DFG AI and clobberize should agree with each other
1 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
2
3         DFG AI and clobberize should agree with each other
4         https://bugs.webkit.org/show_bug.cgi?id=184440
5
6         Reviewed by Saam Barati.
7         
8         Add tests for all of the bugs I fixed.
9
10         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
11         (foo):
12         * stress/new-typed-array-cse-effects.js: Added.
13         (foo):
14         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
15         (foo.theO):
16         (foo):
17         * stress/string-from-char-code-change-structure-not-dead.js: Added.
18         (foo):
19         (i.valueOf):
20         (weirdValue.valueOf):
21         * stress/string-from-char-code-change-structure.js: Added.
22         (foo):
23         (i.valueOf):
24         (weirdValue.valueOf):
25
26 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
27
28         Fix errant Test262 files CRLF to LF for consistency with the original source
29         https://bugs.webkit.org/show_bug.cgi?id=184425
30
31         Reviewed by Yusuke Suzuki.
32
33         * test262/test/built-ins/Math/acosh/nan-returns.js:
34         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
35         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
36         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
37         * test262/test/built-ins/Math/cbrt/prop-desc.js:
38         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
39         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
40         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
41         * test262/test/built-ins/Math/log2/log2-basicTests.js:
42         * test262/test/built-ins/Math/sign/sign-specialVals.js:
43         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
44         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
45         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
46         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
47
48 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
49
50         Unreviewed, remove incorrect entry in test262.yaml
51         https://bugs.webkit.org/show_bug.cgi?id=184266
52
53         * test262.yaml:
54
55 2018-04-08  Valerie Young  <valerie@bocoup.com>
56
57         [JSC] Update Test262 to April 6 version
58         https://bugs.webkit.org/show_bug.cgi?id=184266
59
60         Rubber stamped by Yusuke Suzuki.
61
62 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
63
64         [JSC] Introduce op_get_by_id_direct
65         https://bugs.webkit.org/show_bug.cgi?id=183970
66
67         Reviewed by Filip Pizlo.
68
69         * stress/generator-prototype-copy.js: Added.
70         (gen):
71         (catch):
72         Adopted JF's tests.
73
74         * stress/generator-type-check.js: Added.
75         (shouldThrow):
76         (foo2):
77         (i.shouldThrow):
78         * stress/get-by-id-direct-getter.js: Added.
79         (shouldBe):
80         (shouldThrow):
81         (obj.get hello):
82         (builtin.createBuiltin):
83         (obj2.get length):
84         * stress/get-by-id-direct.js: Added.
85         (shouldBe):
86         (shouldThrow):
87         (builtin.createBuiltin):
88         * test262.yaml:
89         We fixed a long-standing spec compatibility issue.
90         As a result, this patch makes several test262 tests pass!
91
92
93 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
94
95         Unreviewed, annotate test with @skip if $memoryLimited
96         https://bugs.webkit.org/show_bug.cgi?id=183894
97
98         * stress/json-stringified-overflow.js:
99
100 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
101
102         Add svn:eol-style to line-terminator-normalisation-CR.js
103         https://bugs.webkit.org/show_bug.cgi?id=184341
104
105         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
106
107 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
108
109         Unreviewed, remove errant LF from existing test262 test for CR line endings.
110
111         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
112
113 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
114
115         Unreviewed, rolling out r230320.
116
117         Revert fix, as the root cause lies elsewhere.
118
119         Reverted changeset:
120
121         "[test262] Mark line-terminator-normalisation-CR.js as a
122         binary file."
123         https://bugs.webkit.org/show_bug.cgi?id=184341
124         https://trac.webkit.org/changeset/230320
125
126 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
127
128         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
129         https://bugs.webkit.org/show_bug.cgi?id=184341
130
131         Reviewed by Yusuke Suzuki.
132
133         This test is all about CR line endings, but `svn-apply` can't deal with them.
134         Treating the file as binary ensures that its contents are never shown in a diff.
135
136         * .gitattributes: Added.
137
138 2018-04-05  Robin Morisset  <rmorisset@apple.com>
139
140         Fix testcase (missing try/catch).
141         https://bugs.webkit.org/show_bug.cgi?id=183657
142
143         Unreviewed.
144
145         * stress/large-unshift-splice.js
146
147 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
148
149         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
150         https://bugs.webkit.org/show_bug.cgi?id=184319
151
152         Reviewed by Saam Barati.
153
154         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
155         (foo):
156         (bar):
157         * stress/array-push-nan-to-double-array.js: Added.
