[JSC] Update Test262 to April 6 version
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-08  Valerie Young  <valerie@bocoup.com>
2
3         [JSC] Update Test262 to April 6 version
4         https://bugs.webkit.org/show_bug.cgi?id=184266
5
6         Rubber stamped by Yusuke Suzuki.
7
8 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
9
10         [JSC] Introduce op_get_by_id_direct
11         https://bugs.webkit.org/show_bug.cgi?id=183970
12
13         Reviewed by Filip Pizlo.
14
15         * stress/generator-prototype-copy.js: Added.
16         (gen):
17         (catch):
18         Adopted JF's tests.
19
20         * stress/generator-type-check.js: Added.
21         (shouldThrow):
22         (foo2):
23         (i.shouldThrow):
24         * stress/get-by-id-direct-getter.js: Added.
25         (shouldBe):
26         (shouldThrow):
27         (obj.get hello):
28         (builtin.createBuiltin):
29         (obj2.get length):
30         * stress/get-by-id-direct.js: Added.
31         (shouldBe):
32         (shouldThrow):
33         (builtin.createBuiltin):
34         * test262.yaml:
35         We fixed a long-standing spec compatibility issue.
36         As a result, this patch makes several test262 tests pass!
37
38
39 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
40
41         Unreviewed, annotate test with @skip if $memoryLimited
42         https://bugs.webkit.org/show_bug.cgi?id=183894
43
44         * stress/json-stringified-overflow.js:
45
46 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
47
48         Add svn:eol-style to line-terminator-normalisation-CR.js
49         https://bugs.webkit.org/show_bug.cgi?id=184341
50
51         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
52
53 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
54
55         Unreviewed, remove errant LF from existing test262 test for CR line endings.
56
57         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
58
59 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
60
61         Unreviewed, rolling out r230320.
62
63         Revert fix, as the root cause lies elsewhere.
64
65         Reverted changeset:
66
67         "[test262] Mark line-terminator-normalisation-CR.js as a
68         binary file."
69         https://bugs.webkit.org/show_bug.cgi?id=184341
70         https://trac.webkit.org/changeset/230320
71
72 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
73
74         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
75         https://bugs.webkit.org/show_bug.cgi?id=184341
76
77         Reviewed by Yusuke Suzuki.
78
79         This test is all about CR line endings, but `svn-apply` can't deal with them.
80         Treating the file as binary ensures that its contents are never shown in a diff.
81
82         * .gitattributes: Added.
83
84 2018-04-05  Robin Morisset  <rmorisset@apple.com>
85
86         Fix testcase (missing try/catch).
87         https://bugs.webkit.org/show_bug.cgi?id=183657
88
89         Unreviewed.
90
91         * stress/large-unshift-splice.js:
92
93 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
94
95         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
96         https://bugs.webkit.org/show_bug.cgi?id=184319
97
98         Reviewed by Saam Barati.
99
100         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
101         (foo):
102         (bar):
103         * stress/array-push-nan-to-double-array.js: Added.
104         (foo):
105         (bar):
106
107 2018-04-03  Mark Lam  <mark.lam@apple.com>
108
109         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
110         https://bugs.webkit.org/show_bug.cgi?id=184284
111
112         Reviewed by Saam Barati.
113
114         * stress/js-fixed-array-out-of-memory.js:
115
116 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
117
118         JSC crash in JIT code with for-of loop and Array/Set iterators
119         https://bugs.webkit.org/show_bug.cgi?id=183174
120
121         Reviewed by Saam Barati.
122
123         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
124         (foo):
125         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
126         (f):
127
128 2018-03-30  JF Bastien  <jfbastien@apple.com>
129
130         WebAssembly: support DataView compilation
131         https://bugs.webkit.org/show_bug.cgi?id=183342
132
133         Reviewed by Mark Lam.
134
135         Test WebAssembly compilation using a DataView with offset.
136
137         * wasm/regress/183342.js: Added.
138         (attempt.catch):
139
140 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
141
142         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
143         https://bugs.webkit.org/show_bug.cgi?id=184189
144
145         Reviewed by JF Bastien.
146
147         * stress/load-hole-from-scope-into-live-var.js: Added.
148         (result.eval.try.switch):
149         (catch):
150
151 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
152
153         Unreviewed, rolling out r230102.
154
155         Caused assertion failures on JSC bots.
156
157         Reverted changeset:
158
159         "A stack overflow in the parsing of a builtin (called by
160         createExecutable) cause a crash instead of a catchable js
161         exception"
162         https://bugs.webkit.org/show_bug.cgi?id=184074
163         https://trac.webkit.org/changeset/230102
164
165 2018-03-30  Robin Morisset  <rmorisset@apple.com>
166
167         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
168         https://bugs.webkit.org/show_bug.cgi?id=183812
169
170         Reviewed by Keith Miller.
171
172         * stress/inlining-unreachable-non-tail.js: Added.
173         (foo.):
174         (foo):
175
176 2018-03-30  Robin Morisset  <rmorisset@apple.com>
177
178         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
179         https://bugs.webkit.org/show_bug.cgi?id=184074
180         <rdar://problem/37165897>
181
182         Reviewed by Keith Miller.
183
184         * stress/stack-overflow-while-parsing-builtin.js: Added.
185         (f):
186
187 2018-03-30  Robin Morisset  <rmorisset@apple.com>
188
189         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
190         https://bugs.webkit.org/show_bug.cgi?id=183657
191
192         Reviewed by Keith Miller.
193
194         * stress/large-unshift-splice.js: Added.
195         (make_contig_arr):
196
197 2018-03-28  Robin Morisset  <rmorisset@apple.com>
198
199         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
200         https://bugs.webkit.org/show_bug.cgi?id=183894
201
202         Reviewed by Saam Barati.
203
204         * stress/json-stringified-overflow.js: Added.
205         (catch):
206
207 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
208
209         DFG should know that CreateThis can be effectful
210         https://bugs.webkit.org/show_bug.cgi?id=184013
211
212         Reviewed by Saam Barati.
213
214         * stress/create-this-property-change.js: Added.
215         (Foo):
216         (RealBar):
217         (get if):
218         * stress/create-this-structure-change-without-cse.js: Added.
219         (Foo):
220         (RealBar):
221         (get if):
222         * stress/create-this-structure-change.js: Added.
223         (Foo):
224         (RealBar):
225         (get if):
226
227 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
228
229         [DFG] Introduces fused compare and jump
230         https://bugs.webkit.org/show_bug.cgi?id=177100
231
232         Reviewed by Mark Lam.
233
234         * stress/fused-jeq-slow.js: Added.
235         (shouldBe):
236         (testJEQ):
237         (testJNEQB):
238         (testJEQB):
239         (testJNEQF):
240         (testJEQF):
241         * stress/fused-jeq.js: Added.
242         (shouldBe):
243         (testJEQ):
244         (testJNEQB):
245         (testJEQB):
246         (testJNEQF):
247         (testJEQF):
248         * stress/fused-jstricteq-slow.js: Added.
249         (shouldBe):
250         (testJSTRICTEQ):
251         (testJNSTRICTEQB):
252         (testJSTRICTEQB):
253         (testJNSTRICTEQF):
254         (testJSTRICTEQF):
255         * stress/fused-jstricteq.js: Added.
256         (shouldBe):
257         (testJSTRICTEQ):
258         (testJNSTRICTEQB):
259         (testJSTRICTEQB):
260         (testJNSTRICTEQF):
261         (testJSTRICTEQF):
262
263 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
264
265         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
266         https://bugs.webkit.org/show_bug.cgi?id=183559
267
268         Reviewed by Mark Lam.
269
270         * stress/double-to-string-in-loop-removed.js: Added.
271         (test):
272         * stress/int32-to-string-in-loop-removed.js: Added.
273         (test):
274         * stress/int52-to-string-in-loop-removed.js: Added.
275         (test):
276
277 2018-03-22  Michael Saboff  <msaboff@apple.com>
278
279         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
280         https://bugs.webkit.org/show_bug.cgi?id=183901
281
282         Reviewed by Keith Miller.
283
284         New test.
285
286         * stress/array-reverse-doesnt-clobber.js: Added.
287         (testArrayReverse):
288         (createArrayOfArrays):
289         (createArrayStorage):
290
291 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
292
293         ScopedArguments should do poisoning and index masking
294         https://bugs.webkit.org/show_bug.cgi?id=183863
295
296         Reviewed by Mark Lam.
297         
298         Adds another stress test of scoped arguments.
299
300         * stress/scoped-arguments-test.js: Added.
301         (foo):
302
303 2018-03-20  Saam Barati  <sbarati@apple.com>
304
305         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
306         https://bugs.webkit.org/show_bug.cgi?id=183795
307         <rdar://problem/38298694>
308
309         Reviewed by JF Bastien.
310
311         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
312         (foo):
313         (bar):
314
315 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
316
317         [DFG][FTL] Add vectorLengthHint for NewArray
318         https://bugs.webkit.org/show_bug.cgi?id=183694
319
320         Reviewed by Saam Barati.
321
322         * stress/vector-length-hint-array-constructor.js: Added.
323         (shouldBe):
324         (test):
325         * stress/vector-length-hint-new-array.js: Added.
326         (shouldBe):
327         (test):
328
329 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
330
331         [DFG][FTL] Make ArraySlice(0) code tight
332         https://bugs.webkit.org/show_bug.cgi?id=183590
333
334         Reviewed by Saam Barati.
335
336         * stress/array-slice-with-zero.js: Added.
337         (shouldBe):
338         (test):
339         (test2):
340         * stress/array-slice-zero-args.js: Added.
341         (shouldBe):
342         (test):
343
344 2018-03-14  Caitlin Potter  <caitp@igalia.com>
345
346         [JSC] fix order of evaluation for ClassDefinitionEvaluation
347         https://bugs.webkit.org/show_bug.cgi?id=183523
348
349         Reviewed by Keith Miller.
350
351         Computed property names need to be evaluated in source order during class
352         definition evaluation, as it's observable (and specified to work this way).
353
354         This change improves compatibility with Chromium.
355
356         * stress/class_elements.js: Added.
357         (test):
358         (test.C.prototype.effect):
359         (test.C.effect):
360         (test.C.prototype.get effect):
361         (test.C.prototype.set effect):
362         (test.C):
363
364 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
365
366         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
367         https://bugs.webkit.org/show_bug.cgi?id=183310
368
369         Reviewed by Filip Pizlo.
370
371         * stress/ai-create-this-to-new-object-fire.js: Added.
372         (assert):
373         (test):
374         (func):
375         (check):
376         (test.body.A):
377         (test.body.B):
378         (test.body):
379         * stress/ai-create-this-to-new-object.js: Added.
380         (assert):
381         (test):
382         (func):
383         (check):
384         (test.body.A):
385         (test.body.B):
386         (test.body):
387
388 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
389
390         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
391         https://bugs.webkit.org/show_bug.cgi?id=181848
392
393         Reviewed by Sam Weinig.
394
395         * microbenchmarks/regexp-u-global-es5.js: Added.
396         (fn):
397         * microbenchmarks/regexp-u-global-es6.js: Added.
398         (fn):
399         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
400         (shouldBe):
401         (test):
402         (i.switch):
403         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
404         (shouldBe):
405         (test):
406
407 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
408
409         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
410         https://bugs.webkit.org/show_bug.cgi?id=183334
411
412         Reviewed by Žan Doberšek.
413
414         * stress/var-injection-cache-invalidation.js:
415
416 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
417
418         [ARM] Disable tests that run out of memory
419         https://bugs.webkit.org/show_bug.cgi?id=182699
420
421         Reviewed by Žan Doberšek.
422
423         Skip tests that run out of memory. Do not run
424         modules/module-jit-reachability.js without LLInt to prevent
425         running out of executable memory.
426
427         * modules.yaml:
428         * modules/module-jit-reachability.js:
429         * stress/has-own-property-name-cache-string-keys.js:
430         * stress/has-own-property-name-cache-symbol-keys.js:
431
432 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
433
434         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
435         https://bugs.webkit.org/show_bug.cgi?id=183173
436
437         Reviewed by Saam Barati.
438
439         * stress/async-arrow-function-in-class-heritage.js: Added.
440         (testSyntax):
441         (testSyntaxError):
442         (SyntaxError):
443
444 2018-03-01  Saam Barati  <sbarati@apple.com>
445
446         We need to clear cached structures when having a bad time
447         https://bugs.webkit.org/show_bug.cgi?id=183256
448         <rdar://problem/36245022>
449
450         Reviewed by Mark Lam.
451
452         * stress/having-a-bad-time-with-derived-arrays.js: Added.
453         (assert):
454         (defineSetter):
455         (iterate):
456         (doSlice):
457
458 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
459
460         JSC crash with `import("")`
461         https://bugs.webkit.org/show_bug.cgi?id=183175
462
463         Reviewed by Saam Barati.
464
465         * stress/import-with-empty-string.js: Added.
466
467 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
468
469         Unreviewed, skip FTL tests if FTL is disabled
470         https://bugs.webkit.org/show_bug.cgi?id=183071
471
472         * stress/has-indexed-property-array-storage-ftl.js:
473         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
474
475 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
476
477         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
478         https://bugs.webkit.org/show_bug.cgi?id=182965
479
480         Reviewed by Saam Barati.
481
482         * stress/put-by-val-array-storage.js: Added.
483         (shouldBe):
484         (testArrayStorageInBounds):
485         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
486         (shouldBe):
487         (testInt32.createBuiltin):
488         (set for):
489         * stress/put-by-val-slow-put-array-storage.js: Added.
490         (shouldBe):
491         (testArrayStorageInBounds):
492
493 2018-02-26  Saam Barati  <sbarati@apple.com>
494
495         validateStackAccess should not validate if the offset is within the stack bounds
496         https://bugs.webkit.org/show_bug.cgi?id=183067
497         <rdar://problem/37749988>
498
499         Reviewed by Mark Lam.
500
501         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
502         (assert):
503         (test.a):
504         (test.b):
505         (test):
506
507 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
508
509         Unreviewed, skip FTL tests if FTL is disabled
510         https://bugs.webkit.org/show_bug.cgi?id=183071
511
512         * stress/has-indexed-property-array-storage-ftl.js:
513         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
514
515 2018-02-23  Saam Barati  <sbarati@apple.com>
516
517         Make Number.isInteger an intrinsic
518         https://bugs.webkit.org/show_bug.cgi?id=183088
519
520         Reviewed by JF Bastien.
521
522         * stress/number-is-integer-intrinsic.js: Added.
523
524 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
525
526         WebAssembly: cache memory address / size on instance
527         https://bugs.webkit.org/show_bug.cgi?id=177305
528
529         Reviewed by JF Bastien.
530
531         * wasm/function-tests/memory-reuse.js: Added.
532         (createWasmInstance):
533         (doCheckTrap):
534         (doMemoryGrow):
535         (doCheck):
536         (checkWasmInstancesWithSharedMemory):
537
538 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
539
540         [JSC] Implement $vm.ftlTrue function for FTL testing
541         https://bugs.webkit.org/show_bug.cgi?id=183071
542
543         Reviewed by Mark Lam.
544
545         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
546         (foo):
547         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
548         (foo):
549         * stress/dead-fiat-value-to-int52.js:
550         (foo):
551         * stress/dead-osr-entry-value.js:
552         (foo):
553         * stress/fiat-value-to-int52-then-exit-not-double.js:
554         (foo):
555         * stress/fiat-value-to-int52-then-exit-not-int52.js:
556         (foo):
557         * stress/fiat-value-to-int52-then-fail-to-fold.js:
558         (foo):
559         * stress/fiat-value-to-int52-then-fold.js:
560         (foo):
561         * stress/fiat-value-to-int52.js:
562         (foo):
563         * stress/fold-based-on-int32-proof-mul-branch.js:
564         (foo):
565         * stress/fold-profiled-call-to-call.js:
566         (foo):
567         * stress/fold-to-double-constant-then-exit.js:
568         (foo):
569         * stress/fold-to-int52-constant-then-exit.js:
570         (foo):
571         * stress/fold-to-primitive-in-cfa.js:
572         (foo):
573         * stress/fold-to-primitive-to-identity-in-cfa.js:
574         (foo):
575         * stress/has-indexed-property-array-storage-ftl.js: Added.
