in-class-heritage.js: Added.
878         (testSyntax):
879         (testSyntaxError):
880         (SyntaxError):
881
882 2018-03-01  Saam Barati  <sbarati@apple.com>
883
884         We need to clear cached structures when having a bad time
885         https://bugs.webkit.org/show_bug.cgi?id=183256
886         <rdar://problem/36245022>
887
888         Reviewed by Mark Lam.
889
890         * stress/having-a-bad-time-with-derived-arrays.js: Added.
891         (assert):
892         (defineSetter):
893         (iterate):
894         (doSlice):
895
896 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
897
898         JSC crash with `import("")`
899         https://bugs.webkit.org/show_bug.cgi?id=183175
900
901         Reviewed by Saam Barati.
902
903         * stress/import-with-empty-string.js: Added.
904
905 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
906
907         Unreviewed, skip FTL tests if FTL is disabled
908         https://bugs.webkit.org/show_bug.cgi?id=183071
909
910         * stress/has-indexed-property-array-storage-ftl.js:
911         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
912
913 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
914
915         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
916         https://bugs.webkit.org/show_bug.cgi?id=182965
917
918         Reviewed by Saam Barati.
919
920         * stress/put-by-val-array-storage.js: Added.
921         (shouldBe):
922         (testArrayStorageInBounds):
923         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
924         (shouldBe):
925         (testInt32.createBuiltin):
926         (set for):
927         * stress/put-by-val-slow-put-array-storage.js: Added.
928         (shouldBe):
929         (testArrayStorageInBounds):
930
931 2018-02-26  Saam Barati  <sbarati@apple.com>
932
933         validateStackAccess should not validate if the offset is within the stack bounds
934         https://bugs.webkit.org/show_bug.cgi?id=183067
935         <rdar://problem/37749988>
936
937         Reviewed by Mark Lam.
938
939         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
940         (assert):
941         (test.a):
942         (test.b):
943         (test):
944
945 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
946
947         Unreviewed, skip FTL tests if FTL is disabled
948         https://bugs.webkit.org/show_bug.cgi?id=183071
949
950         * stress/has-indexed-property-array-storage-ftl.js:
951         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
952
953 2018-02-23  Saam Barati  <sbarati@apple.com>
954
955         Make Number.isInteger an intrinsic
956         https://bugs.webkit.org/show_bug.cgi?id=183088
957
958         Reviewed by JF Bastien.
959
960         * stress/number-is-integer-intrinsic.js: Added.
961
962 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
963
964         WebAssembly: cache memory address / size on instance
965         https://bugs.webkit.org/show_bug.cgi?id=177305
966
967         Reviewed by JF Bastien.
968
969         * wasm/function-tests/memory-reuse.js: Added.
970         (createWasmInstance):
971         (doCheckTrap):
972         (doMemoryGrow):
973         (doCheck):
974         (checkWasmInstancesWithSharedMemory):
975
976 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
977
978         [JSC] Implement $vm.ftlTrue function for FTL testing
979         https://bugs.webkit.org/show_bug.cgi?id=183071
980
981         Reviewed by Mark Lam.
982
983         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
984         (foo):
985         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
986         (foo):
987         * stress/dead-fiat-value-to-int52.js:
988         (foo):
989         * stress/dead-osr-entry-value.js:
990         (foo):
991         * stress/fiat-value-to-int52-then-exit-not-double.js:
992         (foo):
993         * stress/fiat-value-to-int52-then-exit-not-int52.js:
994         (foo):
995         * stress/fiat-value-to-int52-then-fail-to-fold.js:
996         (foo):
997         * stress/fiat-value-to-int52-then-fold.js:
998         (foo):
999         * stress/fiat-value-to-int52.js:
1000         (foo):
1001         * stress/fold-based-on-int32-proof-mul-branch.js:
1002         (foo):
1003         * stress/fold-profiled-call-to-call.js:
1004         (foo):
1005         * stress/fold-to-double-constant-then-exit.js:
1006         (foo):
1007         * stress/fold-to-int52-constant-then-exit.js:
1008         (foo):
1009         * stress/fold-to-primitive-in-cfa.js:
1010         (foo):
1011         * stress/fold-to-primitive-to-identity-in-cfa.js:
1012         (foo):
1013         * stress/has-indexed-property-array-storage-ftl.js: Added.
1014         (shouldBe):
1015         (test1):
1016         (test2):
1017         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1018         (shouldBe):
1019         (test1):
1020         (test2):
1021         * stress/int52-ai-add-then-filter-int32.js:
1022         (foo):
1023         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1024         (foo):
1025         * stress/int52-ai-mul-then-filter-int32.js:
1026         (foo):
1027         * stress/int52-ai-neg-then-filter-int32.js:
1028         (foo):
1029         * stress/int52-ai-sub-then-filter-int32.js:
1030         (foo):
1031         * stress/licm-pre-header-cannot-exit-nested.js:
1032         (foo):
1033         * stress/licm-pre-header-cannot-exit.js:
1034         (foo):
1035         * stress/sparse-array-entry-update-144067.js:
1036         (useMemoryToTriggerGCs):
1037         * stress/test-spec-misc.js:
1038         (foo):
1039         * stress/tricky-array-bounds-checks.js:
1040         (foo):
1041
1042 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1043
1044         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1045         https://bugs.webkit.org/show_bug.cgi?id=182792
1046
1047         Reviewed by Mark Lam.
1048
1049         * stress/has-indexed-property-array-storage.js: Added.
1050         (shouldBe):
1051         (test1):
1052         (test2):
1053         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1054         (shouldBe):
1055         (test1):
1056         (test2):
1057
1058 2018-02-20  Saam Barati  <sbarati@apple.com>
1059
1060         DFG::VarargsForwardingPhase should eliminate getting argument length
1061         https://bugs.webkit.org/show_bug.cgi?id=182959
1062
1063         Reviewed by Keith Miller.
1064
1065         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1066
1067 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1068
1069         [FTL] Support ArrayPush for ArrayStorage
1070         https://bugs.webkit.org/show_bug.cgi?id=182782
1071
1072         Reviewed by Saam Barati.
1073
1074         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1075
1076         * stress/array-push-array-storage-beyond-int32.js: Added.
1077         (shouldBe):
1078         (test):
1079         * stress/array-push-array-storage.js: Added.
1080         (shouldBe):
1081         (test):
1082         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1083         (shouldBe):
1084         (test):
1085         * stress/array-push-multiple-storage-continuous.js: Added.
1086         (shouldBe):
1087         (test):
1088
1089 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1090
1091         [FTL] Support ArrayPop for ArrayStorage
1092         https://bugs.webkit.org/show_bug.cgi?id=182783
1093
1094         Reviewed by Saam Barati.
1095
1096         * stress/array-pop-array-storage.js: Added.
1097         (shouldBe):
1098         (test):
1099
1100 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1101
1102         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1103         https://bugs.webkit.org/show_bug.cgi?id=182731
1104
1105         Reviewed by Saam Barati.
1106
1107         * stress/arrayify-array-storage-array.js: Added.
1108         (shouldBe):
1109         (testArrayStorage):
1110         * stress/arrayify-array-storage-non-array.js: Added.
1111         (shouldBe):
1112         (testArrayStorage):
1113         * stress/arrayify-array-storage.js: Added.
1114         (shouldBe):
1115         (testArrayStorage):
1116         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1117         (shouldBe):
1118         (testArrayStorage):
1119         * stress/arrayify-slow-put-array-storage.js: Added.
1120         (shouldBe):
1121         (testArrayStorage):
1122
1123 2018-02-19  Saam Barati  <sbarati@apple.com>
1124
1125         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1126         https://bugs.webkit.org/show_bug.cgi?id=182942
1127         <rdar://problem/37584764>
1128
1129         Reviewed by Mark Lam.
1130
1131         * stress/get-prototype-create-this-effectful.js: Added.
1132
1133 2018-02-16  Saam Barati  <sbarati@apple.com>
1134
1135         Fix bugs from r228411
1136         https://bugs.webkit.org/show_bug.cgi?id=182851
1137         <rdar://problem/37577732>
1138
1139         Reviewed by JF Bastien.
1140
1141         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1142
1143 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1144
1145         Unreviewed, roll out r228366 since it did not progress anything.
1146
1147         * stress/gc-error-stack.js: Removed.
1148         * stress/no-gc-error-stack.js: Removed.
1149
1150 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1151
1152         Many stress tests fail with JIT disabled
1153         https://bugs.webkit.org/show_bug.cgi?id=182730
1154
1155         Reviewed by Saam Barati.
1156
1157         These tests are broken by design if the JIT is disabled - they test
1158         the return value of numberOfDFGCompiles(), which is always set to
1159         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
1160
1161         * stress/arith-abs-on-various-types.js:
1162         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1163         * stress/arith-acos-on-various-types.js:
1164         * stress/arith-acosh-on-various-types.js:
1165         * stress/arith-asin-on-various-types.js:
1166         * stress/arith-asinh-on-various-types.js:
1167         * stress/arith-atan-on-various-types.js:
1168         * stress/arith-atanh-on-various-types.js:
1169         * stress/arith-cbrt-on-various-types.js:
1170         * stress/arith-ceil-on-various-types.js:
1171         * stress/arith-clz32-on-various-types.js:
1172         * stress/arith-cos-on-various-types.js:
1173         * stress/arith-cosh-on-various-types.js:
1174         * stress/arith-expm1-on-various-types.js:
1175         * stress/arith-floor-on-various-types.js:
1176         * stress/arith-fround-on-various-types.js:
1177         * stress/arith-log-on-various-types.js:
1178         * stress/arith-log10-on-various-types.js:
1179         * stress/arith-log2-on-various-types.js:
1180         * stress/arith-negate-on-various-types.js:
1181         * stress/arith-round-on-various-types.js:
1182         * stress/arith-sin-on-various-types.js:
1183         * stress/arith-sinh-on-various-types.js:
1184         * stress/arith-sqrt-on-various-types.js:
1185         * stress/arith-tan-on-various-types.js:
1186         * stress/arith-tanh-on-various-types.js:
1187         * stress/arith-trunc-on-various-types.js:
1188         * stress/compare-strict-eq-on-various-types.js:
1189
1190 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1191
1192         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1193
1194         Unreviewed test gardening.
1195
1196         * stress/new-largeish-contiguous-array-with-size.js:
1197
1198 2018-02-14  Saam Barati  <sbarati@apple.com>
1199
1200         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1201         https://bugs.webkit.org/show_bug.cgi?id=182801
1202
1203         Reviewed by Keith Miller.
1204
1205         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1206
1207 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1208
1209         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1210         https://bugs.webkit.org/show_bug.cgi?id=182526
1211
1212         Unreviewed test gardening.
1213
1214         * stress/activation-sink-default-value-tdz-error.js:
1215
1216 2018-02-13  Saam Barati  <sbarati@apple.com>
1217
1218         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1219         https://bugs.webkit.org/show_bug.cgi?id=182755
1220         <rdar://problem/37080864>
1221
1222         Reviewed by Keith Miller.
1223
1224         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1225         (test1.o.get 10005):
1226         (test1):
1227         (test2.o.get 1000):
1228         (test2):
1229
1230 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1231
1232         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1233         https://bugs.webkit.org/show_bug.cgi?id=182717
1234
1235         Reviewed by Yusuke Suzuki.
1236
1237         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1238         literals, to allow template callsite arrays to be collected when the
1239         code containing the tagged template call is collected. This spec change
1240         has received consensus and been ratified.
1241
1242         This change eliminates the eternal map associating template contents
1243         with arrays.
1244
1245         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1246         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1247         * stress/tagged-templates-identity.js:
1248         * stress/template-string-tags-eval.js:
1249         * test262.yaml:
1250
1251 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1252
1253         Support GetArrayLength on ArrayStorage in the FTL
1254         https://bugs.webkit.org/show_bug.cgi?id=182625
1255
1256         Reviewed by Saam Barati.
1257
1258         * stress/array-storage-length.js: Added.
1259         (shouldBe):
1260         (testInBound):
1261         (testUncountable):
1262         (testSlowPutInBound):
1263         (testSlowPutUncountable):
1264         * stress/undecided-length.js: Added.
1265         (shouldBe):
1266         (test2):
1267
1268 2018-02-12  Saam Barati  <sbarati@apple.com>
1269
1270         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1271         https://bugs.webkit.org/show_bug.cgi?id=182706
1272         <rdar://problem/36833681>
1273
1274         Reviewed by Filip Pizlo.
1275
1276         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1277         (effects):
1278         (foo):
1279
1280 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1281
1282         Don't waste memory for error.stack
1283         https://bugs.webkit.org/show_bug.cgi?id=182656
1284
1285         Reviewed by Saam Barati.
1286         
1287         Tests the policy.
1288
1289         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1290         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1291
1292 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1293
1294         [JSC] Update Test262 to Feb 9 version
1295         https://bugs.webkit.org/show_bug.cgi?id=182468
1296
1297         Reviewed by Saam Barati.
1298
1299 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1300
1301         Unreviewed, fix invalid line terminator in old test262 file part 2
1302         https://bugs.webkit.org/show_bug.cgi?id=182468
1303
1304         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1305
1306 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1307
1308         Unreviewed, fix invalid line terminator in old test262 file
1309         https://bugs.webkit.org/show_bug.cgi?id=182468
1310
1311         * test262/test/language/literals/regexp/7.8.5-1.js:
1312
1313 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1314
1315         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1316         https://bugs.webkit.org/show_bug.cgi?id=182440
1317
1318         Reviewed by Darin Adler.
1319
1320         * stress/array-flatmap.js: Added.
