[JSC] Rename runWebAssembly to runWebAssemblySuite
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Rename runWebAssembly to runWebAssemblySuite
4         https://bugs.webkit.org/show_bug.cgi?id=184703
5
6         Reviewed by JF Bastien.
7
8         And add runWebAssembly as a command to simplely run wasm modules.
9
10         * wasm.yaml:
11
12 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
13
14         [WebAssembly][Modules] Implement function import from wasm modules
15         https://bugs.webkit.org/show_bug.cgi?id=184689
16
17         Reviewed by JF Bastien.
18
19         * wasm.yaml:
20         * wasm/modules/js-wasm-cycle.js: Added.
21         * wasm/modules/js-wasm-cycle/entry.js: Added.
22         (from.string_appeared_here.export.return42):
23         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
24         * wasm/modules/js-wasm-cycle/sum.wat: Added.
25         * wasm/modules/run-from-wasm.wasm: Added.
26         * wasm/modules/run-from-wasm.wat: Added.
27         * wasm/modules/run-from-wasm/check.js: Added.
28         (export.check):
29         * wasm/modules/wasm-imports-js-exports.js: Added.
30         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
31         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
32         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
33         (export.sum):
34         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
35         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
36         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
37         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
38         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
39         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
40         * wasm/modules/wasm-imports-wasm-exports.js: Added.
41         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
42         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
43         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
44         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
45         * wasm/modules/wasm-js-cycle.js: Added.
46         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
47         * wasm/modules/wasm-js-cycle/entry.wat: Added.
48         * wasm/modules/wasm-js-cycle/sum.js: Added.
49         (from.string_appeared_here.export.sum):
50         * wasm/modules/wasm-wasm-cycle.js: Added.
51         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
52         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
53         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
54         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
55
56 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
57
58         [WebAssembly][Modules] Prototype wasm import
59         https://bugs.webkit.org/show_bug.cgi?id=184600
60
61         Reviewed by JF Bastien.
62
63         Add wasm and wat files since module loader want to load wasm files from FS.
64         Currently, importing the other modules from wasm is not supported.
65
66         * wasm.yaml:
67         * wasm/modules/constant.wasm: Added.
68         * wasm/modules/constant.wat: Added.
69         * wasm/modules/js-wasm-function-namespace.js: Added.
70         (assert.throws):
71         * wasm/modules/js-wasm-function.js: Added.
72         (assert.throws):
73         * wasm/modules/js-wasm-global-namespace.js: Added.
74         (assert.throws):
75         * wasm/modules/js-wasm-global.js: Added.
76         (assert.throws):
77         * wasm/modules/js-wasm-memory-namespace.js: Added.
78         (assert.throws):
79         * wasm/modules/js-wasm-memory.js: Added.
80         (assert.throws):
81         * wasm/modules/js-wasm-start.js: Added.
82         (then):
83         * wasm/modules/js-wasm-table-namespace.js: Added.
84         (assert.throws):
85         * wasm/modules/js-wasm-table.js: Added.
86         (assert.throws):
87         * wasm/modules/memory.wasm: Added.
88         * wasm/modules/memory.wat: Added.
89         * wasm/modules/start.wasm: Added.
90         * wasm/modules/start.wat: Added.
91         * wasm/modules/sum.wasm: Added.
92         * wasm/modules/sum.wat: Added.
93         * wasm/modules/table.wasm: Added.
94         * wasm/modules/table.wat: Added.
95
96 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
97
98         Function.prototype.caller shouldn't return generator bodies
99         https://bugs.webkit.org/show_bug.cgi?id=184630
100
101         Reviewed by Yusuke Suzuki.
102
103         * stress/function-caller-async-arrow-function-body.js: Added.
104         * stress/function-caller-async-function-body.js: Added.
105         * stress/function-caller-async-generator-body.js: Added.
106         * stress/function-caller-generator-body.js: Added.
107         * stress/function-caller-generator-method-body.js: Added.
108
109 2018-04-12  Tomas Popela  <tpopela@redhat.com>
110
111         Unreviewed, skip JIT tests if it isn't enabled
112
113         See https://bugs.webkit.org/show_bug.cgi?id=182730.
114
115         * stress/big-int-spec-to-primitive.js:
116         * stress/big-int-spec-to-this.js:
117
118 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
119
120         [ESNext][BigInt] Add support for BigInt in SpeculatedType
121         https://bugs.webkit.org/show_bug.cgi?id=182470
122
123         Reviewed by Saam Barati.
124
125         * stress/big-int-spec-to-primitive.js: Added.
126         * stress/big-int-spec-to-this.js: Added.
127         * stress/big-int-strict-equals-jit.js: Added.
128         * stress/big-int-strict-spec-to-this.js: Added.
129         * stress/big-int-type-of-proven-type.js: Added.
130
131 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
132
133         DFG AI and clobberize should agree with each other
134         https://bugs.webkit.org/show_bug.cgi?id=184440
135
136         Reviewed by Saam Barati.
137         
138         Add tests for all of the bugs I fixed.
139
140         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
141         (foo):
142         * stress/new-typed-array-cse-effects.js: Added.
143         (foo):
144         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
145         (foo.theO):
146         (foo):
147         * stress/string-from-char-code-change-structure-not-dead.js: Added.
148         (foo):
149         (i.valueOf):
150         (weirdValue.valueOf):
151         * stress/string-from-char-code-change-structure.js: Added.
152         (foo):
153         (i.valueOf):
154         (weirdValue.valueOf):
155
156 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
157
158         Fix errant Test262 files CRLF to LF for consistency with the original source
159         https://bugs.webkit.org/show_bug.cgi?id=184425
160
161         Reviewed by Yusuke Suzuki.
162
163         * test262/test/built-ins/Math/acosh/nan-returns.js:
164         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
165         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
166         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
167         * test262/test/built-ins/Math/cbrt/prop-desc.js:
168         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
169         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
170         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
171         * test262/test/built-ins/Math/log2/log2-basicTests.js:
172         * test262/test/built-ins/Math/sign/sign-specialVals.js:
173         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
174         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
175         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
176         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
177
178 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
179
180         Unreviewed, remove incorrect entry in test262.yaml
181         https://bugs.webkit.org/show_bug.cgi?id=184266
182
183         * test262.yaml:
184
185 2018-04-08  Valerie Young  <valerie@bocoup.com>
186
187         [JSC] Update Test262 to April 6 version
188         https://bugs.webkit.org/show_bug.cgi?id=184266
189
190         Rubber stamped by Yusuke Suzuki.
191
192 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
193
194         [JSC] Introduce op_get_by_id_direct
195         https://bugs.webkit.org/show_bug.cgi?id=183970
196
197         Reviewed by Filip Pizlo.
198
199         * stress/generator-prototype-copy.js: Added.
200         (gen):
201         (catch):
202         Adopted JF's tests.
203
204         * stress/generator-type-check.js: Added.
205         (shouldThrow):
206         (foo2):
207         (i.shouldThrow):
208         * stress/get-by-id-direct-getter.js: Added.
209         (shouldBe):
210         (shouldThrow):
211         (obj.get hello):
212         (builtin.createBuiltin):
213         (obj2.get length):
214         * stress/get-by-id-direct.js: Added.
215         (shouldBe):
216         (shouldThrow):
217         (builtin.createBuiltin):
218         * test262.yaml:
219         We fixed long-standing spec compatibility issue.
220         As a result, this patch makes several test262 tests passed!
221
222
223 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
224
225         Unreviewed, annotate test with @skip if $memoryLimited
226         https://bugs.webkit.org/show_bug.cgi?id=183894
227
228         * stress/json-stringified-overflow.js:
229
230 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
231
232         Add svn:eol-style to line-terminator-normalisation-CR.js
233         https://bugs.webkit.org/show_bug.cgi?id=184341
234
235         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
236
237 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
238
239         Unreviewed, remove errant LF from existing test262 test for CR line endings.
240
241         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
242
243 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
244
245         Unreviewed, rolling out r230320.
246
247         Revert fix, as the root cause lies elsewhere.
248
249         Reverted changeset:
250
251         "[test262] Mark line-terminator-normalisation-CR.js as a
252         binary file."
253         https://bugs.webkit.org/show_bug.cgi?id=184341
254         https://trac.webkit.org/changeset/230320
255
256 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
257
258         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
259         https://bugs.webkit.org/show_bug.cgi?id=184341
260
261         Reviewed by Yusuke Suzuki.
262
263         This test is all about CR line endings, but `svn-apply` can't deal with them.
264         Treating the file as binary ensures that its contents never are never shown in a diff.
265
266         * .gitattributes: Added.
267
268 2018-04-05  Robin Morisset  <rmorisset@apple.com>
269
270         Fix testcase (missing try/catch).
271         https://bugs.webkit.org/show_bug.cgi?id=183657
272
273         Unreviewed.
274
275         * stress/large-unshift-splice.js
276
277 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
278
279         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
280         https://bugs.webkit.org/show_bug.cgi?id=184319
281
282         Reviewed by Saam Barati.
283
284         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
285         (foo):
286         (bar):
287         * stress/array-push-nan-to-double-array.js: Added.
288         (foo):
289         (bar):
290
291 2018-04-03  Mark Lam  <mark.lam@apple.com>
292
293         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
294         https://bugs.webkit.org/show_bug.cgi?id=184284
295
296         Reviewed by Saam Barati.
297
298         * stress/js-fixed-array-out-of-memory.js:
299
300 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
301
302         JSC crash in JIT code with for-of loop and Array/Set iterators
303         https://bugs.webkit.org/show_bug.cgi?id=183174
304
305         Reviewed by Saam Barati.
306
307         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
308         (foo):
309         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
310         (f):
311
312 2018-03-30  JF Bastien  <jfbastien@apple.com>
313
314         WebAssembly: support DataView compilation
315         https://bugs.webkit.org/show_bug.cgi?id=183342
316
317         Reviewed by Mark Lam.
318
319         Test WebAssembly compilation using a DataView with offset.
320
321         * wasm/regress/183342.js: Added.
322         (attempt.catch):
323
324 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
325
326         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
327         https://bugs.webkit.org/show_bug.cgi?id=184189
328
329         Reviewed by JF Bastien.
330
331         * stress/load-hole-from-scope-into-live-var.js: Added.
332         (result.eval.try.switch):
333         (catch):
334
335 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
336
337         Unreviewed, rolling out r230102.
338
339         Caused assertion failures on JSC bots.
340
341         Reverted changeset:
342
343         "A stack overflow in the parsing of a builtin (called by
344         createExecutable) cause a crash instead of a catchable js
345         exception"
346         https://bugs.webkit.org/show_bug.cgi?id=184074
347         https://trac.webkit.org/changeset/230102
348
349 2018-03-30  Robin Morisset  <rmorisset@apple.com>
350
351         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
352         https://bugs.webkit.org/show_bug.cgi?id=183812
353
354         Reviewed by Keith Miller.
355
356         * stress/inlining-unreachable-non-tail.js: Added.
357         (foo.):
358         (foo):
359
360 2018-03-30  Robin Morisset  <rmorisset@apple.com>
361
362         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
363         https://bugs.webkit.org/show_bug.cgi?id=184074
364         <rdar://problem/37165897>
365
366         Reviewed by Keith Miller.
367
368         * stress/stack-overflow-while-parsing-builtin.js: Added.
369         (f):
370
371 2018-03-30  Robin Morisset  <rmorisset@apple.com>
372
373         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
374         https://bugs.webkit.org/show_bug.cgi?id=183657
375
376         Reviewed by Keith Miller.
377
378         * stress/large-unshift-splice.js: Added.
379         (make_contig_arr):
380
381 2018-03-28  Robin Morisset  <rmorisset@apple.com>
382
383         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
384         https://bugs.webkit.org/show_bug.cgi?id=183894
385
386         Reviewed by Saam Barati.
387
388         * stress/json-stringified-overflow.js: Added.
389         (catch):
390
391 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
392
393         DFG should know that CreateThis can be effectful
394         https://bugs.webkit.org/show_bug.cgi?id=184013
395
396         Reviewed by Saam Barati.
397
398         * stress/create-this-property-change.js: Added.
399         (Foo):
400         (RealBar):
401         (get if):
402         * stress/create-this-structure-change-without-cse.js: Added.
403         (Foo):
404         (RealBar):
405         (get if):
406         * stress/create-this-structure-change.js: Added.
407         (Foo):
408         (RealBar):
409         (get if):
410
411 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
412
413         [DFG] Introduces fused compare and jump
414         https://bugs.webkit.org/show_bug.cgi?id=177100
415
416         Reviewed by Mark Lam.
417
418         * stress/fused-jeq-slow.js: Added.
419         (shouldBe):
420         (testJEQ):
421         (testJNEQB):
422         (testJEQB):
423         (testJNEQF):
424         (testJEQF):
425         * stress/fused-jeq.js: Added.
426         (shouldBe):
427         (testJEQ):
428         (testJNEQB):
429         (testJEQB):
430         (testJNEQF):
431         (testJEQF):
432         * stress/fused-jstricteq-slow.js: Added.
433         (shouldBe):
434         (testJSTRICTEQ):
435         (testJNSTRICTEQB):
436         (testJSTRICTEQB):
437         (testJNSTRICTEQF):
438         (testJSTRICTEQF):
439         * stress/fused-jstricteq.js: Added.
440         (shouldBe):
441         (testJSTRICTEQ):
442         (testJNSTRICTEQB):
443         (testJSTRICTEQB):
444         (testJNSTRICTEQF):
445         (testJSTRICTEQF):
446
447 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
448
449         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
450         https://bugs.webkit.org/show_bug.cgi?id=183559
451
452         Reviewed by Mark Lam.
453
454         * stress/double-to-string-in-loop-removed.js: Added.
455         (test):
456         * stress/int32-to-string-in-loop-removed.js: Added.
457         (test):
458         * stress/int52-to-string-in-loop-removed.js: Added.
459         (test):
460
461 2018-03-22  Michael Saboff  <msaboff@apple.com>
462
463         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
464         https://bugs.webkit.org/show_bug.cgi?id=183901
465
466         Reviewed by Keith Miller.
467
468         New test.
469
470         * stress/array-reverse-doesnt-clobber.js: Added.
471         (testArrayReverse):
472         (createArrayOfArrays):
473         (createArrayStorage):
474
475 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
476
477         ScopedArguments should do poisoning and index masking
478         https://bugs.webkit.org/show_bug.cgi?id=183863
479
480         Reviewed by Mark Lam.
481         
482         Adds another stress test of scoped arguments.
483
484         * stress/scoped-arguments-test.js: Added.
485         (foo):
486
487 2018-03-20  Saam Barati  <sbarati@apple.com>
488
489         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
490         https://bugs.webkit.org/show_bug.cgi?id=183795
491         <rdar://problem/38298694>
492
493         Reviewed by JF Bastien.
494
495         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
496         (foo):
497         (bar):
498
499 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
500
501         [DFG][FTL] Add vectorLengthHint for NewArray
502         https://bugs.webkit.org/show_bug.cgi?id=183694
503
504         Reviewed by Saam Barati.
505
506         * stress/vector-length-hint-array-constructor.js: Added.
507         (shouldBe):
508         (test):
509         * stress/vector-length-hint-new-array.js: Added.
510         (shouldBe):
511         (test):
512
513 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
514
515         [DFG][FTL] Make ArraySlice(0) code tight
516         https://bugs.webkit.org/show_bug.cgi?id=183590
517
518         Reviewed by Saam Barati.
519
520         * stress/array-slice-with-zero.js: Added.
521         (shouldBe):
522         (test):
523         (test2):
524         * stress/array-slice-zero-args.js: Added.
525         (shouldBe):
526         (test):
527
528 2018-03-14  Caitlin Potter  <caitp@igalia.com>
529
530         [JSC] fix order of evaluation for ClassDefinitionEvaluation
531         https://bugs.webkit.org/show_bug.cgi?id=183523
532
533         Reviewed by Keith Miller.
534
535         Computed property names need to be evaluated in source order during class
536         definition evaluation, as it's observable (and specified to work this way).
537
538         This change improves compatibility with Chromium.
539
540         * stress/class_elements.js: Added.
541         (test):
542         (test.C.prototype.effect):
543         (test.C.effect):
544         (test.C.prototype.get effect):
545         (test.C.prototype.set effect):
546         (test.C):
547
548 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
549
550         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
551         https://bugs.webkit.org/show_bug.cgi?id=183310
552
553         Reviewed by Filip Pizlo.
554
555         * stress/ai-create-this-to-new-object-fire.js: Added.
556         (assert):
557         (test):
558         (func):
559         (check):
560         (test.body.A):
561         (test.body.B):
562         (test.body):
563         * stress/ai-create-this-to-new-object.js: Added.