158         (foo):
159         (bar):
160
161 2018-04-03  Mark Lam  <mark.lam@apple.com>
162
163         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
164         https://bugs.webkit.org/show_bug.cgi?id=184284
165
166         Reviewed by Saam Barati.
167
168         * stress/js-fixed-array-out-of-memory.js:
169
170 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
171
172         JSC crash in JIT code with for-of loop and Array/Set iterators
173         https://bugs.webkit.org/show_bug.cgi?id=183174
174
175         Reviewed by Saam Barati.
176
177         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
178         (foo):
179         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
180         (f):
181
182 2018-03-30  JF Bastien  <jfbastien@apple.com>
183
184         WebAssembly: support DataView compilation
185         https://bugs.webkit.org/show_bug.cgi?id=183342
186
187         Reviewed by Mark Lam.
188
189         Test WebAssembly compilation using a DataView with offset.
190
191         * wasm/regress/183342.js: Added.
192         (attempt.catch):
193
194 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
195
196         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
197         https://bugs.webkit.org/show_bug.cgi?id=184189
198
199         Reviewed by JF Bastien.
200
201         * stress/load-hole-from-scope-into-live-var.js: Added.
202         (result.eval.try.switch):
203         (catch):
204
205 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
206
207         Unreviewed, rolling out r230102.
208
209         Caused assertion failures on JSC bots.
210
211         Reverted changeset:
212
213         "A stack overflow in the parsing of a builtin (called by
214         createExecutable) cause a crash instead of a catchable js
215         exception"
216         https://bugs.webkit.org/show_bug.cgi?id=184074
217         https://trac.webkit.org/changeset/230102
218
219 2018-03-30  Robin Morisset  <rmorisset@apple.com>
220
221         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
222         https://bugs.webkit.org/show_bug.cgi?id=183812
223
224         Reviewed by Keith Miller.
225
226         * stress/inlining-unreachable-non-tail.js: Added.
227         (foo.):
228         (foo):
229
230 2018-03-30  Robin Morisset  <rmorisset@apple.com>
231
232         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
233         https://bugs.webkit.org/show_bug.cgi?id=184074
234         <rdar://problem/37165897>
235
236         Reviewed by Keith Miller.
237
238         * stress/stack-overflow-while-parsing-builtin.js: Added.
239         (f):
240
241 2018-03-30  Robin Morisset  <rmorisset@apple.com>
242
243         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
244         https://bugs.webkit.org/show_bug.cgi?id=183657
245
246         Reviewed by Keith Miller.
247
248         * stress/large-unshift-splice.js: Added.
249         (make_contig_arr):
250
251 2018-03-28  Robin Morisset  <rmorisset@apple.com>
252
253         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
254         https://bugs.webkit.org/show_bug.cgi?id=183894
255
256         Reviewed by Saam Barati.
257
258         * stress/json-stringified-overflow.js: Added.
259         (catch):
260
261 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
262
263         DFG should know that CreateThis can be effectful
264         https://bugs.webkit.org/show_bug.cgi?id=184013
265
266         Reviewed by Saam Barati.
267
268         * stress/create-this-property-change.js: Added.
269         (Foo):
270         (RealBar):
271         (get if):
272         * stress/create-this-structure-change-without-cse.js: Added.
273         (Foo):
274         (RealBar):
275         (get if):
276         * stress/create-this-structure-change.js: Added.
277         (Foo):
278         (RealBar):
279         (get if):
280
281 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
282
283         [DFG] Introduces fused compare and jump
284         https://bugs.webkit.org/show_bug.cgi?id=177100
285
286         Reviewed by Mark Lam.
287
288         * stress/fused-jeq-slow.js: Added.
289         (shouldBe):
290         (testJEQ):
291         (testJNEQB):
292         (testJEQB):
293         (testJNEQF):
294         (testJEQF):
295         * stress/fused-jeq.js: Added.
296         (shouldBe):
297         (testJEQ):
298         (testJNEQB):
299         (testJEQB):
300         (testJNEQF):
301         (testJEQF):
302         * stress/fused-jstricteq-slow.js: Added.
303         (shouldBe):
304         (testJSTRICTEQ):
305         (testJNSTRICTEQB):
306         (testJSTRICTEQB):
307         (testJNSTRICTEQF):
308         (testJSTRICTEQF):
309         * stress/fused-jstricteq.js: Added.
310         (shouldBe):
311         (testJSTRICTEQ):
312         (testJNSTRICTEQB):
313         (testJSTRICTEQB):
314         (testJNSTRICTEQF):
315         (testJSTRICTEQF):
316
317 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
318
319         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
320         https://bugs.webkit.org/show_bug.cgi?id=183559
321
322         Reviewed by Mark Lam.
323
324         * stress/double-to-string-in-loop-removed.js: Added.