1321         (shouldBe):
1322         (shouldBeArray):
1323         (shouldThrow):
1324         (var):
1325         * stress/array-flatten.js: Added.
1326         (shouldBe):
1327         (shouldBeArray):
1328         * test262.yaml:
1329         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1330         (3.flatMap):
1331         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1332
1333 2018-02-06  Keith Miller  <keith_miller@apple.com>
1334
1335         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1336         https://bugs.webkit.org/show_bug.cgi?id=182549
1337         <rdar://problem/36189995>
1338
1339         Reviewed by Saam Barati.
1340
1341         * stress/var-injection-cache-invalidation.js: Added.
1342         (allocateLotsOfThings):
1343         (test):
1344
1345 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1346
1347         Unreviewed, follow up for test262 update
1348         https://bugs.webkit.org/show_bug.cgi?id=182288
1349
1350         * test262.yaml:
1351
1352 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1353
1354         Update test262 to Jan 30 version
1355         https://bugs.webkit.org/show_bug.cgi?id=182288
1356
1357         Unreviewed test gardening.
1358
1359         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1360
1361 2018-02-02  Saam Barati  <sbarati@apple.com>
1362
1363         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1364         https://bugs.webkit.org/show_bug.cgi?id=182368
1365         <rdar://problem/36932466>
1366
1367         Reviewed by Mark Lam.
1368
1369         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1370         (runNearStackLimit.t):
1371         (runNearStackLimit):
1372         (try.runNearStackLimit):
1373         (catch):
1374
1375 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1376
1377         Update test262 to Jan 30 version
1378         https://bugs.webkit.org/show_bug.cgi?id=182288
1379
1380         Rubber stamped by Saam Barati.
1381
1382         This patch updates test262 to the latest one, Jan 30 version.
1383         Since added and changed files are too many, we cannot create ChangeLog.
1384         The following files are changed.
1385
1386         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1387         including some special line terminators (like u2028, u2029).
1388
1389         * test262.yaml:
1390         * test262/test262-Revision.txt:
1391         * test262/*:
1392
1393 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1394
1395         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1396         https://bugs.webkit.org/show_bug.cgi?id=182411
1397
1398         Reviewed by Carlos Alberto Lopez Perez.
1399
1400         This is skipped only on arm memory limited platforms. Until recently
1401         it was not a problem on MIPS as the butterfly was not initialized. But
1402         since r227435, the butterfly is initialized in that test and therefore
1403         memory is allocated, and the test typically takes around 512M, which
1404         means it generally gets OOM-killed on the MIPS buildbot.
1405
1406         * mozilla/mozilla-tests.yaml:
1407
1408 2018-02-01  Mark Lam  <mark.lam@apple.com>
1409
1410         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1411         https://bugs.webkit.org/show_bug.cgi?id=182419
1412         <rdar://problem/37044945>
1413
1414         Reviewed by Saam Barati.
1415
1416         * stress/regress-182419.js: Added.
1417
1418 2018-02-01  Keith Miller  <keith_miller@apple.com>
1419
1420         Fix crashes due to mishandling custom sections.
1421         https://bugs.webkit.org/show_bug.cgi?id=182404
1422         <rdar://problem/36935863>
1423
1424         Reviewed by Saam Barati.
1425
1426         * wasm/Builder.js:
1427         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1428         * wasm/js-api/validate.js:
1429         (assert.truthy):
1430
1431 2018-01-31  Saam Barati  <sbarati@apple.com>
1432
1433         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1434         https://bugs.webkit.org/show_bug.cgi?id=182074
1435         <rdar://problem/36846261>
1436
1437         Reviewed by Mark Lam.
1438
1439         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1440         (assert):
1441         (let.func):
1442         (let.o.foo):
1443         (varFunc):
1444
1445 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1446
1447         Unreviewed, update test262 expects
1448         https://bugs.webkit.org/show_bug.cgi?id=182232
1449
1450         * test262.yaml:
1451
1452 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1453
1454         [JSC] Implement trimStart and trimEnd
1455         https://bugs.webkit.org/show_bug.cgi?id=182233
1456
1457         Reviewed by Mark Lam.
1458
1459         * stress/trim.js: Added.
1460         (shouldBe):
1461         (startTest):
1462         (endTest):
1463         (trimTest):
1464
1465 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1466
1467         [JSC] Relax line terminators in String to make JSON subset of JS
1468         https://bugs.webkit.org/show_bug.cgi?id=182232
1469
1470         Reviewed by Keith Miller.
1471
1472         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1473         * stress/relaxed-line-terminators-in-string.js: Added.
1474         (shouldBe):
1475
1476 2018-01-29  Michael Saboff  <msaboff@apple.com>
1477
1478         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1479         https://bugs.webkit.org/show_bug.cgi?id=182249
1480
1481         Reviewed by Keith Miller.
1482
1483         New regression test.
1484
1485         * stress/compare-clobber-untypeduse.js: Added.
1486
1487 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1488
1489         Unreviewed, rolling out r227725.
1490
1491         This caused internal failures.
1492
1493         Reverted changeset:
1494
1495         "JSC Sampling Profiler: Detect tester and testee when sampling
1496         in RegExp JIT"
1497         https://bugs.webkit.org/show_bug.cgi?id=152729
1498         https://trac.webkit.org/changeset/227725
1499
1500 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1501
1502         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1503         https://bugs.webkit.org/show_bug.cgi?id=152729
1504
1505         Reviewed by Saam Barati.
1506
1507         * stress/sampling-profiler-regexp.js: Added.
1508         (platformSupportsSamplingProfiler.test):
1509         (platformSupportsSamplingProfiler.baz):
1510         (platformSupportsSamplingProfiler):
1511
1512 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1513
1514         [DFG][FTL] WeakMap#set should have DFG node
1515         https://bugs.webkit.org/show_bug.cgi?id=180015
1516
1517         Reviewed by Saam Barati.
1518
1519         * stress/weakmap-set-change-get.js: Added.
1520         (shouldBe):
1521         (test):
1522         * stress/weakmap-set-cse.js: Added.
1523         (shouldBe):
1524         (test):
1525         * stress/weakset-add-change-get.js: Added.
1526         (shouldBe):
1527         * stress/weakset-add-cse.js: Added.
1528         (shouldBe):
1529
1530 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1531
1532         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1533         https://bugs.webkit.org/show_bug.cgi?id=182213
1534
1535         Reviewed by Mark Lam.
1536
1537         * stress/int32-min-to-string.js: Added.
1538         (shouldBe):
1539         (test2):
1540         (test4):
1541         (test8):
1542         (test16):
1543         (test32):
1544         * stress/zero-to-string.js: Added.
1545         (shouldBe):
1546         (test2):
1547         (test4):
1548         (test8):
1549         (test16):
1550         (test32):
1551
1552 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1553
1554         Add more module scope related tests with code evaluation by string
1555         https://bugs.webkit.org/show_bug.cgi?id=181983
1556
1557         Reviewed by Sam Weinig.
1558
1559         Add more module scope related tests. When the original tests were landed,
1560         we did not have browser integration. This patch adds more module scope tests
1561         with dynamically created script evaluation. We add tests with Function
1562         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1563
1564         * modules/scopes-eval.js: Added.
1565         (shouldBe):
1566         * modules/scopes.js:
1567         (shouldBe):
1568
1569 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1570
1571         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1572
1573         * microbenchmarks/array-push-3.js: Removed.
1574         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1575         * microbenchmarks/double-to-int32.js: Removed.
1576         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1577         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1578         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1579         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1580         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1581         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1582         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1583         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1584         * microbenchmarks/map-constant-key.js: Removed.
1585         * microbenchmarks/nested-function-parsing.js: Removed.
1586         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1587         * microbenchmarks/spread-large-array.js: Removed.
1588         * microbenchmarks/string-add-constant-folding.js: Removed.
1589         * microbenchmarks/to-lower-case.js: Removed.
1590         * microbenchmarks/undefined-property-access.js: Removed.
1591         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1592         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1593         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1594         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1595         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1596         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1597         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1598         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1599         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1600         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1601         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1602         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1603         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1604         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1605         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1606         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1607         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1608         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1609
1610 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1611
1612         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1613         https://bugs.webkit.org/show_bug.cgi?id=181739
1614         <rdar://problem/36627662>
1615
1616         Reviewed by Saam Barati.
1617
1618         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1619         (foo):
1620         (bar):
1621
1622 2018-01-22  Michael Saboff  <msaboff@apple.com>
1623
1624         DFG abstract interpreter needs to properly model effects of some Math ops
1625         https://bugs.webkit.org/show_bug.cgi?id=181886
1626
1627         Reviewed by Saam Barati.
1628
1629         New regression test.
1630
1631         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1632         (test):
1633
1634 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1635
1636         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1637         https://bugs.webkit.org/show_bug.cgi?id=181182
1638
1639         Reviewed by Darin Adler.
1640
1641         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1642         * stress/big-int-prototype-to-string-exception.js: Added.
1643         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1644         * stress/number-prototype-to-string-cast-overflow.js: Added.
1645         * stress/number-prototype-to-string-exception.js: Added.
1646         * stress/number-prototype-to-string-wrong-values.js: Added.
1647
1648 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1649
1650         Disable Atomics when SharedArrayBuffer isn’t enabled
1651         https://bugs.webkit.org/show_bug.cgi?id=181572
1652
1653         Unreviewed test gardening.
1654
1655         * test262.yaml: Skip tests that fail after this change.
1656
1657 2018-01-19  Saam Barati  <sbarati@apple.com>
1658
1659         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1660         https://bugs.webkit.org/show_bug.cgi?id=181877
1661         <rdar://problem/36630552>
1662
1663         Reviewed by Mark Lam.
1664
1665         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1666         (runNearStackLimit):
1667         (f1):
1668         (f2):
1669         (f3):
1670         (i.catch):
1671         (i.try.runNearStackLimit):
1672         (catch):
1673
1674 2018-01-19  Saam Barati  <sbarati@apple.com>
1675
1676         Spread's effects are modeled incorrectly both in AI and in Clobberize
1677         https://bugs.webkit.org/show_bug.cgi?id=181867
1678         <rdar://problem/36290415>
1679
1680         Reviewed by Michael Saboff.
1681
1682         * stress/ai-needs-to-model-spreads-effects.js: Added.
1683         (try.p.Symbol.iterator):
1684         (try.go):
1685         (catch):
1686         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1687         (assert):
1688         (foo):
1689         (a.Symbol.iterator):
1690
1691 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1692
1693         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1694         https://bugs.webkit.org/show_bug.cgi?id=181535
1695
1696         * stress/inserted-recovery-with-set-last-index.js:
1697
1698 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1699
1700         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1701         https://bugs.webkit.org/show_bug.cgi?id=181535
1702
1703         Reviewed by Saam Barati.
1704
1705         * stress/inserted-recovery-with-set-last-index.js: Added.
1706         (shouldBe):
1707         (foo):
1708         * stress/materialize-regexp-at-osr-exit.js: Added.
1709         (shouldBe):
1710         (test):
1711         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1712         (shouldBe):
1713         (test):
1714         * stress/materialize-regexp-cyclic-regexp.js: Added.
1715         (shouldBe):
1716         (test):
1717         (i.switch):
1718         * stress/materialize-regexp-cyclic.js: Added.
1719         (shouldBe):
1720         (test):
1721         (i.switch):
1722         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1723         (bar):
1724         (foo):
1725         (test):
1726         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1727         (bar):
1728         (foo):
1729         (test):
1730         * stress/materialize-regexp.js: Added.
1731         (shouldBe):
1732         (test):
1733         * stress/phantom-regexp-regexp-exec.js: Added.
1734         (shouldBe):
1735         (test):
1736         * stress/phantom-regexp-string-match.js: Added.
1737         (shouldBe):
1738         (test):
1739         * stress/regexp-last-index-sinking.js: Added.
1740         (shouldBe):
1741         (test):
1742
1743 2018-01-17  Saam Barati  <sbarati@apple.com>
1744
1745         Disable Atomics when SharedArrayBuffer isn’t enabled
1746         https://bugs.webkit.org/show_bug.cgi?id=181572
1747         <rdar://problem/36553206>
1748
1749         Reviewed by Michael Saboff.
1750
1751         * stress/isLockFree.js:
1752
1753 2018-01-17  Saam Barati  <sbarati@apple.com>
1754
1755         DFG::Node::convertToConstant needs to clear the varargs flags
1756         https://bugs.webkit.org/show_bug.cgi?id=181697
1757         <rdar://problem/36497332>
1758
1759         Reviewed by Yusuke Suzuki.
1760
1761         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1762         (doIndexOf):
1763         (bar):
1764         (i.bar):
1765
1766 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1767
1768         Unreviewed, rolling out r226937.
1769
1770         Tests added with this change are failing due to a missing
1771         exception check.
1772
1773         Reverted changeset:
1774
1775         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1776         double to int32_t"
1777         https://bugs.webkit.org/show_bug.cgi?id=181182
1778         https://trac.webkit.org/changeset/226937
1779
1780 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1781
1782         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1783         https://bugs.webkit.org/show_bug.cgi?id=181182
1784
1785         Reviewed by Darin Adler.
1786
1787         * bigIntTests.yaml:
1788         * stress/big-int-constructor.js:
1789         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1790         (assert):
1791         (assertThrowRangeError):
1792         * stress/number-prototype-to-string-cast-overflow.js: Added.