564         (assert):
565         (test):
566         (func):
567         (check):
568         (test.body.A):
569         (test.body.B):
570         (test.body):
571
572 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
573
574         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
575         https://bugs.webkit.org/show_bug.cgi?id=181848
576
577         Reviewed by Sam Weinig.
578
579         * microbenchmarks/regexp-u-global-es5.js: Added.
580         (fn):
581         * microbenchmarks/regexp-u-global-es6.js: Added.
582         (fn):
583         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
584         (shouldBe):
585         (test):
586         (i.switch):
587         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
588         (shouldBe):
589         (test):
590
591 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
592
593         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
594         https://bugs.webkit.org/show_bug.cgi?id=183334
595
596         Reviewed by Žan Doberšek.
597
598         * stress/var-injection-cache-invalidation.js:
599
600 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
601
602         [ARM] Disable tests that run out of memory
603         https://bugs.webkit.org/show_bug.cgi?id=182699
604
605         Reviewed by Žan Doberšek.
606
607         Skip tests that run of of memory. Do not run
608         modules/module-jit-reachability.js without LLInt to prevent
609         running out of executable memory.
610
611         * modules.yaml:
612         * modules/module-jit-reachability.js:
613         * stress/has-own-property-name-cache-string-keys.js:
614         * stress/has-own-property-name-cache-symbol-keys.js:
615
616 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
617
618         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
619         https://bugs.webkit.org/show_bug.cgi?id=183173
620
621         Reviewed by Saam Barati.
622
623         * stress/async-arrow-function-in-class-heritage.js: Added.
624         (testSyntax):
625         (testSyntaxError):
626         (SyntaxError):
627
628 2018-03-01  Saam Barati  <sbarati@apple.com>
629
630         We need to clear cached structures when having a bad time
631         https://bugs.webkit.org/show_bug.cgi?id=183256
632         <rdar://problem/36245022>
633
634         Reviewed by Mark Lam.
635
636         * stress/having-a-bad-time-with-derived-arrays.js: Added.
637         (assert):
638         (defineSetter):
639         (iterate):
640         (doSlice):
641
642 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
643
644         JSC crash with `import("")`
645         https://bugs.webkit.org/show_bug.cgi?id=183175
646
647         Reviewed by Saam Barati.
648
649         * stress/import-with-empty-string.js: Added.
650
651 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
652
653         Unreviewed, skip FTL tests if FTL is disabled
654         https://bugs.webkit.org/show_bug.cgi?id=183071
655
656         * stress/has-indexed-property-array-storage-ftl.js:
657         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
658
659 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
660
661         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
662         https://bugs.webkit.org/show_bug.cgi?id=182965
663
664         Reviewed by Saam Barati.
665
666         * stress/put-by-val-array-storage.js: Added.
667         (shouldBe):
668         (testArrayStorageInBounds):
669         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
670         (shouldBe):
671         (testInt32.createBuiltin):
672         (set for):
673         * stress/put-by-val-slow-put-array-storage.js: Added.
674         (shouldBe):
675         (testArrayStorageInBounds):
676
677 2018-02-26  Saam Barati  <sbarati@apple.com>
678
679         validateStackAccess should not validate if the offset is within the stack bounds
680         https://bugs.webkit.org/show_bug.cgi?id=183067
681         <rdar://problem/37749988>
682
683         Reviewed by Mark Lam.
684
685         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
686         (assert):
687         (test.a):
688         (test.b):
689         (test):
690
691 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
692
693         Unreviewed, skip FTL tests if FTL is disabled
694         https://bugs.webkit.org/show_bug.cgi?id=183071
695
696         * stress/has-indexed-property-array-storage-ftl.js:
697         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
698
699 2018-02-23  Saam Barati  <sbarati@apple.com>
700
701         Make Number.isInteger an intrinsic
702         https://bugs.webkit.org/show_bug.cgi?id=183088
703
704         Reviewed by JF Bastien.
705
706         * stress/number-is-integer-intrinsic.js: Added.
707
708 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
709
710         WebAssembly: cache memory address / size on instance
711         https://bugs.webkit.org/show_bug.cgi?id=177305
712
713         Reviewed by JF Bastien.
714
715         * wasm/function-tests/memory-reuse.js: Added.
716         (createWasmInstance):
717         (doCheckTrap):
718         (doMemoryGrow):
719         (doCheck):
720         (checkWasmInstancesWithSharedMemory):
721
722 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
723
724         [JSC] Implement $vm.ftlTrue function for FTL testing
725         https://bugs.webkit.org/show_bug.cgi?id=183071
726
727         Reviewed by Mark Lam.
728
729         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
730         (foo):
731         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
732         (foo):
733         * stress/dead-fiat-value-to-int52.js:
734         (foo):
735         * stress/dead-osr-entry-value.js:
736         (foo):
737         * stress/fiat-value-to-int52-then-exit-not-double.js:
738         (foo):
739         * stress/fiat-value-to-int52-then-exit-not-int52.js:
740         (foo):
741         * stress/fiat-value-to-int52-then-fail-to-fold.js:
742         (foo):
743         * stress/fiat-value-to-int52-then-fold.js:
744         (foo):
745         * stress/fiat-value-to-int52.js:
746         (foo):
747         * stress/fold-based-on-int32-proof-mul-branch.js:
748         (foo):
749         * stress/fold-profiled-call-to-call.js:
750         (foo):
751         * stress/fold-to-double-constant-then-exit.js:
752         (foo):
753         * stress/fold-to-int52-constant-then-exit.js:
754         (foo):
755         * stress/fold-to-primitive-in-cfa.js:
756         (foo):
757         * stress/fold-to-primitive-to-identity-in-cfa.js:
758         (foo):
759         * stress/has-indexed-property-array-storage-ftl.js: Added.
760         (shouldBe):
761         (test1):
762         (test2):
763         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
764         (shouldBe):
765         (test1):
766         (test2):
767         * stress/int52-ai-add-then-filter-int32.js:
768         (foo):
769         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
770         (foo):
771         * stress/int52-ai-mul-then-filter-int32.js:
772         (foo):
773         * stress/int52-ai-neg-then-filter-int32.js:
774         (foo):
775         * stress/int52-ai-sub-then-filter-int32.js:
776         (foo):
777         * stress/licm-pre-header-cannot-exit-nested.js:
778         (foo):
779         * stress/licm-pre-header-cannot-exit.js:
780         (foo):
781         * stress/sparse-array-entry-update-144067.js:
782         (useMemoryToTriggerGCs):
783         * stress/test-spec-misc.js:
784         (foo):
785         * stress/tricky-array-bounds-checks.js:
786         (foo):
787
788 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
789
790         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
791         https://bugs.webkit.org/show_bug.cgi?id=182792
792
793         Reviewed by Mark Lam.
794
795         * stress/has-indexed-property-array-storage.js: Added.
796         (shouldBe):
797         (test1):
798         (test2):
799         * stress/has-indexed-property-slow-put-array-storage.js: Added.
800         (shouldBe):
801         (test1):
802         (test2):
803
804 2018-02-20  Saam Barati  <sbarati@apple.com>
805
806         DFG::VarargsForwardingPhase should eliminate getting argument length
807         https://bugs.webkit.org/show_bug.cgi?id=182959
808
809         Reviewed by Keith Miller.
810
811         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
812
813 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
814
815         [FTL] Support ArrayPush for ArrayStorage
816         https://bugs.webkit.org/show_bug.cgi?id=182782
817
818         Reviewed by Saam Barati.
819
820         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
821
822         * stress/array-push-array-storage-beyond-int32.js: Added.
823         (shouldBe):
824         (test):
825         * stress/array-push-array-storage.js: Added.
826         (shouldBe):
827         (test):
828         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
829         (shouldBe):
830         (test):
831         * stress/array-push-multiple-storage-continuous.js: Added.
832         (shouldBe):
833         (test):
834
835 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
836
837         [FTL] Support ArrayPop for ArrayStorage
838         https://bugs.webkit.org/show_bug.cgi?id=182783
839
840         Reviewed by Saam Barati.
841
842         * stress/array-pop-array-storage.js: Added.
843         (shouldBe):
844         (test):
845
846 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
847
848         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
849         https://bugs.webkit.org/show_bug.cgi?id=182731
850
851         Reviewed by Saam Barati.
852
853         * stress/arrayify-array-storage-array.js: Added.
854         (shouldBe):
855         (testArrayStorage):
856         * stress/arrayify-array-storage-non-array.js: Added.
857         (shouldBe):
858         (testArrayStorage):
859         * stress/arrayify-array-storage.js: Added.
860         (shouldBe):
861         (testArrayStorage):
862         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
863         (shouldBe):
864         (testArrayStorage):
865         * stress/arrayify-slow-put-array-storage.js: Added.
866         (shouldBe):
867         (testArrayStorage):
868
869 2018-02-19  Saam Barati  <sbarati@apple.com>
870
871         Don't use JSFunction's allocation profile when getting the prototype can be effectful
872         https://bugs.webkit.org/show_bug.cgi?id=182942
873         <rdar://problem/37584764>
874
875         Reviewed by Mark Lam.
876
877         * stress/get-prototype-create-this-effectful.js: Added.
878
879 2018-02-16  Saam Barati  <sbarati@apple.com>
880
881         Fix bugs from r228411
882         https://bugs.webkit.org/show_bug.cgi?id=182851
883         <rdar://problem/37577732>
884
885         Reviewed by JF Bastien.
886
887         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
888
889 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
890
891         Unreviewed, roll out r228366 since it did not progress anything.
892
893         * stress/gc-error-stack.js: Removed.
894         * stress/no-gc-error-stack.js: Removed.
895
896 2018-02-15  Tomas Popela  <tpopela@redhat.com>
897
898         Many stress tests fail with JIT disabled
899         https://bugs.webkit.org/show_bug.cgi?id=182730
900
901         Reviewed by Saam Barati.
902
903         These tests are broken by design if the JIT is disabled - they test
904         the return value of numberOfDFGCompiles(), which is always set to
905         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
906
907         * stress/arith-abs-on-various-types.js:
908         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
909         * stress/arith-acos-on-various-types.js:
910         * stress/arith-acosh-on-various-types.js:
911         * stress/arith-asin-on-various-types.js:
912         * stress/arith-asinh-on-various-types.js:
913         * stress/arith-atan-on-various-types.js:
914         * stress/arith-atanh-on-various-types.js:
915         * stress/arith-cbrt-on-various-types.js:
916         * stress/arith-ceil-on-various-types.js:
917         * stress/arith-clz32-on-various-types.js:
918         * stress/arith-cos-on-various-types.js:
919         * stress/arith-cosh-on-various-types.js:
920         * stress/arith-expm1-on-various-types.js:
921         * stress/arith-floor-on-various-types.js:
922         * stress/arith-fround-on-various-types.js:
923         * stress/arith-log-on-various-types.js:
924         * stress/arith-log10-on-various-types.js:
925         * stress/arith-log2-on-various-types.js:
926         * stress/arith-negate-on-various-types.js:
927         * stress/arith-round-on-various-types.js:
928         * stress/arith-sin-on-various-types.js:
929         * stress/arith-sinh-on-various-types.js:
930         * stress/arith-sqrt-on-various-types.js:
931         * stress/arith-tan-on-various-types.js:
932         * stress/arith-tanh-on-various-types.js:
933         * stress/arith-trunc-on-various-types.js:
934         * stress/compare-strict-eq-on-various-types.js:
935
936 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
937
938         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
939
940         Unreviewed test gardening.
941
942         * stress/new-largeish-contiguous-array-with-size.js:
943
944 2018-02-14  Saam Barati  <sbarati@apple.com>
945
946         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
947         https://bugs.webkit.org/show_bug.cgi?id=182801
948
949         Reviewed by Keith Miller.
950
951         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
952
953 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
954
955         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
956         https://bugs.webkit.org/show_bug.cgi?id=182526
957
958         Unreviewed test gardening.
959
960         * stress/activation-sink-default-value-tdz-error.js:
961
962 2018-02-13  Saam Barati  <sbarati@apple.com>
963
964         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
965         https://bugs.webkit.org/show_bug.cgi?id=182755
966         <rdar://problem/37080864>
967
968         Reviewed by Keith Miller.
969
970         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
971         (test1.o.get 10005):
972         (test1):
973         (test2.o.get 1000):
974         (test2):
975
976 2018-02-13  Caitlin Potter  <caitp@igalia.com>
977
978         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
979         https://bugs.webkit.org/show_bug.cgi?id=182717
980
981         Reviewed by Yusuke Suzuki.
982
983         https://github.com/tc39/ecma262/pull/890 imposes a change to template
984         literals, to allow template callsite arrays to be collected when the
985         code containing the tagged template call is collected. This spec change
986         has received concensus and been ratified.
987
988         This change eliminates the eternal map associating template contents
989         with arrays.
990
991         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
992         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
993         * stress/tagged-templates-identity.js:
994         * stress/template-string-tags-eval.js:
995         * test262.yaml:
996
997 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
998
999         Support GetArrayLength on ArrayStorage in the FTL
1000         https://bugs.webkit.org/show_bug.cgi?id=182625
1001
1002         Reviewed by Saam Barati.
1003
1004         * stress/array-storage-length.js: Added.
1005         (shouldBe):
1006         (testInBound):
1007         (testUncountable):
1008         (testSlowPutInBound):
1009         (testSlowPutUncountable):
1010         * stress/undecided-length.js: Added.
1011         (shouldBe):
1012         (test2):
1013
1014 2018-02-12  Saam Barati  <sbarati@apple.com>
1015
1016         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1017         https://bugs.webkit.org/show_bug.cgi?id=182706
1018         <rdar://problem/36833681>
1019
1020         Reviewed by Filip Pizlo.
1021
1022         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1023         (effects):
1024         (foo):
1025
1026 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1027
1028         Don't waste memory for error.stack
1029         https://bugs.webkit.org/show_bug.cgi?id=182656
1030
1031         Reviewed by Saam Barati.
1032         
1033         Tests the policy.
1034
1035         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1036         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1037
1038 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1039
1040         [JSC] Update Test262 to Feb 9 version
1041         https://bugs.webkit.org/show_bug.cgi?id=182468
1042
1043         Reviewed by Saam Barati.
1044
1045 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1046
1047         Unreviewed, fix invalid line terminator in old test262 file part 2
1048         https://bugs.webkit.org/show_bug.cgi?id=182468
1049
1050         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1051
1052 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1053
1054         Unreviewed, fix invalid line terminator in old test262 file
1055         https://bugs.webkit.org/show_bug.cgi?id=182468
1056
1057         * test262/test/language/literals/regexp/7.8.5-1.js:
1058
1059 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1060
1061         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1062         https://bugs.webkit.org/show_bug.cgi?id=182440
1063
1064         Reviewed by Darin Adler.
1065
1066         * stress/array-flatmap.js: Added.
1067         (shouldBe):
1068         (shouldBeArray):
1069         (shouldThrow):
1070         (var):
1071         * stress/array-flatten.js: Added.
1072         (shouldBe):
1073         (shouldBeArray):
1074         * test262.yaml:
1075         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1076         (3.flatMap):
1077         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1078
1079 2018-02-06  Keith Miller  <keith_miller@apple.com>
1080
1081         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1082         https://bugs.webkit.org/show_bug.cgi?id=182549
1083         <rdar://problem/36189995>
1084
1085         Reviewed by Saam Barati.
1086
1087         * stress/var-injection-cache-invalidation.js: Added.
1088         (allocateLotsOfThings):
1089         (test):
1090
1091 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1092
1093         Unreviewed, follow up for test262 update
1094         https://bugs.webkit.org/show_bug.cgi?id=182288
1095
1096         * test262.yaml:
1097
1098 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1099
1100         Update test262 to Jan 30 version
1101         https://bugs.webkit.org/show_bug.cgi?id=182288
1102
1103         Unreviewed test gardening.
1104
1105         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1106
1107 2018-02-02  Saam Barati  <sbarati@apple.com>
1108
1109         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1110         https://bugs.webkit.org/show_bug.cgi?id=182368
1111         <rdar://problem/36932466>
1112
1113         Reviewed by Mark Lam.
1114
1115         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1116         (runNearStackLimit.t):
1117         (runNearStackLimit):
1118         (try.runNearStackLimit):
1119         (catch):
1120
1121 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1122
1123         Update test262 to Jan 30 version
1124         https://bugs.webkit.org/show_bug.cgi?id=182288
1125
1126         Rubber stamped by Saam Barati.
1127
1128         This patch updates test262 to the latest one, Jan 30 version.
1129         Since added and changed files are too many, we cannot create ChangeLog.
1130         The following files are changed.
1131
1132         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1133         including some special line terminators (like u2028, u2029).