325         (test):
326         * stress/int32-to-string-in-loop-removed.js: Added.
327         (test):
328         * stress/int52-to-string-in-loop-removed.js: Added.
329         (test):
330
331 2018-03-22  Michael Saboff  <msaboff@apple.com>
332
333         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
334         https://bugs.webkit.org/show_bug.cgi?id=183901
335
336         Reviewed by Keith Miller.
337
338         New test.
339
340         * stress/array-reverse-doesnt-clobber.js: Added.
341         (testArrayReverse):
342         (createArrayOfArrays):
343         (createArrayStorage):
344
345 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
346
347         ScopedArguments should do poisoning and index masking
348         https://bugs.webkit.org/show_bug.cgi?id=183863
349
350         Reviewed by Mark Lam.
351         
352         Adds another stress test of scoped arguments.
353
354         * stress/scoped-arguments-test.js: Added.
355         (foo):
356
357 2018-03-20  Saam Barati  <sbarati@apple.com>
358
359         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
360         https://bugs.webkit.org/show_bug.cgi?id=183795
361         <rdar://problem/38298694>
362
363         Reviewed by JF Bastien.
364
365         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
366         (foo):
367         (bar):
368
369 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
370
371         [DFG][FTL] Add vectorLengthHint for NewArray
372         https://bugs.webkit.org/show_bug.cgi?id=183694
373
374         Reviewed by Saam Barati.
375
376         * stress/vector-length-hint-array-constructor.js: Added.
377         (shouldBe):
378         (test):
379         * stress/vector-length-hint-new-array.js: Added.
380         (shouldBe):
381         (test):
382
383 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
384
385         [DFG][FTL] Make ArraySlice(0) code tight
386         https://bugs.webkit.org/show_bug.cgi?id=183590
387
388         Reviewed by Saam Barati.
389
390         * stress/array-slice-with-zero.js: Added.
391         (shouldBe):
392         (test):
393         (test2):
394         * stress/array-slice-zero-args.js: Added.
395         (shouldBe):
396         (test):
397
398 2018-03-14  Caitlin Potter  <caitp@igalia.com>
399
400         [JSC] fix order of evaluation for ClassDefinitionEvaluation
401         https://bugs.webkit.org/show_bug.cgi?id=183523
402
403         Reviewed by Keith Miller.
404
405         Computed property names need to be evaluated in source order during class
406         definition evaluation, as it's observable (and specified to work this way).
407
408         This change improves compatibility with Chromium.
409
410         * stress/class_elements.js: Added.
411         (test):
412         (test.C.prototype.effect):
413         (test.C.effect):
414         (test.C.prototype.get effect):
415         (test.C.prototype.set effect):
416         (test.C):
417
418 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
419
420         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
421         https://bugs.webkit.org/show_bug.cgi?id=183310
422
423         Reviewed by Filip Pizlo.
424
425         * stress/ai-create-this-to-new-object-fire.js: Added.
426         (assert):
427         (test):
428         (func):
429         (check):
430         (test.body.A):
431         (test.body.B):
432         (test.body):
433         * stress/ai-create-this-to-new-object.js: Added.
434         (assert):
435         (test):
436         (func):
437         (check):
438         (test.body.A):
439         (test.body.B):
440         (test.body):
441
442 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
443
444         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
445         https://bugs.webkit.org/show_bug.cgi?id=181848
446
447         Reviewed by Sam Weinig.
448
449         * microbenchmarks/regexp-u-global-es5.js: Added.
450         (fn):
451         * microbenchmarks/regexp-u-global-es6.js: Added.
452         (fn):
453         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
454         (shouldBe):
455         (test):
456         (i.switch):
457         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
458         (shouldBe):
459         (test):
460
461 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
462
463         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
464         https://bugs.webkit.org/show_bug.cgi?id=183334
465
466         Reviewed by Žan Doberšek.
467
468         * stress/var-injection-cache-invalidation.js:
469
470 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
471
472         [ARM] Disable tests that run out of memory
473         https://bugs.webkit.org/show_bug.cgi?id=182699
474
475         Reviewed by Žan Doberšek.
476
477         Skip tests that run out of memory. Do not run
478         modules/module-jit-reachability.js without LLInt to prevent
479         running out of executable memory.
480
481         * modules.yaml:
482         * modules/module-jit-reachability.js:
483         * stress/has-own-property-name-cache-string-keys.js:
484         * stress/has-own-property-name-cache-symbol-keys.js:
485
486 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
487
488         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
489         https://bugs.webkit.org/show_bug.cgi?id=183173
490
491         Reviewed by Saam Barati.
492
493         * stress/async-arrow-function-in-class-heritage.js: Added.