1793         (assert):
1794         (assertThrowRangeError):
1795
1796 2018-01-12  Saam Barati  <sbarati@apple.com>
1797
1798         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1799         https://bugs.webkit.org/show_bug.cgi?id=181177
1800         <rdar://problem/36205704>
1801
1802         Reviewed by Yusuke Suzuki.
1803
1804         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1805         (runNearStackLimit.t):
1806         (runNearStackLimit):
1807         (test.f):
1808         (test):
1809
1810 2018-01-12  Saam Barati  <sbarati@apple.com>
1811
1812         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1813         https://bugs.webkit.org/show_bug.cgi?id=181562
1814         <rdar://problem/36445624>
1815
1816         Reviewed by Yusuke Suzuki.
1817
1818         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1819         (f):
1820         (foo):
1821
1822 2018-01-11  Saam Barati  <sbarati@apple.com>
1823
1824         When inserting Unreachable in byte code parser we need to flush all the right things
1825         https://bugs.webkit.org/show_bug.cgi?id=181509
1826         <rdar://problem/36423110>
1827
1828         Reviewed by Mark Lam.
1829
1830         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1831
1832 2018-01-11  Saam Barati  <sbarati@apple.com>
1833
1834         JITMathIC code in the FTL is wrong when code gets duplicated
1835         https://bugs.webkit.org/show_bug.cgi?id=181525
1836         <rdar://problem/36351993>
1837
1838         Reviewed by Michael Saboff and Keith Miller.
1839
1840         * stress/allow-math-ic-b3-code-duplication.js: Added.
1841
1842 2018-01-11  Saam Barati  <sbarati@apple.com>
1843
1844         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1845         https://bugs.webkit.org/show_bug.cgi?id=181508
1846
1847         Reviewed by Yusuke Suzuki.
1848
1849         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1850         (assert):
1851         (test1.foo):
1852         (test1):
1853         (test2.foo):
1854         (test2):
1855
1856 2018-01-09  Mark Lam  <mark.lam@apple.com>
1857
1858         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1859         https://bugs.webkit.org/show_bug.cgi?id=181388
1860         <rdar://problem/36349351>
1861
1862         Reviewed by Saam Barati.
1863
1864         * stress/regress-181388.js: Added.
1865
1866 2018-01-08  JF Bastien  <jfbastien@apple.com>
1867
1868         WebAssembly: mask indexed accesses to Table
1869         https://bugs.webkit.org/show_bug.cgi?id=181412
1870         <rdar://problem/36363236>
1871
1872         Reviewed by Saam Barati.
1873
1874         Update error messages.
1875
1876         * wasm/js-api/table.js:
1877         (assert.throws.WebAssembly.Table.prototype.grow):
1878
1879 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1880
1881         Disable SharedArrayBuffer tests missed in r226386.
1882         https://bugs.webkit.org/show_bug.cgi?id=181266
1883
1884         Unreviewed test gardening.
1885
1886         * test262.yaml:
1887
1888 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1889
1890         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1891         https://bugs.webkit.org/show_bug.cgi?id=181321
1892
1893         Reviewed by Saam Barati.
1894
1895         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1896         (shouldBe):
1897         (testFunction):
1898         * test262.yaml:
1899
1900 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1901
1902         Unreviewed, attempt to fix test262 after r226386.
1903
1904         * test262.yaml:
1905
1906 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1907
1908         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1909         https://bugs.webkit.org/show_bug.cgi?id=179911
1910
1911         Reviewed by Saam Barati.
1912
1913         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1914
1915         * stress/map-set-change-get.js: Added.
1916         (shouldBe):
1917         (test):
1918         * stress/map-set-create-bucket.js: Added.
1919         (shouldBe):
1920         (test):
1921         * stress/set-add-create-bucket.js: Added.
1922         (shouldBe):
1923
1924 2018-01-03  Michael Saboff  <msaboff@apple.com>
1925
1926         Disable SharedArrayBuffers from Web API
1927         https://bugs.webkit.org/show_bug.cgi?id=181266
1928
1929         Reviewed by Saam Barati.
1930
1931         Disabled SharedArrayBuffer tests.
1932
1933         * stress/SharedArrayBuffer-opt.js:
1934         * stress/SharedArrayBuffer.js:
1935         * stress/array-buffer-byte-length.js:
1936         * stress/atomics-add-uint32.js:
1937         * stress/atomics-known-int-use.js:
1938         * stress/atomics-neg-zero.js:
1939         * stress/atomics-store-return.js:
1940         * stress/lars-sab-workers.js:
1941         * stress/regress-159779-1.js:
1942         * stress/regress-159779-2.js:
1943         * stress/regress-170473.js:
1944         * test262.yaml:
1945
1946 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1947
1948         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1949         https://bugs.webkit.org/show_bug.cgi?id=181258
1950
1951         Reviewed by Antonio Gomes.
1952
1953         * stress/big-int-constructor-gc.js:
1954         * stress/big-int-constructor-oom.js:
1955
1956 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1957
1958         Inlining of a function that ends in op_unreachable crashes
1959         https://bugs.webkit.org/show_bug.cgi?id=181027
1960
1961         Reviewed by Filip Pizlo.
1962
1963         * stress/inlining-unreachable.js: Added.
1964         (bar):
1965         (baz):
1966         (i.catch):
1967
1968 2018-01-02  Saam Barati  <sbarati@apple.com>
1969
1970         Incorrect assertion inside AccessCase
1971         https://bugs.webkit.org/show_bug.cgi?id=181200
1972         <rdar://problem/35494754>
1973
1974         Reviewed by Yusuke Suzuki.
1975
1976         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1977         (ctor):
1978         (theFunc):
1979         (run):
1980
1981 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1982
1983         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1984         https://bugs.webkit.org/show_bug.cgi?id=175359
1985
1986         Reviewed by Yusuke Suzuki.
1987
1988         * bigIntTests.yaml:
1989         * stress/big-int-as-key.js: Added.
1990         * stress/big-int-constructor-gc.js: Added.
1991         * stress/big-int-constructor-oom.js: Added.
1992         * stress/big-int-constructor-properties.js: Added.
1993         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1994         * stress/big-int-constructor-prototype.js: Added.
1995         * stress/big-int-constructor.js: Added.
1996         * stress/big-int-function-apply.js:
1997         * stress/big-int-length.js: Added.
1998         * stress/big-int-prop-descriptor.js: Added.
1999         * stress/big-int-proto-constructor.js: Added.
2000         * stress/big-int-proto-name.js: Added.
2001         * stress/big-int-prototype-properties.js: Added.
2002         * stress/big-int-prototype-proto.js: Added.
2003         * stress/big-int-prototype-value-of.js: Added.
2004         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2005         * stress/big-int-prototype-to-string-apply.js: Added.
2006         * stress/big-int-to-object.js: Added.
2007         * stress/big-int-to-string.js: Added.
2008
2009 2017-12-28  Saam Barati  <sbarati@apple.com>
2010
2011         Assertion used to determine if something is an async generator is wrong
2012         https://bugs.webkit.org/show_bug.cgi?id=181168
2013         <rdar://problem/35640560>
2014
2015         Reviewed by Yusuke Suzuki.
2016
2017         * stress/async-generator-assertion.js: Added.
2018
2019 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2020
2021         Skip stress/splay-flash-access tests on memory limited platforms
2022         https://bugs.webkit.org/show_bug.cgi?id=181086
2023
2024         Reviewed by Carlos Alberto Lopez Perez.
2025
2026         These tests use about 185M of memory, and occasionally get OOM-killed
2027         on memory limited platforms.
2028
2029         * stress/splay-flash-access-1ms.js:
2030         * stress/splay-flash-access.js:
2031
2032 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2033
2034         Skip slow jsc tests on embedded platforms
2035         https://bugs.webkit.org/show_bug.cgi?id=180937
2036
2037         Reviewed by Carlos Alberto Lopez Perez.
2038
2039         The tests typeProfiler/deltablue-for-of.js and
2040         typeProfiler/getter-richards.js take a very long time in the
2041         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
2042         thus always time out. They should be skipped on these platforms.
2043
2044         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2045         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2046
2047 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2048
2049         [JSC] Do not check isValid() in op_new_regexp
2050         https://bugs.webkit.org/show_bug.cgi?id=180970
2051
2052         Reviewed by Saam Barati.
2053
2054         * stress/regexp-syntax-error-invalid-flags.js: Added.
2055         (shouldThrow):
2056
2057 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2058
2059         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2060         https://bugs.webkit.org/show_bug.cgi?id=180712
2061
2062         Reviewed by Michael Catanzaro.
2063
2064         stress/call-apply-exponential-bytecode-size.js crashes if the
2065         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2066         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2067         should skip the test on other platforms.
2068
2069         * stress/call-apply-exponential-bytecode-size.js:
2070
2071 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2072
2073         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2074         https://bugs.webkit.org/show_bug.cgi?id=179762
2075
2076         Reviewed by Saam Barati.
2077
2078         * stress/call-varargs-double-new-array-buffer.js: Added.
2079         (assert):
2080         (bar):
2081         (foo):
2082         * stress/call-varargs-spread-new-array-buffer.js: Added.
2083         (assert):
2084         (bar):
2085         (foo):
2086         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2087         (assert):
2088         (bar):
2089         (foo):
2090         * stress/forward-varargs-double-new-array-buffer.js: Added.
2091         (assert):
2092         (test.baz):
2093         (test.bar):
2094         (test.foo):
2095         (test):
2096         * stress/new-array-buffer-sinking-osrexit.js: Added.
2097         (target):
2098         (test):
2099         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2100         (shouldBe):
2101         (test):
2102         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2103         (shouldBe):
2104         (target):
2105         (test):
2106         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2107         (assert):
2108         (test1.bar):
2109         (test1.foo):
2110         (test1):
2111         (test2.bar):
2112         (test2.foo):
2113         (test3.baz):
2114         (test3.bar):
2115         (test3.foo):
2116         (test4.baz):
2117         (test4.bar):
2118         (test4.foo):
2119         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2120         (assert):
2121         (test.baz):
2122         (test.bar):
2123         (test.foo):
2124         (test):
2125         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2126         (assert):
2127         (baz):
2128         (bar):
2129         (effects):
2130         (foo):
2131
2132 2017-12-14  Saam Barati  <sbarati@apple.com>
2133
2134         The CleanUp after LICM is erroneously removing a Check
2135         https://bugs.webkit.org/show_bug.cgi?id=180852
2136         <rdar://problem/36063494>
2137
2138         Reviewed by Filip Pizlo.
2139
2140         * stress/dont-run-cleanup-after-licm.js: Added.
2141
2142 2017-12-14  Michael Saboff  <msaboff@apple.com>
2143
2144         REGRESSION (r225695): Repro crash on yahoo login page
2145         https://bugs.webkit.org/show_bug.cgi?id=180761
2146
2147         Reviewed by JF Bastien.
2148
2149         New regression test.
2150
2151         * stress/regress-180761.js: Added.
2152
2153 2017-12-13  Keith Miller  <keith_miller@apple.com>
2154
2155         JSObjects should have a mask for loading indexed properties
2156         https://bugs.webkit.org/show_bug.cgi?id=180768
2157
2158         Reviewed by Mark Lam.
2159
2160         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2161         (test):
2162
2163 2017-12-13  Saam Barati  <sbarati@apple.com>
2164
2165         Arrow functions need their own structure because they have different properties than sloppy functions
2166         https://bugs.webkit.org/show_bug.cgi?id=180779
2167         <rdar://problem/35814591>
2168
2169         Reviewed by Mark Lam.
2170
2171         * stress/arrow-function-needs-its-own-structure.js: Added.
2172         (assert):
2173         (readPrototype):
2174         (noInline.let.f1):
2175         (noInline):
2176
2177 2017-12-13  Saam Barati  <sbarati@apple.com>
2178
2179         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2180         https://bugs.webkit.org/show_bug.cgi?id=163579
2181         <rdar://problem/35455798>
2182
2183         Reviewed by Mark Lam.
2184
2185         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2186         (assert):
2187         (test1):
2188         (i.test1):
2189         (i.test1.C):
2190         (i.test1.async.foo):
2191         (i.test1.foo):
2192         (test2):
2193
2194 2017-12-13  Saam Barati  <sbarati@apple.com>
2195
2196         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2197         https://bugs.webkit.org/show_bug.cgi?id=180734
2198         <rdar://problem/35640547>
2199
2200         Reviewed by Yusuke Suzuki.
2201
2202         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2203         (__isPropertyOfType):
2204         (__getProperties):
2205         (__getObjects):
2206         (__getRandomObject):
2207         (theClass.):
2208         (theClass):
2209         (childClass):
2210         (counter.catch):
2211
2212 2017-12-12  Saam Barati  <sbarati@apple.com>
2213
2214         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2215         https://bugs.webkit.org/show_bug.cgi?id=180725
2216         <rdar://problem/35970511>
2217
2218         Reviewed by Michael Saboff.
2219
2220         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2221         (f1):
2222         (f2):
2223         (let.o2.valueOf):
2224
2225 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2226
2227         [JSC] Implement optimized WeakMap and WeakSet
2228         https://bugs.webkit.org/show_bug.cgi?id=179929
2229
2230         Reviewed by Saam Barati.
2231
2232         * microbenchmarks/weak-map-key.js:
2233         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2234         (assert):
2235         (objectKey):
2236         (let.start.Date.now):
2237         * stress/basic-weakmap.js: Added.
2238         (shouldBe):
2239         (test):
2240         * stress/basic-weakset.js: Added.