1134
1135         * test262.yaml:
1136         * test262/test262-Revision.txt:
1137         * test262/*:
1138
1139 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1140
1141         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1142         https://bugs.webkit.org/show_bug.cgi?id=182411
1143
1144         Reviewed by Carlos Alberto Lopez Perez.
1145
1146         This is skipped only on arm memory limited platforms. Until recently
1147         it was not a problem on MIPS as the butterfly was not initialized. But
1148         since r227435, the butterfly is initialized in that test and therefore
1149         memory is allocated, and the test typically takes around 512M, which
1150         means it generally gets OOM-killed on the MIPS buildbot.
1151
1152         * mozilla/mozilla-tests.yaml:
1153
1154 2018-02-01  Mark Lam  <mark.lam@apple.com>
1155
1156         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1157         https://bugs.webkit.org/show_bug.cgi?id=182419
1158         <rdar://problem/37044945>
1159
1160         Reviewed by Saam Barati.
1161
1162         * stress/regress-182419.js: Added.
1163
1164 2018-02-01  Keith Miller  <keith_miller@apple.com>
1165
1166         Fix crashes due to mishandling custom sections.
1167         https://bugs.webkit.org/show_bug.cgi?id=182404
1168         <rdar://problem/36935863>
1169
1170         Reviewed by Saam Barati.
1171
1172         * wasm/Builder.js:
1173         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1174         * wasm/js-api/validate.js:
1175         (assert.truthy):
1176
1177 2018-01-31  Saam Barati  <sbarati@apple.com>
1178
1179         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1180         https://bugs.webkit.org/show_bug.cgi?id=182074
1181         <rdar://problem/36846261>
1182
1183         Reviewed by Mark Lam.
1184
1185         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1186         (assert):
1187         (let.func):
1188         (let.o.foo):
1189         (varFunc):
1190
1191 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1192
1193         Unreviewed, update test262 expects
1194         https://bugs.webkit.org/show_bug.cgi?id=182232
1195
1196         * test262.yaml:
1197
1198 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1199
1200         [JSC] Implement trimStart and trimEnd
1201         https://bugs.webkit.org/show_bug.cgi?id=182233
1202
1203         Reviewed by Mark Lam.
1204
1205         * stress/trim.js: Added.
1206         (shouldBe):
1207         (startTest):
1208         (endTest):
1209         (trimTest):
1210
1211 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1212
1213         [JSC] Relax line terminators in String to make JSON subset of JS
1214         https://bugs.webkit.org/show_bug.cgi?id=182232
1215
1216         Reviewed by Keith Miller.
1217
1218         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1219         * stress/relaxed-line-terminators-in-string.js: Added.
1220         (shouldBe):
1221
1222 2018-01-29  Michael Saboff  <msaboff@apple.com>
1223
1224         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1225         https://bugs.webkit.org/show_bug.cgi?id=182249
1226
1227         Reviewed by Keith Miller.
1228
1229         New regression test.
1230
1231         * stress/compare-clobber-untypeduse.js: Added.
1232
1233 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1234
1235         Unreviewed, rolling out r227725.
1236
1237         This caused internal failures.
1238
1239         Reverted changeset:
1240
1241         "JSC Sampling Profiler: Detect tester and testee when sampling
1242         in RegExp JIT"
1243         https://bugs.webkit.org/show_bug.cgi?id=152729
1244         https://trac.webkit.org/changeset/227725
1245
1246 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1247
1248         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1249         https://bugs.webkit.org/show_bug.cgi?id=152729
1250
1251         Reviewed by Saam Barati.
1252
1253         * stress/sampling-profiler-regexp.js: Added.
1254         (platformSupportsSamplingProfiler.test):
1255         (platformSupportsSamplingProfiler.baz):
1256         (platformSupportsSamplingProfiler):
1257
1258 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1259
1260         [DFG][FTL] WeakMap#set should have DFG node
1261         https://bugs.webkit.org/show_bug.cgi?id=180015
1262
1263         Reviewed by Saam Barati.
1264
1265         * stress/weakmap-set-change-get.js: Added.
1266         (shouldBe):
1267         (test):
1268         * stress/weakmap-set-cse.js: Added.
1269         (shouldBe):
1270         (test):
1271         * stress/weakset-add-change-get.js: Added.
1272         (shouldBe):
1273         * stress/weakset-add-cse.js: Added.
1274         (shouldBe):
1275
1276 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1277
1278         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1279         https://bugs.webkit.org/show_bug.cgi?id=182213
1280
1281         Reviewed by Mark Lam.
1282
1283         * stress/int32-min-to-string.js: Added.
1284         (shouldBe):
1285         (test2):
1286         (test4):
1287         (test8):
1288         (test16):
1289         (test32):
1290         * stress/zero-to-string.js: Added.
1291         (shouldBe):
1292         (test2):
1293         (test4):
1294         (test8):
1295         (test16):
1296         (test32):
1297
1298 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1299
1300         Add more module scope related tests with code evaluation by string
1301         https://bugs.webkit.org/show_bug.cgi?id=181983
1302
1303         Reviewed by Sam Weinig.
1304
1305         Add more module scope related tests. When the original tests are landed,
1306         we do not have browser integration. This patch adds more module scope tests
1307         with dynamically created script evaluation. We add tests with Function
1308         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1309
1310         * modules/scopes-eval.js: Added.
1311         (shouldBe):
1312         * modules/scopes.js:
1313         (shouldBe):
1314
1315 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1316
1317         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1318
1319         * microbenchmarks/array-push-3.js: Removed.
1320         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1321         * microbenchmarks/double-to-int32.js: Removed.
1322         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1323         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1324         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1325         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1326         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1327         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1328         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1329         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1330         * microbenchmarks/map-constant-key.js: Removed.
1331         * microbenchmarks/nested-function-parsing.js: Removed.
1332         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1333         * microbenchmarks/spread-large-array.js: Removed.
1334         * microbenchmarks/string-add-constant-folding.js: Removed.
1335         * microbenchmarks/to-lower-case.js: Removed.
1336         * microbenchmarks/undefined-property-access.js: Removed.
1337         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1338         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1339         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1340         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1341         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1342         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1343         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1344         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1345         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1346         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1347         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1348         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1349         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1350         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1351         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1352         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1353         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1354         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1355
1356 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1357
1358         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1359         https://bugs.webkit.org/show_bug.cgi?id=181739
1360         <rdar://problem/36627662>
1361
1362         Reviewed by Saam Barati.
1363
1364         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1365         (foo):
1366         (bar):
1367
1368 2018-01-22  Michael Saboff  <msaboff@apple.com>
1369
1370         DFG abstract interpreter needs to properly model effects of some Math ops
1371         https://bugs.webkit.org/show_bug.cgi?id=181886
1372
1373         Reviewed by Saam Barati.
1374
1375         New regression test.
1376
1377         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1378         (test):
1379
1380 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1381
1382         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1383         https://bugs.webkit.org/show_bug.cgi?id=181182
1384
1385         Reviewed by Darin Adler.
1386
1387         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1388         * stress/big-int-prototype-to-string-exception.js: Added.
1389         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1390         * stress/number-prototype-to-string-cast-overflow.js: Added.
1391         * stress/number-prototype-to-string-exception.js: Added.
1392         * stress/number-prototype-to-string-wrong-values.js: Added.
1393
1394 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1395
1396         Disable Atomics when SharedArrayBuffer isn’t enabled
1397         https://bugs.webkit.org/show_bug.cgi?id=181572
1398
1399         Unreviewed test gardening.
1400
1401         * test262.yaml: Skip tests that fail after this change.
1402
1403 2018-01-19  Saam Barati  <sbarati@apple.com>
1404
1405         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1406         https://bugs.webkit.org/show_bug.cgi?id=181877
1407         <rdar://problem/36630552>
1408
1409         Reviewed by Mark Lam.
1410
1411         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1412         (runNearStackLimit):
1413         (f1):
1414         (f2):
1415         (f3):
1416         (i.catch):
1417         (i.try.runNearStackLimit):
1418         (catch):
1419
1420 2018-01-19  Saam Barati  <sbarati@apple.com>
1421
1422         Spread's effects are modeled incorrectly both in AI and in Clobberize
1423         https://bugs.webkit.org/show_bug.cgi?id=181867
1424         <rdar://problem/36290415>
1425
1426         Reviewed by Michael Saboff.
1427
1428         * stress/ai-needs-to-model-spreads-effects.js: Added.
1429         (try.p.Symbol.iterator):
1430         (try.go):
1431         (catch):
1432         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1433         (assert):
1434         (foo):
1435         (a.Symbol.iterator):
1436
1437 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1438
1439         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1440         https://bugs.webkit.org/show_bug.cgi?id=181535
1441
1442         * stress/inserted-recovery-with-set-last-index.js:
1443
1444 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1445
1446         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1447         https://bugs.webkit.org/show_bug.cgi?id=181535
1448
1449         Reviewed by Saam Barati.
1450
1451         * stress/inserted-recovery-with-set-last-index.js: Added.
1452         (shouldBe):
1453         (foo):
1454         * stress/materialize-regexp-at-osr-exit.js: Added.
1455         (shouldBe):
1456         (test):
1457         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1458         (shouldBe):
1459         (test):
1460         * stress/materialize-regexp-cyclic-regexp.js: Added.
1461         (shouldBe):
1462         (test):
1463         (i.switch):
1464         * stress/materialize-regexp-cyclic.js: Added.
1465         (shouldBe):
1466         (test):
1467         (i.switch):
1468         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1469         (bar):
1470         (foo):
1471         (test):
1472         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1473         (bar):
1474         (foo):
1475         (test):
1476         * stress/materialize-regexp.js: Added.
1477         (shouldBe):
1478         (test):
1479         * stress/phantom-regexp-regexp-exec.js: Added.
1480         (shouldBe):
1481         (test):
1482         * stress/phantom-regexp-string-match.js: Added.
1483         (shouldBe):
1484         (test):
1485         * stress/regexp-last-index-sinking.js: Added.
1486         (shouldBe):
1487         (test):
1488
1489 2018-01-17  Saam Barati  <sbarati@apple.com>
1490
1491         Disable Atomics when SharedArrayBuffer isn’t enabled
1492         https://bugs.webkit.org/show_bug.cgi?id=181572
1493         <rdar://problem/36553206>
1494
1495         Reviewed by Michael Saboff.
1496
1497         * stress/isLockFree.js:
1498
1499 2018-01-17  Saam Barati  <sbarati@apple.com>
1500
1501         DFG::Node::convertToConstant needs to clear the varargs flags
1502         https://bugs.webkit.org/show_bug.cgi?id=181697
1503         <rdar://problem/36497332>
1504
1505         Reviewed by Yusuke Suzuki.
1506
1507         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1508         (doIndexOf):
1509         (bar):
1510         (i.bar):
1511
1512 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1513
1514         Unreviewed, rolling out r226937.
1515
1516         Tests added with this change are failing due to a missing
1517         exception check.
1518
1519         Reverted changeset:
1520
1521         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1522         double to int32_t"
1523         https://bugs.webkit.org/show_bug.cgi?id=181182
1524         https://trac.webkit.org/changeset/226937
1525
1526 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1527
1528         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1529         https://bugs.webkit.org/show_bug.cgi?id=181182
1530
1531         Reviewed by Darin Adler.
1532
1533         * bigIntTests.yaml:
1534         * stress/big-int-constructor.js:
1535         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1536         (assert):
1537         (assertThrowRangeError):
1538         * stress/number-prototype-to-string-cast-overflow.js: Added.
1539         (assert):
1540         (assertThrowRangeError):
1541
1542 2018-01-12  Saam Barati  <sbarati@apple.com>
1543
1544         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1545         https://bugs.webkit.org/show_bug.cgi?id=181177
1546         <rdar://problem/36205704>
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1551         (runNearStackLimit.t):
1552         (runNearStackLimit):
1553         (test.f):
1554         (test):
1555
1556 2018-01-12  Saam Barati  <sbarati@apple.com>
1557
1558         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1559         https://bugs.webkit.org/show_bug.cgi?id=181562
1560         <rdar://problem/36445624>
1561
1562         Reviewed by Yusuke Suzuki.
1563
1564         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1565         (f):
1566         (foo):
1567
1568 2018-01-11  Saam Barati  <sbarati@apple.com>
1569
1570         When inserting Unreachable in byte code parser we need to flush all the right things
1571         https://bugs.webkit.org/show_bug.cgi?id=181509
1572         <rdar://problem/36423110>
1573
1574         Reviewed by Mark Lam.
1575
1576         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1577
1578 2018-01-11  Saam Barati  <sbarati@apple.com>
1579
1580         JITMathIC code in the FTL is wrong when code gets duplicated
1581         https://bugs.webkit.org/show_bug.cgi?id=181525
1582         <rdar://problem/36351993>
1583
1584         Reviewed by Michael Saboff and Keith Miller.
1585
1586         * stress/allow-math-ic-b3-code-duplication.js: Added.
1587
1588 2018-01-11  Saam Barati  <sbarati@apple.com>
1589
1590         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1591         https://bugs.webkit.org/show_bug.cgi?id=181508
1592
1593         Reviewed by Yusuke Suzuki.
1594
1595         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1596         (assert):
1597         (test1.foo):
1598         (test1):
1599         (test2.foo):
1600         (test2):
1601
1602 2018-01-09  Mark Lam  <mark.lam@apple.com>
1603
1604         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1605         https://bugs.webkit.org/show_bug.cgi?id=181388
1606         <rdar://problem/36349351>
1607
1608         Reviewed by Saam Barati.
1609
1610         * stress/regress-181388.js: Added.
1611
1612 2018-01-08  JF Bastien  <jfbastien@apple.com>
1613
1614         WebAssembly: mask indexed accesses to Table
1615         https://bugs.webkit.org/show_bug.cgi?id=181412
1616         <rdar://problem/36363236>
1617
1618         Reviewed by Saam Barati.
1619
1620         Update error messages.
1621
1622         * wasm/js-api/table.js:
1623         (assert.throws.WebAssembly.Table.prototype.grow):
1624
1625 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1626
1627         Disable SharedArrayBuffer tests missed in r226386.
1628         https://bugs.webkit.org/show_bug.cgi?id=181266
1629
1630         Unreviewed test gardening.
1631
1632         * test262.yaml:
1633
1634 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1635
1636         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1637         https://bugs.webkit.org/show_bug.cgi?id=181321
1638
1639         Reviewed by Saam Barati.
1640
1641         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1642         (shouldBe):
1643         (testFunction):
1644         * test262.yaml:
1645
1646 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1647
1648         Unreviewed, attempt to fix test262 after r226386.
1649
1650         * test262.yaml:
1651
1652 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1653
1654         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1655         https://bugs.webkit.org/show_bug.cgi?id=179911
1656
1657         Reviewed by Saam Barati.
1658
1659         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1660
1661         * stress/map-set-change-get.js: Added.
1662         (shouldBe):
1663         (test):
1664         * stress/map-set-create-bucket.js: Added.
1665         (shouldBe):
1666         (test):
1667         * stress/set-add-create-bucket.js: Added.
1668         (shouldBe):
1669
1670 2018-01-03  Michael Saboff  <msaboff@apple.com>
1671
1672         Disable SharedArrayBuffers from Web API
1673         https://bugs.webkit.org/show_bug.cgi?id=181266
1674
1675         Reviewed by Saam Barati.
1676
1677         Disabled SharedArrayBuffer tests.
1678
1679         * stress/SharedArrayBuffer-opt.js:
1680         * stress/SharedArrayBuffer.js:
1681         * stress/array-buffer-byte-length.js:
1682         * stress/atomics-add-uint32.js:
1683         * stress/atomics-known-int-use.js:
1684         * stress/atomics-neg-zero.js:
1685         * stress/atomics-store-return.js:
1686         * stress/lars-sab-workers.js:
1687         * stress/regress-159779-1.js:
1688         * stress/regress-159779-2.js:
1689         * stress/regress-170473.js:
1690         * test262.yaml:
1691
1692 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1693
1694         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1695         https://bugs.webkit.org/show_bug.cgi?id=181258
1696
1697         Reviewed by Antonio Gomes.
1698
1699         * stress/big-int-constructor-gc.js:
1700         * stress/big-int-constructor-oom.js:
1701
1702 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1703
1704         Inlining of a function that ends in op_unreachable crashes
1705         https://bugs.webkit.org/show_bug.cgi?id=181027
1706
1707         Reviewed by Filip Pizlo.
1708
1709         * stress/inlining-unreachable.js: Added.
1710         (bar):
1711         (baz):
1712         (i.catch):
1713
1714 2018-01-02  Saam Barati  <sbarati@apple.com>
1715
1716         Incorrect assertion inside AccessCase
1717         https://bugs.webkit.org/show_bug.cgi?id=181200
1718         <rdar://problem/35494754>
1719
1720         Reviewed by Yusuke Suzuki.
1721
1722         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1723         (ctor):
1724         (theFunc):
1725         (run):
1726
1727 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1728
1729         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1730         https://bugs.webkit.org/show_bug.cgi?id=175359
1731
1732         Reviewed by Yusuke Suzuki.
1733
1734         * bigIntTests.yaml:
1735         * stress/big-int-as-key.js: Added.