576         (shouldBe):
577         (test1):
578         (test2):
579         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
580         (shouldBe):
581         (test1):
582         (test2):
583         * stress/int52-ai-add-then-filter-int32.js:
584         (foo):
585         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
586         (foo):
587         * stress/int52-ai-mul-then-filter-int32.js:
588         (foo):
589         * stress/int52-ai-neg-then-filter-int32.js:
590         (foo):
591         * stress/int52-ai-sub-then-filter-int32.js:
592         (foo):
593         * stress/licm-pre-header-cannot-exit-nested.js:
594         (foo):
595         * stress/licm-pre-header-cannot-exit.js:
596         (foo):
597         * stress/sparse-array-entry-update-144067.js:
598         (useMemoryToTriggerGCs):
599         * stress/test-spec-misc.js:
600         (foo):
601         * stress/tricky-array-bounds-checks.js:
602         (foo):
603
604 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
605
606         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
607         https://bugs.webkit.org/show_bug.cgi?id=182792
608
609         Reviewed by Mark Lam.
610
611         * stress/has-indexed-property-array-storage.js: Added.
612         (shouldBe):
613         (test1):
614         (test2):
615         * stress/has-indexed-property-slow-put-array-storage.js: Added.
616         (shouldBe):
617         (test1):
618         (test2):
619
620 2018-02-20  Saam Barati  <sbarati@apple.com>
621
622         DFG::VarargsForwardingPhase should eliminate getting argument length
623         https://bugs.webkit.org/show_bug.cgi?id=182959
624
625         Reviewed by Keith Miller.
626
627         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
628
629 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
630
631         [FTL] Support ArrayPush for ArrayStorage
632         https://bugs.webkit.org/show_bug.cgi?id=182782
633
634         Reviewed by Saam Barati.
635
636         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
637
638         * stress/array-push-array-storage-beyond-int32.js: Added.
639         (shouldBe):
640         (test):
641         * stress/array-push-array-storage.js: Added.
642         (shouldBe):
643         (test):
644         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
645         (shouldBe):
646         (test):
647         * stress/array-push-multiple-storage-continuous.js: Added.
648         (shouldBe):
649         (test):
650
651 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
652
653         [FTL] Support ArrayPop for ArrayStorage
654         https://bugs.webkit.org/show_bug.cgi?id=182783
655
656         Reviewed by Saam Barati.
657
658         * stress/array-pop-array-storage.js: Added.
659         (shouldBe):
660         (test):
661
662 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
663
664         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
665         https://bugs.webkit.org/show_bug.cgi?id=182731
666
667         Reviewed by Saam Barati.
668
669         * stress/arrayify-array-storage-array.js: Added.
670         (shouldBe):
671         (testArrayStorage):
672         * stress/arrayify-array-storage-non-array.js: Added.
673         (shouldBe):
674         (testArrayStorage):
675         * stress/arrayify-array-storage.js: Added.
676         (shouldBe):
677         (testArrayStorage):
678         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
679         (shouldBe):
680         (testArrayStorage):
681         * stress/arrayify-slow-put-array-storage.js: Added.
682         (shouldBe):
683         (testArrayStorage):
684
685 2018-02-19  Saam Barati  <sbarati@apple.com>
686
687         Don't use JSFunction's allocation profile when getting the prototype can be effectful
688         https://bugs.webkit.org/show_bug.cgi?id=182942
689         <rdar://problem/37584764>
690
691         Reviewed by Mark Lam.
692
693         * stress/get-prototype-create-this-effectful.js: Added.
694
695 2018-02-16  Saam Barati  <sbarati@apple.com>
696
697         Fix bugs from r228411
698         https://bugs.webkit.org/show_bug.cgi?id=182851
699         <rdar://problem/37577732>
700
701         Reviewed by JF Bastien.
702
703         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
704
705 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
706
707         Unreviewed, roll out r228366 since it did not progress anything.
708
709         * stress/gc-error-stack.js: Removed.
710         * stress/no-gc-error-stack.js: Removed.
711
712 2018-02-15  Tomas Popela  <tpopela@redhat.com>
713
714         Many stress tests fail with JIT disabled
715         https://bugs.webkit.org/show_bug.cgi?id=182730
716
717         Reviewed by Saam Barati.
718
719         These tests are broken by design if the JIT is disabled - they test
720         the return value of numberOfDFGCompiles(), which is always set to
721         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
722
723         * stress/arith-abs-on-various-types.js:
724         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
725         * stress/arith-acos-on-various-types.js:
726         * stress/arith-acosh-on-various-types.js:
727         * stress/arith-asin-on-various-types.js:
728         * stress/arith-asinh-on-various-types.js:
729         * stress/arith-atan-on-various-types.js:
730         * stress/arith-atanh-on-various-types.js:
731         * stress/arith-cbrt-on-various-types.js:
732         * stress/arith-ceil-on-various-types.js:
733         * stress/arith-clz32-on-various-types.js:
734         * stress/arith-cos-on-various-types.js:
735         * stress/arith-cosh-on-various-types.js:
736         * stress/arith-expm1-on-various-types.js:
737         * stress/arith-floor-on-various-types.js:
738         * stress/arith-fround-on-various-types.js:
739         * stress/arith-log-on-various-types.js:
740         * stress/arith-log10-on-various-types.js:
741         * stress/arith-log2-on-various-types.js:
742         * stress/arith-negate-on-various-types.js:
743         * stress/arith-round-on-various-types.js:
744         * stress/arith-sin-on-various-types.js:
745         * stress/arith-sinh-on-various-types.js:
746         * stress/arith-sqrt-on-various-types.js:
747         * stress/arith-tan-on-various-types.js:
748         * stress/arith-tanh-on-various-types.js:
749         * stress/arith-trunc-on-various-types.js:
750         * stress/compare-strict-eq-on-various-types.js:
751
752 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
753
754         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
755
756         Unreviewed test gardening.
757
758         * stress/new-largeish-contiguous-array-with-size.js:
759
760 2018-02-14  Saam Barati  <sbarati@apple.com>
761
762         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
763         https://bugs.webkit.org/show_bug.cgi?id=182801
764
765         Reviewed by Keith Miller.
766
767         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
768
769 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
770
771         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
772         https://bugs.webkit.org/show_bug.cgi?id=182526
773
774         Unreviewed test gardening.
775
776         * stress/activation-sink-default-value-tdz-error.js:
777
778 2018-02-13  Saam Barati  <sbarati@apple.com>
779
780         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
781         https://bugs.webkit.org/show_bug.cgi?id=182755
782         <rdar://problem/37080864>
783
784         Reviewed by Keith Miller.
785
786         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
787         (test1.o.get 10005):
788         (test1):
789         (test2.o.get 1000):
790         (test2):
791
792 2018-02-13  Caitlin Potter  <caitp@igalia.com>
793
794         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
795         https://bugs.webkit.org/show_bug.cgi?id=182717
796
797         Reviewed by Yusuke Suzuki.
798
799         https://github.com/tc39/ecma262/pull/890 imposes a change to template
800         literals, to allow template callsite arrays to be collected when the
801         code containing the tagged template call is collected. This spec change
802         has received consensus and been ratified.
803
804         This change eliminates the eternal map associating template contents
805         with arrays.
806
807         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
808         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
809         * stress/tagged-templates-identity.js:
810         * stress/template-string-tags-eval.js:
811         * test262.yaml:
812
813 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
814
815         Support GetArrayLength on ArrayStorage in the FTL
816         https://bugs.webkit.org/show_bug.cgi?id=182625
817
818         Reviewed by Saam Barati.
819
820         * stress/array-storage-length.js: Added.
821         (shouldBe):
822         (testInBound):
823         (testUncountable):
824         (testSlowPutInBound):
825         (testSlowPutUncountable):
826         * stress/undecided-length.js: Added.
827         (shouldBe):
828         (test2):
829
830 2018-02-12  Saam Barati  <sbarati@apple.com>
831
832         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
833         https://bugs.webkit.org/show_bug.cgi?id=182706
834         <rdar://problem/36833681>
835
836         Reviewed by Filip Pizlo.
837
838         * stress/get-array-length-phantom-new-array-buffer.js: Added.
839         (effects):
840         (foo):
841
842 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
843
844         Don't waste memory for error.stack
845         https://bugs.webkit.org/show_bug.cgi?id=182656
846
847         Reviewed by Saam Barati.
848         
849         Tests the policy.
850
851         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
852         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
853
854 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
855
856         [JSC] Update Test262 to Feb 9 version
857         https://bugs.webkit.org/show_bug.cgi?id=182468
858
859         Reviewed by Saam Barati.
860
861 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
862
863         Unreviewed, fix invalid line terminator in old test262 file part 2
864         https://bugs.webkit.org/show_bug.cgi?id=182468
865
866         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
867
868 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
869
870         Unreviewed, fix invalid line terminator in old test262 file
871         https://bugs.webkit.org/show_bug.cgi?id=182468
872
873         * test262/test/language/literals/regexp/7.8.5-1.js:
874
875 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
876
877         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
878         https://bugs.webkit.org/show_bug.cgi?id=182440
879
880         Reviewed by Darin Adler.
881
882         * stress/array-flatmap.js: Added.
883         (shouldBe):
884         (shouldBeArray):
885         (shouldThrow):
886         (var):
887         * stress/array-flatten.js: Added.
888         (shouldBe):
889         (shouldBeArray):
890         * test262.yaml:
891         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
892         (3.flatMap):
893         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
894
895 2018-02-06  Keith Miller  <keith_miller@apple.com>
896
897         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
898         https://bugs.webkit.org/show_bug.cgi?id=182549
899         <rdar://problem/36189995>
900
901         Reviewed by Saam Barati.
902
903         * stress/var-injection-cache-invalidation.js: Added.
904         (allocateLotsOfThings):
905         (test):
906
907 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
908
909         Unreviewed, follow up for test262 update
910         https://bugs.webkit.org/show_bug.cgi?id=182288
911
912         * test262.yaml:
913
914 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
915
916         Update test262 to Jan 30 version
917         https://bugs.webkit.org/show_bug.cgi?id=182288
918
919         Unreviewed test gardening.
920
921         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
922
923 2018-02-02  Saam Barati  <sbarati@apple.com>
924
925         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
926         https://bugs.webkit.org/show_bug.cgi?id=182368
927         <rdar://problem/36932466>
928
929         Reviewed by Mark Lam.
930
931         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
932         (runNearStackLimit.t):
933         (runNearStackLimit):
934         (try.runNearStackLimit):
935         (catch):
936
937 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
938
939         Update test262 to Jan 30 version
940         https://bugs.webkit.org/show_bug.cgi?id=182288
941
942         Rubber stamped by Saam Barati.
943
944         This patch updates test262 to the latest one, Jan 30 version.
945         Since there are too many added and changed files, we cannot create a ChangeLog.
946         The following files are changed.
947
948         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
949         including some special line terminators (like u2028, u2029).
950
951         * test262.yaml:
952         * test262/test262-Revision.txt:
953         * test262/*:
954
955 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
956
957         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
958         https://bugs.webkit.org/show_bug.cgi?id=182411
959
960         Reviewed by Carlos Alberto Lopez Perez.
961
962         This is skipped only on arm memory limited platforms. Until recently
963         it was not a problem on MIPS as the butterfly was not initialized. But
964         since r227435, the butterfly is initialized in that test and therefore
965         memory is allocated, and the test typically takes around 512M, which
966         means it generally gets OOM-killed on the MIPS buildbot.
967
968         * mozilla/mozilla-tests.yaml:
969
970 2018-02-01  Mark Lam  <mark.lam@apple.com>
971
972         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
973         https://bugs.webkit.org/show_bug.cgi?id=182419
974         <rdar://problem/37044945>
975
976         Reviewed by Saam Barati.
977
978         * stress/regress-182419.js: Added.
979
980 2018-02-01  Keith Miller  <keith_miller@apple.com>
981
982         Fix crashes due to mishandling custom sections.
983         https://bugs.webkit.org/show_bug.cgi?id=182404
984         <rdar://problem/36935863>
985
986         Reviewed by Saam Barati.
987
988         * wasm/Builder.js:
989         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
990         * wasm/js-api/validate.js:
991         (assert.truthy):
992
993 2018-01-31  Saam Barati  <sbarati@apple.com>
994
995         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
996         https://bugs.webkit.org/show_bug.cgi?id=182074
997         <rdar://problem/36846261>
998
999         Reviewed by Mark Lam.
1000
1001         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1002         (assert):
1003         (let.func):
1004         (let.o.foo):
1005         (varFunc):
1006
1007 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1008
1009         Unreviewed, update test262 expects
1010         https://bugs.webkit.org/show_bug.cgi?id=182232
1011
1012         * test262.yaml:
1013
1014 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1015
1016         [JSC] Implement trimStart and trimEnd
1017         https://bugs.webkit.org/show_bug.cgi?id=182233
1018
1019         Reviewed by Mark Lam.
1020
1021         * stress/trim.js: Added.
1022         (shouldBe):
1023         (startTest):
1024         (endTest):
1025         (trimTest):
1026
1027 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1028
1029         [JSC] Relax line terminators in String to make JSON subset of JS
1030         https://bugs.webkit.org/show_bug.cgi?id=182232
1031
1032         Reviewed by Keith Miller.
1033
1034         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1035         * stress/relaxed-line-terminators-in-string.js: Added.
1036         (shouldBe):
1037
1038 2018-01-29  Michael Saboff  <msaboff@apple.com>
1039
1040         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1041         https://bugs.webkit.org/show_bug.cgi?id=182249
1042
1043         Reviewed by Keith Miller.
1044
1045         New regression test.
1046
1047         * stress/compare-clobber-untypeduse.js: Added.
1048
1049 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1050
1051         Unreviewed, rolling out r227725.
1052
1053         This caused internal failures.
1054
1055         Reverted changeset:
1056
1057         "JSC Sampling Profiler: Detect tester and testee when sampling
1058         in RegExp JIT"
1059         https://bugs.webkit.org/show_bug.cgi?id=152729
1060         https://trac.webkit.org/changeset/227725
1061
1062 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1063
1064         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1065         https://bugs.webkit.org/show_bug.cgi?id=152729
1066
1067         Reviewed by Saam Barati.
1068
1069         * stress/sampling-profiler-regexp.js: Added.
1070         (platformSupportsSamplingProfiler.test):
1071         (platformSupportsSamplingProfiler.baz):
1072         (platformSupportsSamplingProfiler):
1073
1074 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1075
1076         [DFG][FTL] WeakMap#set should have DFG node
1077         https://bugs.webkit.org/show_bug.cgi?id=180015
1078
1079         Reviewed by Saam Barati.
1080
1081         * stress/weakmap-set-change-get.js: Added.
1082         (shouldBe):
1083         (test):
1084         * stress/weakmap-set-cse.js: Added.
1085         (shouldBe):
1086         (test):
1087         * stress/weakset-add-change-get.js: Added.
1088         (shouldBe):
1089         * stress/weakset-add-cse.js: Added.
1090         (shouldBe):
1091
1092 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1093
1094         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1095         https://bugs.webkit.org/show_bug.cgi?id=182213
1096
1097         Reviewed by Mark Lam.
1098
1099         * stress/int32-min-to-string.js: Added.
1100         (shouldBe):
1101         (test2):
1102         (test4):
1103         (test8):
1104         (test16):
1105         (test32):
1106         * stress/zero-to-string.js: Added.
1107         (shouldBe):
1108         (test2):
1109         (test4):
1110         (test8):
1111         (test16):
1112         (test32):
1113
1114 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1115
1116         Add more module scope related tests with code evaluation by string
1117         https://bugs.webkit.org/show_bug.cgi?id=181983
1118
1119         Reviewed by Sam Weinig.
1120
1121         Add more module scope related tests. When the original tests were landed,
1122         we did not have browser integration. This patch adds more module scope tests
1123         with dynamically created script evaluation. We add tests with Function
1124         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1125
1126         * modules/scopes-eval.js: Added.
1127         (shouldBe):
1128         * modules/scopes.js:
1129         (shouldBe):
1130
1131 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1132
1133         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1134
1135         * microbenchmarks/array-push-3.js: Removed.
1136         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1137         * microbenchmarks/double-to-int32.js: Removed.
1138         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1139         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1140         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1141         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1142         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1143         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1144         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1145         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1146         * microbenchmarks/map-constant-key.js: Removed.
1147         * microbenchmarks/nested-function-parsing.js: Removed.
1148         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1149         * microbenchmarks/spread-large-array.js: Removed.
1150         * microbenchmarks/string-add-constant-folding.js: Removed.
1151         * microbenchmarks/to-lower-case.js: Removed.
1152         * microbenchmarks/undefined-property-access.js: Removed.