2241         (shouldBe):
2242         (test.set new):
2243         * stress/weakmap-cse-set-break.js: Added.
2244         (shouldBe):
2245         (test):
2246         * stress/weakmap-cse.js: Added.
2247         (shouldBe):
2248         (test):
2249         * stress/weakmap-gc.js: Added.
2250         (test):
2251         * stress/weakset-cse-add-break.js: Added.
2252         (shouldBe):
2253         (test.set new):
2254         * stress/weakset-cse.js: Added.
2255         (shouldBe):
2256         (test.set new):
2257         * stress/weakset-gc.js: Added.
2258         (test.set add):
2259         (test.set new):
2260         (test):
2261
2262 2017-12-12  Saam Barati  <sbarati@apple.com>
2263
2264         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2265         https://bugs.webkit.org/show_bug.cgi?id=180723
2266         <rdar://problem/35859726>
2267
2268         Reviewed by JF Bastien.
2269
2270         * stress/get-my-argument-by-val-constant-folding.js: Added.
2271         (test):
2272         (catch):
2273
2274 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2275
2276         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2277         https://bugs.webkit.org/show_bug.cgi?id=179000
2278
2279         Reviewed by Darin Adler and Yusuke Suzuki.
2280
2281         * bigIntTests.yaml: Added.
2282         * stress/big-int-literal-line-terminator.js: Added.
2283         * stress/big-int-literals.js: Added.
2284         * stress/big-int-operations-error.js: Added.
2285         * stress/big-int-type-of.js: Added.
2286         * stress/big-int-white-space-trailing-leading.js: Added.
2287         * stress/big-int-function-apply.js: Added.
2288
2289 2017-12-11  Saam Barati  <sbarati@apple.com>
2290
2291         We need to disableCaching() in ErrorInstance when we materialize properties
2292         https://bugs.webkit.org/show_bug.cgi?id=180343
2293         <rdar://problem/35833002>
2294
2295         Reviewed by Mark Lam.
2296
2297         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2298         (assert):
2299         (makeError):
2300         (storeToStack):
2301         (storeToStackAlreadyMaterialized):
2302
2303 2017-12-05  JF Bastien  <jfbastien@apple.com>
2304
2305         WebAssembly: don't eagerly checksum
2306         https://bugs.webkit.org/show_bug.cgi?id=180441
2307         <rdar://problem/35156628>
2308
2309         Reviewed by Saam Barati.
2310
2311         Checksum is now disabled, so tests only have <?> as the module
2312         name.
2313
2314         * wasm/function-tests/nameSection.js:
2315         * wasm/function-tests/stack-overflow.js:
2316         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2317         (assertOverflows.assertThrows):
2318         (assertOverflows):
2319         * wasm/function-tests/stack-trace.js:
2320
2321 2017-12-04  JF Bastien  <jfbastien@apple.com>
2322
2323         Proxy all functions, except the $ objects
2324         https://bugs.webkit.org/show_bug.cgi?id=180375
2325
2326         Reviewed by Saam Barati.
2327
2328         It looks like this test may have broken some executions because I
2329         call some internal objects. Explicitly ignore objects whose name
2330         starts with "$" because it's a bad idea anyways.
2331
2332         * stress/proxy-all-the-parameters.js:
2333         (generateObjects):
2334         (get throw):
2335
2336 2017-12-04  Saam Barati  <sbarati@apple.com>
2337
2338         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2339         https://bugs.webkit.org/show_bug.cgi?id=180366
2340         <rdar://problem/35685877>
2341
2342         Reviewed by Michael Saboff.
2343
2344         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2345         (theParent):
2346         (test1.base.getParentStaticValue):
2347         (test1.base):
2348         (test1.__v_24888.prototype.set prop):
2349         (test1.__v_24888):
2350         (test2.base.getParentStaticValue):
2351         (test2.base):
2352         (test2.__v_24888.prototype.set prop):
2353         (test2.__v_24888):
2354         (test2):
2355
2356 2017-12-01  JF Bastien  <jfbastien@apple.com>
2357
2358         Try proxying all function arguments
2359         https://bugs.webkit.org/show_bug.cgi?id=180306
2360
2361         Reviewed by Saam Barati.
2362
2363         * stress/proxy-all-the-parameters.js: Added.
2364         (isPropertyOfType):
2365         (getProperties):
2366         (generateObjects):
2367         (getObjects):
2368         (getFunctions):
2369         (get throw):
2370         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2371
2372 2017-12-01  JF Bastien  <jfbastien@apple.com>
2373
2374         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2375         https://bugs.webkit.org/show_bug.cgi?id=180297
2376         <rdar://problem/35745556>
2377
2378         Reviewed by Mark Lam.
2379
2380         * stress/math-exceptions.js: Added.
2381         (get try):
2382         (catch):
2383
2384 2017-12-01  JF Bastien  <jfbastien@apple.com>
2385
2386         JavaScriptCore: add test for weird class static getters
2387         https://bugs.webkit.org/show_bug.cgi?id=180281
2388         <rdar://problem/35592139>
2389
2390         Reviewed by Mark Lam.
2391
2392         I fixed a bug for it in r224927 and didn't add a test. Do so.
2393
2394         * stress/class-static-get-weird.js: Added.
2395         (c.prototype.get name):
2396         (c):
2397         (c.prototype.get arguments):
2398         (c.prototype.get caller):
2399         (c.prototype.get length):
2400
2401 2017-12-01  Saam Barati  <sbarati@apple.com>
2402
2403         Having a bad time needs to handle ArrayClass indexing type as well
2404         https://bugs.webkit.org/show_bug.cgi?id=180274
2405         <rdar://problem/35667869>
2406
2407         Reviewed by Keith Miller and Mark Lam.
2408
2409         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2410         (assert):
2411         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2412         (assert):
2413
2414 2017-12-01  JF Bastien  <jfbastien@apple.com>
2415
2416         WebAssembly: restore cached stack limit after out-call
2417         https://bugs.webkit.org/show_bug.cgi?id=179106
2418         <rdar://problem/35337525>
2419
2420         Reviewed by Saam Barati.
2421
2422         * wasm/function-tests/double-instance.js: Added.
2423         (const.imp.boom):
2424         (const.imp.get callAnother):
2425
2426 2017-11-30  JF Bastien  <jfbastien@apple.com>
2427
2428         WebAssembly: improve stack trace
2429         https://bugs.webkit.org/show_bug.cgi?id=179343
2430
2431         Reviewed by Saam Barati.
2432
2433         Update the tests to follow the new format. Notably, SHA1 module
2434         hash is now included in traces, and stubs are properly identified.
2435
2436         * wasm/assert.js: Add an assertion which matches regular expressions.
2437         * wasm/function-tests/nameSection.js:
2438         * wasm/function-tests/stack-overflow.js:
2439         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2440         (assertOverflows.assertThrows.wasm.1):
2441         (assertOverflows.assertThrows.wasm.0):
2442         (assertOverflows.assertThrows):
2443         (assertOverflows):
2444         * wasm/function-tests/stack-trace.js:
2445         (import.Builder.from.string_appeared_here.assert): Deleted.
2446         * wasm/function-tests/trap-after-cross-instance-call.js:
2447         (wasmFrameCountFromError):
2448         * wasm/function-tests/trap-load-2.js:
2449         (wasmFrameCountFromError):
2450         * wasm/function-tests/trap-load.js:
2451         (wasmFrameCountFromError):
2452
2453 2017-11-30  Mark Lam  <mark.lam@apple.com>
2454
2455         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2456         https://bugs.webkit.org/show_bug.cgi?id=180219
2457         <rdar://problem/35696536>
2458
2459         Reviewed by Filip Pizlo.
2460
2461         * stress/regress-180219.js: Added.
2462
2463 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2464
2465         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2466         https://bugs.webkit.org/show_bug.cgi?id=180190
2467
2468         Reviewed by Mark Lam.
2469
2470         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2471         (shouldBe):
2472         (test1):
2473         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2474         (shouldBe):
2475         (test1):
2476         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2477         (shouldBe):
2478         (test1):
2479         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2480         (shouldBe):
2481         (test1):
2482         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2483         (shouldBe):
2484         (test1):
2485         * stress/operation-in-may-have-negative-int32.js: Added.
2486         (shouldBe):
2487         (test2):
2488         * stress/operation-in-negative-int32-cast.js: Added.
2489         (shouldBe):
2490         (test1):
2491
2492 2017-11-28  JF Bastien  <jfbastien@apple.com>
2493
2494         Strict and sloppy functions shouldn't share structure
2495         https://bugs.webkit.org/show_bug.cgi?id=180103
2496         <rdar://problem/35667847>
2497
2498         Reviewed by Saam Barati.
2499
2500         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2501         because the IC was wrong.
2502         (foo):
2503         (bar):
2504         (baz):
2505         (catch):
2506         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2507         in this patch, but may as well test odd strict mode corner cases.
2508         (bar):
2509         (baz):
2510         (catch):
2511         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2512         (foo):
2513         (bar):
2514         (baz):
2515         (catch):
2516         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2517         next file, but with invalidation of the FunctionExecutable's
2518         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2519         slower path.
2520         (foo):
2521         (bar.const.x):
2522         (bar.const.y):
2523         (bar):
2524         (catch):
2525         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2526         strict nesting works correctly.
2527         (foo):
2528         (bar.baz):
2529         (bar):
2530         * stress/strict-function-structure.js: Added. The test used to
2531         assert in objectProtoFuncHasOwnProperty.
2532         (foo):
2533         (bar):
2534         (baz):
2535         * stress/strict-nested-function-structure.js: Added. Nesting.
2536         (foo):
2537         (bar):
2538         (baz.boo):
2539         (baz):
2540
2541 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2542
2543         The recursive tail call optimisation is wrong on closures
2544         https://bugs.webkit.org/show_bug.cgi?id=179835
2545
2546         Reviewed by Saam Barati.
2547
2548         * stress/closure-recursive-tail-call.js: Added.
2549         (makeClosure):
2550
2551 2017-11-27  JF Bastien  <jfbastien@apple.com>
2552
2553         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2554         https://bugs.webkit.org/show_bug.cgi?id=180051
2555         <rdar://problem/35614371>
2556
2557         Reviewed by Saam Barati.
2558
2559         * stress/rest-parameter-negative.js: Added.
2560         (__f_5484):
2561         (catch):
2562         (__f_5485):
2563         (__v_22598.catch):
2564
2565 2017-11-27  Saam Barati  <sbarati@apple.com>
2566
2567         Spread can escape when CreateRest does not
2568         https://bugs.webkit.org/show_bug.cgi?id=180057
2569         <rdar://problem/35676119>
2570
2571         Reviewed by JF Bastien.
2572
2573         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2574         (assert):
2575         (getProperties):
2576         (theFunc):
2577         (let.obj.valueOf):
2578
2579 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2580
2581         [DFG] Add NormalizeMapKey DFG IR
2582         https://bugs.webkit.org/show_bug.cgi?id=179912
2583
2584         Reviewed by Saam Barati.
2585
2586         * stress/map-untyped-normalize-cse.js: Added.
2587         (shouldBe):
2588         (test):
2589         * stress/map-untyped-normalize.js: Added.
2590         (shouldBe):
2591         (test):
2592         * stress/set-untyped-normalize-cse.js: Added.
2593         (shouldBe):
2594         (set return.set has.set has):
2595         * stress/set-untyped-normalize.js: Added.
2596         (shouldBe):
2597         (set return.set has):
2598
2599 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2600
2601         [FTL] Support DeleteById and DeleteByVal
2602         https://bugs.webkit.org/show_bug.cgi?id=180022
2603
2604         Reviewed by Saam Barati.
2605
2606         * stress/delete-by-id.js: Added.
2607         (shouldBe):
2608         (test1):
2609         (test2):
2610         * stress/delete-by-val-ftl.js: Added.
2611         (shouldBe):
2612         (test1):
2613         (test2):
2614
2615 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2616
2617         [DFG] Introduce {Set,Map,WeakMap}Fields
2618         https://bugs.webkit.org/show_bug.cgi?id=179925
2619
2620         Reviewed by Saam Barati.
2621
2622         * stress/map-set-clobber-map-get.js: Added.
2623         (shouldBe):
2624         (test):
2625         * stress/map-set-does-not-clobber-set-has.js: Added.
2626         (shouldBe):
2627         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2628         (shouldBe):
2629         (test):
2630         * stress/set-add-clobber-set-has.js: Added.
2631         (shouldBe):
2632         * stress/set-add-does-not-clobber-map-get.js: Added.