1736         * stress/big-int-constructor-gc.js: Added.
1737         * stress/big-int-constructor-oom.js: Added.
1738         * stress/big-int-constructor-properties.js: Added.
1739         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1740         * stress/big-int-constructor-prototype.js: Added.
1741         * stress/big-int-constructor.js: Added.
1742         * stress/big-int-function-apply.js:
1743         * stress/big-int-length.js: Added.
1744         * stress/big-int-prop-descriptor.js: Added.
1745         * stress/big-int-proto-constructor.js: Added.
1746         * stress/big-int-proto-name.js: Added.
1747         * stress/big-int-prototype-properties.js: Added.
1748         * stress/big-int-prototype-proto.js: Added.
1749         * stress/big-int-prototype-value-of.js: Added.
1750         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1751         * stress/big-int-prototype-to-string-apply.js: Added.
1752         * stress/big-int-to-object.js: Added.
1753         * stress/big-int-to-string.js: Added.
1754
1755 2017-12-28  Saam Barati  <sbarati@apple.com>
1756
1757         Assertion used to determine if something is an async generator is wrong
1758         https://bugs.webkit.org/show_bug.cgi?id=181168
1759         <rdar://problem/35640560>
1760
1761         Reviewed by Yusuke Suzuki.
1762
1763         * stress/async-generator-assertion.js: Added.
1764
1765 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1766
1767         Skip stress/splay-flash-access tests on memory limited platforms
1768         https://bugs.webkit.org/show_bug.cgi?id=181086
1769
1770         Reviewed by Carlos Alberto Lopez Perez.
1771
1772         These tests use about 185M of memory, and occasionally get OOM-killed
1773         on memory limited platforms.
1774
1775         * stress/splay-flash-access-1ms.js:
1776         * stress/splay-flash-access.js:
1777
1778 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1779
1780         Skip slow jsc tests on embedded platforms
1781         https://bugs.webkit.org/show_bug.cgi?id=180937
1782
1783         Reviewed by Carlos Alberto Lopez Perez.
1784
1785         The tests typeProfiler/deltablue-for-of.js and
1786         typeProfiler/getter-richards.js take a very long time in the
1787         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1788         thus always timeout. They should be skipped on these platforms.
1789
1790         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1791         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1792
1793 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1794
1795         [JSC] Do not check isValid() in op_new_regexp
1796         https://bugs.webkit.org/show_bug.cgi?id=180970
1797
1798         Reviewed by Saam Barati.
1799
1800         * stress/regexp-syntax-error-invalid-flags.js: Added.
1801         (shouldThrow):
1802
1803 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1804
1805         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1806         https://bugs.webkit.org/show_bug.cgi?id=180712
1807
1808         Reviewed by Michael Catanzaro.
1809
1810         stress/call-apply-exponential-bytecode-size.js crashes if the
1811         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1812         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1813         should skip the test on other platforms.
1814
1815         * stress/call-apply-exponential-bytecode-size.js:
1816
1817 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1818
1819         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1820         https://bugs.webkit.org/show_bug.cgi?id=179762
1821
1822         Reviewed by Saam Barati.
1823
1824         * stress/call-varargs-double-new-array-buffer.js: Added.
1825         (assert):
1826         (bar):
1827         (foo):
1828         * stress/call-varargs-spread-new-array-buffer.js: Added.
1829         (assert):
1830         (bar):
1831         (foo):
1832         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1833         (assert):
1834         (bar):
1835         (foo):
1836         * stress/forward-varargs-double-new-array-buffer.js: Added.
1837         (assert):
1838         (test.baz):
1839         (test.bar):
1840         (test.foo):
1841         (test):
1842         * stress/new-array-buffer-sinking-osrexit.js: Added.
1843         (target):
1844         (test):
1845         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1846         (shouldBe):
1847         (test):
1848         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1849         (shouldBe):
1850         (target):
1851         (test):
1852         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1853         (assert):
1854         (test1.bar):
1855         (test1.foo):
1856         (test1):
1857         (test2.bar):
1858         (test2.foo):
1859         (test3.baz):
1860         (test3.bar):
1861         (test3.foo):
1862         (test4.baz):
1863         (test4.bar):
1864         (test4.foo):
1865         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1866         (assert):
1867         (test.baz):
1868         (test.bar):
1869         (test.foo):
1870         (test):
1871         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1872         (assert):
1873         (baz):
1874         (bar):
1875         (effects):
1876         (foo):
1877
1878 2017-12-14  Saam Barati  <sbarati@apple.com>
1879
1880         The CleanUp after LICM is erroneously removing a Check
1881         https://bugs.webkit.org/show_bug.cgi?id=180852
1882         <rdar://problem/36063494>
1883
1884         Reviewed by Filip Pizlo.
1885
1886         * stress/dont-run-cleanup-after-licm.js: Added.
1887
1888 2017-12-14  Michael Saboff  <msaboff@apple.com>
1889
1890         REGRESSION (r225695): Repro crash on yahoo login page
1891         https://bugs.webkit.org/show_bug.cgi?id=180761
1892
1893         Reviewed by JF Bastien.
1894
1895         New regression test.
1896
1897         * stress/regress-180761.js: Added.
1898
1899 2017-12-13  Keith Miller  <keith_miller@apple.com>
1900
1901         JSObjects should have a mask for loading indexed properties
1902         https://bugs.webkit.org/show_bug.cgi?id=180768
1903
1904         Reviewed by Mark Lam.
1905
1906         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1907         (test):
1908
1909 2017-12-13  Saam Barati  <sbarati@apple.com>
1910
1911         Arrow functions need their own structure because they have different properties than sloppy functions
1912         https://bugs.webkit.org/show_bug.cgi?id=180779
1913         <rdar://problem/35814591>
1914
1915         Reviewed by Mark Lam.
1916
1917         * stress/arrow-function-needs-its-own-structure.js: Added.
1918         (assert):
1919         (readPrototype):
1920         (noInline.let.f1):
1921         (noInline):
1922
1923 2017-12-13  Saam Barati  <sbarati@apple.com>
1924
1925         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1926         https://bugs.webkit.org/show_bug.cgi?id=163579
1927         <rdar://problem/35455798>
1928
1929         Reviewed by Mark Lam.
1930
1931         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1932         (assert):
1933         (test1):
1934         (i.test1):
1935         (i.test1.C):
1936         (i.test1.async.foo):
1937         (i.test1.foo):
1938         (test2):
1939
1940 2017-12-13  Saam Barati  <sbarati@apple.com>
1941
1942         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1943         https://bugs.webkit.org/show_bug.cgi?id=180734
1944         <rdar://problem/35640547>
1945
1946         Reviewed by Yusuke Suzuki.
1947
1948         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1949         (__isPropertyOfType):
1950         (__getProperties):
1951         (__getObjects):
1952         (__getRandomObject):
1953         (theClass.):
1954         (theClass):
1955         (childClass):
1956         (counter.catch):
1957
1958 2017-12-12  Saam Barati  <sbarati@apple.com>
1959
1960         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1961         https://bugs.webkit.org/show_bug.cgi?id=180725
1962         <rdar://problem/35970511>
1963
1964         Reviewed by Michael Saboff.
1965
1966         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1967         (f1):
1968         (f2):
1969         (let.o2.valueOf):
1970
1971 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1972
1973         [JSC] Implement optimized WeakMap and WeakSet
1974         https://bugs.webkit.org/show_bug.cgi?id=179929
1975
1976         Reviewed by Saam Barati.
1977
1978         * microbenchmarks/weak-map-key.js:
1979         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1980         (assert):
1981         (objectKey):
1982         (let.start.Date.now):
1983         * stress/basic-weakmap.js: Added.
1984         (shouldBe):
1985         (test):
1986         * stress/basic-weakset.js: Added.
1987         (shouldBe):
1988         (test.set new):
1989         * stress/weakmap-cse-set-break.js: Added.
1990         (shouldBe):
1991         (test):
1992         * stress/weakmap-cse.js: Added.
1993         (shouldBe):
1994         (test):
1995         * stress/weakmap-gc.js: Added.
1996         (test):
1997         * stress/weakset-cse-add-break.js: Added.
1998         (shouldBe):
1999         (test.set new):
2000         * stress/weakset-cse.js: Added.
2001         (shouldBe):
2002         (test.set new):
2003         * stress/weakset-gc.js: Added.
2004         (test.set add):
2005         (test.set new):
2006         (test):
2007
2008 2017-12-12  Saam Barati  <sbarati@apple.com>
2009
2010         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2011         https://bugs.webkit.org/show_bug.cgi?id=180723
2012         <rdar://problem/35859726>
2013
2014         Reviewed by JF Bastien.
2015
2016         * stress/get-my-argument-by-val-constant-folding.js: Added.
2017         (test):
2018         (catch):
2019
2020 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2021
2022         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2023         https://bugs.webkit.org/show_bug.cgi?id=179000
2024
2025         Reviewed by Darin Adler and Yusuke Suzuki.
2026
2027         * bigIntTests.yaml: Added.
2028         * stress/big-int-literal-line-terminator.js: Added.
2029         * stress/big-int-literals.js: Added.
2030         * stress/big-int-operations-error.js: Added.
2031         * stress/big-int-type-of.js: Added.
2032         * stress/big-int-white-space-trailing-leading.js: Added.
2033         * stress/big-int-function-apply.js: Added.
2034
2035 2017-12-11  Saam Barati  <sbarati@apple.com>
2036
2037         We need to disableCaching() in ErrorInstance when we materialize properties
2038         https://bugs.webkit.org/show_bug.cgi?id=180343
2039         <rdar://problem/35833002>
2040
2041         Reviewed by Mark Lam.
2042
2043         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2044         (assert):
2045         (makeError):
2046         (storeToStack):
2047         (storeToStackAlreadyMaterialized):
2048
2049 2017-12-05  JF Bastien  <jfbastien@apple.com>
2050
2051         WebAssembly: don't eagerly checksum
2052         https://bugs.webkit.org/show_bug.cgi?id=180441
2053         <rdar://problem/35156628>
2054
2055         Reviewed by Saam Barati.
2056
2057         Checksum is now disabled, so tests only have <?> as the module
2058         name.
2059
2060         * wasm/function-tests/nameSection.js:
2061         * wasm/function-tests/stack-overflow.js:
2062         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2063         (assertOverflows.assertThrows):
2064         (assertOverflows):
2065         * wasm/function-tests/stack-trace.js:
2066
2067 2017-12-04  JF Bastien  <jfbastien@apple.com>
2068
2069         Proxy all functions, except the $ objects
2070         https://bugs.webkit.org/show_bug.cgi?id=180375
2071
2072         Reviewed by Saam Barati.
2073
2074         It looks like this test may have broken some executions because I
2075         call some internal objects. Explicitly ignore objects whose name
2076         starts with "$" because it's a bad idea anyways.
2077
2078         * stress/proxy-all-the-parameters.js:
2079         (generateObjects):
2080         (get throw):
2081
2082 2017-12-04  Saam Barati  <sbarati@apple.com>
2083
2084         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2085         https://bugs.webkit.org/show_bug.cgi?id=180366
2086         <rdar://problem/35685877>
2087
2088         Reviewed by Michael Saboff.
2089
2090         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2091         (theParent):
2092         (test1.base.getParentStaticValue):
2093         (test1.base):
2094         (test1.__v_24888.prototype.set prop):
2095         (test1.__v_24888):
2096         (test2.base.getParentStaticValue):
2097         (test2.base):
2098         (test2.__v_24888.prototype.set prop):
2099         (test2.__v_24888):
2100         (test2):
2101
2102 2017-12-01  JF Bastien  <jfbastien@apple.com>
2103
2104         Try proxying all function arguments
2105         https://bugs.webkit.org/show_bug.cgi?id=180306
2106
2107         Reviewed by Saam Barati.
2108
2109         * stress/proxy-all-the-parameters.js: Added.
2110         (isPropertyOfType):
2111         (getProperties):
2112         (generateObjects):
2113         (getObjects):
2114         (getFunctions):
2115         (get throw):
2116         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2117
2118 2017-12-01  JF Bastien  <jfbastien@apple.com>
2119
2120         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2121         https://bugs.webkit.org/show_bug.cgi?id=180297
2122         <rdar://problem/35745556>
2123
2124         Reviewed by Mark Lam.
2125
2126         * stress/math-exceptions.js: Added.
2127         (get try):
2128         (catch):
2129
2130 2017-12-01  JF Bastien  <jfbastien@apple.com>
2131
2132         JavaScriptCore: add test for weird class static getters
2133         https://bugs.webkit.org/show_bug.cgi?id=180281
2134         <rdar://problem/35592139>
2135
2136         Reviewed by Mark Lam.
2137
2138         I fixed a bug for it in r224927 and didn't add a test. Do so.
2139
2140         * stress/class-static-get-weird.js: Added.
2141         (c.prototype.get name):
2142         (c):
2143         (c.prototype.get arguments):
2144         (c.prototype.get caller):
2145         (c.prototype.get length):
2146
2147 2017-12-01  Saam Barati  <sbarati@apple.com>
2148
2149         Having a bad time needs to handle ArrayClass indexing type as well
2150         https://bugs.webkit.org/show_bug.cgi?id=180274
2151         <rdar://problem/35667869>
2152
2153         Reviewed by Keith Miller and Mark Lam.
2154
2155         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2156         (assert):
2157         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2158         (assert):
2159
2160 2017-12-01  JF Bastien  <jfbastien@apple.com>
2161
2162         WebAssembly: restore cached stack limit after out-call
2163         https://bugs.webkit.org/show_bug.cgi?id=179106
2164         <rdar://problem/35337525>
2165
2166         Reviewed by Saam Barati.
2167
2168         * wasm/function-tests/double-instance.js: Added.
2169         (const.imp.boom):
2170         (const.imp.get callAnother):
2171
2172 2017-11-30  JF Bastien  <jfbastien@apple.com>
2173
2174         WebAssembly: improve stack trace
2175         https://bugs.webkit.org/show_bug.cgi?id=179343
2176
2177         Reviewed by Saam Barati.
2178
2179         Update the tests to follow the new format. Notably, SHA1 module
2180         hash is now included in traces, and stubs are properly identified.
2181
2182         * wasm/assert.js: Add an assertion which matches regular expressions.
2183         * wasm/function-tests/nameSection.js:
2184         * wasm/function-tests/stack-overflow.js:
2185         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2186         (assertOverflows.assertThrows.wasm.1):
2187         (assertOverflows.assertThrows.wasm.0):
2188         (assertOverflows.assertThrows):
2189         (assertOverflows):
2190         * wasm/function-tests/stack-trace.js:
2191         (import.Builder.from.string_appeared_here.assert): Deleted.
2192         * wasm/function-tests/trap-after-cross-instance-call.js:
2193         (wasmFrameCountFromError):
2194         * wasm/function-tests/trap-load-2.js:
2195         (wasmFrameCountFromError):
2196         * wasm/function-tests/trap-load.js:
2197         (wasmFrameCountFromError):
2198
2199 2017-11-30  Mark Lam  <mark.lam@apple.com>
2200
2201         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2202         https://bugs.webkit.org/show_bug.cgi?id=180219
2203         <rdar://problem/35696536>
2204
2205         Reviewed by Filip Pizlo.
2206
2207         * stress/regress-180219.js: Added.
2208
2209 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2210
2211         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2212         https://bugs.webkit.org/show_bug.cgi?id=180190
2213
2214         Reviewed by Mark Lam.
2215
2216         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2217         (shouldBe):
2218         (test1):
2219         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2220         (shouldBe):
2221         (test1):
2222         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2223         (shouldBe):
2224         (test1):
2225         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2226         (shouldBe):
2227         (test1):
2228         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2229         (shouldBe):
2230         (test1):
2231         * stress/operation-in-may-have-negative-int32.js: Added.
2232         (shouldBe):
2233         (test2):
2234         * stress/operation-in-negative-int32-cast.js: Added.
2235         (shouldBe):
2236         (test1):
2237
2238 2017-11-28  JF Bastien  <jfbastien@apple.com>
2239
2240         Strict and sloppy functions shouldn't share structure
2241         https://bugs.webkit.org/show_bug.cgi?id=180103
2242         <rdar://problem/35667847>
2243
2244         Reviewed by Saam Barati.
2245
2246         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2247         because the IC was wrong.
2248         (foo):
2249         (bar):
2250         (baz):
2251         (catch):
2252         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2253         in this patch, but may as well test odd strict mode corner cases.