1153         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1154         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1155         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1156         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1157         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1158         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1159         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1160         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1161         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1162         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1163         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1164         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1165         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1166         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1167         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1168         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1169         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1170         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1171
1172 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1173
1174         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1175         https://bugs.webkit.org/show_bug.cgi?id=181739
1176         <rdar://problem/36627662>
1177
1178         Reviewed by Saam Barati.
1179
1180         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1181         (foo):
1182         (bar):
1183
1184 2018-01-22  Michael Saboff  <msaboff@apple.com>
1185
1186         DFG abstract interpreter needs to properly model effects of some Math ops
1187         https://bugs.webkit.org/show_bug.cgi?id=181886
1188
1189         Reviewed by Saam Barati.
1190
1191         New regression test.
1192
1193         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1194         (test):
1195
1196 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1197
1198         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1199         https://bugs.webkit.org/show_bug.cgi?id=181182
1200
1201         Reviewed by Darin Adler.
1202
1203         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1204         * stress/big-int-prototype-to-string-exception.js: Added.
1205         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1206         * stress/number-prototype-to-string-cast-overflow.js: Added.
1207         * stress/number-prototype-to-string-exception.js: Added.
1208         * stress/number-prototype-to-string-wrong-values.js: Added.
1209
1210 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1211
1212         Disable Atomics when SharedArrayBuffer isn’t enabled
1213         https://bugs.webkit.org/show_bug.cgi?id=181572
1214
1215         Unreviewed test gardening.
1216
1217         * test262.yaml: Skip tests that fail after this change.
1218
1219 2018-01-19  Saam Barati  <sbarati@apple.com>
1220
1221         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1222         https://bugs.webkit.org/show_bug.cgi?id=181877
1223         <rdar://problem/36630552>
1224
1225         Reviewed by Mark Lam.
1226
1227         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1228         (runNearStackLimit):
1229         (f1):
1230         (f2):
1231         (f3):
1232         (i.catch):
1233         (i.try.runNearStackLimit):
1234         (catch):
1235
1236 2018-01-19  Saam Barati  <sbarati@apple.com>
1237
1238         Spread's effects are modeled incorrectly both in AI and in Clobberize
1239         https://bugs.webkit.org/show_bug.cgi?id=181867
1240         <rdar://problem/36290415>
1241
1242         Reviewed by Michael Saboff.
1243
1244         * stress/ai-needs-to-model-spreads-effects.js: Added.
1245         (try.p.Symbol.iterator):
1246         (try.go):
1247         (catch):
1248         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1249         (assert):
1250         (foo):
1251         (a.Symbol.iterator):
1252
1253 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1254
1255         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1256         https://bugs.webkit.org/show_bug.cgi?id=181535
1257
1258         * stress/inserted-recovery-with-set-last-index.js:
1259
1260 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1261
1262         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1263         https://bugs.webkit.org/show_bug.cgi?id=181535
1264
1265         Reviewed by Saam Barati.
1266
1267         * stress/inserted-recovery-with-set-last-index.js: Added.
1268         (shouldBe):
1269         (foo):
1270         * stress/materialize-regexp-at-osr-exit.js: Added.
1271         (shouldBe):
1272         (test):
1273         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1274         (shouldBe):
1275         (test):
1276         * stress/materialize-regexp-cyclic-regexp.js: Added.
1277         (shouldBe):
1278         (test):
1279         (i.switch):
1280         * stress/materialize-regexp-cyclic.js: Added.
1281         (shouldBe):
1282         (test):
1283         (i.switch):
1284         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1285         (bar):
1286         (foo):
1287         (test):
1288         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1289         (bar):
1290         (foo):
1291         (test):
1292         * stress/materialize-regexp.js: Added.
1293         (shouldBe):
1294         (test):
1295         * stress/phantom-regexp-regexp-exec.js: Added.
1296         (shouldBe):
1297         (test):
1298         * stress/phantom-regexp-string-match.js: Added.
1299         (shouldBe):
1300         (test):
1301         * stress/regexp-last-index-sinking.js: Added.
1302         (shouldBe):
1303         (test):
1304
1305 2018-01-17  Saam Barati  <sbarati@apple.com>
1306
1307         Disable Atomics when SharedArrayBuffer isn’t enabled
1308         https://bugs.webkit.org/show_bug.cgi?id=181572
1309         <rdar://problem/36553206>
1310
1311         Reviewed by Michael Saboff.
1312
1313         * stress/isLockFree.js:
1314
1315 2018-01-17  Saam Barati  <sbarati@apple.com>
1316
1317         DFG::Node::convertToConstant needs to clear the varargs flags
1318         https://bugs.webkit.org/show_bug.cgi?id=181697
1319         <rdar://problem/36497332>
1320
1321         Reviewed by Yusuke Suzuki.
1322
1323         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1324         (doIndexOf):
1325         (bar):
1326         (i.bar):
1327
1328 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1329
1330         Unreviewed, rolling out r226937.
1331
1332         Tests added with this change are failing due to a missing
1333         exception check.
1334
1335         Reverted changeset:
1336
1337         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1338         double to int32_t"
1339         https://bugs.webkit.org/show_bug.cgi?id=181182
1340         https://trac.webkit.org/changeset/226937
1341
1342 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1343
1344         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1345         https://bugs.webkit.org/show_bug.cgi?id=181182
1346
1347         Reviewed by Darin Adler.
1348
1349         * bigIntTests.yaml:
1350         * stress/big-int-constructor.js:
1351         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1352         (assert):
1353         (assertThrowRangeError):
1354         * stress/number-prototype-to-string-cast-overflow.js: Added.
1355         (assert):
1356         (assertThrowRangeError):
1357
1358 2018-01-12  Saam Barati  <sbarati@apple.com>
1359
1360         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1361         https://bugs.webkit.org/show_bug.cgi?id=181177
1362         <rdar://problem/36205704>
1363
1364         Reviewed by Yusuke Suzuki.
1365
1366         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1367         (runNearStackLimit.t):
1368         (runNearStackLimit):
1369         (test.f):
1370         (test):
1371
1372 2018-01-12  Saam Barati  <sbarati@apple.com>
1373
1374         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1375         https://bugs.webkit.org/show_bug.cgi?id=181562
1376         <rdar://problem/36445624>
1377
1378         Reviewed by Yusuke Suzuki.
1379
1380         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1381         (f):
1382         (foo):
1383
1384 2018-01-11  Saam Barati  <sbarati@apple.com>
1385
1386         When inserting Unreachable in byte code parser we need to flush all the right things
1387         https://bugs.webkit.org/show_bug.cgi?id=181509
1388         <rdar://problem/36423110>
1389
1390         Reviewed by Mark Lam.
1391
1392         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1393
1394 2018-01-11  Saam Barati  <sbarati@apple.com>
1395
1396         JITMathIC code in the FTL is wrong when code gets duplicated
1397         https://bugs.webkit.org/show_bug.cgi?id=181525
1398         <rdar://problem/36351993>
1399
1400         Reviewed by Michael Saboff and Keith Miller.
1401
1402         * stress/allow-math-ic-b3-code-duplication.js: Added.
1403
1404 2018-01-11  Saam Barati  <sbarati@apple.com>
1405
1406         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1407         https://bugs.webkit.org/show_bug.cgi?id=181508
1408
1409         Reviewed by Yusuke Suzuki.
1410
1411         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1412         (assert):
1413         (test1.foo):
1414         (test1):
1415         (test2.foo):
1416         (test2):
1417
1418 2018-01-09  Mark Lam  <mark.lam@apple.com>
1419
1420         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1421         https://bugs.webkit.org/show_bug.cgi?id=181388
1422         <rdar://problem/36349351>
1423
1424         Reviewed by Saam Barati.
1425
1426         * stress/regress-181388.js: Added.
1427
1428 2018-01-08  JF Bastien  <jfbastien@apple.com>
1429
1430         WebAssembly: mask indexed accesses to Table
1431         https://bugs.webkit.org/show_bug.cgi?id=181412
1432         <rdar://problem/36363236>
1433
1434         Reviewed by Saam Barati.
1435
1436         Update error messages.
1437
1438         * wasm/js-api/table.js:
1439         (assert.throws.WebAssembly.Table.prototype.grow):
1440
1441 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1442
1443         Disable SharedArrayBuffer tests missed in r226386.
1444         https://bugs.webkit.org/show_bug.cgi?id=181266
1445
1446         Unreviewed test gardening.
1447
1448         * test262.yaml:
1449
1450 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1451
1452         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1453         https://bugs.webkit.org/show_bug.cgi?id=181321
1454
1455         Reviewed by Saam Barati.
1456
1457         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1458         (shouldBe):
1459         (testFunction):
1460         * test262.yaml:
1461
1462 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1463
1464         Unreviewed, attempt to fix test262 after r226386.
1465
1466         * test262.yaml:
1467
1468 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1469
1470         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1471         https://bugs.webkit.org/show_bug.cgi?id=179911
1472
1473         Reviewed by Saam Barati.
1474
1475         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1476
1477         * stress/map-set-change-get.js: Added.
1478         (shouldBe):
1479         (test):
1480         * stress/map-set-create-bucket.js: Added.
1481         (shouldBe):
1482         (test):
1483         * stress/set-add-create-bucket.js: Added.
1484         (shouldBe):
1485
1486 2018-01-03  Michael Saboff  <msaboff@apple.com>
1487
1488         Disable SharedArrayBuffers from Web API
1489         https://bugs.webkit.org/show_bug.cgi?id=181266
1490
1491         Reviewed by Saam Barati.
1492
1493         Disabled SharedArrayBuffer tests.
1494
1495         * stress/SharedArrayBuffer-opt.js:
1496         * stress/SharedArrayBuffer.js:
1497         * stress/array-buffer-byte-length.js:
1498         * stress/atomics-add-uint32.js:
1499         * stress/atomics-known-int-use.js:
1500         * stress/atomics-neg-zero.js:
1501         * stress/atomics-store-return.js:
1502         * stress/lars-sab-workers.js:
1503         * stress/regress-159779-1.js:
1504         * stress/regress-159779-2.js:
1505         * stress/regress-170473.js:
1506         * test262.yaml:
1507
1508 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1509
1510         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1511         https://bugs.webkit.org/show_bug.cgi?id=181258
1512
1513         Reviewed by Antonio Gomes.
1514
1515         * stress/big-int-constructor-gc.js:
1516         * stress/big-int-constructor-oom.js:
1517
1518 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1519
1520         Inlining of a function that ends in op_unreachable crashes
1521         https://bugs.webkit.org/show_bug.cgi?id=181027
1522
1523         Reviewed by Filip Pizlo.
1524
1525         * stress/inlining-unreachable.js: Added.
1526         (bar):
1527         (baz):
1528         (i.catch):
1529
1530 2018-01-02  Saam Barati  <sbarati@apple.com>
1531
1532         Incorrect assertion inside AccessCase
1533         https://bugs.webkit.org/show_bug.cgi?id=181200
1534         <rdar://problem/35494754>
1535
1536         Reviewed by Yusuke Suzuki.
1537
1538         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1539         (ctor):
1540         (theFunc):
1541         (run):
1542
1543 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1544
1545         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1546         https://bugs.webkit.org/show_bug.cgi?id=175359
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         * bigIntTests.yaml:
1551         * stress/big-int-as-key.js: Added.
1552         * stress/big-int-constructor-gc.js: Added.
1553         * stress/big-int-constructor-oom.js: Added.
1554         * stress/big-int-constructor-properties.js: Added.
1555         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1556         * stress/big-int-constructor-prototype.js: Added.
1557         * stress/big-int-constructor.js: Added.
1558         * stress/big-int-function-apply.js:
1559         * stress/big-int-length.js: Added.
1560         * stress/big-int-prop-descriptor.js: Added.
1561         * stress/big-int-proto-constructor.js: Added.
1562         * stress/big-int-proto-name.js: Added.
1563         * stress/big-int-prototype-properties.js: Added.
1564         * stress/big-int-prototype-proto.js: Added.
1565         * stress/big-int-prototype-value-of.js: Added.
1566         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1567         * stress/big-int-prototype-to-string-apply.js: Added.
1568         * stress/big-int-to-object.js: Added.
1569         * stress/big-int-to-string.js: Added.
1570
1571 2017-12-28  Saam Barati  <sbarati@apple.com>
1572
1573         Assertion used to determine if something is an async generator is wrong
1574         https://bugs.webkit.org/show_bug.cgi?id=181168
1575         <rdar://problem/35640560>
1576
1577         Reviewed by Yusuke Suzuki.
1578
1579         * stress/async-generator-assertion.js: Added.
1580
1581 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1582
1583         Skip stress/splay-flash-access tests on memory limited platforms
1584         https://bugs.webkit.org/show_bug.cgi?id=181086
1585
1586         Reviewed by Carlos Alberto Lopez Perez.
1587
1588         These tests use about 185M of memory, and occasionally get OOM-killed
1589         on memory limited platforms.
1590
1591         * stress/splay-flash-access-1ms.js:
1592         * stress/splay-flash-access.js:
1593
1594 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1595
1596         Skip slow jsc tests on embedded platforms
1597         https://bugs.webkit.org/show_bug.cgi?id=180937
1598
1599         Reviewed by Carlos Alberto Lopez Perez.
1600
1601         The tests typeProfiler/deltablue-for-of.js and
1602         typeProfiler/getter-richards.js take a very long time in the
1603         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
1604         thus always timeout. They should be skipped on these platforms.
1605
1606         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1607         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1608
1609 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1610
1611         [JSC] Do not check isValid() in op_new_regexp
1612         https://bugs.webkit.org/show_bug.cgi?id=180970
1613
1614         Reviewed by Saam Barati.
1615
1616         * stress/regexp-syntax-error-invalid-flags.js: Added.
1617         (shouldThrow):
1618
1619 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1620
1621         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1622         https://bugs.webkit.org/show_bug.cgi?id=180712
1623
1624         Reviewed by Michael Catanzaro.
1625
1626         stress/call-apply-exponential-bytecode-size.js crashes if the
1627         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1628         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1629         should skip the test on other platforms.
1630
1631         * stress/call-apply-exponential-bytecode-size.js:
1632
1633 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1634
1635         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1636         https://bugs.webkit.org/show_bug.cgi?id=179762
1637
1638         Reviewed by Saam Barati.
1639
1640         * stress/call-varargs-double-new-array-buffer.js: Added.
1641         (assert):
1642         (bar):
1643         (foo):
1644         * stress/call-varargs-spread-new-array-buffer.js: Added.
1645         (assert):
1646         (bar):
1647         (foo):
1648         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1649         (assert):
1650         (bar):
1651         (foo):
1652         * stress/forward-varargs-double-new-array-buffer.js: Added.
1653         (assert):
1654         (test.baz):
1655         (test.bar):
1656         (test.foo):
1657         (test):
1658         * stress/new-array-buffer-sinking-osrexit.js: Added.
1659         (target):
1660         (test):
1661         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1662         (shouldBe):
1663         (test):
1664         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1665         (shouldBe):
1666         (target):
1667         (test):
1668         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1669         (assert):
1670         (test1.bar):
1671         (test1.foo):
1672         (test1):
1673         (test2.bar):
1674         (test2.foo):
1675         (test3.baz):
1676         (test3.bar):
1677         (test3.foo):
1678         (test4.baz):
1679         (test4.bar):
1680         (test4.foo):
1681         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1682         (assert):
1683         (test.baz):
1684         (test.bar):
1685         (test.foo):
1686         (test):
1687         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1688         (assert):
1689         (baz):
1690         (bar):
1691         (effects):
1692         (foo):
1693
1694 2017-12-14  Saam Barati  <sbarati@apple.com>
1695
1696         The CleanUp after LICM is erroneously removing a Check
1697         https://bugs.webkit.org/show_bug.cgi?id=180852
1698         <rdar://problem/36063494>
1699
1700         Reviewed by Filip Pizlo.
1701
1702         * stress/dont-run-cleanup-after-licm.js: Added.
1703
1704 2017-12-14  Michael Saboff  <msaboff@apple.com>
1705
1706         REGRESSION (r225695): Repro crash on yahoo login page
1707         https://bugs.webkit.org/show_bug.cgi?id=180761
1708
1709         Reviewed by JF Bastien.
1710
1711         New regression test.
1712
1713         * stress/regress-180761.js: Added.
1714
1715 2017-12-13  Keith Miller  <keith_miller@apple.com>
1716
1717         JSObjects should have a mask for loading indexed properties
1718         https://bugs.webkit.org/show_bug.cgi?id=180768
1719
1720         Reviewed by Mark Lam.
1721
1722         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1723         (test):
1724
1725 2017-12-13  Saam Barati  <sbarati@apple.com>
1726
1727         Arrow functions need their own structure because they have different properties than sloppy functions
1728         https://bugs.webkit.org/show_bug.cgi?id=180779
1729         <rdar://problem/35814591>
1730
1731         Reviewed by Mark Lam.
1732
1733         * stress/arrow-function-needs-its-own-structure.js: Added.