2633         (shouldBe):
2634
2635 2017-11-24  Mark Lam  <mark.lam@apple.com>
2636
2637         Move unsafe jsc shell test functions to the $vm object.
2638         https://bugs.webkit.org/show_bug.cgi?id=179980
2639
2640         Reviewed by Yusuke Suzuki.
2641
2642         * controlFlowProfiler/driver/driver.js:
2643         * controlFlowProfiler/execution-count.js:
2644         * controlFlowProfiler/if-statement.js:
2645         * controlFlowProfiler/loop-statements.js:
2646         * controlFlowProfiler/switch-statements.js:
2647         * controlFlowProfiler/test-jit.js:
2648         * exceptionFuzz/3d-cube.js:
2649         * exceptionFuzz/date-format-xparb.js:
2650         * exceptionFuzz/earley-boyer.js:
2651         * heapProfiler/basic-edges.js:
2652         * heapProfiler/property-edge-types.js:
2653         * microbenchmarks/try-get-by-id-basic.js:
2654         * microbenchmarks/try-get-by-id-polymorphic.js:
2655         * modules/namespace-object-try-get.js:
2656         * stress/argument-count-bytecode.js:
2657         * stress/argument-intrinsic-basic.js:
2658         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2659         * stress/argument-intrinsic-inlining-with-result-escape.js:
2660         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2661         * stress/argument-intrinsic-inlining-with-vararg.js:
2662         * stress/argument-intrinsic-nested-inlining.js:
2663         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2664         * stress/argument-intrinsic-with-stack-write.js:
2665         * stress/arity-mismatch-get-argument.js:
2666         * stress/array-message-passing.js:
2667         * stress/array-push-with-force-exit.js:
2668         * stress/check-dom-with-signature.js:
2669         * stress/check-sub-class.js:
2670         * stress/compare-eq-incomplete-profile.js:
2671         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2672         * stress/do-eval-virtual-call-correctly.js:
2673         * stress/dom-jit-with-poly-proto.js:
2674         * stress/domjit-exception-ic.js:
2675         * stress/domjit-exception.js:
2676         * stress/domjit-getter-complex-with-incorrect-object.js:
2677         * stress/domjit-getter-complex.js:
2678         * stress/domjit-getter-poly.js:
2679         * stress/domjit-getter-proto.js:
2680         * stress/domjit-getter-super-poly.js:
2681         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2682         * stress/domjit-getter-type-check.js:
2683         * stress/domjit-getter.js:
2684         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2685         * stress/for-in-proxy-target-changed-structure.js:
2686         * stress/for-in-proxy.js:
2687         * stress/generational-opaque-roots.js:
2688         * stress/global-const-redeclaration-setting-2.js:
2689         * stress/global-const-redeclaration-setting-3.js:
2690         * stress/global-const-redeclaration-setting-4.js:
2691         * stress/global-const-redeclaration-setting-5.js:
2692         * stress/global-const-redeclaration-setting.js:
2693         * stress/import-basic.js:
2694         * stress/import-from-eval.js:
2695         * stress/import-reject-with-exception.js:
2696         * stress/import-syntax.js:
2697         * stress/impure-get-own-property-slot-inline-cache.js:
2698         * stress/is-constructor.js:
2699         * stress/istypedarrayview-intrinsic.js:
2700         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2701         * stress/jsc-test-functions-should-be-more-robust.js:
2702         * stress/object-toString-with-proxy.js:
2703         * stress/poly-proto-custom-value-and-accessor.js:
2704         * stress/proxy-inline-cache.js:
2705         * stress/re-execute-error-module.js:
2706         * stress/regress-150532.js:
2707         * stress/regress-156992.js:
2708         * stress/regress-179619.js:
2709         * stress/resources/shadow-chicken-support.js:
2710         * stress/runtime-array.js:
2711         * stress/sampling-profiler-microtasks.js:
2712         * stress/shadow-chicken-enabled.js:
2713         * stress/spread-correct-global-object-on-exception.js:
2714         * stress/super-get-by-id.js:
2715         * stress/tailCallForwardArguments.js:
2716         * stress/to-object-intrinsic-boolean-edge.js:
2717         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2718         * stress/to-object-intrinsic-number-edge.js:
2719         * stress/to-object-intrinsic-object-edge.js:
2720         * stress/to-object-intrinsic-string-edge.js:
2721         * stress/to-object-intrinsic-symbol-edge.js:
2722         * stress/to-object-intrinsic.js:
2723         * stress/try-catch-custom-getter-as-get-by-id.js:
2724         * stress/try-get-by-id-poly-proto.js:
2725         * stress/try-get-by-id-should-spill-registers-dfg.js:
2726         * stress/try-get-by-id.js:
2727         * typeProfiler/arrow-functions.js:
2728         * typeProfiler/basic.js:
2729         * typeProfiler/captured.js:
2730         * typeProfiler/classes.js:
2731         * typeProfiler/dfg-jit-optimizations.js:
2732         * typeProfiler/dictionary-mode.js:
2733         * typeProfiler/es6-block-scoping.js:
2734         * typeProfiler/es6-classes.js:
2735         * typeProfiler/inheritance.js:
2736         * typeProfiler/int52-dfg.js:
2737         * typeProfiler/loop.js:
2738         * typeProfiler/optional-fields.js:
2739         * typeProfiler/overflow.js:
2740         * typeProfiler/return.js:
2741         * typeProfiler/symbol.js:
2742         * typeProfiler/weird-prototype-chain.js:
2743
2744 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2745
2746         [DFG][FTL] Support MapSet / SetAdd intrinsics
2747         https://bugs.webkit.org/show_bug.cgi?id=179858
2748
2749         Reviewed by Saam Barati.
2750
2751         * microbenchmarks/map-has-and-set.js: Added.
2752         (test):
2753         * stress/map-set-check-failure.js: Added.
2754         (shouldBe):
2755         (shouldThrow):
2756         (target):
2757         * stress/map-set-cse.js: Added.
2758         (shouldBe):
2759         (test):
2760         * stress/set-add-check-failure.js: Added.
2761         (shouldBe):
2762         (shouldThrow):
2763         (set shouldThrow):
2764         * stress/set-add-cse.js: Added.
2765         (shouldBe):
2766
2767 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2768
2769         [JSC] Allow poly proto for intrinsic getters
2770         https://bugs.webkit.org/show_bug.cgi?id=179550
2771
2772         Reviewed by Saam Barati.
2773
2774         This change is also tested by existing tests.
2775
2776             1. stress/intrinsic-getter-with-poly-proto.js
2777             2. stress/poly-proto-intrinsic-getter-correctness.js
2778
2779         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2780         (shouldBe):
2781         (makePolyProtoObject.foo.C):
2782         (makePolyProtoObject.foo):
2783         (makePolyProtoObject):
2784         (target):
2785         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2786         (shouldBe):
2787         (makePolyProtoObject.foo.C):
2788         (makePolyProtoObject.foo):
2789         (makePolyProtoObject):
2790         (target):
2791
2792 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2793
2794         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2795         https://bugs.webkit.org/show_bug.cgi?id=179744
2796
2797         Reviewed by Michael Catanzaro.
2798
2799         This test uses too much memory for our buildbots on these platforms
2800         and gets OOM-killed.
2801
2802         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2803         Skip if $memoryLimited and linux.
2804
2805 2017-11-17  JF Bastien  <jfbastien@apple.com>
2806
2807         WebAssembly JS API: throw when a promise can't be created
2808         https://bugs.webkit.org/show_bug.cgi?id=179826
2809         <rdar://problem/35455813>
2810
2811         Reviewed by Mark Lam.
2812
2813         Test WebAssembly.{compile,instantiate} where promise creation
2814         fails because of a stack overflow.
2815
2816         * wasm/js-api/promise-stack-overflow.js: Added.
2817         (const.runNearStackLimit.f.const.t):
2818         (async.testCompile):
2819         (async.testInstantiate):
2820
2821 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2822
2823         Unreviewed, mark regress-178385.js as memory exhausting
2824
2825         * stress/regress-178385.js:
2826
2827 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2828
2829         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2830
2831         Unreviewed test gardening.
2832
2833         * test262.yaml:
2834
2835 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2836
2837         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2838         https://bugs.webkit.org/show_bug.cgi?id=179763
2839         <rdar://problem/35550513>
2840
2841         Reviewed by Keith Miller.
2842
2843         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2844
2845         * stress/tdz-this-in-try-catch.js: Added.
2846         (__v_6388):
2847         (__v_6392):
2848
2849 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2850
2851         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2852         https://bugs.webkit.org/show_bug.cgi?id=179594
2853
2854         Reviewed by Saam Barati.
2855
2856         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2857         (shouldBe):
2858         (args):
2859         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2860         (shouldBe):
2861         (args):
2862
2863 2017-11-14  Saam Barati  <sbarati@apple.com>
2864
2865         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2866         https://bugs.webkit.org/show_bug.cgi?id=179639
2867         <rdar://problem/35513018>
2868
2869         Reviewed by JF Bastien.
2870
2871         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2872         (escape):
2873         (i.func):
2874
2875 2017-11-13  Mark Lam  <mark.lam@apple.com>
2876
2877         Add more overflow check book-keeping for MarkedArgumentBuffer.
2878         https://bugs.webkit.org/show_bug.cgi?id=179634
2879         <rdar://problem/35492517>
2880
2881         Reviewed by Saam Barati.
2882
2883         * stress/regress-179634.js: Added.
2884
2885 2017-11-13  Mark Lam  <mark.lam@apple.com>
2886
2887         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2888         https://bugs.webkit.org/show_bug.cgi?id=179619
2889         <rdar://problem/35492518>
2890
2891         Reviewed by Saam Barati.
2892
2893         * stress/regress-179619.js: Added.
2894
2895 2017-11-12  Mark Lam  <mark.lam@apple.com>
2896
2897         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2898         https://bugs.webkit.org/show_bug.cgi?id=179562
2899         <rdar://problem/35467022>
2900
2901         Reviewed by Saam Barati.
2902
2903         * regress-179562.js: Added.
2904
2905 2017-11-08  Saam Barati  <sbarati@apple.com>
2906
2907         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2908         https://bugs.webkit.org/show_bug.cgi?id=177792
2909
2910         Reviewed by Yusuke Suzuki.
2911
2912         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2913         (assert):
2914         (foo.Foo.prototype.ensureX):
2915         (foo.Foo):
2916         (foo):
2917         (access):
2918
2919 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2920
2921         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2922         https://bugs.webkit.org/show_bug.cgi?id=178592
2923
2924         Unreviewed test gardening.
2925
2926         * test262.yaml:
2927
2928 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2929
2930         Turn recursive tail calls into loops
2931         https://bugs.webkit.org/show_bug.cgi?id=176601
2932
2933         Reviewed by Saam Barati.
2934
2935         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2936
2937         Add some simple tests that compute factorial in several ways, and other trivial computations.
2938         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2939         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2940         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2941         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2942
2943         * stress/inline-call-to-recursive-tail-call.js: Added.
2944         (factorial.aux):
2945         (factorial):
2946         (factorial2.aux2):
2947         (factorial2.id):
2948         (factorial2):
2949         (factorial3.aux3):
2950         (factorial3):
2951         (aux4):
2952         (factorial4):
2953         (foo):
2954         (auxBar):
2955         (bar):
2956         (test):
2957
2958 2017-11-07  Mark Lam  <mark.lam@apple.com>
2959
2960         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2961         https://bugs.webkit.org/show_bug.cgi?id=179355
2962         <rdar://problem/35263053>
2963
2964         Reviewed by Saam Barati.
2965
2966         * stress/regress-179355.js: Added.
2967
2968 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2969
2970         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2971         https://bugs.webkit.org/show_bug.cgi?id=144458
2972
2973         Reviewed by Saam Barati.
2974
2975         * microbenchmarks/dfg-internal-function-call.js: Added.
2976         (target):
2977         * microbenchmarks/dfg-internal-function-construct.js: Added.
2978         (target):
2979         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2980         (target):
2981         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2982         (target):
2983         * stress/dfg-internal-function-call.js: Added.
2984         (shouldBe):
2985         (target):
2986         * stress/dfg-internal-function-construct.js: Added.
2987         (shouldBe):
2988         (target):
2989         * stress/internal-function-call.js: Added.
2990         (shouldBe):
2991         * stress/internal-function-construct.js: Added.
2992         (shouldBe):
2993
2994 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2995
2996         [Win] Skip stress/regress-178385.js.
2997         https://bugs.webkit.org/show_bug.cgi?id=179298
2998
2999         Unreviewed test gardening.
3000
3001         * stress/regress-178385.js:
3002
3003 2017-11-03  Keith Miller  <keith_miller@apple.com>
3004
3005         Add test for ic with side effects
3006         https://bugs.webkit.org/show_bug.cgi?id=179268
3007
3008         Reviewed by Saam Barati.
3009
3010         * stress/put-inline-cache-side-effects.js: Added.
3011         (let.i.of.objs.keys):
3012         (f):
3013
3014 2017-11-03  Mark Lam  <mark.lam@apple.com>
3015
3016         CachedCall (and its clients) needs overflow checks.
3017         https://bugs.webkit.org/show_bug.cgi?id=179185
3018
3019         Reviewed by JF Bastien.
3020
3021         * stress/regress-179185.js: Added.
3022
3023 2017-11-02  Michael Saboff  <msaboff@apple.com>
3024
3025         DFG needs to handle code motion of code in for..in loop bodies
3026         https://bugs.webkit.org/show_bug.cgi?id=179212
3027
3028         Reviewed by Keith Miller.
3029
3030         New regression test.
3031
3032         * stress/for-in-side-effects.js: Added.
3033         (getPrototypeOf):
3034         (reset):
3035         (testWithoutFTL.f):
3036         (testWithoutFTL):
3037         (testWithFTL.f):
3038         (testWithFTL):
3039
3040 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3041
3042         AI does not correctly model the clobber case of ArithClz32
3043         https://bugs.webkit.org/show_bug.cgi?id=179188
3044
3045         Reviewed by Michael Saboff.
3046
3047         * stress/arith-clz32-effects.js: Added.
3048         (foo):
3049         (valueOf):
3050
3051 2017-11-01  Michael Saboff  <msaboff@apple.com>
3052
3053         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3054         https://bugs.webkit.org/show_bug.cgi?id=179140
3055
3056         Reviewed by Saam Barati.
3057
3058         New regression test.
3059
3060         * stress/regress-179140.js: Added.