2254         (bar):
2255         (baz):
2256         (catch):
2257         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2258         (foo):
2259         (bar):
2260         (baz):
2261         (catch):
2262         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2263         next file, but with invalidation of the FunctionExecutable's
2264         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2265         slower path.
2266         (foo):
2267         (bar.const.x):
2268         (bar.const.y):
2269         (bar):
2270         (catch):
2271         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2272         strict nesting works correctly.
2273         (foo):
2274         (bar.baz):
2275         (bar):
2276         * stress/strict-function-structure.js: Added. The test used to
2277         assert in objectProtoFuncHasOwnProperty.
2278         (foo):
2279         (bar):
2280         (baz):
2281         * stress/strict-nested-function-structure.js: Added. Nesting.
2282         (foo):
2283         (bar):
2284         (baz.boo):
2285         (baz):
2286
2287 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2288
2289         The recursive tail call optimisation is wrong on closures
2290         https://bugs.webkit.org/show_bug.cgi?id=179835
2291
2292         Reviewed by Saam Barati.
2293
2294         * stress/closure-recursive-tail-call.js: Added.
2295         (makeClosure):
2296
2297 2017-11-27  JF Bastien  <jfbastien@apple.com>
2298
2299         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2300         https://bugs.webkit.org/show_bug.cgi?id=180051
2301         <rdar://problem/35614371>
2302
2303         Reviewed by Saam Barati.
2304
2305         * stress/rest-parameter-negative.js: Added.
2306         (__f_5484):
2307         (catch):
2308         (__f_5485):
2309         (__v_22598.catch):
2310
2311 2017-11-27  Saam Barati  <sbarati@apple.com>
2312
2313         Spread can escape when CreateRest does not
2314         https://bugs.webkit.org/show_bug.cgi?id=180057
2315         <rdar://problem/35676119>
2316
2317         Reviewed by JF Bastien.
2318
2319         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2320         (assert):
2321         (getProperties):
2322         (theFunc):
2323         (let.obj.valueOf):
2324
2325 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2326
2327         [DFG] Add NormalizeMapKey DFG IR
2328         https://bugs.webkit.org/show_bug.cgi?id=179912
2329
2330         Reviewed by Saam Barati.
2331
2332         * stress/map-untyped-normalize-cse.js: Added.
2333         (shouldBe):
2334         (test):
2335         * stress/map-untyped-normalize.js: Added.
2336         (shouldBe):
2337         (test):
2338         * stress/set-untyped-normalize-cse.js: Added.
2339         (shouldBe):
2340         (set return.set has.set has):
2341         * stress/set-untyped-normalize.js: Added.
2342         (shouldBe):
2343         (set return.set has):
2344
2345 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2346
2347         [FTL] Support DeleteById and DeleteByVal
2348         https://bugs.webkit.org/show_bug.cgi?id=180022
2349
2350         Reviewed by Saam Barati.
2351
2352         * stress/delete-by-id.js: Added.
2353         (shouldBe):
2354         (test1):
2355         (test2):
2356         * stress/delete-by-val-ftl.js: Added.
2357         (shouldBe):
2358         (test1):
2359         (test2):
2360
2361 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2362
2363         [DFG] Introduce {Set,Map,WeakMap}Fields
2364         https://bugs.webkit.org/show_bug.cgi?id=179925
2365
2366         Reviewed by Saam Barati.
2367
2368         * stress/map-set-clobber-map-get.js: Added.
2369         (shouldBe):
2370         (test):
2371         * stress/map-set-does-not-clobber-set-has.js: Added.
2372         (shouldBe):
2373         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2374         (shouldBe):
2375         (test):
2376         * stress/set-add-clobber-set-has.js: Added.
2377         (shouldBe):
2378         * stress/set-add-does-not-clobber-map-get.js: Added.
2379         (shouldBe):
2380
2381 2017-11-24  Mark Lam  <mark.lam@apple.com>
2382
2383         Move unsafe jsc shell test functions to the $vm object.
2384         https://bugs.webkit.org/show_bug.cgi?id=179980
2385
2386         Reviewed by Yusuke Suzuki.
2387
2388         * controlFlowProfiler/driver/driver.js:
2389         * controlFlowProfiler/execution-count.js:
2390         * controlFlowProfiler/if-statement.js:
2391         * controlFlowProfiler/loop-statements.js:
2392         * controlFlowProfiler/switch-statements.js:
2393         * controlFlowProfiler/test-jit.js:
2394         * exceptionFuzz/3d-cube.js:
2395         * exceptionFuzz/date-format-xparb.js:
2396         * exceptionFuzz/earley-boyer.js:
2397         * heapProfiler/basic-edges.js:
2398         * heapProfiler/property-edge-types.js:
2399         * microbenchmarks/try-get-by-id-basic.js:
2400         * microbenchmarks/try-get-by-id-polymorphic.js:
2401         * modules/namespace-object-try-get.js:
2402         * stress/argument-count-bytecode.js:
2403         * stress/argument-intrinsic-basic.js:
2404         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2405         * stress/argument-intrinsic-inlining-with-result-escape.js:
2406         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2407         * stress/argument-intrinsic-inlining-with-vararg.js:
2408         * stress/argument-intrinsic-nested-inlining.js:
2409         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2410         * stress/argument-intrinsic-with-stack-write.js:
2411         * stress/arity-mismatch-get-argument.js:
2412         * stress/array-message-passing.js:
2413         * stress/array-push-with-force-exit.js:
2414         * stress/check-dom-with-signature.js:
2415         * stress/check-sub-class.js:
2416         * stress/compare-eq-incomplete-profile.js:
2417         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2418         * stress/do-eval-virtual-call-correctly.js:
2419         * stress/dom-jit-with-poly-proto.js:
2420         * stress/domjit-exception-ic.js:
2421         * stress/domjit-exception.js:
2422         * stress/domjit-getter-complex-with-incorrect-object.js:
2423         * stress/domjit-getter-complex.js:
2424         * stress/domjit-getter-poly.js:
2425         * stress/domjit-getter-proto.js:
2426         * stress/domjit-getter-super-poly.js:
2427         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2428         * stress/domjit-getter-type-check.js:
2429         * stress/domjit-getter.js:
2430         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2431         * stress/for-in-proxy-target-changed-structure.js:
2432         * stress/for-in-proxy.js:
2433         * stress/generational-opaque-roots.js:
2434         * stress/global-const-redeclaration-setting-2.js:
2435         * stress/global-const-redeclaration-setting-3.js:
2436         * stress/global-const-redeclaration-setting-4.js:
2437         * stress/global-const-redeclaration-setting-5.js:
2438         * stress/global-const-redeclaration-setting.js:
2439         * stress/import-basic.js:
2440         * stress/import-from-eval.js:
2441         * stress/import-reject-with-exception.js:
2442         * stress/import-syntax.js:
2443         * stress/impure-get-own-property-slot-inline-cache.js:
2444         * stress/is-constructor.js:
2445         * stress/istypedarrayview-intrinsic.js:
2446         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2447         * stress/jsc-test-functions-should-be-more-robust.js:
2448         * stress/object-toString-with-proxy.js:
2449         * stress/poly-proto-custom-value-and-accessor.js:
2450         * stress/proxy-inline-cache.js:
2451         * stress/re-execute-error-module.js:
2452         * stress/regress-150532.js:
2453         * stress/regress-156992.js:
2454         * stress/regress-179619.js:
2455         * stress/resources/shadow-chicken-support.js:
2456         * stress/runtime-array.js:
2457         * stress/sampling-profiler-microtasks.js:
2458         * stress/shadow-chicken-enabled.js:
2459         * stress/spread-correct-global-object-on-exception.js:
2460         * stress/super-get-by-id.js:
2461         * stress/tailCallForwardArguments.js:
2462         * stress/to-object-intrinsic-boolean-edge.js:
2463         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2464         * stress/to-object-intrinsic-number-edge.js:
2465         * stress/to-object-intrinsic-object-edge.js:
2466         * stress/to-object-intrinsic-string-edge.js:
2467         * stress/to-object-intrinsic-symbol-edge.js:
2468         * stress/to-object-intrinsic.js:
2469         * stress/try-catch-custom-getter-as-get-by-id.js:
2470         * stress/try-get-by-id-poly-proto.js:
2471         * stress/try-get-by-id-should-spill-registers-dfg.js:
2472         * stress/try-get-by-id.js:
2473         * typeProfiler/arrow-functions.js:
2474         * typeProfiler/basic.js:
2475         * typeProfiler/captured.js:
2476         * typeProfiler/classes.js:
2477         * typeProfiler/dfg-jit-optimizations.js:
2478         * typeProfiler/dictionary-mode.js:
2479         * typeProfiler/es6-block-scoping.js:
2480         * typeProfiler/es6-classes.js:
2481         * typeProfiler/inheritance.js:
2482         * typeProfiler/int52-dfg.js:
2483         * typeProfiler/loop.js:
2484         * typeProfiler/optional-fields.js:
2485         * typeProfiler/overflow.js:
2486         * typeProfiler/return.js:
2487         * typeProfiler/symbol.js:
2488         * typeProfiler/weird-prototype-chain.js:
2489
2490 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2491
2492         [DFG][FTL] Support MapSet / SetAdd intrinsics
2493         https://bugs.webkit.org/show_bug.cgi?id=179858
2494
2495         Reviewed by Saam Barati.
2496
2497         * microbenchmarks/map-has-and-set.js: Added.
2498         (test):
2499         * stress/map-set-check-failure.js: Added.
2500         (shouldBe):
2501         (shouldThrow):
2502         (target):
2503         * stress/map-set-cse.js: Added.
2504         (shouldBe):
2505         (test):
2506         * stress/set-add-check-failure.js: Added.
2507         (shouldBe):
2508         (shouldThrow):
2509         (set shouldThrow):
2510         * stress/set-add-cse.js: Added.
2511         (shouldBe):
2512
2513 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2514
2515         [JSC] Allow poly proto for intrinsic getters
2516         https://bugs.webkit.org/show_bug.cgi?id=179550
2517
2518         Reviewed by Saam Barati.
2519
2520         This change is also tested by existing tests.
2521
2522             1. stress/intrinsic-getter-with-poly-proto.js
2523             2. stress/poly-proto-intrinsic-getter-correctness.js
2524
2525         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2526         (shouldBe):
2527         (makePolyProtoObject.foo.C):
2528         (makePolyProtoObject.foo):
2529         (makePolyProtoObject):
2530         (target):
2531         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2532         (shouldBe):
2533         (makePolyProtoObject.foo.C):
2534         (makePolyProtoObject.foo):
2535         (makePolyProtoObject):
2536         (target):
2537
2538 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2539
2540         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2541         https://bugs.webkit.org/show_bug.cgi?id=179744
2542
2543         Reviewed by Michael Catanzaro.
2544
2545         This test uses too much memory for our buildbots on these platforms
2546         and gets OOM-killed.
2547
2548         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2549         Skip if $memoryLimited and linux.
2550
2551 2017-11-17  JF Bastien  <jfbastien@apple.com>
2552
2553         WebAssembly JS API: throw when a promise can't be created
2554         https://bugs.webkit.org/show_bug.cgi?id=179826
2555         <rdar://problem/35455813>
2556
2557         Reviewed by Mark Lam.
2558
2559         Test WebAssembly.{compile,instantiate} where promise creation
2560         fails because of a stack overflow.
2561
2562         * wasm/js-api/promise-stack-overflow.js: Added.
2563         (const.runNearStackLimit.f.const.t):
2564         (async.testCompile):
2565         (async.testInstantiate):
2566
2567 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2568
2569         Unreviewed, mark regress-178385.js as memory exhausting
2570
2571         * stress/regress-178385.js:
2572
2573 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2574
2575         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2576
2577         Unreviewed test gardening.
2578
2579         * test262.yaml:
2580
2581 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2582
2583         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2584         https://bugs.webkit.org/show_bug.cgi?id=179763
2585         <rdar://problem/35550513>
2586
2587         Reviewed by Keith Miller.
2588
2589         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2590
2591         * stress/tdz-this-in-try-catch.js: Added.
2592         (__v_6388):
2593         (__v_6392):
2594
2595 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2596
2597         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2598         https://bugs.webkit.org/show_bug.cgi?id=179594
2599
2600         Reviewed by Saam Barati.
2601
2602         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2603         (shouldBe):
2604         (args):
2605         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2606         (shouldBe):
2607         (args):
2608
2609 2017-11-14  Saam Barati  <sbarati@apple.com>
2610
2611         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2612         https://bugs.webkit.org/show_bug.cgi?id=179639
2613         <rdar://problem/35513018>
2614
2615         Reviewed by JF Bastien.
2616
2617         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2618         (escape):
2619         (i.func):
2620
2621 2017-11-13  Mark Lam  <mark.lam@apple.com>
2622
2623         Add more overflow check book-keeping for MarkedArgumentBuffer.
2624         https://bugs.webkit.org/show_bug.cgi?id=179634
2625         <rdar://problem/35492517>
2626
2627         Reviewed by Saam Barati.
2628
2629         * stress/regress-179634.js: Added.
2630
2631 2017-11-13  Mark Lam  <mark.lam@apple.com>
2632
2633         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2634         https://bugs.webkit.org/show_bug.cgi?id=179619
2635         <rdar://problem/35492518>
2636
2637         Reviewed by Saam Barati.
2638
2639         * stress/regress-179619.js: Added.
2640
2641 2017-11-12  Mark Lam  <mark.lam@apple.com>
2642
2643         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2644         https://bugs.webkit.org/show_bug.cgi?id=179562
2645         <rdar://problem/35467022>
2646
2647         Reviewed by Saam Barati.
2648
2649         * regress-179562.js: Added.
2650
2651 2017-11-08  Saam Barati  <sbarati@apple.com>
2652
2653         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2654         https://bugs.webkit.org/show_bug.cgi?id=177792
2655
2656         Reviewed by Yusuke Suzuki.
2657
2658         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2659         (assert):
2660         (foo.Foo.prototype.ensureX):
2661         (foo.Foo):
2662         (foo):
2663         (access):
2664
2665 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2666
2667         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2668         https://bugs.webkit.org/show_bug.cgi?id=178592
2669
2670         Unreviewed test gardening.
2671
2672         * test262.yaml:
2673
2674 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2675
2676         Turn recursive tail calls into loops
2677         https://bugs.webkit.org/show_bug.cgi?id=176601
2678
2679         Reviewed by Saam Barati.
2680
2681         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2682
2683         Add some simple test that computes factorial in several ways, and other trivial computations.
2684         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2685         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2686         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2687         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2688
2689         * stress/inline-call-to-recursive-tail-call.js: Added.
2690         (factorial.aux):
2691         (factorial):
2692         (factorial2.aux2):
2693         (factorial2.id):
2694         (factorial2):
2695         (factorial3.aux3):
2696         (factorial3):
2697         (aux4):
2698         (factorial4):
2699         (foo):
2700         (auxBar):
2701         (bar):
2702         (test):
2703
2704 2017-11-07  Mark Lam  <mark.lam@apple.com>
2705
2706         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2707         https://bugs.webkit.org/show_bug.cgi?id=179355
2708         <rdar://problem/35263053>
2709
2710         Reviewed by Saam Barati.
2711
2712         * stress/regress-179355.js: Added.
2713
2714 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2715
2716         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2717         https://bugs.webkit.org/show_bug.cgi?id=144458
2718
2719         Reviewed by Saam Barati.
2720
2721         * microbenchmarks/dfg-internal-function-call.js: Added.
2722         (target):
2723         * microbenchmarks/dfg-internal-function-construct.js: Added.
2724         (target):
2725         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2726         (target):
2727         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2728         (target):
2729         * stress/dfg-internal-function-call.js: Added.
2730         (shouldBe):
2731         (target):
2732         * stress/dfg-internal-function-construct.js: Added.
2733         (shouldBe):
2734         (target):
2735         * stress/internal-function-call.js: Added.
2736         (shouldBe):
2737         * stress/internal-function-construct.js: Added.
2738         (shouldBe):
2739
2740 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2741
2742         [Win] Skip stress/regress-178385.js.
2743         https://bugs.webkit.org/show_bug.cgi?id=179298
2744
2745         Unreviewed test gardening.
2746
2747         * stress/regress-178385.js:
2748
2749 2017-11-03  Keith Miller  <keith_miller@apple.com>
2750
2751         Add test for ic with side effects
2752         https://bugs.webkit.org/show_bug.cgi?id=179268
2753
2754         Reviewed by Saam Barati.
2755
2756         * stress/put-inline-cache-side-effects.js: Added.
2757         (let.i.of.objs.keys):
2758         (f):
2759
2760 2017-11-03  Mark Lam  <mark.lam@apple.com>
2761
2762         CachedCall (and its clients) needs overflow checks.
2763         https://bugs.webkit.org/show_bug.cgi?id=179185
2764
2765         Reviewed by JF Bastien.
2766
2767         * stress/regress-179185.js: Added.