1734         (assert):
1735         (readPrototype):
1736         (noInline.let.f1):
1737         (noInline):
1738
1739 2017-12-13  Saam Barati  <sbarati@apple.com>
1740
1741         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1742         https://bugs.webkit.org/show_bug.cgi?id=163579
1743         <rdar://problem/35455798>
1744
1745         Reviewed by Mark Lam.
1746
1747         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1748         (assert):
1749         (test1):
1750         (i.test1):
1751         (i.test1.C):
1752         (i.test1.async.foo):
1753         (i.test1.foo):
1754         (test2):
1755
1756 2017-12-13  Saam Barati  <sbarati@apple.com>
1757
1758         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1759         https://bugs.webkit.org/show_bug.cgi?id=180734
1760         <rdar://problem/35640547>
1761
1762         Reviewed by Yusuke Suzuki.
1763
1764         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1765         (__isPropertyOfType):
1766         (__getProperties):
1767         (__getObjects):
1768         (__getRandomObject):
1769         (theClass.):
1770         (theClass):
1771         (childClass):
1772         (counter.catch):
1773
1774 2017-12-12  Saam Barati  <sbarati@apple.com>
1775
1776         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1777         https://bugs.webkit.org/show_bug.cgi?id=180725
1778         <rdar://problem/35970511>
1779
1780         Reviewed by Michael Saboff.
1781
1782         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1783         (f1):
1784         (f2):
1785         (let.o2.valueOf):
1786
1787 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1788
1789         [JSC] Implement optimized WeakMap and WeakSet
1790         https://bugs.webkit.org/show_bug.cgi?id=179929
1791
1792         Reviewed by Saam Barati.
1793
1794         * microbenchmarks/weak-map-key.js:
1795         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1796         (assert):
1797         (objectKey):
1798         (let.start.Date.now):
1799         * stress/basic-weakmap.js: Added.
1800         (shouldBe):
1801         (test):
1802         * stress/basic-weakset.js: Added.
1803         (shouldBe):
1804         (test.set new):
1805         * stress/weakmap-cse-set-break.js: Added.
1806         (shouldBe):
1807         (test):
1808         * stress/weakmap-cse.js: Added.
1809         (shouldBe):
1810         (test):
1811         * stress/weakmap-gc.js: Added.
1812         (test):
1813         * stress/weakset-cse-add-break.js: Added.
1814         (shouldBe):
1815         (test.set new):
1816         * stress/weakset-cse.js: Added.
1817         (shouldBe):
1818         (test.set new):
1819         * stress/weakset-gc.js: Added.
1820         (test.set add):
1821         (test.set new):
1822         (test):
1823
1824 2017-12-12  Saam Barati  <sbarati@apple.com>
1825
1826         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1827         https://bugs.webkit.org/show_bug.cgi?id=180723
1828         <rdar://problem/35859726>
1829
1830         Reviewed by JF Bastien.
1831
1832         * stress/get-my-argument-by-val-constant-folding.js: Added.
1833         (test):
1834         (catch):
1835
1836 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1837
1838         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1839         https://bugs.webkit.org/show_bug.cgi?id=179000
1840
1841         Reviewed by Darin Adler and Yusuke Suzuki.
1842
1843         * bigIntTests.yaml: Added.
1844         * stress/big-int-literal-line-terminator.js: Added.
1845         * stress/big-int-literals.js: Added.
1846         * stress/big-int-operations-error.js: Added.
1847         * stress/big-int-type-of.js: Added.
1848         * stress/big-int-white-space-trailing-leading.js: Added.
1849         * stress/big-int-function-apply.js: Added.
1850
1851 2017-12-11  Saam Barati  <sbarati@apple.com>
1852
1853         We need to disableCaching() in ErrorInstance when we materialize properties
1854         https://bugs.webkit.org/show_bug.cgi?id=180343
1855         <rdar://problem/35833002>
1856
1857         Reviewed by Mark Lam.
1858
1859         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1860         (assert):
1861         (makeError):
1862         (storeToStack):
1863         (storeToStackAlreadyMaterialized):
1864
1865 2017-12-05  JF Bastien  <jfbastien@apple.com>
1866
1867         WebAssembly: don't eagerly checksum
1868         https://bugs.webkit.org/show_bug.cgi?id=180441
1869         <rdar://problem/35156628>
1870
1871         Reviewed by Saam Barati.
1872
1873         Checksum is now disabled, so tests only have <?> as the module
1874         name.
1875
1876         * wasm/function-tests/nameSection.js:
1877         * wasm/function-tests/stack-overflow.js:
1878         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1879         (assertOverflows.assertThrows):
1880         (assertOverflows):
1881         * wasm/function-tests/stack-trace.js:
1882
1883 2017-12-04  JF Bastien  <jfbastien@apple.com>
1884
1885         Proxy all functions, except the $ objects
1886         https://bugs.webkit.org/show_bug.cgi?id=180375
1887
1888         Reviewed by Saam Barati.
1889
1890         It looks like this test may have broken some executions because I
1891         call some internal objects. Explicitly ignore objects whose name
1892         starts with "$" because it's a bad idea anyways.
1893
1894         * stress/proxy-all-the-parameters.js:
1895         (generateObjects):
1896         (get throw):
1897
1898 2017-12-04  Saam Barati  <sbarati@apple.com>
1899
1900         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1901         https://bugs.webkit.org/show_bug.cgi?id=180366
1902         <rdar://problem/35685877>
1903
1904         Reviewed by Michael Saboff.
1905
1906         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1907         (theParent):
1908         (test1.base.getParentStaticValue):
1909         (test1.base):
1910         (test1.__v_24888.prototype.set prop):
1911         (test1.__v_24888):
1912         (test2.base.getParentStaticValue):
1913         (test2.base):
1914         (test2.__v_24888.prototype.set prop):
1915         (test2.__v_24888):
1916         (test2):
1917
1918 2017-12-01  JF Bastien  <jfbastien@apple.com>
1919
1920         Try proxying all function arguments
1921         https://bugs.webkit.org/show_bug.cgi?id=180306
1922
1923         Reviewed by Saam Barati.
1924
1925         * stress/proxy-all-the-parameters.js: Added.
1926         (isPropertyOfType):
1927         (getProperties):
1928         (generateObjects):
1929         (getObjects):
1930         (getFunctions):
1931         (get throw):
1932         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1933
1934 2017-12-01  JF Bastien  <jfbastien@apple.com>
1935
1936         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1937         https://bugs.webkit.org/show_bug.cgi?id=180297
1938         <rdar://problem/35745556>
1939
1940         Reviewed by Mark Lam.
1941
1942         * stress/math-exceptions.js: Added.
1943         (get try):
1944         (catch):
1945
1946 2017-12-01  JF Bastien  <jfbastien@apple.com>
1947
1948         JavaScriptCore: add test for weird class static getters
1949         https://bugs.webkit.org/show_bug.cgi?id=180281
1950         <rdar://problem/35592139>
1951
1952         Reviewed by Mark Lam.
1953
1954         I fixed a bug for it in r224927 and didn't add a test. Do so.
1955
1956         * stress/class-static-get-weird.js: Added.
1957         (c.prototype.get name):
1958         (c):
1959         (c.prototype.get arguments):
1960         (c.prototype.get caller):
1961         (c.prototype.get length):
1962
1963 2017-12-01  Saam Barati  <sbarati@apple.com>
1964
1965         Having a bad time needs to handle ArrayClass indexing type as well
1966         https://bugs.webkit.org/show_bug.cgi?id=180274
1967         <rdar://problem/35667869>
1968
1969         Reviewed by Keith Miller and Mark Lam.
1970
1971         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1972         (assert):
1973         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1974         (assert):
1975
1976 2017-12-01  JF Bastien  <jfbastien@apple.com>
1977
1978         WebAssembly: restore cached stack limit after out-call
1979         https://bugs.webkit.org/show_bug.cgi?id=179106
1980         <rdar://problem/35337525>
1981
1982         Reviewed by Saam Barati.
1983
1984         * wasm/function-tests/double-instance.js: Added.
1985         (const.imp.boom):
1986         (const.imp.get callAnother):
1987
1988 2017-11-30  JF Bastien  <jfbastien@apple.com>
1989
1990         WebAssembly: improve stack trace
1991         https://bugs.webkit.org/show_bug.cgi?id=179343
1992
1993         Reviewed by Saam Barati.
1994
1995         Update the tests to follow the new format. Notably, SHA1 module
1996         hash is now included in traces, and stubs are properly identified.
1997
1998         * wasm/assert.js: Add an assertion which matches regular expressions.
1999         * wasm/function-tests/nameSection.js:
2000         * wasm/function-tests/stack-overflow.js:
2001         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2002         (assertOverflows.assertThrows.wasm.1):
2003         (assertOverflows.assertThrows.wasm.0):
2004         (assertOverflows.assertThrows):
2005         (assertOverflows):
2006         * wasm/function-tests/stack-trace.js:
2007         (import.Builder.from.string_appeared_here.assert): Deleted.
2008         * wasm/function-tests/trap-after-cross-instance-call.js:
2009         (wasmFrameCountFromError):
2010         * wasm/function-tests/trap-load-2.js:
2011         (wasmFrameCountFromError):
2012         * wasm/function-tests/trap-load.js:
2013         (wasmFrameCountFromError):
2014
2015 2017-11-30  Mark Lam  <mark.lam@apple.com>
2016
2017         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2018         https://bugs.webkit.org/show_bug.cgi?id=180219
2019         <rdar://problem/35696536>
2020
2021         Reviewed by Filip Pizlo.
2022
2023         * stress/regress-180219.js: Added.
2024
2025 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2026
2027         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2028         https://bugs.webkit.org/show_bug.cgi?id=180190
2029
2030         Reviewed by Mark Lam.
2031
2032         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2033         (shouldBe):
2034         (test1):
2035         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2036         (shouldBe):
2037         (test1):
2038         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2039         (shouldBe):
2040         (test1):
2041         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2042         (shouldBe):
2043         (test1):
2044         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2045         (shouldBe):
2046         (test1):
2047         * stress/operation-in-may-have-negative-int32.js: Added.
2048         (shouldBe):
2049         (test2):
2050         * stress/operation-in-negative-int32-cast.js: Added.
2051         (shouldBe):
2052         (test1):
2053
2054 2017-11-28  JF Bastien  <jfbastien@apple.com>
2055
2056         Strict and sloppy functions shouldn't share structure
2057         https://bugs.webkit.org/show_bug.cgi?id=180103
2058         <rdar://problem/35667847>
2059
2060         Reviewed by Saam Barati.
2061
2062         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2063         because the IC was wrong.
2064         (foo):
2065         (bar):
2066         (baz):
2067         (catch):
2068         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2069         in this patch, but may as well test odd strict mode corner cases.
2070         (bar):
2071         (baz):
2072         (catch):
2073         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2074         (foo):
2075         (bar):
2076         (baz):
2077         (catch):
2078         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2079         next file, but with invalidation of the FunctionExecutable's
2080         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2081         slower path.
2082         (foo):
2083         (bar.const.x):
2084         (bar.const.y):
2085         (bar):
2086         (catch):
2087         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2088         strict nesting works correctly.
2089         (foo):
2090         (bar.baz):
2091         (bar):
2092         * stress/strict-function-structure.js: Added. The test used to
2093         assert in objectProtoFuncHasOwnProperty.
2094         (foo):
2095         (bar):
2096         (baz):
2097         * stress/strict-nested-function-structure.js: Added. Nesting.
2098         (foo):
2099         (bar):
2100         (baz.boo):
2101         (baz):
2102
2103 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2104
2105         The recursive tail call optimisation is wrong on closures
2106         https://bugs.webkit.org/show_bug.cgi?id=179835
2107
2108         Reviewed by Saam Barati.
2109
2110         * stress/closure-recursive-tail-call.js: Added.
2111         (makeClosure):
2112
2113 2017-11-27  JF Bastien  <jfbastien@apple.com>
2114
2115         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2116         https://bugs.webkit.org/show_bug.cgi?id=180051
2117         <rdar://problem/35614371>
2118
2119         Reviewed by Saam Barati.
2120
2121         * stress/rest-parameter-negative.js: Added.
2122         (__f_5484):
2123         (catch):
2124         (__f_5485):
2125         (__v_22598.catch):
2126
2127 2017-11-27  Saam Barati  <sbarati@apple.com>
2128
2129         Spread can escape when CreateRest does not
2130         https://bugs.webkit.org/show_bug.cgi?id=180057
2131         <rdar://problem/35676119>
2132
2133         Reviewed by JF Bastien.
2134
2135         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2136         (assert):
2137         (getProperties):
2138         (theFunc):
2139         (let.obj.valueOf):
2140
2141 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2142
2143         [DFG] Add NormalizeMapKey DFG IR
2144         https://bugs.webkit.org/show_bug.cgi?id=179912
2145
2146         Reviewed by Saam Barati.
2147
2148         * stress/map-untyped-normalize-cse.js: Added.
2149         (shouldBe):
2150         (test):
2151         * stress/map-untyped-normalize.js: Added.
2152         (shouldBe):
2153         (test):
2154         * stress/set-untyped-normalize-cse.js: Added.
2155         (shouldBe):
2156         (set return.set has.set has):
2157         * stress/set-untyped-normalize.js: Added.
2158         (shouldBe):
2159         (set return.set has):
2160
2161 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2162
2163         [FTL] Support DeleteById and DeleteByVal
2164         https://bugs.webkit.org/show_bug.cgi?id=180022
2165
2166         Reviewed by Saam Barati.
2167
2168         * stress/delete-by-id.js: Added.
2169         (shouldBe):
2170         (test1):
2171         (test2):
2172         * stress/delete-by-val-ftl.js: Added.
2173         (shouldBe):
2174         (test1):
2175         (test2):
2176
2177 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2178
2179         [DFG] Introduce {Set,Map,WeakMap}Fields
2180         https://bugs.webkit.org/show_bug.cgi?id=179925
2181
2182         Reviewed by Saam Barati.
2183
2184         * stress/map-set-clobber-map-get.js: Added.
2185         (shouldBe):
2186         (test):
2187         * stress/map-set-does-not-clobber-set-has.js: Added.
2188         (shouldBe):
2189         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2190         (shouldBe):
2191         (test):
2192         * stress/set-add-clobber-set-has.js: Added.
2193         (shouldBe):
2194         * stress/set-add-does-not-clobber-map-get.js: Added.
2195         (shouldBe):