3061         (testWithoutFTL):
3062         (testWithFTL):
3063
3064 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3065
3066         [JSC] Introduce @toObject
3067         https://bugs.webkit.org/show_bug.cgi?id=178726
3068
3069         Reviewed by Saam Barati.
3070
3071         * stress/array-copywithin.js:
3072         (shouldThrow):
3073         * stress/object-constructor-boolean-edge.js: Added.
3074         (shouldBe):
3075         (test):
3076         * stress/object-constructor-global.js: Added.
3077         (shouldBe):
3078         * stress/object-constructor-null-edge.js: Added.
3079         (shouldBe):
3080         (test):
3081         * stress/object-constructor-number-edge.js: Added.
3082         (shouldBe):
3083         (test):
3084         * stress/object-constructor-object-edge.js: Added.
3085         (shouldBe):
3086         (test):
3087         (i.arg):
3088         * stress/object-constructor-string-edge.js: Added.
3089         (shouldBe):
3090         (test):
3091         * stress/object-constructor-symbol-edge.js: Added.
3092         (shouldBe):
3093         (test):
3094         * stress/object-constructor-undefined-edge.js: Added.
3095         (shouldBe):
3096         (test):
3097         * stress/symbol-array-from.js: Added.
3098         (shouldBe):
3099         * stress/to-object-intrinsic-boolean-edge.js: Added.
3100         (shouldBe):
3101         (builtin.createBuiltin):
3102         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3103         (shouldThrow):
3104         * stress/to-object-intrinsic-number-edge.js: Added.
3105         (shouldBe):
3106         (builtin.createBuiltin):
3107         * stress/to-object-intrinsic-object-edge.js: Added.
3108         (shouldBe):
3109         (builtin.createBuiltin):
3110         (i.arg):
3111         * stress/to-object-intrinsic-string-edge.js: Added.
3112         (shouldBe):
3113         (builtin.createBuiltin):
3114         * stress/to-object-intrinsic-symbol-edge.js: Added.
3115         (shouldBe):
3116         (builtin.createBuiltin):
3117         * stress/to-object-intrinsic.js: Added.
3118         (shouldBe):
3119         (shouldThrow):
3120         (builtin.createBuiltin):
3121
3122 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3123
3124         [DFG][FTL] Introduce StringSlice
3125         https://bugs.webkit.org/show_bug.cgi?id=178934
3126
3127         Reviewed by Saam Barati.
3128
3129         * microbenchmarks/string-slice-empty.js: Added.
3130         (slice):
3131         * microbenchmarks/string-slice-one-char.js: Added.
3132         (slice):
3133         * microbenchmarks/string-slice.js: Added.
3134         (slice):
3135
3136 2017-10-26  Michael Saboff  <msaboff@apple.com>
3137
3138         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3139         https://bugs.webkit.org/show_bug.cgi?id=178890
3140
3141         Reviewed by Keith Miller.
3142
3143         New regression test.
3144
3145         * stress/regress-178890.js: Added.
3146
3147 2017-10-26  Mark Lam  <mark.lam@apple.com>
3148
3149         JSRopeString::RopeBuilder::append() should check for overflows.
3150         https://bugs.webkit.org/show_bug.cgi?id=178385
3151         <rdar://problem/35027468>
3152
3153         Reviewed by Saam Barati.
3154
3155         * stress/regress-178385.js: Added.
3156
3157 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3158
3159         Unreviewed, rolling out r223961.
3160
3161         The change that required this has been rolled out.
3162
3163         Reverted changeset:
3164
3165         "Mark test262.yaml/test262/test/language/statements/try/tco-
3166         catch.js as passing."
3167         https://bugs.webkit.org/show_bug.cgi?id=178592
3168         https://trac.webkit.org/changeset/223961
3169
3170 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3171
3172         Unreviewed, rolling out r223691 and r223729.
3173         https://bugs.webkit.org/show_bug.cgi?id=178834
3174
3175         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3176         by rniwa on #webkit).
3177
3178         Reverted changesets:
3179
3180         "Turn recursive tail calls into loops"
3181         https://bugs.webkit.org/show_bug.cgi?id=176601
3182         https://trac.webkit.org/changeset/223691
3183
3184         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3185         comparison is always false due to limited range of data type
3186         [-Wtype-limits]"
3187         https://bugs.webkit.org/show_bug.cgi?id=178543
3188         https://trac.webkit.org/changeset/223729
3189
3190 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3191
3192         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3193         https://bugs.webkit.org/show_bug.cgi?id=178592
3194
3195         Unreviewed test gardening.
3196
3197         * test262.yaml:
3198
3199 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3200
3201         [FTL] Support NewStringObject
3202         https://bugs.webkit.org/show_bug.cgi?id=178737
3203
3204         Reviewed by Saam Barati.
3205
3206         * stress/new-string-object.js: Added.
3207         (shouldBe):
3208         (test):
3209
3210 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3211
3212         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3213         https://bugs.webkit.org/show_bug.cgi?id=178308
3214
3215         Reviewed by Mark Lam.
3216
3217         * test262.yaml:
3218
3219 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3220
3221         [JSC] Use fastJoin in Array#toString
3222         https://bugs.webkit.org/show_bug.cgi?id=178062
3223
3224         Reviewed by Darin Adler.
3225
3226         * microbenchmarks/contiguous-array-to-string.js: Added.
3227         (target):
3228         * microbenchmarks/double-array-to-string.js: Added.
3229         (target):
3230         * microbenchmarks/int32-array-to-string.js: Added.
3231         (target):
3232
3233 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3234
3235         stress/check-string-ident.js is improperly skipped
3236         https://bugs.webkit.org/show_bug.cgi?id=178642
3237
3238         Reviewed by Saam Barati.
3239
3240         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3241         since it enforces the run-jsc-stress-tests script to still set up the
3242         test to run, despite the skip directive that's used before.
3243
3244 2017-10-20  Mark Lam  <mark.lam@apple.com>
3245
3246         Add a test case for r214334.
3247         https://bugs.webkit.org/show_bug.cgi?id=169941
3248         <rdar://problem/31221258>
3249
3250         Reviewed by JF Bastien.
3251
3252         * stress/regress-169941.js: Added.
3253
3254 2017-10-19  JF Bastien  <jfbastien@apple.com>
3255
3256         WebAssembly: no VM / JS version of everything but Instance
3257         https://bugs.webkit.org/show_bug.cgi?id=177473
3258
3259         Reviewed by Filip Pizlo, Saam Barati.
3260
3261         - Exceeding max on memory growth now returns a range error as per
3262         spec. This is a (very minor) breaking change: it used to throw OOM
3263         error. Update the corresponding test.
3264
3265         * wasm/js-api/memory-grow.js:
3266         (assertEq):
3267         * wasm/js-api/table.js:
3268         (assert.throws):
3269
3270 2017-10-19  Mark Lam  <mark.lam@apple.com>
3271
3272         Stringifier::appendStringifiedValue() is missing an exception check.
3273         https://bugs.webkit.org/show_bug.cgi?id=178386
3274         <rdar://problem/35027610>
3275
3276         Reviewed by Saam Barati.
3277
3278         * stress/regress-178386.js: Added.
3279
3280 2017-10-19  Michael Saboff  <msaboff@apple.com>
3281
3282         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3283         https://bugs.webkit.org/show_bug.cgi?id=178521
3284
3285         Reviewed by JF Bastien.
3286
3287         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3288         now passes with the current version (5.0) of the Emoji spec.
3289
3290 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3291
3292         Turn recursive tail calls into loops
3293         https://bugs.webkit.org/show_bug.cgi?id=176601
3294
3295         Reviewed by Saam Barati.
3296
3297         Add some simple tests that compute factorial in several ways, and other trivial computations.
3298         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
3299         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3300         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3301         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3302
3303         * stress/inline-call-to-recursive-tail-call.js: Added.
3304         (factorial.aux):
3305         (factorial):
3306         (factorial2.aux):
3307         (factorial2.id):
3308         (factorial2):
3309         (factorial3.aux):
3310         (factorial3):
3311         (aux):
3312         (factorial4):
3313         (test):
3314
3315 2017-10-18  Mark Lam  <mark.lam@apple.com>
3316
3317         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3318         https://bugs.webkit.org/show_bug.cgi?id=177600
3319         <rdar://problem/34710985>
3320
3321         Reviewed by Saam Barati.
3322
3323         * stress/regress-177600.js: Added.
3324
3325 2017-10-18  Mark Lam  <mark.lam@apple.com>
3326
3327         The compiler should always register a structure when it adds its transitionWatchPointSet.
3328         https://bugs.webkit.org/show_bug.cgi?id=178420
3329         <rdar://problem/34814024>
3330
3331         Reviewed by Saam Barati and Filip Pizlo.
3332
3333         * stress/regress-178420.js: Added.
3334         (new.Array.10000.map):
3335
3336 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3337
3338         [JSC] __proto__ getter should be fast
3339         https://bugs.webkit.org/show_bug.cgi?id=178067
3340
3341         Reviewed by Saam Barati.
3342
3343         * stress/dfg-object-proto-accessor.js: Added.
3344         (shouldBe):
3345         (shouldThrow):
3346         (target):
3347         * stress/dfg-object-proto-getter.js: Added.
3348         (shouldBe):
3349         (shouldThrow):
3350         (target):
3351         * stress/dfg-object-prototype-of.js: Added.
3352         (shouldBe):
3353         (shouldThrow):
3354         (target):
3355         * stress/dfg-reflect-get-prototype-of.js: Added.
3356         (shouldBe):
3357         (shouldThrow):
3358         (target):
3359         * stress/intrinsic-getter-with-poly-proto.js: Added.
3360         (shouldBe):
3361         (makePolyProtoObject.foo.C):
3362         (makePolyProtoObject.foo):
3363         (makePolyProtoObject):
3364         (target):
3365         * stress/object-get-prototype-of-filtered.js: Added.
3366         (shouldBe):
3367         (shouldThrow):
3368         (target):
3369         (i.Cocoa):
3370         * stress/object-get-prototype-of-mono-proto.js: Added.
3371         (shouldBe):
3372         (makePolyProtoObject.foo.C):
3373         (makePolyProtoObject.foo):
3374         (makePolyProtoObject):
3375         (target):
3376         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3377         (shouldBe):
3378         (makePolyProtoObject.foo.C):
3379         (makePolyProtoObject.foo):
3380         (makePolyProtoObject):
3381         (target):
3382         * stress/object-get-prototype-of-poly-proto.js: Added.
3383         (shouldBe):
3384         (makePolyProtoObject.foo.C):
3385         (makePolyProtoObject.foo):
3386         (makePolyProtoObject):
3387         (target):
3388         * stress/object-proto-getter-filtered.js: Added.
3389         (shouldBe):
3390         (shouldThrow):
3391         (target):
3392         (i.Cocoa):
3393         * stress/object-proto-getter-poly-mono-proto.js: Added.
3394         (shouldBe):
3395         (makePolyProtoObject.foo.C):
3396         (makePolyProtoObject.foo):
3397         (makePolyProtoObject):
3398         (target):
3399         * stress/object-proto-getter-poly-proto.js: Added.
3400         (shouldBe):
3401         (makePolyProtoObject.foo.C):
3402         (makePolyProtoObject.foo):
3403         (makePolyProtoObject):
3404         (target):
3405         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3406         * stress/string-proto.js: Added.
3407         (shouldBe):
3408         (target):
3409
3410 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3411
3412         Unreviewed, rolling out r223523.
3413
3414         A test for this change is failing on debug JSC bots.
3415
3416         Reverted changeset:
3417
3418         "[JSC] __proto__ getter should be fast"
3419         https://bugs.webkit.org/show_bug.cgi?id=178067
3420         https://trac.webkit.org/changeset/223523
3421
3422 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3423
3424         [JSC] __proto__ getter should be fast
3425         https://bugs.webkit.org/show_bug.cgi?id=178067
3426
3427         Reviewed by Saam Barati.
3428
3429         * stress/dfg-object-proto-accessor.js: Added.
3430         (shouldBe):
3431         (shouldThrow):
3432         (target):
3433         * stress/dfg-object-proto-getter.js: Added.
3434         (shouldBe):
3435         (shouldThrow):
3436         (target):
3437         * stress/dfg-object-prototype-of.js: Added.
3438         (shouldBe):
3439         (shouldThrow):
3440         (target):
3441         * stress/dfg-reflect-get-prototype-of.js: Added.
3442         (shouldBe):
3443         (shouldThrow):
3444         (target):
3445         * stress/object-get-prototype-of-filtered.js: Added.
3446         (shouldBe):
3447         (shouldThrow):
3448         (target):
3449         (i.Cocoa):
3450         * stress/object-get-prototype-of-mono-proto.js: Added.
3451         (shouldBe):
3452         (makePolyProtoObject.foo.C):
3453         (makePolyProtoObject.foo):
3454         (makePolyProtoObject):
3455         (target):
3456         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3457         (shouldBe):
3458         (makePolyProtoObject.foo.C):
3459         (makePolyProtoObject.foo):
3460         (makePolyProtoObject):
3461         (target):
3462         * stress/object-get-prototype-of-poly-proto.js: Added.
3463         (shouldBe):
3464         (makePolyProtoObject.foo.C):
3465         (makePolyProtoObject.foo):
3466         (makePolyProtoObject):
3467         (target):
3468         * stress/object-proto-getter-filtered.js: Added.
3469         (shouldBe):
3470         (shouldThrow):
3471         (target):
3472         (i.Cocoa):
3473         * stress/object-proto-getter-poly-mono-proto.js: Added.