2768
2769 2017-11-02  Michael Saboff  <msaboff@apple.com>
2770
2771         DFG needs to handle code motion of code in for..in loop bodies
2772         https://bugs.webkit.org/show_bug.cgi?id=179212
2773
2774         Reviewed by Keith Miller.
2775
2776         New regression test.
2777
2778         * stress/for-in-side-effects.js: Added.
2779         (getPrototypeOf):
2780         (reset):
2781         (testWithoutFTL.f):
2782         (testWithoutFTL):
2783         (testWithFTL.f):
2784         (testWithFTL):
2785
2786 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2787
2788         AI does not correctly model the clobber case of ArithClz32
2789         https://bugs.webkit.org/show_bug.cgi?id=179188
2790
2791         Reviewed by Michael Saboff.
2792
2793         * stress/arith-clz32-effects.js: Added.
2794         (foo):
2795         (valueOf):
2796
2797 2017-11-01  Michael Saboff  <msaboff@apple.com>
2798
2799         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2800         https://bugs.webkit.org/show_bug.cgi?id=179140
2801
2802         Reviewed by Saam Barati.
2803
2804         New regression test.
2805
2806         * stress/regress-179140.js: Added.
2807         (testWithoutFTL):
2808         (testWithFTL):
2809
2810 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2811
2812         [JSC] Introduce @toObject
2813         https://bugs.webkit.org/show_bug.cgi?id=178726
2814
2815         Reviewed by Saam Barati.
2816
2817         * stress/array-copywithin.js:
2818         (shouldThrow):
2819         * stress/object-constructor-boolean-edge.js: Added.
2820         (shouldBe):
2821         (test):
2822         * stress/object-constructor-global.js: Added.
2823         (shouldBe):
2824         * stress/object-constructor-null-edge.js: Added.
2825         (shouldBe):
2826         (test):
2827         * stress/object-constructor-number-edge.js: Added.
2828         (shouldBe):
2829         (test):
2830         * stress/object-constructor-object-edge.js: Added.
2831         (shouldBe):
2832         (test):
2833         (i.arg):
2834         * stress/object-constructor-string-edge.js: Added.
2835         (shouldBe):
2836         (test):
2837         * stress/object-constructor-symbol-edge.js: Added.
2838         (shouldBe):
2839         (test):
2840         * stress/object-constructor-undefined-edge.js: Added.
2841         (shouldBe):
2842         (test):
2843         * stress/symbol-array-from.js: Added.
2844         (shouldBe):
2845         * stress/to-object-intrinsic-boolean-edge.js: Added.
2846         (shouldBe):
2847         (builtin.createBuiltin):
2848         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2849         (shouldThrow):
2850         * stress/to-object-intrinsic-number-edge.js: Added.
2851         (shouldBe):
2852         (builtin.createBuiltin):
2853         * stress/to-object-intrinsic-object-edge.js: Added.
2854         (shouldBe):
2855         (builtin.createBuiltin):
2856         (i.arg):
2857         * stress/to-object-intrinsic-string-edge.js: Added.
2858         (shouldBe):
2859         (builtin.createBuiltin):
2860         * stress/to-object-intrinsic-symbol-edge.js: Added.
2861         (shouldBe):
2862         (builtin.createBuiltin):
2863         * stress/to-object-intrinsic.js: Added.
2864         (shouldBe):
2865         (shouldThrow):
2866         (builtin.createBuiltin):
2867
2868 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2869
2870         [DFG][FTL] Introduce StringSlice
2871         https://bugs.webkit.org/show_bug.cgi?id=178934
2872
2873         Reviewed by Saam Barati.
2874
2875         * microbenchmarks/string-slice-empty.js: Added.
2876         (slice):
2877         * microbenchmarks/string-slice-one-char.js: Added.
2878         (slice):
2879         * microbenchmarks/string-slice.js: Added.
2880         (slice):
2881
2882 2017-10-26  Michael Saboff  <msaboff@apple.com>
2883
2884         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2885         https://bugs.webkit.org/show_bug.cgi?id=178890
2886
2887         Reviewed by Keith Miller.
2888
2889         New regression test.
2890
2891         * stress/regress-178890.js: Added.
2892
2893 2017-10-26  Mark Lam  <mark.lam@apple.com>
2894
2895         JSRopeString::RopeBuilder::append() should check for overflows.
2896         https://bugs.webkit.org/show_bug.cgi?id=178385
2897         <rdar://problem/35027468>
2898
2899         Reviewed by Saam Barati.
2900
2901         * stress/regress-178385.js: Added.
2902
2903 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2904
2905         Unreviewed, rolling out r223961.
2906
2907         The change that required this has been rolled out.
2908
2909         Reverted changeset:
2910
2911         "Mark test262.yaml/test262/test/language/statements/try/tco-
2912         catch.js as passing."
2913         https://bugs.webkit.org/show_bug.cgi?id=178592
2914         https://trac.webkit.org/changeset/223961
2915
2916 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2917
2918         Unreviewed, rolling out r223691 and r223729.
2919         https://bugs.webkit.org/show_bug.cgi?id=178834
2920
2921         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2922         by rniwa on #webkit).
2923
2924         Reverted changesets:
2925
2926         "Turn recursive tail calls into loops"
2927         https://bugs.webkit.org/show_bug.cgi?id=176601
2928         https://trac.webkit.org/changeset/223691
2929
2930         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2931         comparison is always false due to limited range of data type
2932         [-Wtype-limits]"
2933         https://bugs.webkit.org/show_bug.cgi?id=178543
2934         https://trac.webkit.org/changeset/223729
2935
2936 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2937
2938         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2939         https://bugs.webkit.org/show_bug.cgi?id=178592
2940
2941         Unreviewed test gardening.
2942
2943         * test262.yaml:
2944
2945 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2946
2947         [FTL] Support NewStringObject
2948         https://bugs.webkit.org/show_bug.cgi?id=178737
2949
2950         Reviewed by Saam Barati.
2951
2952         * stress/new-string-object.js: Added.
2953         (shouldBe):
2954         (test):
2955
2956 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2957
2958         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2959         https://bugs.webkit.org/show_bug.cgi?id=178308
2960
2961         Reviewed by Mark Lam.
2962
2963         * test262.yaml:
2964
2965 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2966
2967         [JSC] Use fastJoin in Array#toString
2968         https://bugs.webkit.org/show_bug.cgi?id=178062
2969
2970         Reviewed by Darin Adler.
2971
2972         * microbenchmarks/contiguous-array-to-string.js: Added.
2973         (target):
2974         * microbenchmarks/double-array-to-string.js: Added.
2975         (target):
2976         * microbenchmarks/int32-array-to-string.js: Added.
2977         (target):
2978
2979 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2980
2981         stress/check-string-ident.js is improperly skipped
2982         https://bugs.webkit.org/show_bug.cgi?id=178642
2983
2984         Reviewed by Saam Barati.
2985
2986         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2987         since it enforces the run-jsc-stress-tests script to still set up the
2988         test to run, despite the skip directive that's used before.
2989
2990 2017-10-20  Mark Lam  <mark.lam@apple.com>
2991
2992         Add a test case for r214334.
2993         https://bugs.webkit.org/show_bug.cgi?id=169941
2994         <rdar://problem/31221258>
2995
2996         Reviewed by JF Bastien.
2997
2998         * stress/regress-169941.js: Added.
2999
3000 2017-10-19  JF Bastien  <jfbastien@apple.com>
3001
3002         WebAssembly: no VM / JS version of everything but Instance
3003         https://bugs.webkit.org/show_bug.cgi?id=177473
3004
3005         Reviewed by Filip Pizlo, Saam Barati.
3006
3007         - Exceeding max on memory growth now returns a range error as per
3008         spec. This is a (very minor) breaking change: it used to throw OOM
3009         error. Update the corresponding test.
3010
3011         * wasm/js-api/memory-grow.js:
3012         (assertEq):
3013         * wasm/js-api/table.js:
3014         (assert.throws):
3015
3016 2017-10-19  Mark Lam  <mark.lam@apple.com>
3017
3018         Stringifier::appendStringifiedValue() is missing an exception check.
3019         https://bugs.webkit.org/show_bug.cgi?id=178386
3020         <rdar://problem/35027610>
3021
3022         Reviewed by Saam Barati.
3023
3024         * stress/regress-178386.js: Added.
3025
3026 2017-10-19  Michael Saboff  <msaboff@apple.com>
3027
3028         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3029         https://bugs.webkit.org/show_bug.cgi?id=178521
3030
3031         Reviewed by JF Bastien.
3032
3033         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3034         now passes with the current version (5.0) of the Emoji spec.
3035
3036 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3037
3038         Turn recursive tail calls into loops
3039         https://bugs.webkit.org/show_bug.cgi?id=176601
3040
3041         Reviewed by Saam Barati.
3042
3043         Add some simple test that computes factorial in several ways, and other trivial computations.
3044         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3045         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3046         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3047         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3048
3049         * stress/inline-call-to-recursive-tail-call.js: Added.
3050         (factorial.aux):
3051         (factorial):
3052         (factorial2.aux):
3053         (factorial2.id):
3054         (factorial2):
3055         (factorial3.aux):
3056         (factorial3):
3057         (aux):
3058         (factorial4):
3059         (test):
3060
3061 2017-10-18  Mark Lam  <mark.lam@apple.com>
3062
3063         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3064         https://bugs.webkit.org/show_bug.cgi?id=177600
3065         <rdar://problem/34710985>
3066
3067         Reviewed by Saam Barati.
3068
3069         * stress/regress-177600.js: Added.
3070
3071 2017-10-18  Mark Lam  <mark.lam@apple.com>
3072
3073         The compiler should always register a structure when it adds its transitionWatchPointSet.
3074         https://bugs.webkit.org/show_bug.cgi?id=178420
3075         <rdar://problem/34814024>
3076
3077         Reviewed by Saam Barati and Filip Pizlo.
3078
3079         * stress/regress-178420.js: Added.
3080         (new.Array.10000.map):
3081
3082 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3083
3084         [JSC] __proto__ getter should be fast
3085         https://bugs.webkit.org/show_bug.cgi?id=178067
3086
3087         Reviewed by Saam Barati.
3088
3089         * stress/dfg-object-proto-accessor.js: Added.
3090         (shouldBe):
3091         (shouldThrow):
3092         (target):
3093         * stress/dfg-object-proto-getter.js: Added.
3094         (shouldBe):
3095         (shouldThrow):
3096         (target):
3097         * stress/dfg-object-prototype-of.js: Added.
3098         (shouldBe):
3099         (shouldThrow):
3100         (target):
3101         * stress/dfg-reflect-get-prototype-of.js: Added.
3102         (shouldBe):
3103         (shouldThrow):
3104         (target):
3105         * stress/intrinsic-getter-with-poly-proto.js: Added.
3106         (shouldBe):
3107         (makePolyProtoObject.foo.C):
3108         (makePolyProtoObject.foo):
3109         (makePolyProtoObject):
3110         (target):
3111         * stress/object-get-prototype-of-filtered.js: Added.
3112         (shouldBe):
3113         (shouldThrow):
3114         (target):
3115         (i.Cocoa):
3116         * stress/object-get-prototype-of-mono-proto.js: Added.
3117         (shouldBe):
3118         (makePolyProtoObject.foo.C):
3119         (makePolyProtoObject.foo):
3120         (makePolyProtoObject):
3121         (target):
3122         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3123         (shouldBe):
3124         (makePolyProtoObject.foo.C):
3125         (makePolyProtoObject.foo):
3126         (makePolyProtoObject):
3127         (target):
3128         * stress/object-get-prototype-of-poly-proto.js: Added.
3129         (shouldBe):
3130         (makePolyProtoObject.foo.C):
3131         (makePolyProtoObject.foo):
3132         (makePolyProtoObject):
3133         (target):
3134         * stress/object-proto-getter-filtered.js: Added.
3135         (shouldBe):
3136         (shouldThrow):
3137         (target):
3138         (i.Cocoa):
3139         * stress/object-proto-getter-poly-mono-proto.js: Added.
3140         (shouldBe):
3141         (makePolyProtoObject.foo.C):
3142         (makePolyProtoObject.foo):
3143         (makePolyProtoObject):
3144         (target):
3145         * stress/object-proto-getter-poly-proto.js: Added.
3146         (shouldBe):
3147         (makePolyProtoObject.foo.C):
3148         (makePolyProtoObject.foo):
3149         (makePolyProtoObject):
3150         (target):
3151         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3152         * stress/string-proto.js: Added.
3153         (shouldBe):
3154         (target):
3155
3156 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3157
3158         Unreviewed, rolling out r223523.
3159
3160         A test for this change is failing on debug JSC bots.
3161
3162         Reverted changeset:
3163
3164         "[JSC] __proto__ getter should be fast"
3165         https://bugs.webkit.org/show_bug.cgi?id=178067
3166         https://trac.webkit.org/changeset/223523
3167
3168 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3169
3170         [JSC] __proto__ getter should be fast
3171         https://bugs.webkit.org/show_bug.cgi?id=178067
3172
3173         Reviewed by Saam Barati.
3174
3175         * stress/dfg-object-proto-accessor.js: Added.
3176         (shouldBe):
3177         (shouldThrow):
3178         (target):
3179         * stress/dfg-object-proto-getter.js: Added.
3180         (shouldBe):
3181         (shouldThrow):
3182         (target):
3183         * stress/dfg-object-prototype-of.js: Added.
3184         (shouldBe):
3185         (shouldThrow):
3186         (target):
3187         * stress/dfg-reflect-get-prototype-of.js: Added.
3188         (shouldBe):
3189         (shouldThrow):
3190         (target):
3191         * stress/object-get-prototype-of-filtered.js: Added.
3192         (shouldBe):
3193         (shouldThrow):
3194         (target):
3195         (i.Cocoa):
3196         * stress/object-get-prototype-of-mono-proto.js: Added.
3197         (shouldBe):
3198         (makePolyProtoObject.foo.C):
3199         (makePolyProtoObject.foo):
3200         (makePolyProtoObject):
3201         (target):
3202         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3203         (shouldBe):
3204         (makePolyProtoObject.foo.C):
3205         (makePolyProtoObject.foo):
3206         (makePolyProtoObject):
3207         (target):
3208         * stress/object-get-prototype-of-poly-proto.js: Added.
3209         (shouldBe):
3210         (makePolyProtoObject.foo.C):
3211         (makePolyProtoObject.foo):
3212         (makePolyProtoObject):
3213         (target):
3214         * stress/object-proto-getter-filtered.js: Added.
3215         (shouldBe):
3216         (shouldThrow):
3217         (target):
3218         (i.Cocoa):
3219         * stress/object-proto-getter-poly-mono-proto.js: Added.
3220         (shouldBe):
3221         (makePolyProtoObject.foo.C):
3222         (makePolyProtoObject.foo):
3223         (makePolyProtoObject):
3224         (target):
3225         * stress/object-proto-getter-poly-proto.js: Added.
3226         (shouldBe):
3227         (makePolyProtoObject.foo.C):
3228         (makePolyProtoObject.foo):
3229         (makePolyProtoObject):
3230         (target):
3231         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3232         * stress/string-proto.js: Added.
3233         (shouldBe):
3234         (target):
3235
3236 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3237
3238         Reland "Add Above/Below comparisons for UInt32 patterns"
3239         https://bugs.webkit.org/show_bug.cgi?id=177281
3240
3241         Reviewed by Saam Barati.
3242
3243         * stress/uint32-comparison-jump.js: Added.
3244         (shouldBe):
3245         (above):
3246         (aboveOrEqual):
3247         (below):
3248         (belowOrEqual):
3249         (notAbove):
3250         (notAboveOrEqual):
3251         (notBelow):
3252         (notBelowOrEqual):
3253         * stress/uint32-comparison.js: Added.
3254         (shouldBe):
3255         (above):
3256         (aboveOrEqual):
3257         (below):
3258         (belowOrEqual):
3259         (aboveTest):
3260         (aboveOrEqualTest):
3261         (belowTest):
3262         (belowOrEqualTest):
3263
3264 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3265
3266         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3267         https://bugs.webkit.org/show_bug.cgi?id=178210
3268
3269         Reviewed by Saam Barati.
3270
3271         * wasm/function-tests/trap-from-start-async.js:
3272         (async.StartTrapsAsync):
3273         * wasm/function-tests/trap-from-start.js:
3274         (StartTraps):
3275         * wasm/js-api/web-assembly-function.js:
3276         (assert.eq.Object.getPrototypeOf):
3277         * wasm/js-api/wrapper-function.js:
3278         (return.new.WebAssembly.Module):
3279         (assert.throws.makeInstance): Deleted.