2196
2197 2017-11-24  Mark Lam  <mark.lam@apple.com>
2198
2199         Move unsafe jsc shell test functions to the $vm object.
2200         https://bugs.webkit.org/show_bug.cgi?id=179980
2201
2202         Reviewed by Yusuke Suzuki.
2203
2204         * controlFlowProfiler/driver/driver.js:
2205         * controlFlowProfiler/execution-count.js:
2206         * controlFlowProfiler/if-statement.js:
2207         * controlFlowProfiler/loop-statements.js:
2208         * controlFlowProfiler/switch-statements.js:
2209         * controlFlowProfiler/test-jit.js:
2210         * exceptionFuzz/3d-cube.js:
2211         * exceptionFuzz/date-format-xparb.js:
2212         * exceptionFuzz/earley-boyer.js:
2213         * heapProfiler/basic-edges.js:
2214         * heapProfiler/property-edge-types.js:
2215         * microbenchmarks/try-get-by-id-basic.js:
2216         * microbenchmarks/try-get-by-id-polymorphic.js:
2217         * modules/namespace-object-try-get.js:
2218         * stress/argument-count-bytecode.js:
2219         * stress/argument-intrinsic-basic.js:
2220         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2221         * stress/argument-intrinsic-inlining-with-result-escape.js:
2222         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2223         * stress/argument-intrinsic-inlining-with-vararg.js:
2224         * stress/argument-intrinsic-nested-inlining.js:
2225         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2226         * stress/argument-intrinsic-with-stack-write.js:
2227         * stress/arity-mismatch-get-argument.js:
2228         * stress/array-message-passing.js:
2229         * stress/array-push-with-force-exit.js:
2230         * stress/check-dom-with-signature.js:
2231         * stress/check-sub-class.js:
2232         * stress/compare-eq-incomplete-profile.js:
2233         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2234         * stress/do-eval-virtual-call-correctly.js:
2235         * stress/dom-jit-with-poly-proto.js:
2236         * stress/domjit-exception-ic.js:
2237         * stress/domjit-exception.js:
2238         * stress/domjit-getter-complex-with-incorrect-object.js:
2239         * stress/domjit-getter-complex.js:
2240         * stress/domjit-getter-poly.js:
2241         * stress/domjit-getter-proto.js:
2242         * stress/domjit-getter-super-poly.js:
2243         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2244         * stress/domjit-getter-type-check.js:
2245         * stress/domjit-getter.js:
2246         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2247         * stress/for-in-proxy-target-changed-structure.js:
2248         * stress/for-in-proxy.js:
2249         * stress/generational-opaque-roots.js:
2250         * stress/global-const-redeclaration-setting-2.js:
2251         * stress/global-const-redeclaration-setting-3.js:
2252         * stress/global-const-redeclaration-setting-4.js:
2253         * stress/global-const-redeclaration-setting-5.js:
2254         * stress/global-const-redeclaration-setting.js:
2255         * stress/import-basic.js:
2256         * stress/import-from-eval.js:
2257         * stress/import-reject-with-exception.js:
2258         * stress/import-syntax.js:
2259         * stress/impure-get-own-property-slot-inline-cache.js:
2260         * stress/is-constructor.js:
2261         * stress/istypedarrayview-intrinsic.js:
2262         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2263         * stress/jsc-test-functions-should-be-more-robust.js:
2264         * stress/object-toString-with-proxy.js:
2265         * stress/poly-proto-custom-value-and-accessor.js:
2266         * stress/proxy-inline-cache.js:
2267         * stress/re-execute-error-module.js:
2268         * stress/regress-150532.js:
2269         * stress/regress-156992.js:
2270         * stress/regress-179619.js:
2271         * stress/resources/shadow-chicken-support.js:
2272         * stress/runtime-array.js:
2273         * stress/sampling-profiler-microtasks.js:
2274         * stress/shadow-chicken-enabled.js:
2275         * stress/spread-correct-global-object-on-exception.js:
2276         * stress/super-get-by-id.js:
2277         * stress/tailCallForwardArguments.js:
2278         * stress/to-object-intrinsic-boolean-edge.js:
2279         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2280         * stress/to-object-intrinsic-number-edge.js:
2281         * stress/to-object-intrinsic-object-edge.js:
2282         * stress/to-object-intrinsic-string-edge.js:
2283         * stress/to-object-intrinsic-symbol-edge.js:
2284         * stress/to-object-intrinsic.js:
2285         * stress/try-catch-custom-getter-as-get-by-id.js:
2286         * stress/try-get-by-id-poly-proto.js:
2287         * stress/try-get-by-id-should-spill-registers-dfg.js:
2288         * stress/try-get-by-id.js:
2289         * typeProfiler/arrow-functions.js:
2290         * typeProfiler/basic.js:
2291         * typeProfiler/captured.js:
2292         * typeProfiler/classes.js:
2293         * typeProfiler/dfg-jit-optimizations.js:
2294         * typeProfiler/dictionary-mode.js:
2295         * typeProfiler/es6-block-scoping.js:
2296         * typeProfiler/es6-classes.js:
2297         * typeProfiler/inheritance.js:
2298         * typeProfiler/int52-dfg.js:
2299         * typeProfiler/loop.js:
2300         * typeProfiler/optional-fields.js:
2301         * typeProfiler/overflow.js:
2302         * typeProfiler/return.js:
2303         * typeProfiler/symbol.js:
2304         * typeProfiler/weird-prototype-chain.js:
2305
2306 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2307
2308         [DFG][FTL] Support MapSet / SetAdd intrinsics
2309         https://bugs.webkit.org/show_bug.cgi?id=179858
2310
2311         Reviewed by Saam Barati.
2312
2313         * microbenchmarks/map-has-and-set.js: Added.
2314         (test):
2315         * stress/map-set-check-failure.js: Added.
2316         (shouldBe):
2317         (shouldThrow):
2318         (target):
2319         * stress/map-set-cse.js: Added.
2320         (shouldBe):
2321         (test):
2322         * stress/set-add-check-failure.js: Added.
2323         (shouldBe):
2324         (shouldThrow):
2325         (set shouldThrow):
2326         * stress/set-add-cse.js: Added.
2327         (shouldBe):
2328
2329 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2330
2331         [JSC] Allow poly proto for intrinsic getters
2332         https://bugs.webkit.org/show_bug.cgi?id=179550
2333
2334         Reviewed by Saam Barati.
2335
2336         This change is also tested by existing tests.
2337
2338             1. stress/intrinsic-getter-with-poly-proto.js
2339             2. stress/poly-proto-intrinsic-getter-correctness.js
2340
2341         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2342         (shouldBe):
2343         (makePolyProtoObject.foo.C):
2344         (makePolyProtoObject.foo):
2345         (makePolyProtoObject):
2346         (target):
2347         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2348         (shouldBe):
2349         (makePolyProtoObject.foo.C):
2350         (makePolyProtoObject.foo):
2351         (makePolyProtoObject):
2352         (target):
2353
2354 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2355
2356         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2357         https://bugs.webkit.org/show_bug.cgi?id=179744
2358
2359         Reviewed by Michael Catanzaro.
2360
2361         This test uses too much memory for our buildbots on these platforms
2362         and gets OOM-killed.
2363
2364         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2365         Skip if $memoryLimited and linux.
2366
2367 2017-11-17  JF Bastien  <jfbastien@apple.com>
2368
2369         WebAssembly JS API: throw when a promise can't be created
2370         https://bugs.webkit.org/show_bug.cgi?id=179826
2371         <rdar://problem/35455813>
2372
2373         Reviewed by Mark Lam.
2374
2375         Test WebAssembly.{compile,instantiate} where promise creation
2376         fails because of a stack overflow.
2377
2378         * wasm/js-api/promise-stack-overflow.js: Added.
2379         (const.runNearStackLimit.f.const.t):
2380         (async.testCompile):
2381         (async.testInstantiate):
2382
2383 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2384
2385         Unreviewed, mark regress-178385.js as memory exhausting
2386
2387         * stress/regress-178385.js:
2388
2389 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2390
2391         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2392
2393         Unreviewed test gardening.
2394
2395         * test262.yaml:
2396
2397 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2398
2399         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2400         https://bugs.webkit.org/show_bug.cgi?id=179763
2401         <rdar://problem/35550513>
2402
2403         Reviewed by Keith Miller.
2404
2405         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2406
2407         * stress/tdz-this-in-try-catch.js: Added.
2408         (__v_6388):
2409         (__v_6392):
2410
2411 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2412
2413         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2414         https://bugs.webkit.org/show_bug.cgi?id=179594
2415
2416         Reviewed by Saam Barati.
2417
2418         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2419         (shouldBe):
2420         (args):
2421         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2422         (shouldBe):
2423         (args):
2424
2425 2017-11-14  Saam Barati  <sbarati@apple.com>
2426
2427         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2428         https://bugs.webkit.org/show_bug.cgi?id=179639
2429         <rdar://problem/35513018>
2430
2431         Reviewed by JF Bastien.
2432
2433         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2434         (escape):
2435         (i.func):
2436
2437 2017-11-13  Mark Lam  <mark.lam@apple.com>
2438
2439         Add more overflow check book-keeping for MarkedArgumentBuffer.
2440         https://bugs.webkit.org/show_bug.cgi?id=179634
2441         <rdar://problem/35492517>
2442
2443         Reviewed by Saam Barati.
2444
2445         * stress/regress-179634.js: Added.
2446
2447 2017-11-13  Mark Lam  <mark.lam@apple.com>
2448
2449         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2450         https://bugs.webkit.org/show_bug.cgi?id=179619
2451         <rdar://problem/35492518>
2452
2453         Reviewed by Saam Barati.
2454
2455         * stress/regress-179619.js: Added.
2456
2457 2017-11-12  Mark Lam  <mark.lam@apple.com>
2458
2459         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2460         https://bugs.webkit.org/show_bug.cgi?id=179562
2461         <rdar://problem/35467022>
2462
2463         Reviewed by Saam Barati.
2464
2465         * regress-179562.js: Added.
2466
2467 2017-11-08  Saam Barati  <sbarati@apple.com>
2468
2469         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2470         https://bugs.webkit.org/show_bug.cgi?id=177792
2471
2472         Reviewed by Yusuke Suzuki.
2473
2474         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2475         (assert):
2476         (foo.Foo.prototype.ensureX):
2477         (foo.Foo):
2478         (foo):
2479         (access):
2480
2481 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2482
2483         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2484         https://bugs.webkit.org/show_bug.cgi?id=178592
2485
2486         Unreviewed test gardening.
2487
2488         * test262.yaml:
2489
2490 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2491
2492         Turn recursive tail calls into loops
2493         https://bugs.webkit.org/show_bug.cgi?id=176601
2494
2495         Reviewed by Saam Barati.
2496
2497         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2498
2499         Add some simple tests that compute factorial in several ways, and other trivial computations.
2500         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2501         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2502         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2503         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2504
2505         * stress/inline-call-to-recursive-tail-call.js: Added.
2506         (factorial.aux):
2507         (factorial):
2508         (factorial2.aux2):
2509         (factorial2.id):
2510         (factorial2):
2511         (factorial3.aux3):
2512         (factorial3):
2513         (aux4):
2514         (factorial4):
2515         (foo):
2516         (auxBar):
2517         (bar):
2518         (test):
2519
2520 2017-11-07  Mark Lam  <mark.lam@apple.com>
2521
2522         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2523         https://bugs.webkit.org/show_bug.cgi?id=179355
2524         <rdar://problem/35263053>
2525
2526         Reviewed by Saam Barati.
2527
2528         * stress/regress-179355.js: Added.
2529
2530 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2531
2532         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2533         https://bugs.webkit.org/show_bug.cgi?id=144458
2534
2535         Reviewed by Saam Barati.
2536
2537         * microbenchmarks/dfg-internal-function-call.js: Added.
2538         (target):
2539         * microbenchmarks/dfg-internal-function-construct.js: Added.
2540         (target):
2541         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2542         (target):
2543         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2544         (target):
2545         * stress/dfg-internal-function-call.js: Added.
2546         (shouldBe):
2547         (target):
2548         * stress/dfg-internal-function-construct.js: Added.
2549         (shouldBe):
2550         (target):
2551         * stress/internal-function-call.js: Added.
2552         (shouldBe):
2553         * stress/internal-function-construct.js: Added.
2554         (shouldBe):
2555
2556 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2557
2558         [Win] Skip stress/regress-178385.js.
2559         https://bugs.webkit.org/show_bug.cgi?id=179298
2560
2561         Unreviewed test gardening.
2562
2563         * stress/regress-178385.js:
2564
2565 2017-11-03  Keith Miller  <keith_miller@apple.com>
2566
2567         Add test for ic with side effects
2568         https://bugs.webkit.org/show_bug.cgi?id=179268
2569
2570         Reviewed by Saam Barati.
2571
2572         * stress/put-inline-cache-side-effects.js: Added.
2573         (let.i.of.objs.keys):
2574         (f):
2575
2576 2017-11-03  Mark Lam  <mark.lam@apple.com>
2577
2578         CachedCall (and its clients) needs overflow checks.
2579         https://bugs.webkit.org/show_bug.cgi?id=179185
2580
2581         Reviewed by JF Bastien.
2582
2583         * stress/regress-179185.js: Added.
2584
2585 2017-11-02  Michael Saboff  <msaboff@apple.com>
2586
2587         DFG needs to handle code motion of code in for..in loop bodies
2588         https://bugs.webkit.org/show_bug.cgi?id=179212
2589
2590         Reviewed by Keith Miller.
2591
2592         New regression test.
2593
2594         * stress/for-in-side-effects.js: Added.
2595         (getPrototypeOf):
2596         (reset):
2597         (testWithoutFTL.f):
2598         (testWithoutFTL):
2599         (testWithFTL.f):
2600         (testWithFTL):
2601
2602 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2603
2604         AI does not correctly model the clobber case of ArithClz32
2605         https://bugs.webkit.org/show_bug.cgi?id=179188
2606
2607         Reviewed by Michael Saboff.
2608
2609         * stress/arith-clz32-effects.js: Added.
2610         (foo):
2611         (valueOf):
2612
2613 2017-11-01  Michael Saboff  <msaboff@apple.com>
2614
2615         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2616         https://bugs.webkit.org/show_bug.cgi?id=179140
2617
2618         Reviewed by Saam Barati.
2619
2620         New regression test.
2621
2622         * stress/regress-179140.js: Added.
2623         (testWithoutFTL):
2624         (testWithFTL):
2625
2626 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2627
2628         [JSC] Introduce @toObject
2629         https://bugs.webkit.org/show_bug.cgi?id=178726
2630
2631         Reviewed by Saam Barati.
2632
2633         * stress/array-copywithin.js:
2634         (shouldThrow):
2635         * stress/object-constructor-boolean-edge.js: Added.
2636         (shouldBe):
2637         (test):
2638         * stress/object-constructor-global.js: Added.
2639         (shouldBe):
2640         * stress/object-constructor-null-edge.js: Added.
2641         (shouldBe):
2642         (test):
2643         * stress/object-constructor-number-edge.js: Added.
2644         (shouldBe):
2645         (test):
2646         * stress/object-constructor-object-edge.js: Added.
2647         (shouldBe):
2648         (test):
2649         (i.arg):
2650         * stress/object-constructor-string-edge.js: Added.
2651         (shouldBe):
2652         (test):
2653         * stress/object-constructor-symbol-edge.js: Added.
2654         (shouldBe):
2655         (test):
2656         * stress/object-constructor-undefined-edge.js: Added.
2657         (shouldBe):
2658         (test):
2659         * stress/symbol-array-from.js: Added.
2660         (shouldBe):
2661         * stress/to-object-intrinsic-boolean-edge.js: Added.
2662         (shouldBe):
2663         (builtin.createBuiltin):
2664         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2665         (shouldThrow):
2666         * stress/to-object-intrinsic-number-edge.js: Added.
2667         (shouldBe):
2668         (builtin.createBuiltin):
2669         * stress/to-object-intrinsic-object-edge.js: Added.
2670         (shouldBe):
2671         (builtin.createBuiltin):
2672         (i.arg):
2673         * stress/to-object-intrinsic-string-edge.js: Added.
2674         (shouldBe):
2675         (builtin.createBuiltin):
2676         * stress/to-object-intrinsic-symbol-edge.js: Added.
2677         (shouldBe):
2678         (builtin.createBuiltin):
2679         * stress/to-object-intrinsic.js: Added.
2680         (shouldBe):
2681         (shouldThrow):
2682         (builtin.createBuiltin):
2683
2684 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2685
2686         [DFG][FTL] Introduce StringSlice
2687         https://bugs.webkit.org/show_bug.cgi?id=178934
2688
2689         Reviewed by Saam Barati.
2690
2691         * microbenchmarks/string-slice-empty.js: Added.
2692         (slice):
2693         * microbenchmarks/string-slice-one-char.js: Added.
2694         (slice):
2695         * microbenchmarks/string-slice.js: Added.
2696         (slice):
2697
2698 2017-10-26  Michael Saboff  <msaboff@apple.com>
2699
2700         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2701         https://bugs.webkit.org/show_bug.cgi?id=178890
2702
2703         Reviewed by Keith Miller.
2704
2705         New regression test.
2706
2707         * stress/regress-178890.js: Added.
2708
2709 2017-10-26  Mark Lam  <mark.lam@apple.com>
2710
2711         JSRopeString::RopeBuilder::append() should check for overflows.
2712         https://bugs.webkit.org/show_bug.cgi?id=178385
2713         <rdar://problem/35027468>
2714
2715         Reviewed by Saam Barati.
2716
2717         * stress/regress-178385.js: Added.
2718
2719 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2720
2721         Unreviewed, rolling out r223961.
2722
2723         The change that required this has been rolled out.
2724
2725         Reverted changeset:
2726
2727         "Mark test262.yaml/test262/test/language/statements/try/tco-
2728         catch.js as passing."
2729         https://bugs.webkit.org/show_bug.cgi?id=178592
2730         https://trac.webkit.org/changeset/223961
2731
2732 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2733
2734         Unreviewed, rolling out r223691 and r223729.
2735         https://bugs.webkit.org/show_bug.cgi?id=178834
2736
2737         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2738         by rniwa on #webkit).
2739
2740         Reverted changesets:
2741
2742         "Turn recursive tail calls into loops"
2743         https://bugs.webkit.org/show_bug.cgi?id=176601
2744         https://trac.webkit.org/changeset/223691
2745
2746         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2747         comparison is always false due to limited range of data type
2748         [-Wtype-limits]"
2749         https://bugs.webkit.org/show_bug.cgi?id=178543
2750         https://trac.webkit.org/changeset/223729
2751
2752 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2753
2754         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2755         https://bugs.webkit.org/show_bug.cgi?id=178592
2756
2757         Unreviewed test gardening.
2758
2759         * test262.yaml:
2760
2761 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2762
2763         [FTL] Support NewStringObject
2764         https://bugs.webkit.org/show_bug.cgi?id=178737
2765
2766         Reviewed by Saam Barati.
2767
2768         * stress/new-string-object.js: Added.