3474         (shouldBe):
3475         (makePolyProtoObject.foo.C):
3476         (makePolyProtoObject.foo):
3477         (makePolyProtoObject):
3478         (target):
3479         * stress/object-proto-getter-poly-proto.js: Added.
3480         (shouldBe):
3481         (makePolyProtoObject.foo.C):
3482         (makePolyProtoObject.foo):
3483         (makePolyProtoObject):
3484         (target):
3485         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3486         * stress/string-proto.js: Added.
3487         (shouldBe):
3488         (target):
3489
3490 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3491
3492         Reland "Add Above/Below comparisons for UInt32 patterns"
3493         https://bugs.webkit.org/show_bug.cgi?id=177281
3494
3495         Reviewed by Saam Barati.
3496
3497         * stress/uint32-comparison-jump.js: Added.
3498         (shouldBe):
3499         (above):
3500         (aboveOrEqual):
3501         (below):
3502         (belowOrEqual):
3503         (notAbove):
3504         (notAboveOrEqual):
3505         (notBelow):
3506         (notBelowOrEqual):
3507         * stress/uint32-comparison.js: Added.
3508         (shouldBe):
3509         (above):
3510         (aboveOrEqual):
3511         (below):
3512         (belowOrEqual):
3513         (aboveTest):
3514         (aboveOrEqualTest):
3515         (belowTest):
3516         (belowOrEqualTest):
3517
3518 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3519
3520         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3521         https://bugs.webkit.org/show_bug.cgi?id=178210
3522
3523         Reviewed by Saam Barati.
3524
3525         * wasm/function-tests/trap-from-start-async.js:
3526         (async.StartTrapsAsync):
3527         * wasm/function-tests/trap-from-start.js:
3528         (StartTraps):
3529         * wasm/js-api/web-assembly-function.js:
3530         (assert.eq.Object.getPrototypeOf):
3531         * wasm/js-api/wrapper-function.js:
3532         (return.new.WebAssembly.Module):
3533         (assert.throws.makeInstance): Deleted.
3534         (assert.throws.Bar): Deleted.
3535         (assert.throws): Deleted.
3536
3537 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3538
3539         Enable gigacage on iOS
3540         https://bugs.webkit.org/show_bug.cgi?id=177586
3541
3542         Reviewed by JF Bastien.
3543         
3544         Add tests for when Gigacage gets runtime disabled.
3545
3546         * stress/disable-gigacage-arrays.js: Added.
3547         (foo):
3548         * stress/disable-gigacage-strings.js: Added.
3549         (foo):
3550         * stress/disable-gigacage-typed-arrays.js: Added.
3551         (foo):
3552
3553 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3554
3555         import.meta should not be assignable
3556         https://bugs.webkit.org/show_bug.cgi?id=178202
3557
3558         Reviewed by Saam Barati.
3559
3560         * modules/import-meta-assignment.js: Added.
3561         (shouldThrow):
3562         (SyntaxError.import.meta.can.shouldThrow):
3563
3564 2017-10-11  Saam Barati  <sbarati@apple.com>
3565
3566         Unreviewed. Actually skip certain type profiler tests in debug.
3567
3568         * typeProfiler.yaml:
3569         * typeProfiler/deltablue-for-of.js:
3570         * typeProfiler/getter-richards.js:
3571
3572 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3573
3574         Unreviewed, rolling out r223113 and r223121.
3575         https://bugs.webkit.org/show_bug.cgi?id=178182
3576
3577         Reintroduced 20% regression on Kraken (Requested by rniwa on
3578         #webkit).
3579
3580         Reverted changesets:
3581
3582         "Enable gigacage on iOS"
3583         https://bugs.webkit.org/show_bug.cgi?id=177586
3584         https://trac.webkit.org/changeset/223113
3585
3586         "Use one virtual allocation for all gigacages and their
3587         runways"
3588         https://bugs.webkit.org/show_bug.cgi?id=178050
3589         https://trac.webkit.org/changeset/223121
3590
3591 2017-10-11  Michael Saboff  <msaboff@apple.com>
3592
3593         Disable test262 named capture group tests with direct unicode names and with references before definitions
3594         https://bugs.webkit.org/show_bug.cgi?id=178177
3595
3596         Reviewed by Keith Miller.
3597
3598         Bugs to track fixing these tests are:
3599         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3600             "Add support in named capture group identifiers for direct surrogate pairs"
3601         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3602             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3603
3604         * test262.yaml:
3605
3606 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3607
3608         Object properties are undefined in super.call() but not in this.call()
3609         https://bugs.webkit.org/show_bug.cgi?id=177230
3610
3611         Reviewed by Saam Barati.
3612
3613         * stress/super-call-function-subclass.js: Added.
3614         (assert):
3615         (A.prototype.t):
3616         (A):
3617         * stress/super-dot-call-and-apply.js: Added.
3618         (assert):
3619         (A):
3620         (A.prototype.call):
3621         (A.prototype.apply):
3622         (B.prototype.testSuper):
3623         (B):
3624         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3625         (D.prototype.testSuper):
3626         (D):
3627
3628 2017-10-10  Saam Barati  <sbarati@apple.com>
3629
3630         The prototype cache should be aware of the Executable it generates a Structure for
3631         https://bugs.webkit.org/show_bug.cgi?id=177907
3632
3633         Reviewed by Filip Pizlo.
3634
3635         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3636         (assert):
3637         (foo.C):
3638         (foo):
3639         (bar.C):
3640         (bar):
3641         (access):
3642         (makeLongChain):
3643         (accessY):
3644
3645 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3646
3647         `async` should be able to be used as an imported binding name
3648         https://bugs.webkit.org/show_bug.cgi?id=176573
3649
3650         Reviewed by Saam Barati.
3651
3652         * modules/import-default-async.js: Added.
3653         * modules/import-named-async-as.js: Added.
3654         * modules/import-named-async.js: Added.
3655         * modules/import-named-async/target.js: Added.
3656         * modules/import-namespace-async.js: Added.
3657         * test262.yaml:
3658
3659 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3660
3661         Enable gigacage on iOS
3662         https://bugs.webkit.org/show_bug.cgi?id=177586
3663
3664         Reviewed by JF Bastien.
3665         
3666         Add tests for when Gigacage gets runtime disabled.
3667
3668         * stress/disable-gigacage-arrays.js: Added.
3669         (foo):
3670         * stress/disable-gigacage-strings.js: Added.
3671         (foo):
3672         * stress/disable-gigacage-typed-arrays.js: Added.
3673         (foo):
3674
3675 2017-10-09  Michael Saboff  <msaboff@apple.com>
3676
3677         Implement RegExp Unicode property escapes
3678         https://bugs.webkit.org/show_bug.cgi?id=172069
3679
3680         Reviewed by JF Bastien.
3681
3682         Enabled Unicode Property tests.
3683
3684         * test262.yaml:
3685
3686 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3687
3688         Unreviewed, rolling out r223015 and r223025.
3689         https://bugs.webkit.org/show_bug.cgi?id=178093
3690
3691         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3692         #webkit).
3693
3694         Reverted changesets:
3695
3696         "Enable gigacage on iOS"
3697         https://bugs.webkit.org/show_bug.cgi?id=177586
3698         http://trac.webkit.org/changeset/223015
3699
3700         "Unreviewed, disable Gigacage on ARM64 Linux"
3701         https://bugs.webkit.org/show_bug.cgi?id=177586
3702         http://trac.webkit.org/changeset/223025
3703
3704 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3705
3706         Update expectations for test262 tests that pass after r223043.
3707         https://bugs.webkit.org/show_bug.cgi?id=176685
3708
3709         Unreviewed test gardening.
3710
3711         * test262.yaml:
3712
3713 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3714
3715         Unreviewed, rolling out r223022.
3716
3717         This change introduced 18 test262 failures.
3718
3719         Reverted changeset:
3720
3721         "`async` should be able to be used as an imported binding
3722         name"
3723         https://bugs.webkit.org/show_bug.cgi?id=176573
3724         http://trac.webkit.org/changeset/223022
3725
3726 2017-10-09  Saam Barati  <sbarati@apple.com>
3727
3728         3 poly-proto JSC tests timing out on debug after r222827
3729         https://bugs.webkit.org/show_bug.cgi?id=177880
3730         <rdar://problem/34817122>
3731
3732         Unreviewed.
3733
3734         I'm skipping these type profiler tests on debug since they are long running.
3735
3736         * typeProfiler/deltablue-for-of.js:
3737         * typeProfiler/getter-richards.js:
3738
3739 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3740
3741         Safari 10 /11 problem with if (!await get(something)).
3742         https://bugs.webkit.org/show_bug.cgi?id=176685
3743
3744         Reviewed by Saam Barati.
3745
3746         * stress/async-await-basic.js:
3747         (awaitEpression.async):
3748         * stress/async-await-syntax.js:
3749         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3750         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3751
3752 2017-10-08  Saam Barati  <sbarati@apple.com>
3753
3754         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3755
3756         * typeProfiler/deltablue-for-of.js:
3757         * typeProfiler/getter-richards.js:
3758
3759 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3760
3761         `async` should be able to be used as an imported binding name
3762         https://bugs.webkit.org/show_bug.cgi?id=176573
3763
3764         Reviewed by Darin Adler.
3765
3766         * modules/import-default-async.js: Added.
3767         * modules/import-named-async-as.js: Added.
3768         * modules/import-named-async.js: Added.
3769         * modules/import-named-async/target.js: Added.
3770         * modules/import-namespace-async.js: Added.
3771
3772 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3773
3774         Enable gigacage on iOS
3775         https://bugs.webkit.org/show_bug.cgi?id=177586
3776
3777         Reviewed by JF Bastien.
3778         
3779         Add tests for when Gigacage gets runtime disabled.
3780
3781         * stress/disable-gigacage-arrays.js: Added.
3782         (foo):
3783         * stress/disable-gigacage-strings.js: Added.
3784         (foo):
3785         * stress/disable-gigacage-typed-arrays.js: Added.
3786         (foo):
3787
3788 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3789
3790         Unreviewed, rolling out r222791 and r222873.
3791         https://bugs.webkit.org/show_bug.cgi?id=178031
3792
3793         Caused crashes with workers/wasm LayoutTests (Requested by
3794         ryanhaddad on #webkit).
3795
3796         Reverted changesets:
3797
3798         "WebAssembly: no VM / JS version of everything but Instance"
3799         https://bugs.webkit.org/show_bug.cgi?id=177473
3800         http://trac.webkit.org/changeset/222791
3801
3802         "WebAssembly: address no VM / JS follow-ups"
3803         https://bugs.webkit.org/show_bug.cgi?id=177887
3804         http://trac.webkit.org/changeset/222873
3805
3806 2017-10-05  Saam Barati  <sbarati@apple.com>
3807
3808         Make sure all prototypes under poly proto get added into the VM's prototype map
3809         https://bugs.webkit.org/show_bug.cgi?id=177909
3810
3811         Reviewed by Keith Miller.
3812
3813         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3814         (assert):
3815         (foo.C):
3816         (foo):
3817         (set x):
3818
3819 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3820
3821         [JSC] Introduce import.meta
3822         https://bugs.webkit.org/show_bug.cgi?id=177703
3823
3824         Reviewed by Filip Pizlo.
3825
3826         * modules/import-meta-syntax.js: Added.
3827         (shouldThrow):
3828         (shouldNotThrow):
3829         * modules/import-meta.js: Added.
3830         * modules/import-meta/cocoa.js: Added.
3831         * modules/resources/assert.js:
3832         (export.shouldNotThrow):
3833         * stress/import-syntax.js:
3834
3835 2017-10-04  Saam Barati  <sbarati@apple.com>
3836
3837         Make pertinent AccessCases watch the poly proto watchpoint
3838         https://bugs.webkit.org/show_bug.cgi?id=177765
3839
3840         Reviewed by Keith Miller.
3841
3842         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3843         (assert):
3844         (foo.C):
3845         (foo):
3846         (validate):
3847         * stress/poly-proto-clear-stub.js: Added.
3848         (assert):
3849         (foo.C):
3850         (foo):
3851
3852 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3853
3854         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3855
3856         Unreviewed test gardening.
3857
3858         * test262.yaml:
3859
3860 2017-10-04  Saam Barati  <sbarati@apple.com>
3861
3862         3 poly-proto JSC tests timing out on debug after r222827
3863         https://bugs.webkit.org/show_bug.cgi?id=177880
3864
3865         Rubber stamped by Mark Lam.
3866
3867         * microbenchmarks/poly-proto-access.js:
3868         * typeProfiler/deltablue-for-of.js:
3869         * typeProfiler/getter-richards.js:
3870
3871 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3872
3873         Unreviewed, marking tco-catch.js as a failure after test262 update
3874         https://bugs.webkit.org/show_bug.cgi?id=177859
3875
3876         * test262.yaml:
3877
3878 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3879
3880         Unreviewed, marking one async iterator test262 test failed
3881         https://bugs.webkit.org/show_bug.cgi?id=177859
3882
3883         * test262.yaml:
3884
3885 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3886
3887         [Test262] Update Test262 to Oct 4 version
3888         https://bugs.webkit.org/show_bug.cgi?id=177859
3889
3890         Reviewed by Sam Weinig.
3891
3892         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3893         we no longer need to mark it skip/fail. Also this update includes a bunch of BigInt tests.