3280         (assert.throws.Bar): Deleted.
3281         (assert.throws): Deleted.
3282
3283 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3284
3285         Enable gigacage on iOS
3286         https://bugs.webkit.org/show_bug.cgi?id=177586
3287
3288         Reviewed by JF Bastien.
3289         
3290         Add tests for when Gigacage gets runtime disabled.
3291
3292         * stress/disable-gigacage-arrays.js: Added.
3293         (foo):
3294         * stress/disable-gigacage-strings.js: Added.
3295         (foo):
3296         * stress/disable-gigacage-typed-arrays.js: Added.
3297         (foo):
3298
3299 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3300
3301         import.meta should not be assignable
3302         https://bugs.webkit.org/show_bug.cgi?id=178202
3303
3304         Reviewed by Saam Barati.
3305
3306         * modules/import-meta-assignment.js: Added.
3307         (shouldThrow):
3308         (SyntaxError.import.meta.can.shouldThrow):
3309
3310 2017-10-11  Saam Barati  <sbarati@apple.com>
3311
3312         Unreviewed. Actually skip certain type profiler tests in debug.
3313
3314         * typeProfiler.yaml:
3315         * typeProfiler/deltablue-for-of.js:
3316         * typeProfiler/getter-richards.js:
3317
3318 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3319
3320         Unreviewed, rolling out r223113 and r223121.
3321         https://bugs.webkit.org/show_bug.cgi?id=178182
3322
3323         Reintroduced 20% regression on Kraken (Requested by rniwa on
3324         #webkit).
3325
3326         Reverted changesets:
3327
3328         "Enable gigacage on iOS"
3329         https://bugs.webkit.org/show_bug.cgi?id=177586
3330         https://trac.webkit.org/changeset/223113
3331
3332         "Use one virtual allocation for all gigacages and their
3333         runways"
3334         https://bugs.webkit.org/show_bug.cgi?id=178050
3335         https://trac.webkit.org/changeset/223121
3336
3337 2017-10-11  Michael Saboff  <msaboff@apple.com>
3338
3339         Disable test262 named capture group tests with direct unicode names and with references before definitions
3340         https://bugs.webkit.org/show_bug.cgi?id=178177
3341
3342         Reviewed by Keith Miller.
3343
3344         Bugs to track fixing these test are:
3345         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3346             "Add support in named capture group identifiers for direct surrogate pairs"
3347         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3348             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3349
3350         * test262.yaml:
3351
3352 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3353
3354         Object properties are undefined in super.call() but not in this.call()
3355         https://bugs.webkit.org/show_bug.cgi?id=177230
3356
3357         Reviewed by Saam Barati.
3358
3359         * stress/super-call-function-subclass.js: Added.
3360         (assert):
3361         (A.prototype.t):
3362         (A):
3363         * stress/super-dot-call-and-apply.js: Added.
3364         (assert):
3365         (A):
3366         (A.prototype.call):
3367         (A.prototype.apply):
3368         (B.prototype.testSuper):
3369         (B):
3370         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3371         (D.prototype.testSuper):
3372         (D):
3373
3374 2017-10-10  Saam Barati  <sbarati@apple.com>
3375
3376         The prototype cache should be aware of the Executable it generates a Structure for
3377         https://bugs.webkit.org/show_bug.cgi?id=177907
3378
3379         Reviewed by Filip Pizlo.
3380
3381         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3382         (assert):
3383         (foo.C):
3384         (foo):
3385         (bar.C):
3386         (bar):
3387         (access):
3388         (makeLongChain):
3389         (accessY):
3390
3391 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3392
3393         `async` should be able to be used as an imported binding name
3394         https://bugs.webkit.org/show_bug.cgi?id=176573
3395
3396         Reviewed by Saam Barati.
3397
3398         * modules/import-default-async.js: Added.
3399         * modules/import-named-async-as.js: Added.
3400         * modules/import-named-async.js: Added.
3401         * modules/import-named-async/target.js: Added.
3402         * modules/import-namespace-async.js: Added.
3403         * test262.yaml:
3404
3405 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3406
3407         Enable gigacage on iOS
3408         https://bugs.webkit.org/show_bug.cgi?id=177586
3409
3410         Reviewed by JF Bastien.
3411         
3412         Add tests for when Gigacage gets runtime disabled.
3413
3414         * stress/disable-gigacage-arrays.js: Added.
3415         (foo):
3416         * stress/disable-gigacage-strings.js: Added.
3417         (foo):
3418         * stress/disable-gigacage-typed-arrays.js: Added.
3419         (foo):
3420
3421 2017-10-09  Michael Saboff  <msaboff@apple.com>
3422
3423         Implement RegExp Unicode property escapes
3424         https://bugs.webkit.org/show_bug.cgi?id=172069
3425
3426         Reviewed by JF Bastien.
3427
3428         Enabled Unicode Property tests.
3429
3430         * test262.yaml:
3431
3432 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3433
3434         Unreviewed, rolling out r223015 and r223025.
3435         https://bugs.webkit.org/show_bug.cgi?id=178093
3436
3437         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3438         #webkit).
3439
3440         Reverted changesets:
3441
3442         "Enable gigacage on iOS"
3443         https://bugs.webkit.org/show_bug.cgi?id=177586
3444         http://trac.webkit.org/changeset/223015
3445
3446         "Unreviewed, disable Gigacage on ARM64 Linux"
3447         https://bugs.webkit.org/show_bug.cgi?id=177586
3448         http://trac.webkit.org/changeset/223025
3449
3450 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3451
3452         Update expectations for test262 tests that pass after r223043.
3453         https://bugs.webkit.org/show_bug.cgi?id=176685
3454
3455         Unreviewed test gardening.
3456
3457         * test262.yaml:
3458
3459 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3460
3461         Unreviewed, rolling out r223022.
3462
3463         This change introduced 18 test262 failures.
3464
3465         Reverted changeset:
3466
3467         "`async` should be able to be used as an imported binding
3468         name"
3469         https://bugs.webkit.org/show_bug.cgi?id=176573
3470         http://trac.webkit.org/changeset/223022
3471
3472 2017-10-09  Saam Barati  <sbarati@apple.com>
3473
3474         3 poly-proto JSC tests timing out on debug after r222827
3475         https://bugs.webkit.org/show_bug.cgi?id=177880
3476         <rdar://problem/34817122>
3477
3478         Unreviewed.
3479
3480         I'm skipping these type profiler tests on debug since they are long running.
3481
3482         * typeProfiler/deltablue-for-of.js:
3483         * typeProfiler/getter-richards.js:
3484
3485 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3486
3487         Safari 10 /11 problem with if (!await get(something)).
3488         https://bugs.webkit.org/show_bug.cgi?id=176685
3489
3490         Reviewed by Saam Barati.
3491
3492         * stress/async-await-basic.js:
3493         (awaitEpression.async):
3494         * stress/async-await-syntax.js:
3495         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3496         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3497
3498 2017-10-08  Saam Barati  <sbarati@apple.com>
3499
3500         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3501
3502         * typeProfiler/deltablue-for-of.js:
3503         * typeProfiler/getter-richards.js:
3504
3505 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3506
3507         `async` should be able to be used as an imported binding name
3508         https://bugs.webkit.org/show_bug.cgi?id=176573
3509
3510         Reviewed by Darin Adler.
3511
3512         * modules/import-default-async.js: Added.
3513         * modules/import-named-async-as.js: Added.
3514         * modules/import-named-async.js: Added.
3515         * modules/import-named-async/target.js: Added.
3516         * modules/import-namespace-async.js: Added.
3517
3518 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3519
3520         Enable gigacage on iOS
3521         https://bugs.webkit.org/show_bug.cgi?id=177586
3522
3523         Reviewed by JF Bastien.
3524         
3525         Add tests for when Gigacage gets runtime disabled.
3526
3527         * stress/disable-gigacage-arrays.js: Added.
3528         (foo):
3529         * stress/disable-gigacage-strings.js: Added.
3530         (foo):
3531         * stress/disable-gigacage-typed-arrays.js: Added.
3532         (foo):
3533
3534 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3535
3536         Unreviewed, rolling out r222791 and r222873.
3537         https://bugs.webkit.org/show_bug.cgi?id=178031
3538
3539         Caused crashes with workers/wasm LayoutTests (Requested by
3540         ryanhaddad on #webkit).
3541
3542         Reverted changesets:
3543
3544         "WebAssembly: no VM / JS version of everything but Instance"
3545         https://bugs.webkit.org/show_bug.cgi?id=177473
3546         http://trac.webkit.org/changeset/222791
3547
3548         "WebAssembly: address no VM / JS follow-ups"
3549         https://bugs.webkit.org/show_bug.cgi?id=177887
3550         http://trac.webkit.org/changeset/222873
3551
3552 2017-10-05  Saam Barati  <sbarati@apple.com>
3553
3554         Make sure all prototypes under poly proto get added into the VM's prototype map
3555         https://bugs.webkit.org/show_bug.cgi?id=177909
3556
3557         Reviewed by Keith Miller.
3558
3559         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3560         (assert):
3561         (foo.C):
3562         (foo):
3563         (set x):
3564
3565 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3566
3567         [JSC] Introduce import.meta
3568         https://bugs.webkit.org/show_bug.cgi?id=177703
3569
3570         Reviewed by Filip Pizlo.
3571
3572         * modules/import-meta-syntax.js: Added.
3573         (shouldThrow):
3574         (shouldNotThrow):
3575         * modules/import-meta.js: Added.
3576         * modules/import-meta/cocoa.js: Added.
3577         * modules/resources/assert.js:
3578         (export.shouldNotThrow):
3579         * stress/import-syntax.js:
3580
3581 2017-10-04  Saam Barati  <sbarati@apple.com>
3582
3583         Make pertinent AccessCases watch the poly proto watchpoint
3584         https://bugs.webkit.org/show_bug.cgi?id=177765
3585
3586         Reviewed by Keith Miller.
3587
3588         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3589         (assert):
3590         (foo.C):
3591         (foo):
3592         (validate):
3593         * stress/poly-proto-clear-stub.js: Added.
3594         (assert):
3595         (foo.C):
3596         (foo):
3597
3598 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3599
3600         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3601
3602         Unreviewed test gardening.
3603
3604         * test262.yaml:
3605
3606 2017-10-04  Saam Barati  <sbarati@apple.com>
3607
3608         3 poly-proto JSC tests timing out on debug after r222827
3609         https://bugs.webkit.org/show_bug.cgi?id=177880
3610
3611         Rubber stamped by Mark Lam.
3612
3613         * microbenchmarks/poly-proto-access.js:
3614         * typeProfiler/deltablue-for-of.js:
3615         * typeProfiler/getter-richards.js:
3616
3617 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3618
3619         Unreviewed, marking tco-catch.js as a failure after test262 update
3620         https://bugs.webkit.org/show_bug.cgi?id=177859
3621
3622         * test262.yaml:
3623
3624 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3625
3626         Unreviewed, marking one async iterator test262 test failed
3627         https://bugs.webkit.org/show_bug.cgi?id=177859
3628
3629         * test262.yaml:
3630
3631 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3632
3633         [Test262] Update Test262 to Oct 4 version
3634         https://bugs.webkit.org/show_bug.cgi?id=177859
3635
3636         Reviewed by Sam Weinig.
3637
3638         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3639         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3640
3641         * test262.yaml:
3642         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3643         (checkSequence):
3644         * test262/harness/typeCoercion.js:
3645         (testCoercibleToIndexZero):
3646         (testCoercibleToIndexOne):
3647         (testCoercibleToIndexFromIndex):
3648         (testNotCoercibleToIndex.testPrimitiveValue):
3649         (testNotCoercibleToInteger):
3650         (testCoercibleToBigIntZero.testPrimitiveValue):
3651         (testCoercibleToBigIntZero):
3652         (testCoercibleToBigIntOne.testPrimitiveValue):
3653         (testCoercibleToBigIntOne):
3654         (testPrimitiveValue):
3655         (testCoercibleToBigIntFromBigInt):
3656         (testNotCoercibleToBigInt.testPrimitiveValue):
3657         (testNotCoercibleToBigInt.testStringValue):
3658         (testNotCoercibleToBigInt):
3659         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3660         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3661         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3662         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3663         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3664         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3665         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3666         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3667         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3668         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3669         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3670         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3671         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3672         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3673         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3674         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3675         (testCoercibleToBigIntZero):
3676         (testCoercibleToBigIntOne):
3677         (testNotCoercibleToBigInt):
3678         (MyError): Deleted.
3679         (valueOf): Deleted.
3680         (toString): Deleted.
3681         (Symbol.toPrimitive): Deleted.
3682         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3683         (testCoercibleToIndexZero):
3684         (testCoercibleToIndexOne):
3685         (testNotCoercibleToIndex):
3686         (MyError): Deleted.
3687         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3688         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3689         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3690         (BigInt.asIntN.valueOf): Deleted.
3691         (BigInt.asIntN.toString): Deleted.
3692         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3693         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3694         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3695         (testCoercibleToBigIntZero):
3696         (testCoercibleToBigIntOne):
3697         (testNotCoercibleToBigInt):
3698         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3699         (testCoercibleToIndexZero):
3700         (testCoercibleToIndexOne):
3701         (testNotCoercibleToIndex):
3702         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3703         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3704         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3705         (bits.valueOf):
3706         (bigint.valueOf):
3707         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3708         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3709         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3710         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3711         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3712         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3713         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3714         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3715         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3716         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3717         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3718         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3719         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3720         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3721         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3722         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3723         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3724         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3725         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3726         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3727         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3728         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3729         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3730         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3731         (replacer):
3732         (BigInt.prototype.toJSON):
3733         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3734         (replacer):
3735         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3736         (BigInt.prototype.toJSON):
3737         * test262/test/built-ins/JSON/stringify/bigint.js:
3738         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3739         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3740         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3741         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3742         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3743         * test262/test/built-ins/Object/proto-from-ctor.js:
3744         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3745         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3746         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3747         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3748         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3749         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3750         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3751         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3752         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3753         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3754         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3755         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3756         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3757         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3758         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3759         * test262/test/built-ins/Proxy/get-fn-realm.js:
3760         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3761         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3762         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3763         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3764         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3765         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3766         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3767         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3768         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3769         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3770         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3771         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3772         (i6.replace):
3773         (i6b.replace):
3774         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3775         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3776         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3777         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3778         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3779         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3780         * test262/test/built-ins/RegExp/u180e.js: Added.
3781         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3782         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3783         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3784         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3785         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3786         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3787         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3788         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3789         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3790         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3791         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3792         * test262/test/built-ins/String/prototype/endsWith/length.js:
3793         * test262/test/built-ins/String/prototype/endsWith/name.js:
3794         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3795         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3796         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3797         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3798         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3799         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3800         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3801         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3802         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3803         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3804         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3805         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3806         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3807         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3808         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3809         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3810         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3811         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3812         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3813         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3814         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3815         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3816         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3817         * test262/test/built-ins/String/prototype/includes/includes.js:
3818         * test262/test/built-ins/String/prototype/includes/length.js:
3819         * test262/test/built-ins/String/prototype/includes/name.js:
3820         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3821         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3822         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3823         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3824         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3825         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3826         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3827         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3828         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3829         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3830         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3831         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3832         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3833         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3834         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3835         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3836         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3837         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3838         * test262/test/built-ins/String/prototype/trim/u180e.js:
3839         * test262/test/built-ins/Symbol/for/cross-realm.js:
3840         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3841         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3842         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3843         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3844         * test262/test/built-ins/Symbol/match/cross-realm.js:
3845         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3846         * test262/test/built-ins/Symbol/search/cross-realm.js:
3847         * test262/test/built-ins/Symbol/species/cross-realm.js:
3848         * test262/test/built-ins/Symbol/split/cross-realm.js:
3849         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3850         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3851         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3852         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3853         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3854         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3855         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3856         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3857         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3858         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3859         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3860         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3861         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3862         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3863         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3864         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3865         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3866         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3867         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3868         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3869         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3870         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3871         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3872         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3873         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3874         * test262/test/language/eval-code/indirect/realm.js:
3875         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3876         (o.get z):
3877         (o.get a):
3878         * test262/test/language/expressions/call/eval-realm-indirect.js:
3879         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3880         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3881         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3882         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3883         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3884         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3885         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3886         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3887         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3888         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3889         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3890         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3891         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3892         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3893         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3894         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3895         * test262/test/language/expressions/less-than/bigint-and-number.js:
3896         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3897         * test262/test/language/expressions/super/realm.js:
3898         * test262/test/language/expressions/tagged-template/cache-realm.js:
3899         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3900         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3901         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3902         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3903         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3904         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3905         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3906         (o.get z):
3907         (o.get a):
3908         * test262/test/language/statements/for-of/iterator-next-reference.js:
3909         (next):
3910         (iterator.next): Deleted.