2769         (shouldBe):
2770         (test):
2771
2772 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2773
2774         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2775         https://bugs.webkit.org/show_bug.cgi?id=178308
2776
2777         Reviewed by Mark Lam.
2778
2779         * test262.yaml:
2780
2781 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2782
2783         [JSC] Use fastJoin in Array#toString
2784         https://bugs.webkit.org/show_bug.cgi?id=178062
2785
2786         Reviewed by Darin Adler.
2787
2788         * microbenchmarks/contiguous-array-to-string.js: Added.
2789         (target):
2790         * microbenchmarks/double-array-to-string.js: Added.
2791         (target):
2792         * microbenchmarks/int32-array-to-string.js: Added.
2793         (target):
2794
2795 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2796
2797         stress/check-string-ident.js is improperly skipped
2798         https://bugs.webkit.org/show_bug.cgi?id=178642
2799
2800         Reviewed by Saam Barati.
2801
2802         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2803         since it enforces the run-jsc-stress-tests script to still set up the
2804         test to run, despite the skip directive that's used before.
2805
2806 2017-10-20  Mark Lam  <mark.lam@apple.com>
2807
2808         Add a test case for r214334.
2809         https://bugs.webkit.org/show_bug.cgi?id=169941
2810         <rdar://problem/31221258>
2811
2812         Reviewed by JF Bastien.
2813
2814         * stress/regress-169941.js: Added.
2815
2816 2017-10-19  JF Bastien  <jfbastien@apple.com>
2817
2818         WebAssembly: no VM / JS version of everything but Instance
2819         https://bugs.webkit.org/show_bug.cgi?id=177473
2820
2821         Reviewed by Filip Pizlo, Saam Barati.
2822
2823         - Exceeding max on memory growth now returns a range error as per
2824         spec. This is a (very minor) breaking change: it used to throw OOM
2825         error. Update the corresponding test.
2826
2827         * wasm/js-api/memory-grow.js:
2828         (assertEq):
2829         * wasm/js-api/table.js:
2830         (assert.throws):
2831
2832 2017-10-19  Mark Lam  <mark.lam@apple.com>
2833
2834         Stringifier::appendStringifiedValue() is missing an exception check.
2835         https://bugs.webkit.org/show_bug.cgi?id=178386
2836         <rdar://problem/35027610>
2837
2838         Reviewed by Saam Barati.
2839
2840         * stress/regress-178386.js: Added.
2841
2842 2017-10-19  Michael Saboff  <msaboff@apple.com>
2843
2844         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2845         https://bugs.webkit.org/show_bug.cgi?id=178521
2846
2847         Reviewed by JF Bastien.
2848
2849         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2850         now passes with the current version (5.0) of the Emoji spec.
2851
2852 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2853
2854         Turn recursive tail calls into loops
2855         https://bugs.webkit.org/show_bug.cgi?id=176601
2856
2857         Reviewed by Saam Barati.
2858
2859         Add some simple tests that compute factorial in several ways, and other trivial computations.
2860         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2861         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2862         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2863         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2864
2865         * stress/inline-call-to-recursive-tail-call.js: Added.
2866         (factorial.aux):
2867         (factorial):
2868         (factorial2.aux):
2869         (factorial2.id):
2870         (factorial2):
2871         (factorial3.aux):
2872         (factorial3):
2873         (aux):
2874         (factorial4):
2875         (test):
2876
2877 2017-10-18  Mark Lam  <mark.lam@apple.com>
2878
2879         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2880         https://bugs.webkit.org/show_bug.cgi?id=177600
2881         <rdar://problem/34710985>
2882
2883         Reviewed by Saam Barati.
2884
2885         * stress/regress-177600.js: Added.
2886
2887 2017-10-18  Mark Lam  <mark.lam@apple.com>
2888
2889         The compiler should always register a structure when it adds its transitionWatchPointSet.
2890         https://bugs.webkit.org/show_bug.cgi?id=178420
2891         <rdar://problem/34814024>
2892
2893         Reviewed by Saam Barati and Filip Pizlo.
2894
2895         * stress/regress-178420.js: Added.
2896         (new.Array.10000.map):
2897
2898 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2899
2900         [JSC] __proto__ getter should be fast
2901         https://bugs.webkit.org/show_bug.cgi?id=178067
2902
2903         Reviewed by Saam Barati.
2904
2905         * stress/dfg-object-proto-accessor.js: Added.
2906         (shouldBe):
2907         (shouldThrow):
2908         (target):
2909         * stress/dfg-object-proto-getter.js: Added.
2910         (shouldBe):
2911         (shouldThrow):
2912         (target):
2913         * stress/dfg-object-prototype-of.js: Added.
2914         (shouldBe):
2915         (shouldThrow):
2916         (target):
2917         * stress/dfg-reflect-get-prototype-of.js: Added.
2918         (shouldBe):
2919         (shouldThrow):
2920         (target):
2921         * stress/intrinsic-getter-with-poly-proto.js: Added.
2922         (shouldBe):
2923         (makePolyProtoObject.foo.C):
2924         (makePolyProtoObject.foo):
2925         (makePolyProtoObject):
2926         (target):
2927         * stress/object-get-prototype-of-filtered.js: Added.
2928         (shouldBe):
2929         (shouldThrow):
2930         (target):
2931         (i.Cocoa):
2932         * stress/object-get-prototype-of-mono-proto.js: Added.
2933         (shouldBe):
2934         (makePolyProtoObject.foo.C):
2935         (makePolyProtoObject.foo):
2936         (makePolyProtoObject):
2937         (target):
2938         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2939         (shouldBe):
2940         (makePolyProtoObject.foo.C):
2941         (makePolyProtoObject.foo):
2942         (makePolyProtoObject):
2943         (target):
2944         * stress/object-get-prototype-of-poly-proto.js: Added.
2945         (shouldBe):
2946         (makePolyProtoObject.foo.C):
2947         (makePolyProtoObject.foo):
2948         (makePolyProtoObject):
2949         (target):
2950         * stress/object-proto-getter-filtered.js: Added.
2951         (shouldBe):
2952         (shouldThrow):
2953         (target):
2954         (i.Cocoa):
2955         * stress/object-proto-getter-poly-mono-proto.js: Added.
2956         (shouldBe):
2957         (makePolyProtoObject.foo.C):
2958         (makePolyProtoObject.foo):
2959         (makePolyProtoObject):
2960         (target):
2961         * stress/object-proto-getter-poly-proto.js: Added.
2962         (shouldBe):
2963         (makePolyProtoObject.foo.C):
2964         (makePolyProtoObject.foo):
2965         (makePolyProtoObject):
2966         (target):
2967         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2968         * stress/string-proto.js: Added.
2969         (shouldBe):
2970         (target):
2971
2972 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2973
2974         Unreviewed, rolling out r223523.
2975
2976         A test for this change is failing on debug JSC bots.
2977
2978         Reverted changeset:
2979
2980         "[JSC] __proto__ getter should be fast"
2981         https://bugs.webkit.org/show_bug.cgi?id=178067
2982         https://trac.webkit.org/changeset/223523
2983
2984 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2985
2986         [JSC] __proto__ getter should be fast
2987         https://bugs.webkit.org/show_bug.cgi?id=178067
2988
2989         Reviewed by Saam Barati.
2990
2991         * stress/dfg-object-proto-accessor.js: Added.
2992         (shouldBe):
2993         (shouldThrow):
2994         (target):
2995         * stress/dfg-object-proto-getter.js: Added.
2996         (shouldBe):
2997         (shouldThrow):
2998         (target):
2999         * stress/dfg-object-prototype-of.js: Added.
3000         (shouldBe):
3001         (shouldThrow):
3002         (target):
3003         * stress/dfg-reflect-get-prototype-of.js: Added.
3004         (shouldBe):
3005         (shouldThrow):
3006         (target):
3007         * stress/object-get-prototype-of-filtered.js: Added.
3008         (shouldBe):
3009         (shouldThrow):
3010         (target):
3011         (i.Cocoa):
3012         * stress/object-get-prototype-of-mono-proto.js: Added.
3013         (shouldBe):
3014         (makePolyProtoObject.foo.C):
3015         (makePolyProtoObject.foo):
3016         (makePolyProtoObject):
3017         (target):
3018         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3019         (shouldBe):
3020         (makePolyProtoObject.foo.C):
3021         (makePolyProtoObject.foo):
3022         (makePolyProtoObject):
3023         (target):
3024         * stress/object-get-prototype-of-poly-proto.js: Added.
3025         (shouldBe):
3026         (makePolyProtoObject.foo.C):
3027         (makePolyProtoObject.foo):
3028         (makePolyProtoObject):
3029         (target):
3030         * stress/object-proto-getter-filtered.js: Added.
3031         (shouldBe):
3032         (shouldThrow):
3033         (target):
3034         (i.Cocoa):
3035         * stress/object-proto-getter-poly-mono-proto.js: Added.
3036         (shouldBe):
3037         (makePolyProtoObject.foo.C):
3038         (makePolyProtoObject.foo):
3039         (makePolyProtoObject):
3040         (target):
3041         * stress/object-proto-getter-poly-proto.js: Added.
3042         (shouldBe):
3043         (makePolyProtoObject.foo.C):
3044         (makePolyProtoObject.foo):
3045         (makePolyProtoObject):
3046         (target):
3047         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3048         * stress/string-proto.js: Added.
3049         (shouldBe):
3050         (target):
3051
3052 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3053
3054         Reland "Add Above/Below comparisons for UInt32 patterns"
3055         https://bugs.webkit.org/show_bug.cgi?id=177281
3056
3057         Reviewed by Saam Barati.
3058
3059         * stress/uint32-comparison-jump.js: Added.
3060         (shouldBe):
3061         (above):
3062         (aboveOrEqual):
3063         (below):
3064         (belowOrEqual):
3065         (notAbove):
3066         (notAboveOrEqual):
3067         (notBelow):
3068         (notBelowOrEqual):
3069         * stress/uint32-comparison.js: Added.
3070         (shouldBe):
3071         (above):
3072         (aboveOrEqual):
3073         (below):
3074         (belowOrEqual):
3075         (aboveTest):
3076         (aboveOrEqualTest):
3077         (belowTest):
3078         (belowOrEqualTest):
3079
3080 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3081
3082         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3083         https://bugs.webkit.org/show_bug.cgi?id=178210
3084
3085         Reviewed by Saam Barati.
3086
3087         * wasm/function-tests/trap-from-start-async.js:
3088         (async.StartTrapsAsync):
3089         * wasm/function-tests/trap-from-start.js:
3090         (StartTraps):
3091         * wasm/js-api/web-assembly-function.js:
3092         (assert.eq.Object.getPrototypeOf):
3093         * wasm/js-api/wrapper-function.js:
3094         (return.new.WebAssembly.Module):
3095         (assert.throws.makeInstance): Deleted.
3096         (assert.throws.Bar): Deleted.
3097         (assert.throws): Deleted.
3098
3099 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3100
3101         Enable gigacage on iOS
3102         https://bugs.webkit.org/show_bug.cgi?id=177586
3103
3104         Reviewed by JF Bastien.
3105         
3106         Add tests for when Gigacage gets runtime disabled.
3107
3108         * stress/disable-gigacage-arrays.js: Added.
3109         (foo):
3110         * stress/disable-gigacage-strings.js: Added.
3111         (foo):
3112         * stress/disable-gigacage-typed-arrays.js: Added.
3113         (foo):
3114
3115 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3116
3117         import.meta should not be assignable
3118         https://bugs.webkit.org/show_bug.cgi?id=178202
3119
3120         Reviewed by Saam Barati.
3121
3122         * modules/import-meta-assignment.js: Added.
3123         (shouldThrow):
3124         (SyntaxError.import.meta.can.shouldThrow):
3125
3126 2017-10-11  Saam Barati  <sbarati@apple.com>
3127
3128         Unreviewed. Actually skip certain type profiler tests in debug.
3129
3130         * typeProfiler.yaml:
3131         * typeProfiler/deltablue-for-of.js:
3132         * typeProfiler/getter-richards.js:
3133
3134 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3135
3136         Unreviewed, rolling out r223113 and r223121.
3137         https://bugs.webkit.org/show_bug.cgi?id=178182
3138
3139         Reintroduced 20% regression on Kraken (Requested by rniwa on
3140         #webkit).
3141
3142         Reverted changesets:
3143
3144         "Enable gigacage on iOS"
3145         https://bugs.webkit.org/show_bug.cgi?id=177586
3146         https://trac.webkit.org/changeset/223113
3147
3148         "Use one virtual allocation for all gigacages and their
3149         runways"
3150         https://bugs.webkit.org/show_bug.cgi?id=178050
3151         https://trac.webkit.org/changeset/223121
3152
3153 2017-10-11  Michael Saboff  <msaboff@apple.com>
3154
3155         Disable test262 named capture group tests with direct unicode names and with references before definitions
3156         https://bugs.webkit.org/show_bug.cgi?id=178177
3157
3158         Reviewed by Keith Miller.
3159
3160         Bugs to track fixing these tests are:
3161         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3162             "Add support in named capture group identifiers for direct surrogate pairs"
3163         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3164             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3165
3166         * test262.yaml:
3167
3168 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3169
3170         Object properties are undefined in super.call() but not in this.call()
3171         https://bugs.webkit.org/show_bug.cgi?id=177230
3172
3173         Reviewed by Saam Barati.
3174
3175         * stress/super-call-function-subclass.js: Added.
3176         (assert):
3177         (A.prototype.t):
3178         (A):
3179         * stress/super-dot-call-and-apply.js: Added.
3180         (assert):
3181         (A):
3182         (A.prototype.call):
3183         (A.prototype.apply):
3184         (B.prototype.testSuper):
3185         (B):
3186         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3187         (D.prototype.testSuper):
3188         (D):
3189
3190 2017-10-10  Saam Barati  <sbarati@apple.com>
3191
3192         The prototype cache should be aware of the Executable it generates a Structure for
3193         https://bugs.webkit.org/show_bug.cgi?id=177907
3194
3195         Reviewed by Filip Pizlo.
3196
3197         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3198         (assert):
3199         (foo.C):
3200         (foo):
3201         (bar.C):
3202         (bar):
3203         (access):
3204         (makeLongChain):
3205         (accessY):
3206
3207 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3208
3209         `async` should be able to be used as an imported binding name
3210         https://bugs.webkit.org/show_bug.cgi?id=176573
3211
3212         Reviewed by Saam Barati.
3213
3214         * modules/import-default-async.js: Added.
3215         * modules/import-named-async-as.js: Added.
3216         * modules/import-named-async.js: Added.
3217         * modules/import-named-async/target.js: Added.
3218         * modules/import-namespace-async.js: Added.
3219         * test262.yaml:
3220
3221 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3222
3223         Enable gigacage on iOS
3224         https://bugs.webkit.org/show_bug.cgi?id=177586
3225
3226         Reviewed by JF Bastien.
3227         
3228         Add tests for when Gigacage gets runtime disabled.
3229
3230         * stress/disable-gigacage-arrays.js: Added.
3231         (foo):
3232         * stress/disable-gigacage-strings.js: Added.
3233         (foo):
3234         * stress/disable-gigacage-typed-arrays.js: Added.
3235         (foo):
3236
3237 2017-10-09  Michael Saboff  <msaboff@apple.com>
3238
3239         Implement RegExp Unicode property escapes
3240         https://bugs.webkit.org/show_bug.cgi?id=172069
3241
3242         Reviewed by JF Bastien.
3243
3244         Enabled Unicode Property tests.
3245
3246         * test262.yaml:
3247
3248 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3249
3250         Unreviewed, rolling out r223015 and r223025.
3251         https://bugs.webkit.org/show_bug.cgi?id=178093
3252
3253         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3254         #webkit).