3894
3895         * test262.yaml:
3896         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3897         (checkSequence):
3898         * test262/harness/typeCoercion.js:
3899         (testCoercibleToIndexZero):
3900         (testCoercibleToIndexOne):
3901         (testCoercibleToIndexFromIndex):
3902         (testNotCoercibleToIndex.testPrimitiveValue):
3903         (testNotCoercibleToInteger):
3904         (testCoercibleToBigIntZero.testPrimitiveValue):
3905         (testCoercibleToBigIntZero):
3906         (testCoercibleToBigIntOne.testPrimitiveValue):
3907         (testCoercibleToBigIntOne):
3908         (testPrimitiveValue):
3909         (testCoercibleToBigIntFromBigInt):
3910         (testNotCoercibleToBigInt.testPrimitiveValue):
3911         (testNotCoercibleToBigInt.testStringValue):
3912         (testNotCoercibleToBigInt):
3913         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3914         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3915         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3916         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3917         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3918         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3919         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3920         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3921         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3922         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3923         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3924         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3925         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3926         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3927         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3928         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3929         (testCoercibleToBigIntZero):
3930         (testCoercibleToBigIntOne):
3931         (testNotCoercibleToBigInt):
3932         (MyError): Deleted.
3933         (valueOf): Deleted.
3934         (toString): Deleted.
3935         (Symbol.toPrimitive): Deleted.
3936         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3937         (testCoercibleToIndexZero):
3938         (testCoercibleToIndexOne):
3939         (testNotCoercibleToIndex):
3940         (MyError): Deleted.
3941         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3942         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3943         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3944         (BigInt.asIntN.valueOf): Deleted.
3945         (BigInt.asIntN.toString): Deleted.
3946         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3947         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3948         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3949         (testCoercibleToBigIntZero):
3950         (testCoercibleToBigIntOne):
3951         (testNotCoercibleToBigInt):
3952         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3953         (testCoercibleToIndexZero):
3954         (testCoercibleToIndexOne):
3955         (testNotCoercibleToIndex):
3956         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3957         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3958         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3959         (bits.valueOf):
3960         (bigint.valueOf):
3961         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3962         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3963         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3964         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3965         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3966         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3967         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3968         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3969         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3970         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3971         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3972         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3973         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3974         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3975         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3976         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3977         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3978         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3979         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3980         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3981         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3982         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3983         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3984         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3985         (replacer):
3986         (BigInt.prototype.toJSON):
3987         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3988         (replacer):
3989         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3990         (BigInt.prototype.toJSON):
3991         * test262/test/built-ins/JSON/stringify/bigint.js:
3992         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3993         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3994         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3995         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3996         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3997         * test262/test/built-ins/Object/proto-from-ctor.js:
3998         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3999         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4000         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4001         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4002         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4003         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4004         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4005         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4006         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4007         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4008         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4009         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4010         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4011         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4012         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4013         * test262/test/built-ins/Proxy/get-fn-realm.js:
4014         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4015         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4016         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4017         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4018         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4019         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4020         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4021         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4022         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4023         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4024         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4025         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4026         (i6.replace):
4027         (i6b.replace):
4028         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4029         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4030         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4031         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4032         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4033         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4034         * test262/test/built-ins/RegExp/u180e.js: Added.
4035         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4036         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4037         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4038         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4039         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4040         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4041         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4042         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4043         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4044         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4045         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4046         * test262/test/built-ins/String/prototype/endsWith/length.js:
4047         * test262/test/built-ins/String/prototype/endsWith/name.js:
4048         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4049         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4050         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4051         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4052         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4053         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4054         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4055         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4056         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4057         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4058         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4059         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4060         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4061         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4062         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4063         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4064         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4065         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4066         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4067         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4068         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4069         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4070         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4071         * test262/test/built-ins/String/prototype/includes/includes.js:
4072         * test262/test/built-ins/String/prototype/includes/length.js:
4073         * test262/test/built-ins/String/prototype/includes/name.js:
4074         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4075         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4076         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4077         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4078         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4079         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4080         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4081         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4082         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4083         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4084         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4085         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4086         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4087         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4088         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4089         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4090         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4091         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4092         * test262/test/built-ins/String/prototype/trim/u180e.js:
4093         * test262/test/built-ins/Symbol/for/cross-realm.js:
4094         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4095         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4096         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4097         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4098         * test262/test/built-ins/Symbol/match/cross-realm.js:
4099         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4100         * test262/test/built-ins/Symbol/search/cross-realm.js:
4101         * test262/test/built-ins/Symbol/species/cross-realm.js:
4102         * test262/test/built-ins/Symbol/split/cross-realm.js:
4103         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4104         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4105         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4106         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4107         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4108         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4109         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4110         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4111         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4112         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4113         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4114         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4115         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4116         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4117         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4118         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4119         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4120         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4121         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4122         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4123         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4124         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4125         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4126         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4127         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4128         * test262/test/language/eval-code/indirect/realm.js:
4129         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4130         (o.get z):
4131         (o.get a):
4132         * test262/test/language/expressions/call/eval-realm-indirect.js:
4133         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4134         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4135         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4136         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4137         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4138         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4139         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4140         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4141         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4142         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4143         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4144         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4145         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4146         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4147         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4148         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4149         * test262/test/language/expressions/less-than/bigint-and-number.js:
4150         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4151         * test262/test/language/expressions/super/realm.js:
4152         * test262/test/language/expressions/tagged-template/cache-realm.js:
4153         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
4154         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
4155         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
4156         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
4157         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
4158         * test262/test/language/literals/string/mongolian-vowel-separator.js:
4159         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
4160         (o.get z):
4161         (o.get a):
4162         * test262/test/language/statements/for-of/iterator-next-reference.js:
4163         (next):
4164         (iterator.next): Deleted.
4165         (x.of.iterable.): Deleted.
4166         (x.of.iterable.get return): Deleted.
4167         (x.of.iterable.iterator.next): Deleted.
4168         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
4169         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
4170         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
4171         * test262/test/language/white-space/mongolian-vowel-separator.js:
4172         * test262/test262-Revision.txt:
4173
4174 2017-10-03  Saam Barati  <sbarati@apple.com>
4175
4176         Implement polymorphic prototypes
4177         https://bugs.webkit.org/show_bug.cgi?id=176391
4178
4179         Reviewed by Filip Pizlo.
4180
4181         * microbenchmarks/poly-proto-access.js: Added.
4182         (assert):
4183         (foo.C):
4184         (foo.C.prototype.get bar):
4185         (foo):
4186         (bar):
4187         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
4188         (assert):
4189         (makePolyProtoObject.foo.C):
4190         (makePolyProtoObject.foo):
4191         (makePolyProtoObject):
4192         (performSet):
4193         * microbenchmarks/poly-proto-setter-speed.js: Added.
4194         (assert):
4195         (makePolyProtoObject.foo.C):
4196         (makePolyProtoObject.foo.C.prototype.set p):
4197         (makePolyProtoObject.foo):
4198         (makePolyProtoObject):
4199         (performSet):
4200         * stress/constructor-with-return.js:
4201         (i.tests.forEach.Constructor):
4202         (i.tests.forEach):
4203         (tests.forEach.Constructor): Deleted.
4204         (tests.forEach): Deleted.
4205         * stress/dom-jit-with-poly-proto.js: Added.
4206         (assert):
4207         (makePolyProtoObject.foo.C):
4208         (makePolyProtoObject.foo):
4209         (makePolyProtoObject):
4210         (validate):
4211         * stress/poly-proto-custom-value-and-accessor.js: Added.
4212         (assert):
4213         (makePolyProtoObject.foo.C):
4214         (makePolyProtoObject.foo):
4215         (makePolyProtoObject):
4216         (items.forEach):
4217         (set get for):
4218         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
4219         (assert):
4220         (makePolyProtoObject.foo.C):
4221         (makePolyProtoObject.foo):
4222         (makePolyProtoObject):
4223         (foo):
4224         * stress/poly-proto-miss.js: Added.
4225         (makePolyProtoInstanceWithNullPrototype.foo.C):
4226         (makePolyProtoInstanceWithNullPrototype.foo):
4227         (makePolyProtoInstanceWithNullPrototype):
4228         (assert):
4229         (validate):
4230         * stress/poly-proto-op-in-caching.js: Added.
4231         (assert):
4232         (makePolyProtoObject.foo.C):
4233         (makePolyProtoObject.foo):
4234         (makePolyProtoObject):
4235         (validate):
4236         (validate2):
4237         * stress/poly-proto-put-transition.js: Added.
4238         (assert):
4239         (makePolyProtoObject.foo.C):
4240         (makePolyProtoObject.foo):
4241         (makePolyProtoObject):
4242         (performSet):
4243         (i.obj.__proto__.set p):
4244         * stress/poly-proto-set-prototype.js: Added.
4245         (assert):
4246         (let.alternateProto.get x):
4247         (let.alternateProto2.get y):
4248         (let.alternateProto2.get x):
4249         (foo.C):
4250         (foo):
4251         (validate):
4252         * stress/poly-proto-setter.js: Added.
4253         (assert):
4254         (makePolyProtoObject.foo.C):
4255         (makePolyProtoObject.foo.C.prototype.set p):
4256         (makePolyProtoObject.foo.C.prototype.get p):
4257         (makePolyProtoObject.foo):
4258         (makePolyProtoObject):
4259         (performSet):
4260         * stress/poly-proto-using-inheritance.js: Added.
4261         (assert):
4262         (foo.C):
4263         (foo.C.prototype.get baz):
4264         (foo):
4265         (bar.C):
4266         (bar):
4267         (validate):
4268         * stress/primitive-poly-proto.js: Added.
4269         (makePolyProtoInstance.foo.C):
4270         (makePolyProtoInstance.foo):
4271         (makePolyProtoInstance):
4272         (assert):
4273         (validate):
4274         * stress/prototype-is-not-js-object.js: Added.
4275         (foo.bar):
4276         (foo):
4277         (assert):
4278         (validate):
4279         * stress/try-get-by-id-poly-proto.js: Added.
4280         (assert):
4281         (makePolyProtoObject.foo.C):
4282         (makePolyProtoObject.foo):
4283         (makePolyProtoObject):
4284         (tryGetByIdText):
4285         (x.__proto__.get bar):
4286         (validate):
4287         * typeProfiler/overflow.js:
4288
4289 2017-10-03  JF Bastien  <jfbastien@apple.com>
4290
4291         WebAssembly: no VM / JS version of everything but Instance
4292         https://bugs.webkit.org/show_bug.cgi?id=177473
4293
4294         Reviewed by Filip Pizlo.
4295
4296         - Exceeding max on memory growth now returns a range error as per
4297         spec. This is a (very minor) breaking change: it used to throw an OOM
4298         error. Update the corresponding test.
4299
4300         * wasm/js-api/memory-grow.js:
4301         (assertEq):
4302         * wasm/js-api/table.js:
4303         (assert.throws):
4304
4305 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
4306
4307         Skip JSC test stress/regress-159779-2.js on debug.
4308         https://bugs.webkit.org/show_bug.cgi?id=177204
4309
4310         Unreviewed test gardening.
4311
4312         * stress/regress-159779-2.js:
4313
4314 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
4315
4316         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
4317         https://bugs.webkit.org/show_bug.cgi?id=175642
4318
4319         Reviewed by Darin Adler.
4320
4321         * ChakraCore/test/Function/apply3.baseline-jsc:
4322
4323 2017-10-01  Commit Queue  <commit-queue@webkit.org>
4324
4325         Unreviewed, rolling out r222564.
4326         https://bugs.webkit.org/show_bug.cgi?id=177720
4327
4328         "It regressed JetStream by 2% on iOS caused by a 50%
4329         regression on the bigfib subtest" (Requested by saamyjoon on
4330         #webkit).
4331
4332         Reverted changeset:
4333
4334         "Add Above/Below comparisons for UInt32 patterns"
4335         https://bugs.webkit.org/show_bug.cgi?id=177281
4336         http://trac.webkit.org/changeset/222564
4337
4338 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4339
4340         [DFG] Support ArrayPush with multiple args
4341         https://bugs.webkit.org/show_bug.cgi?id=175823
4342
4343         Reviewed by Saam Barati.
4344
4345         * microbenchmarks/array-push-0.js: Added.
4346         (arrayPush0):
4347         * microbenchmarks/array-push-1.js: Added.
4348         (arrayPush1):
4349         * microbenchmarks/array-push-2.js: Added.
4350         (arrayPush2):
4351         * microbenchmarks/array-push-3.js: Added.
4352         (arrayPush3):
4353         * stress/array-push-multiple-contiguous.js: Added.
4354         (shouldBe):
4355         (test):
4356         * stress/array-push-multiple-double-nan.js: Added.
4357         (shouldBe):
4358         (test):
4359         * stress/array-push-multiple-double.js: Added.
4360         (shouldBe):
4361         (test):
4362         * stress/array-push-multiple-int32.js: Added.
4363         (shouldBe):
4364         (test):
4365         * stress/array-push-multiple-many-contiguous.js: Added.
4366         (shouldBe):
4367         (test):
4368         * stress/array-push-multiple-many-double.js: Added.
4369         (shouldBe):
4370         (test):
4371         * stress/array-push-multiple-many-int32.js: Added.
4372         (shouldBe):
4373         (test):
4374         * stress/array-push-multiple-many-storage.js: Added.
4375         (shouldBe):
4376         (test):
4377         * stress/array-push-multiple-storage.js: Added.
4378         (shouldBe):
4379         (test):
4380         * stress/array-push-with-force-exit.js: Added.
4381         (target.createBuiltin):
4382
4383 2017-09-29  Saam Barati  <sbarati@apple.com>
4384
4385         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4386         https://bugs.webkit.org/show_bug.cgi?id=177639