3911         (x.of.iterable.): Deleted.
3912         (x.of.iterable.get return): Deleted.
3913         (x.of.iterable.iterator.next): Deleted.
3914         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3915         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3916         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3917         * test262/test/language/white-space/mongolian-vowel-separator.js:
3918         * test262/test262-Revision.txt:
3919
3920 2017-10-03  Saam Barati  <sbarati@apple.com>
3921
3922         Implement polymorphic prototypes
3923         https://bugs.webkit.org/show_bug.cgi?id=176391
3924
3925         Reviewed by Filip Pizlo.
3926
3927         * microbenchmarks/poly-proto-access.js: Added.
3928         (assert):
3929         (foo.C):
3930         (foo.C.prototype.get bar):
3931         (foo):
3932         (bar):
3933         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3934         (assert):
3935         (makePolyProtoObject.foo.C):
3936         (makePolyProtoObject.foo):
3937         (makePolyProtoObject):
3938         (performSet):
3939         * microbenchmarks/poly-proto-setter-speed.js: Added.
3940         (assert):
3941         (makePolyProtoObject.foo.C):
3942         (makePolyProtoObject.foo.C.prototype.set p):
3943         (makePolyProtoObject.foo):
3944         (makePolyProtoObject):
3945         (performSet):
3946         * stress/constructor-with-return.js:
3947         (i.tests.forEach.Constructor):
3948         (i.tests.forEach):
3949         (tests.forEach.Constructor): Deleted.
3950         (tests.forEach): Deleted.
3951         * stress/dom-jit-with-poly-proto.js: Added.
3952         (assert):
3953         (makePolyProtoObject.foo.C):
3954         (makePolyProtoObject.foo):
3955         (makePolyProtoObject):
3956         (validate):
3957         * stress/poly-proto-custom-value-and-accessor.js: Added.
3958         (assert):
3959         (makePolyProtoObject.foo.C):
3960         (makePolyProtoObject.foo):
3961         (makePolyProtoObject):
3962         (items.forEach):
3963         (set get for):
3964         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3965         (assert):
3966         (makePolyProtoObject.foo.C):
3967         (makePolyProtoObject.foo):
3968         (makePolyProtoObject):
3969         (foo):
3970         * stress/poly-proto-miss.js: Added.
3971         (makePolyProtoInstanceWithNullPrototype.foo.C):
3972         (makePolyProtoInstanceWithNullPrototype.foo):
3973         (makePolyProtoInstanceWithNullPrototype):
3974         (assert):
3975         (validate):
3976         * stress/poly-proto-op-in-caching.js: Added.
3977         (assert):
3978         (makePolyProtoObject.foo.C):
3979         (makePolyProtoObject.foo):
3980         (makePolyProtoObject):
3981         (validate):
3982         (validate2):
3983         * stress/poly-proto-put-transition.js: Added.
3984         (assert):
3985         (makePolyProtoObject.foo.C):
3986         (makePolyProtoObject.foo):
3987         (makePolyProtoObject):
3988         (performSet):
3989         (i.obj.__proto__.set p):
3990         * stress/poly-proto-set-prototype.js: Added.
3991         (assert):
3992         (let.alternateProto.get x):
3993         (let.alternateProto2.get y):
3994         (let.alternateProto2.get x):
3995         (foo.C):
3996         (foo):
3997         (validate):
3998         * stress/poly-proto-setter.js: Added.
3999         (assert):
4000         (makePolyProtoObject.foo.C):
4001         (makePolyProtoObject.foo.C.prototype.set p):
4002         (makePolyProtoObject.foo.C.prototype.get p):
4003         (makePolyProtoObject.foo):
4004         (makePolyProtoObject):
4005         (performSet):
4006         * stress/poly-proto-using-inheritance.js: Added.
4007         (assert):
4008         (foo.C):
4009         (foo.C.prototype.get baz):
4010         (foo):
4011         (bar.C):
4012         (bar):
4013         (validate):
4014         * stress/primitive-poly-proto.js: Added.
4015         (makePolyProtoInstance.foo.C):
4016         (makePolyProtoInstance.foo):
4017         (makePolyProtoInstance):
4018         (assert):
4019         (validate):
4020         * stress/prototype-is-not-js-object.js: Added.
4021         (foo.bar):
4022         (foo):
4023         (assert):
4024         (validate):
4025         * stress/try-get-by-id-poly-proto.js: Added.
4026         (assert):
4027         (makePolyProtoObject.foo.C):
4028         (makePolyProtoObject.foo):
4029         (makePolyProtoObject):
4030         (tryGetByIdText):
4031         (x.__proto__.get bar):
4032         (validate):
4033         * typeProfiler/overflow.js:
4034
4035 2017-10-03  JF Bastien  <jfbastien@apple.com>
4036
4037         WebAssembly: no VM / JS version of everything but Instance
4038         https://bugs.webkit.org/show_bug.cgi?id=177473
4039
4040         Reviewed by Filip Pizlo.
4041
4042         - Exceeding max on memory growth now returns a range error as per
4043         spec. This is a (very minor) breaking change: it used to throw OOM
4044         error. Update the corresponding test.
4045
4046         * wasm/js-api/memory-grow.js:
4047         (assertEq):
4048         * wasm/js-api/table.js:
4049         (assert.throws):
4050
4051 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
4052
4053         Skip JSC test stress/regress-159779-2.js on debug.
4054         https://bugs.webkit.org/show_bug.cgi?id=177204
4055
4056         Unreviewed test gardening.
4057
4058         * stress/regress-159779-2.js:
4059
4060 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
4061
4062         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
4063         https://bugs.webkit.org/show_bug.cgi?id=175642
4064
4065         Reviewed by Darin Adler.
4066
4067         * ChakraCore/test/Function/apply3.baseline-jsc:
4068
4069 2017-10-01  Commit Queue  <commit-queue@webkit.org>
4070
4071         Unreviewed, rolling out r222564.
4072         https://bugs.webkit.org/show_bug.cgi?id=177720
4073
4074         "It regressed JetStream by 2% on iOS caused by a 50%
4075         regression on the bigfib subtest" (Requested by saamyjoon on
4076         #webkit).
4077
4078         Reverted changeset:
4079
4080         "Add Above/Below comparisons for UInt32 patterns"
4081         https://bugs.webkit.org/show_bug.cgi?id=177281
4082         http://trac.webkit.org/changeset/222564
4083
4084 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4085
4086         [DFG] Support ArrayPush with multiple args
4087         https://bugs.webkit.org/show_bug.cgi?id=175823
4088
4089         Reviewed by Saam Barati.
4090
4091         * microbenchmarks/array-push-0.js: Added.
4092         (arrayPush0):
4093         * microbenchmarks/array-push-1.js: Added.
4094         (arrayPush1):
4095         * microbenchmarks/array-push-2.js: Added.
4096         (arrayPush2):
4097         * microbenchmarks/array-push-3.js: Added.
4098         (arrayPush3):
4099         * stress/array-push-multiple-contiguous.js: Added.
4100         (shouldBe):
4101         (test):
4102         * stress/array-push-multiple-double-nan.js: Added.
4103         (shouldBe):
4104         (test):
4105         * stress/array-push-multiple-double.js: Added.
4106         (shouldBe):
4107         (test):
4108         * stress/array-push-multiple-int32.js: Added.
4109         (shouldBe):
4110         (test):
4111         * stress/array-push-multiple-many-contiguous.js: Added.
4112         (shouldBe):
4113         (test):
4114         * stress/array-push-multiple-many-double.js: Added.
4115         (shouldBe):
4116         (test):
4117         * stress/array-push-multiple-many-int32.js: Added.
4118         (shouldBe):
4119         (test):
4120         * stress/array-push-multiple-many-storage.js: Added.
4121         (shouldBe):
4122         (test):
4123         * stress/array-push-multiple-storage.js: Added.
4124         (shouldBe):
4125         (test):
4126         * stress/array-push-with-force-exit.js: Added.
4127         (target.createBuiltin):
4128
4129 2017-09-29  Saam Barati  <sbarati@apple.com>
4130
4131         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4132         https://bugs.webkit.org/show_bug.cgi?id=177639
4133
4134         Reviewed by Geoffrey Garen.
4135
4136         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
4137         (assert):
4138         (Class):
4139         (items.forEach):
4140         (set get for):
4141
4142 2017-09-29  Commit Queue  <commit-queue@webkit.org>
4143
4144         Unreviewed, rolling out r222563, r222565, and r222581.
4145         https://bugs.webkit.org/show_bug.cgi?id=177675
4146
4147         "It causes a crash when playing youtube videos" (Requested by
4148         saamyjoon on #webkit).
4149
4150         Reverted changesets:
4151
4152         "[DFG] Support ArrayPush with multiple args"
4153         https://bugs.webkit.org/show_bug.cgi?id=175823
4154         http://trac.webkit.org/changeset/222563
4155
4156         "Unreviewed, build fix after r222563"
4157         https://bugs.webkit.org/show_bug.cgi?id=175823
4158         http://trac.webkit.org/changeset/222565
4159
4160         "Unreviewed, fix x86 breaking due to exhausted registers"
4161         https://bugs.webkit.org/show_bug.cgi?id=175823
4162         http://trac.webkit.org/changeset/222581
4163
4164 2017-09-28  Mark Lam  <mark.lam@apple.com>
4165
4166         test262: Unexpected passes after r222617 and r222618.
4167         https://bugs.webkit.org/show_bug.cgi?id=177622
4168         <rdar://problem/34725960>
4169
4170         Reviewed by Saam Barati.
4171
4172         Update test262.yaml for tests that are now passing.
4173
4174         * test262.yaml:
4175
4176 2017-09-27  Michael Saboff  <msaboff@apple.com>
4177
4178         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
4179         https://bugs.webkit.org/show_bug.cgi?id=177570
4180
4181         Reviewed by Filip Pizlo.
4182
4183         New regression test.
4184
4185         * stress/regress-177570.js: Added.
4186
4187 2017-09-28  Michael Saboff  <msaboff@apple.com>
4188
4189         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4190         https://bugs.webkit.org/show_bug.cgi?id=177423
4191
4192         Reviewed by Mark Lam.
4193
4194         Updated regression test.
4195
4196         * stress/regress-177423.js:
4197         (catch):
4198
4199 2017-09-27  Mark Lam  <mark.lam@apple.com>
4200
4201         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
4202         https://bugs.webkit.org/show_bug.cgi?id=177584
4203         <rdar://problem/34463903>
4204
4205         Reviewed by Saam Barati.
4206
4207         * stress/regress-177584.js: Added.
4208         (assertEqual):
4209         (Array.prototype.Symbol.species):
4210
4211 2017-09-27  Saam Barati  <sbarati@apple.com>
4212
4213         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
4214         https://bugs.webkit.org/show_bug.cgi?id=177523
4215
4216         Reviewed by Mark Lam.
4217
4218         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
4219         (assert):
4220         (Test):
4221         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
4222         (addMethods):
4223         (i.Test.prototype.propName):
4224
4225 2017-09-27  Mark Lam  <mark.lam@apple.com>
4226
4227         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4228         https://bugs.webkit.org/show_bug.cgi?id=177423
4229         <rdar://problem/34621320>
4230
4231         Reviewed by Keith Miller.
4232
4233         * stress/regress-177423.js: Added.
4234
4235 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
4236
4237         Add Above/Below comparisons for UInt32 patterns
4238         https://bugs.webkit.org/show_bug.cgi?id=177281
4239
4240         Reviewed by Saam Barati.
4241
4242         * stress/uint32-comparison-jump.js: Added.
4243         (shouldBe):
4244         (above):
4245         (aboveOrEqual):
4246         (below):
4247         (belowOrEqual):
4248         (notAbove):
4249         (notAboveOrEqual):
4250         (notBelow):
4251         (notBelowOrEqual):
4252         * stress/uint32-comparison.js: Added.
4253         (shouldBe):
4254         (above):
4255         (aboveOrEqual):
4256         (below):
4257         (belowOrEqual):
4258         (aboveTest):
4259         (aboveOrEqualTest):
4260         (belowTest):
4261         (belowOrEqualTest):
4262
4263 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
4264
4265         [DFG] Support ArrayPush with multiple args
4266         https://bugs.webkit.org/show_bug.cgi?id=175823
4267
4268         Reviewed by Saam Barati.
4269
4270         * microbenchmarks/array-push-0.js: Added.
4271         (arrayPush0):
4272         * microbenchmarks/array-push-1.js: Added.
4273         (arrayPush1):
4274         * microbenchmarks/array-push-2.js: Added.
4275         (arrayPush2):
4276         * microbenchmarks/array-push-3.js: Added.
4277         (arrayPush3):
4278         * stress/array-push-multiple-contiguous.js: Added.
4279         (shouldBe):
4280         (test):
4281         * stress/array-push-multiple-double-nan.js: Added.
4282         (shouldBe):
4283         (test):
4284         * stress/array-push-multiple-double.js: Added.
4285         (shouldBe):
4286         (test):
4287         * stress/array-push-multiple-int32.js: Added.
4288         (shouldBe):
4289         (test):
4290         * stress/array-push-multiple-many-contiguous.js: Added.
4291         (shouldBe):
4292         (test):
4293         * stress/array-push-multiple-many-double.js: Added.
4294         (shouldBe):
4295         (test):
4296         * stress/array-push-multiple-many-int32.js: Added.
4297         (shouldBe):
4298         (test):
4299         * stress/array-push-multiple-many-storage.js: Added.
4300         (shouldBe):
4301         (test):
4302         * stress/array-push-multiple-storage.js: Added.
4303         (shouldBe):
4304         (test):
4305
4306 2017-09-26  Commit Queue  <commit-queue@webkit.org>
4307
4308         Unreviewed, rolling out r222518.
4309         https://bugs.webkit.org/show_bug.cgi?id=177507
4310
4311         Break the High Sierra build (Requested by yusukesuzuki on
4312         #webkit).
4313
4314         Reverted changeset:
4315
4316         "Add Above/Below comparisons for UInt32 patterns"
4317         https://bugs.webkit.org/show_bug.cgi?id=177281
4318         http://trac.webkit.org/changeset/222518
4319
4320 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4321
4322         Add Above/Below comparisons for UInt32 patterns
4323         https://bugs.webkit.org/show_bug.cgi?id=177281
4324
4325         Reviewed by Saam Barati.
4326
4327         * stress/uint32-comparison-jump.js: Added.
4328         (shouldBe):
4329         (above):
4330         (aboveOrEqual):
4331         (below):
4332         (belowOrEqual):
4333         (notAbove):
4334         (notAboveOrEqual):
4335         (notBelow):
4336         (notBelowOrEqual):
4337         * stress/uint32-comparison.js: Added.
4338         (shouldBe):
4339         (above):
4340         (aboveOrEqual):
4341         (below):
4342         (belowOrEqual):
4343         (aboveTest):
4344         (aboveOrEqualTest):
4345         (belowTest):
4346         (belowOrEqualTest):
4347
4348 2017-09-23  Keith Miller  <keith_miller@apple.com>
4349
4350         Fix infinite looping test262 test
4351         https://bugs.webkit.org/show_bug.cgi?id=177412
4352
4353         Reviewed by Yusuke Suzuki.
4354
4355         This test was poorly designed since failing it would cause the vm
4356         to inifinite loop. I've fixed it locally and will fix it on github pending
4357         the results of next weeks tc39 meeting.
4358
4359         * test262.yaml:
4360         * test262/test/language/statements/for-of/iterator-next-reference.js:
4361
4362 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
4363
4364         test262: $.agent became $262.agent in test262 update
4365         https://bugs.webkit.org/show_bug.cgi?id=177407
4366
4367         Reviewed by Yusuke Suzuki.
4368
4369         * test262.yaml:
4370         ~320 tests pass now that we correctly make $262 available.
4371
4372 2017-09-22  Keith Miller  <keith_miller@apple.com>
4373
4374         Speculatively change iteration protocall to use the same next function
4375         https://bugs.webkit.org/show_bug.cgi?id=175653
4376
4377         Reviewed by Saam Barati.
4378
4379         Change test to match the new iteration behavior.
4380
4381         * stress/spread-optimized-properly.js:
4382
4383 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
4384
4385         [DFG][FTL] Profile array vector length for array allocation
4386         https://bugs.webkit.org/show_bug.cgi?id=177051
4387
4388         Reviewed by Saam Barati.
4389
4390         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4391         (target):
4392
4393 2017-09-22  Commit Queue  <commit-queue@webkit.org>
4394
4395         Unreviewed, rolling out r222380.
4396         https://bugs.webkit.org/show_bug.cgi?id=177352
4397
4398         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
4399         #webkit).
4400
4401         Reverted changeset:
4402
4403         "[DFG][FTL] Profile array vector length for array allocation"