3255
3256         Reverted changesets:
3257
3258         "Enable gigacage on iOS"
3259         https://bugs.webkit.org/show_bug.cgi?id=177586
3260         http://trac.webkit.org/changeset/223015
3261
3262         "Unreviewed, disable Gigacage on ARM64 Linux"
3263         https://bugs.webkit.org/show_bug.cgi?id=177586
3264         http://trac.webkit.org/changeset/223025
3265
3266 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3267
3268         Update expectations for test262 tests that pass after r223043.
3269         https://bugs.webkit.org/show_bug.cgi?id=176685
3270
3271         Unreviewed test gardening.
3272
3273         * test262.yaml:
3274
3275 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3276
3277         Unreviewed, rolling out r223022.
3278
3279         This change introduced 18 test262 failures.
3280
3281         Reverted changeset:
3282
3283         "`async` should be able to be used as an imported binding
3284         name"
3285         https://bugs.webkit.org/show_bug.cgi?id=176573
3286         http://trac.webkit.org/changeset/223022
3287
3288 2017-10-09  Saam Barati  <sbarati@apple.com>
3289
3290         3 poly-proto JSC tests timing out on debug after r222827
3291         https://bugs.webkit.org/show_bug.cgi?id=177880
3292         <rdar://problem/34817122>
3293
3294         Unreviewed.
3295
3296         I'm skipping these type profiler tests on debug since they are long running.
3297
3298         * typeProfiler/deltablue-for-of.js:
3299         * typeProfiler/getter-richards.js:
3300
3301 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3302
3303         Safari 10 /11 problem with if (!await get(something)).
3304         https://bugs.webkit.org/show_bug.cgi?id=176685
3305
3306         Reviewed by Saam Barati.
3307
3308         * stress/async-await-basic.js:
3309         (awaitEpression.async):
3310         * stress/async-await-syntax.js:
3311         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3312         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3313
3314 2017-10-08  Saam Barati  <sbarati@apple.com>
3315
3316         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3317
3318         * typeProfiler/deltablue-for-of.js:
3319         * typeProfiler/getter-richards.js:
3320
3321 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3322
3323         `async` should be able to be used as an imported binding name
3324         https://bugs.webkit.org/show_bug.cgi?id=176573
3325
3326         Reviewed by Darin Adler.
3327
3328         * modules/import-default-async.js: Added.
3329         * modules/import-named-async-as.js: Added.
3330         * modules/import-named-async.js: Added.
3331         * modules/import-named-async/target.js: Added.
3332         * modules/import-namespace-async.js: Added.
3333
3334 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3335
3336         Enable gigacage on iOS
3337         https://bugs.webkit.org/show_bug.cgi?id=177586
3338
3339         Reviewed by JF Bastien.
3340         
3341         Add tests for when Gigacage gets runtime disabled.
3342
3343         * stress/disable-gigacage-arrays.js: Added.
3344         (foo):
3345         * stress/disable-gigacage-strings.js: Added.
3346         (foo):
3347         * stress/disable-gigacage-typed-arrays.js: Added.
3348         (foo):
3349
3350 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3351
3352         Unreviewed, rolling out r222791 and r222873.
3353         https://bugs.webkit.org/show_bug.cgi?id=178031
3354
3355         Caused crashes with workers/wasm LayoutTests (Requested by
3356         ryanhaddad on #webkit).
3357
3358         Reverted changesets:
3359
3360         "WebAssembly: no VM / JS version of everything but Instance"
3361         https://bugs.webkit.org/show_bug.cgi?id=177473
3362         http://trac.webkit.org/changeset/222791
3363
3364         "WebAssembly: address no VM / JS follow-ups"
3365         https://bugs.webkit.org/show_bug.cgi?id=177887
3366         http://trac.webkit.org/changeset/222873
3367
3368 2017-10-05  Saam Barati  <sbarati@apple.com>
3369
3370         Make sure all prototypes under poly proto get added into the VM's prototype map
3371         https://bugs.webkit.org/show_bug.cgi?id=177909
3372
3373         Reviewed by Keith Miller.
3374
3375         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3376         (assert):
3377         (foo.C):
3378         (foo):
3379         (set x):
3380
3381 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3382
3383         [JSC] Introduce import.meta
3384         https://bugs.webkit.org/show_bug.cgi?id=177703
3385
3386         Reviewed by Filip Pizlo.
3387
3388         * modules/import-meta-syntax.js: Added.
3389         (shouldThrow):
3390         (shouldNotThrow):
3391         * modules/import-meta.js: Added.
3392         * modules/import-meta/cocoa.js: Added.
3393         * modules/resources/assert.js:
3394         (export.shouldNotThrow):
3395         * stress/import-syntax.js:
3396
3397 2017-10-04  Saam Barati  <sbarati@apple.com>
3398
3399         Make pertinent AccessCases watch the poly proto watchpoint
3400         https://bugs.webkit.org/show_bug.cgi?id=177765
3401
3402         Reviewed by Keith Miller.
3403
3404         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3405         (assert):
3406         (foo.C):
3407         (foo):
3408         (validate):
3409         * stress/poly-proto-clear-stub.js: Added.
3410         (assert):
3411         (foo.C):
3412         (foo):
3413
3414 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3415
3416         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3417
3418         Unreviewed test gardening.
3419
3420         * test262.yaml:
3421
3422 2017-10-04  Saam Barati  <sbarati@apple.com>
3423
3424         3 poly-proto JSC tests timing out on debug after r222827
3425         https://bugs.webkit.org/show_bug.cgi?id=177880
3426
3427         Rubber stamped by Mark Lam.
3428
3429         * microbenchmarks/poly-proto-access.js:
3430         * typeProfiler/deltablue-for-of.js:
3431         * typeProfiler/getter-richards.js:
3432
3433 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3434
3435         Unreviewed, marking tco-catch.js as a failure after test262 update
3436         https://bugs.webkit.org/show_bug.cgi?id=177859
3437
3438         * test262.yaml:
3439
3440 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3441
3442         Unreviewed, marking one async iterator test262 test failed
3443         https://bugs.webkit.org/show_bug.cgi?id=177859
3444
3445         * test262.yaml:
3446
3447 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3448
3449         [Test262] Update Test262 to Oct 4 version
3450         https://bugs.webkit.org/show_bug.cgi?id=177859
3451
3452         Reviewed by Sam Weinig.
3453
3454         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3455         we no longer need to mark it skip/fail. Also, this update includes a bunch of BigInt tests.
3456
3457         * test262.yaml:
3458         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3459         (checkSequence):
3460         * test262/harness/typeCoercion.js:
3461         (testCoercibleToIndexZero):
3462         (testCoercibleToIndexOne):
3463         (testCoercibleToIndexFromIndex):
3464         (testNotCoercibleToIndex.testPrimitiveValue):
3465         (testNotCoercibleToInteger):
3466         (testCoercibleToBigIntZero.testPrimitiveValue):
3467         (testCoercibleToBigIntZero):
3468         (testCoercibleToBigIntOne.testPrimitiveValue):
3469         (testCoercibleToBigIntOne):
3470         (testPrimitiveValue):
3471         (testCoercibleToBigIntFromBigInt):
3472         (testNotCoercibleToBigInt.testPrimitiveValue):
3473         (testNotCoercibleToBigInt.testStringValue):
3474         (testNotCoercibleToBigInt):
3475         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3476         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3477         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3478         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3479         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3480         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3481         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3482         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3483         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3484         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3485         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3486         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3487         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3488         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3489         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3490         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3491         (testCoercibleToBigIntZero):
3492         (testCoercibleToBigIntOne):
3493         (testNotCoercibleToBigInt):
3494         (MyError): Deleted.
3495         (valueOf): Deleted.
3496         (toString): Deleted.
3497         (Symbol.toPrimitive): Deleted.
3498         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3499         (testCoercibleToIndexZero):
3500         (testCoercibleToIndexOne):
3501         (testNotCoercibleToIndex):
3502         (MyError): Deleted.
3503         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3504         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3505         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3506         (BigInt.asIntN.valueOf): Deleted.
3507         (BigInt.asIntN.toString): Deleted.
3508         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3509         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3510         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3511         (testCoercibleToBigIntZero):
3512         (testCoercibleToBigIntOne):
3513         (testNotCoercibleToBigInt):
3514         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3515         (testCoercibleToIndexZero):
3516         (testCoercibleToIndexOne):
3517         (testNotCoercibleToIndex):
3518         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3519         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3520         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3521         (bits.valueOf):
3522         (bigint.valueOf):
3523         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3524         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3525         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3526         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3527         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3528         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3529         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3530         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3531         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3532         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3533         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3534         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3535         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3536         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3537         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3538         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3539         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3540         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3541         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3542         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3543         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3544         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3545         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3546         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3547         (replacer):
3548         (BigInt.prototype.toJSON):
3549         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3550         (replacer):
3551         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3552         (BigInt.prototype.toJSON):
3553         * test262/test/built-ins/JSON/stringify/bigint.js:
3554         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3555         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3556         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3557         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3558         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3559         * test262/test/built-ins/Object/proto-from-ctor.js:
3560         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3561         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3562         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3563         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3564         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3565         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3566         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3567         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3568         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3569         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3570         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3571         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3572         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3573         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3574         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3575         * test262/test/built-ins/Proxy/get-fn-realm.js:
3576         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3577         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3578         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3579         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3580         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3581         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3582         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3583         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3584         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3585         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3586         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3587         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3588         (i6.replace):
3589         (i6b.replace):
3590         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3591         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3592         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3593         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3594         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3595         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3596         * test262/test/built-ins/RegExp/u180e.js: Added.
3597         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3598         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3599         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3600         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3601         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3602         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3603         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3604         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3605         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3606         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3607         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3608         * test262/test/built-ins/String/prototype/endsWith/length.js:
3609         * test262/test/built-ins/String/prototype/endsWith/name.js:
3610         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3611         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3612         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3613         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3614         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3615         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3616         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3617         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3618         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3619         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3620         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3621         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3622         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3623         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3624         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3625         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3626         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3627         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3628         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3629         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3630         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3631         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3632         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3633         * test262/test/built-ins/String/prototype/includes/includes.js:
3634         * test262/test/built-ins/String/prototype/includes/length.js:
3635         * test262/test/built-ins/String/prototype/includes/name.js:
3636         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3637         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3638         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3639         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3640         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3641         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3642         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3643         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3644         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3645         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3646         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3647         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3648         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3649         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3650         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3651         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3652         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3653         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3654         * test262/test/built-ins/String/prototype/trim/u180e.js:
3655         * test262/test/built-ins/Symbol/for/cross-realm.js:
3656         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3657         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3658         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3659         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3660         * test262/test/built-ins/Symbol/match/cross-realm.js:
3661         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3662         * test262/test/built-ins/Symbol/search/cross-realm.js:
3663         * test262/test/built-ins/Symbol/species/cross-realm.js:
3664         * test262/test/built-ins/Symbol/split/cross-realm.js:
3665         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3666         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3667         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3668         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3669         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3670         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3671         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3672         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3673         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3674         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3675         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3676         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3677         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3678         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3679         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3680         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3681         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3682         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3683         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3684         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3685         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3686         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3687         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3688         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3689         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3690         * test262/test/language/eval-code/indirect/realm.js:
3691         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3692         (o.get z):
3693         (o.get a):
3694         * test262/test/language/expressions/call/eval-realm-indirect.js:
3695         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3696         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3697         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3698         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3699         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3700         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3701         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3702         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3703         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3704         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3705         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3706         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3707         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3708         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3709         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3710         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3711         * test262/test/language/expressions/less-than/bigint-and-number.js:
3712         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3713         * test262/test/language/expressions/super/realm.js:
3714         * test262/test/language/expressions/tagged-template/cache-realm.js:
3715         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3716         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3717         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3718         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3719         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3720         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3721         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3722         (o.get z):
3723         (o.get a):
3724         * test262/test/language/statements/for-of/iterator-next-reference.js:
3725         (next):
3726         (iterator.next): Deleted.
3727         (x.of.iterable.): Deleted.
3728         (x.of.iterable.get return): Deleted.
3729         (x.of.iterable.iterator.next): Deleted.
3730         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3731         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3732         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3733         * test262/test/language/white-space/mongolian-vowel-separator.js:
3734         * test262/test262-Revision.txt:
3735
3736 2017-10-03  Saam Barati  <sbarati@apple.com>
3737
3738         Implement polymorphic prototypes
3739         https://bugs.webkit.org/show_bug.cgi?id=176391
3740
3741         Reviewed by Filip Pizlo.
3742
3743         * microbenchmarks/poly-proto-access.js: Added.
3744         (assert):
3745         (foo.C):
3746         (foo.C.prototype.get bar):
3747         (foo):
3748         (bar):
3749         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3750         (assert):
3751         (makePolyProtoObject.foo.C):
3752         (makePolyProtoObject.foo):
3753         (makePolyProtoObject):
3754         (performSet):
3755         * microbenchmarks/poly-proto-setter-speed.js: Added.
3756         (assert):
3757         (makePolyProtoObject.foo.C):
3758         (makePolyProtoObject.foo.C.prototype.set p):
3759         (makePolyProtoObject.foo):
3760         (makePolyProtoObject):
3761         (performSet):
3762         * stress/constructor-with-return.js:
3763         (i.tests.forEach.Constructor):
3764         (i.tests.forEach):
3765         (tests.forEach.Constructor): Deleted.
3766         (tests.forEach): Deleted.
3767         * stress/dom-jit-with-poly-proto.js: Added.
3768         (assert):
3769         (makePolyProtoObject.foo.C):
3770         (makePolyProtoObject.foo):
3771         (makePolyProtoObject):
3772         (validate):
3773         * stress/poly-proto-custom-value-and-accessor.js: Added.
3774         (assert):
3775         (makePolyProtoObject.foo.C):
3776         (makePolyProtoObject.foo):
3777         (makePolyProtoObject):
3778         (items.forEach):
3779         (set get for):
3780         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3781         (assert):
3782         (makePolyProtoObject.foo.C):
3783         (makePolyProtoObject.foo):
3784         (makePolyProtoObject):
3785         (foo):
3786         * stress/poly-proto-miss.js: Added.
3787         (makePolyProtoInstanceWithNullPrototype.foo.C):
3788         (makePolyProtoInstanceWithNullPrototype.foo):
3789         (makePolyProtoInstanceWithNullPrototype):
3790         (assert):
3791         (validate):
3792         * stress/poly-proto-op-in-caching.js: Added.
3793         (assert):
3794         (makePolyProtoObject.foo.C):
3795         (makePolyProtoObject.foo):
3796         (makePolyProtoObject):
3797         (validate):
3798         (validate2):
3799         * stress/poly-proto-put-transition.js: Added.
3800         (assert):
3801         (makePolyProtoObject.foo.C):
3802         (makePolyProtoObject.foo):
3803         (makePolyProtoObject):
3804         (performSet):
3805         (i.obj.__proto__.set p):
3806         * stress/poly-proto-set-prototype.js: Added.
3807         (assert):
3808         (let.alternateProto.get x):
3809         (let.alternateProto2.get y):
3810         (let.alternateProto2.get x):
3811         (foo.C):
3812         (foo):
3813         (validate):
3814         * stress/poly-proto-setter.js: Added.
3815         (assert):
3816         (makePolyProtoObject.foo.C):
3817         (makePolyProtoObject.foo.C.prototype.set p):
3818         (makePolyProtoObject.foo.C.prototype.get p):
3819         (makePolyProtoObject.foo):
3820         (makePolyProtoObject):
3821         (performSet):
3822         * stress/poly-proto-using-inheritance.js: Added.
3823         (assert):
3824         (foo.C):
3825         (foo.C.prototype.get baz):
3826         (foo):
3827         (bar.C):
3828         (bar):
3829         (validate):
3830         * stress/primitive-poly-proto.js: Added.
3831         (makePolyProtoInstance.foo.C):
3832         (makePolyProtoInstance.foo):
3833         (makePolyProtoInstance):
3834         (assert):
3835         (validate):
3836         * stress/prototype-is-not-js-object.js: Added.
3837         (foo.bar):
3838         (foo):
3839         (assert):
3840         (validate):
3841         * stress/try-get-by-id-poly-proto.js: Added.
3842         (assert):
3843         (makePolyProtoObject.foo.C):
3844         (makePolyProtoObject.foo):
3845         (makePolyProtoObject):
3846         (tryGetByIdText):
3847         (x.__proto__.get bar):
3848         (validate):
3849         * typeProfiler/overflow.js:
3850
3851 2017-10-03  JF Bastien  <jfbastien@apple.com>
3852
3853         WebAssembly: no VM / JS version of everything but Instance
3854         https://bugs.webkit.org/show_bug.cgi?id=177473
3855
3856         Reviewed by Filip Pizlo.
3857
3858         - Exceeding max on memory growth now returns a range error as per
3859         spec. This is a (very minor) breaking change: it used to throw an OOM
3860         error. Update the corresponding test.
3861
3862         * wasm/js-api/memory-grow.js:
3863         (assertEq):
3864         * wasm/js-api/table.js:
3865         (assert.throws):
3866
3867 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3868
3869         Skip JSC test stress/regress-159779-2.js on debug.
3870         https://bugs.webkit.org/show_bug.cgi?id=177204
3871
3872         Unreviewed test gardening.
3873
3874         * stress/regress-159779-2.js:
3875
3876 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3877
3878         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3879         https://bugs.webkit.org/show_bug.cgi?id=175642
3880
3881         Reviewed by Darin Adler.
3882
3883         * ChakraCore/test/Function/apply3.baseline-jsc:
3884
3885 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3886
3887         Unreviewed, rolling out r222564.
3888         https://bugs.webkit.org/show_bug.cgi?id=177720
3889
3890         "It regressed JetStream by 2% on iOS caused by a 50%
3891         regression on the bigfib subtest" (Requested by saamyjoon on
3892         #webkit).
3893
3894         Reverted changeset:
3895
3896         "Add Above/Below comparisons for UInt32 patterns"
3897         https://bugs.webkit.org/show_bug.cgi?id=177281
3898         http://trac.webkit.org/changeset/222564
3899
3900 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3901
3902         [DFG] Support ArrayPush with multiple args
3903         https://bugs.webkit.org/show_bug.cgi?id=175823
3904
3905         Reviewed by Saam Barati.
3906
3907         * microbenchmarks/array-push-0.js: Added.
3908         (arrayPush0):
3909         * microbenchmarks/array-push-1.js: Added.
3910         (arrayPush1):
3911         * microbenchmarks/array-push-2.js: Added.
3912         (arrayPush2):
3913         * microbenchmarks/array-push-3.js: Added.
3914         (arrayPush3):
3915         * stress/array-push-multiple-contiguous.js: Added.
3916         (shouldBe):
3917         (test):
3918         * stress/array-push-multiple-double-nan.js: Added.
3919         (shouldBe):
3920         (test):
3921         * stress/array-push-multiple-double.js: Added.
3922         (shouldBe):
3923         (test):
3924         * stress/array-push-multiple-int32.js: Added.
3925         (shouldBe):
3926         (test):
3927         * stress/array-push-multiple-many-contiguous.js: Added.
3928         (shouldBe):
3929         (test):
3930         * stress/array-push-multiple-many-double.js: Added.
3931         (shouldBe):
3932         (test):
3933         * stress/array-push-multiple-many-int32.js: Added.
3934         (shouldBe):
3935         (test):
3936         * stress/array-push-multiple-many-storage.js: Added.
3937         (shouldBe):
3938         (test):
3939         * stress/array-push-multiple-storage.js: Added.
3940         (shouldBe):
3941         (test):
3942         * stress/array-push-with-force-exit.js: Added.
3943         (target.createBuiltin):
3944
3945 2017-09-29  Saam Barati  <sbarati@apple.com>
3946
3947         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3948         https://bugs.webkit.org/show_bug.cgi?id=177639
3949
3950         Reviewed by Geoffrey Garen.
3951
3952         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3953         (assert):
3954         (Class):
3955         (items.forEach):
3956         (set get for):
3957
3958 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3959
3960         Unreviewed, rolling out r222563, r222565, and r222581.
3961         https://bugs.webkit.org/show_bug.cgi?id=177675
3962
3963         "It causes a crash when playing youtube videos" (Requested by
3964         saamyjoon on #webkit).
3965
3966         Reverted changesets:
3967
3968         "[DFG] Support ArrayPush with multiple args"
3969         https://bugs.webkit.org/show_bug.cgi?id=175823
3970         http://trac.webkit.org/changeset/222563
3971
3972         "Unreviewed, build fix after r222563"
3973         https://bugs.webkit.org/show_bug.cgi?id=175823
3974         http://trac.webkit.org/changeset/222565
3975
3976         "Unreviewed, fix x86 breaking due to exhausted registers"
3977         https://bugs.webkit.org/show_bug.cgi?id=175823
3978         http://trac.webkit.org/changeset/222581
3979
3980 2017-09-28  Mark Lam  <mark.lam@apple.com>
3981
3982         test262: Unexpected passes after r222617 and r222618.
3983         https://bugs.webkit.org/show_bug.cgi?id=177622
3984         <rdar://problem/34725960>
3985
3986         Reviewed by Saam Barati.
3987
3988         Update test262.yaml for tests that are now passing.
3989
3990         * test262.yaml:
3991
3992 2017-09-27  Michael Saboff  <msaboff@apple.com>
3993
3994         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3995         https://bugs.webkit.org/show_bug.cgi?id=177570
3996
3997         Reviewed by Filip Pizlo.
3998
3999         New regression test.
4000
4001         * stress/regress-177570.js: Added.
4002
4003 2017-09-28  Michael Saboff  <msaboff@apple.com>
4004
4005         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4006         https://bugs.webkit.org/show_bug.cgi?id=177423
4007
4008         Reviewed by Mark Lam.
4009
4010         Updated regression test.
4011
4012         * stress/regress-177423.js:
4013         (catch):
4014
4015 2017-09-27  Mark Lam  <mark.lam@apple.com>
4016
4017         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
4018         https://bugs.webkit.org/show_bug.cgi?id=177584
4019         <rdar://problem/34463903>
4020
4021         Reviewed by Saam Barati.
4022
4023         * stress/regress-177584.js: Added.
4024         (assertEqual):
4025         (Array.prototype.Symbol.species):
4026
4027 2017-09-27  Saam Barati  <sbarati@apple.com>
4028
4029         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
4030         https://bugs.webkit.org/show_bug.cgi?id=177523
4031
4032         Reviewed by Mark Lam.
4033
4034         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
4035         (assert):
4036         (Test):
4037         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
4038         (addMethods):
4039         (i.Test.prototype.propName):
4040
4041 2017-09-27  Mark Lam  <mark.lam@apple.com>
4042
4043         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4044         https://bugs.webkit.org/show_bug.cgi?id=177423
4045         <rdar://problem/34621320>
4046
4047         Reviewed by Keith Miller.
4048
4049         * stress/regress-177423.js: Added.
4050
4051 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
4052
4053         Add Above/Below comparisons for UInt32 patterns
4054         https://bugs.webkit.org/show_bug.cgi?id=177281
4055
4056         Reviewed by Saam Barati.
4057
4058         * stress/uint32-comparison-jump.js: Added.
4059         (shouldBe):
4060         (above):
4061         (aboveOrEqual):
4062         (below):
4063         (belowOrEqual):
4064         (notAbove):
4065         (notAboveOrEqual):
4066         (notBelow):
4067         (notBelowOrEqual):
4068         * stress/uint32-comparison.js: Added.
4069         (shouldBe):
4070         (above):
4071         (aboveOrEqual):
4072         (below):
4073         (belowOrEqual):
4074         (aboveTest):
4075         (aboveOrEqualTest):
4076         (belowTest):
4077         (belowOrEqualTest):
4078
4079 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
4080
4081         [DFG] Support ArrayPush with multiple args
4082         https://bugs.webkit.org/show_bug.cgi?id=175823
4083
4084         Reviewed by Saam Barati.
4085
4086         * microbenchmarks/array-push-0.js: Added.
4087         (arrayPush0):
4088         * microbenchmarks/array-push-1.js: Added.
4089         (arrayPush1):
4090         * microbenchmarks/array-push-2.js: Added.
4091         (arrayPush2):
4092         * microbenchmarks/array-push-3.js: Added.
4093         (arrayPush3):
4094         * stress/array-push-multiple-contiguous.js: Added.
4095         (shouldBe):
4096         (test):
4097         * stress/array-push-multiple-double-nan.js: Added.
4098         (shouldBe):
4099         (test):
4100         * stress/array-push-multiple-double.js: Added.
4101         (shouldBe):
4102         (test):
4103         * stress/array-push-multiple-int32.js: Added.
4104         (shouldBe):
4105         (test):
4106         * stress/array-push-multiple-many-contiguous.js: Added.
4107         (shouldBe):
4108         (test):
4109         * stress/array-push-multiple-many-double.js: Added.
4110         (shouldBe):
4111         (test):
4112         * stress/array-push-multiple-many-int32.js: Added.
4113         (shouldBe):
4114         (test):
4115         * stress/array-push-multiple-many-storage.js: Added.
4116         (shouldBe):
4117         (test):
4118         * stress/array-push-multiple-storage.js: Added.
4119         (shouldBe):
4120         (test):
4121
4122 2017-09-26  Commit Queue  <commit-queue@webkit.org>
4123
4124         Unreviewed, rolling out r222518.
4125         https://bugs.webkit.org/show_bug.cgi?id=177507
4126
4127         Break the High Sierra build (Requested by yusukesuzuki on
4128         #webkit).
4129
4130         Reverted changeset:
4131
4132         "Add Above/Below comparisons for UInt32 patterns"
4133         https://bugs.webkit.org/show_bug.cgi?id=177281
4134         http://trac.webkit.org/changeset/222518
4135
4136 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4137
4138         Add Above/Below comparisons for UInt32 patterns
4139         https://bugs.webkit.org/show_bug.cgi?id=177281
4140
4141         Reviewed by Saam Barati.
4142
4143         * stress/uint32-comparison-jump.js: Added.
4144         (shouldBe):
4145         (above):
4146         (aboveOrEqual):
4147         (below):
4148         (belowOrEqual):
4149         (notAbove):
4150         (notAboveOrEqual):
4151         (notBelow):
4152         (notBelowOrEqual):
4153         * stress/uint32-comparison.js: Added.
4154         (shouldBe):
4155         (above):
4156         (aboveOrEqual):
4157         (below):
4158         (belowOrEqual):
4159         (aboveTest):
4160         (aboveOrEqualTest):
4161         (belowTest):
4162         (belowOrEqualTest):
4163
4164 2017-09-23  Keith Miller  <keith_miller@apple.com>
4165
4166         Fix infinite looping test262 test
4167         https://bugs.webkit.org/show_bug.cgi?id=177412
4168
4169         Reviewed by Yusuke Suzuki.
4170
4171         This test was poorly designed since failing it would cause the vm
4172         to infinite loop. I've fixed it locally and will fix it on github pending
4173         the results of next week's tc39 meeting.
4174
4175         * test262.yaml:
4176         * test262/test/language/statements/for-of/iterator-next-reference.js:
4177
4178 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
4179
4180         test262: $.agent became $262.agent in test262 update
4181         https://bugs.webkit.org/show_bug.cgi?id=177407
4182
4183         Reviewed by Yusuke Suzuki.
4184
4185         * test262.yaml:
4186         ~320 tests pass now that we correctly make $262 available.
4187
4188 2017-09-22  Keith Miller  <keith_miller@apple.com>
4189
4190         Speculatively change iteration protocol to use the same next function
4191         https://bugs.webkit.org/show_bug.cgi?id=175653
4192
4193         Reviewed by Saam Barati.
4194
4195         Change test to match the new iteration behavior.
4196
4197         * stress/spread-optimized-properly.js:
4198
4199 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
4200
4201         [DFG][FTL] Profile array vector length for array allocation
4202         https://bugs.webkit.org/show_bug.cgi?id=177051
4203
4204         Reviewed by Saam Barati.
4205
4206         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4207         (target):
4208
4209 2017-09-22  Commit Queue  <commit-queue@webkit.org>
4210
4211         Unreviewed, rolling out r222380.
4212         https://bugs.webkit.org/show_bug.cgi?id=177352
4213
4214         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
4215         #webkit).
4216
4217         Reverted changeset:
4218
4219         "[DFG][FTL] Profile array vector length for array allocation"
4220         https://bugs.webkit.org/show_bug.cgi?id=177051
4221         http://trac.webkit.org/changeset/222380
4222
4223 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
4224
4225         [DFG][FTL] Profile array vector length for array allocation
4226         https://bugs.webkit.org/show_bug.cgi?id=177051
4227
4228         Reviewed by Saam Barati.
4229
4230         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4231         (target):
4232
4233 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
4234
4235         Skip new hanging test262 tests.
4236         https://bugs.webkit.org/show_bug.cgi?id=177326
4237
4238         Unreviewed test gardening.
4239
4240         * test262.yaml:
4241
4242 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
4243
4244         Mark 6 test262 tests as passing.
4245         https://bugs.webkit.org/show_bug.cgi?id=177307
4246
4247         Unreviewed test gardening.
4248
4249         * test262.yaml:
4250
4251 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4252
4253         Unreviewed follow-up to r222311.
4254
4255         * test262/harness/sta.js:
4256         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
4257         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
4258         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
4259         * test262/test/built-ins/Array/from/elements-added-after.js:
4260         * test262/test/built-ins/Array/from/elements-deleted-after.js:
4261         * test262/test/built-ins/Array/from/elements-updated-after.js:
4262         * test262/test/built-ins/Array/from/from-array.js:
4263         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
4264         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
4265         * test262/test/built-ins/Array/from/source-array-boundary.js:
4266         * test262/test/built-ins/Array/from/source-object-constructor.js:
4267         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
4268         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
4269         * test262/test/built-ins/Array/from/source-object-length.js:
4270         * test262/test/built-ins/Array/from/source-object-missing.js:
4271         * test262/test/built-ins/Array/from/source-object-without.js:
4272         * test262/test/built-ins/Array/from/this-null.js:
4273         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
4274         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
4275         * test262/test/language/literals/numeric/7.8.3-1gs.js:
4276         * test262/test/language/literals/numeric/7.8.3-2gs.js:
4277         * test262/test/language/literals/numeric/7.8.3-3gs.js:
4278         * test262/test/language/literals/regexp/7.8.5-1gs.js:
4279         * test262/test/language/literals/string/7.8.4-1gs.js:
4280         Fix some files that I failed to update when I applied my patch.
4281
4282 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4283
4284         Update test262 tests
4285         https://bugs.webkit.org/show_bug.cgi?id=177220
4286
4287         Reviewed by Saam Barati and Yusuke Suzuki.
4288
4289         * test262.yaml:
4290         * test262/test262-Revision.txt:
4291         New rebaselined expectations for all tests.
4292
4293         * test262/*:
4294         Updated.
4295
4296 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
4297
4298         [DFG] Remove ToThis more aggressively
4299         https://bugs.webkit.org/show_bug.cgi?id=177056
4300
4301         Reviewed by Saam Barati.
4302
4303         * stress/generator-with-this-strict.js: Added.
4304         (shouldBe):
4305         (generator):
4306         (target):
4307         * stress/generator-with-this.js: Added.
4308         (shouldBe):
4309         (generator):
4310         (target):
4311
4312 2017-09-17  Michael Saboff  <msaboff@apple.com>
4313
4314         https://bugs.webkit.org/show_bug.cgi?id=177038
4315         Add an option to run-jsc-stress-tests to limit test variations to a basic set
4316
4317         Reviewed by JF Bastien.
4318
4319         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
4320         as it dies using too much memory.
4321
4322 2017-09-15  Saam Barati  <sbarati@apple.com>
4323
4324         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
4325         https://bugs.webkit.org/show_bug.cgi?id=176981
4326
4327         Reviewed by Yusuke Suzuki.
4328
4329         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
4330         (assert):
4331         (verify):
4332         (func):
4333         (const.bar.createBuiltin):
4334
4335 2017-09-14  Saam Barati  <sbarati@apple.com>
4336
4337         It should be valid to exit before each set when doing arity fixup when inlining
4338         https://bugs.webkit.org/show_bug.cgi?id=176948
4339
4340         Reviewed by Keith Miller.
4341
4342         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
4343         (baz):
4344         (bar):
4345         (foo):
4346
4347 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
4348
4349         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
4350         https://bugs.webkit.org/show_bug.cgi?id=176867
4351
4352         Reviewed by Sam Weinig.
4353
4354         * microbenchmarks/object-get-own-property-symbols.js: Added.
4355         (test):
4356
4357 2017-09-13  Mark Lam  <mark.lam@apple.com>
4358
4359         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
4360         https://bugs.webkit.org/show_bug.cgi?id=176888
4361         <rdar://problem/34381832>
4362
4363         Not reviewed.
4364
4365         * stress/op_mod-ConstVar.js:
4366         * stress/op_mod-VarConst.js:
4367         * stress/op_mod-VarVar.js:
4368
4369 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
4370
4371         Skip 3 op_mod tests on Debug JSC bots.
4372         https://bugs.webkit.org/show_bug.cgi?id=176630
4373
4374         Unreviewed test gardening.
4375
4376         * stress/op_mod-ConstVar.js:
4377         * stress/op_mod-VarConst.js:
4378         * stress/op_mod-VarVar.js:
4379
4380 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
4381
4382         [JSC] Fix Array allocation in Object.keys
4383         https://bugs.webkit.org/show_bug.cgi?id=176826
4384
4385         Reviewed by Saam Barati.
4386
4387         * stress/object-own-property-keys.js: Added.
4388         (shouldBe):
4389
4390 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
4391
4392         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
4393         https://bugs.webkit.org/show_bug.cgi?id=176010
4394
4395         Reviewed by Filip Pizlo.
4396
4397         * microbenchmarks/weak-map-key.js: Added.
4398         (assert):
4399         (objectKey):
4400         (let.start.Date.now):
4401
4402 2017-09-12  Mark Lam  <mark.lam@apple.com>
4403
4404         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
4405         https://bugs.webkit.org/show_bug.cgi?id=176630
4406
4407         Reviewed by JF Bastien.
4408
4409         Debug builds are just slow, and these tests do a lot.  They pass when I run them
4410         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
4411         a speculative fix for the bots that are seeing these fail.
4412