494         (testSyntax):
495         (testSyntaxError):
496         (SyntaxError):
497
498 2018-03-01  Saam Barati  <sbarati@apple.com>
499
500         We need to clear cached structures when having a bad time
501         https://bugs.webkit.org/show_bug.cgi?id=183256
502         <rdar://problem/36245022>
503
504         Reviewed by Mark Lam.
505
506         * stress/having-a-bad-time-with-derived-arrays.js: Added.
507         (assert):
508         (defineSetter):
509         (iterate):
510         (doSlice):
511
512 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
513
514         JSC crash with `import("")`
515         https://bugs.webkit.org/show_bug.cgi?id=183175
516
517         Reviewed by Saam Barati.
518
519         * stress/import-with-empty-string.js: Added.
520
521 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
522
523         Unreviewed, skip FTL tests if FTL is disabled
524         https://bugs.webkit.org/show_bug.cgi?id=183071
525
526         * stress/has-indexed-property-array-storage-ftl.js:
527         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
528
529 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
530
531         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
532         https://bugs.webkit.org/show_bug.cgi?id=182965
533
534         Reviewed by Saam Barati.
535
536         * stress/put-by-val-array-storage.js: Added.
537         (shouldBe):
538         (testArrayStorageInBounds):
539         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
540         (shouldBe):
541         (testInt32.createBuiltin):
542         (set for):
543         * stress/put-by-val-slow-put-array-storage.js: Added.
544         (shouldBe):
545         (testArrayStorageInBounds):
546
547 2018-02-26  Saam Barati  <sbarati@apple.com>
548
549         validateStackAccess should not validate if the offset is within the stack bounds
550         https://bugs.webkit.org/show_bug.cgi?id=183067
551         <rdar://problem/37749988>
552
553         Reviewed by Mark Lam.
554
555         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
556         (assert):
557         (test.a):
558         (test.b):
559         (test):
560
561 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
562
563         Unreviewed, skip FTL tests if FTL is disabled
564         https://bugs.webkit.org/show_bug.cgi?id=183071
565
566         * stress/has-indexed-property-array-storage-ftl.js:
567         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
568
569 2018-02-23  Saam Barati  <sbarati@apple.com>
570
571         Make Number.isInteger an intrinsic
572         https://bugs.webkit.org/show_bug.cgi?id=183088
573
574         Reviewed by JF Bastien.
575
576         * stress/number-is-integer-intrinsic.js: Added.
577
578 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
579
580         WebAssembly: cache memory address / size on instance
581         https://bugs.webkit.org/show_bug.cgi?id=177305
582
583         Reviewed by JF Bastien.
584
585         * wasm/function-tests/memory-reuse.js: Added.
586         (createWasmInstance):
587         (doCheckTrap):
588         (doMemoryGrow):
589         (doCheck):
590         (checkWasmInstancesWithSharedMemory):
591
592 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
593
594         [JSC] Implement $vm.ftlTrue function for FTL testing
595         https://bugs.webkit.org/show_bug.cgi?id=183071
596
597         Reviewed by Mark Lam.
598
599         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
600         (foo):
601         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
602         (foo):
603         * stress/dead-fiat-value-to-int52.js:
604         (foo):
605         * stress/dead-osr-entry-value.js:
606         (foo):
607         * stress/fiat-value-to-int52-then-exit-not-double.js:
608         (foo):
609         * stress/fiat-value-to-int52-then-exit-not-int52.js:
610         (foo):
611         * stress/fiat-value-to-int52-then-fail-to-fold.js:
612         (foo):
613         * stress/fiat-value-to-int52-then-fold.js:
614         (foo):
615         * stress/fiat-value-to-int52.js:
616         (foo):
617         * stress/fold-based-on-int32-proof-mul-branch.js:
618         (foo):
619         * stress/fold-profiled-call-to-call.js:
620         (foo):
621         * stress/fold-to-double-constant-then-exit.js:
622         (foo):
623         * stress/fold-to-int52-constant-then-exit.js:
624         (foo):
625         * stress/fold-to-primitive-in-cfa.js:
626         (foo):
627         * stress/fold-to-primitive-to-identity-in-cfa.js:
628         (foo):
629         * stress/has-indexed-property-array-storage-ftl.js: Added.
630         (shouldBe):
631         (test1):
632         (test2):
633         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
634         (shouldBe):
635         (test1):
636         (test2):
637         * stress/int52-ai-add-then-filter-int32.js:
638         (foo):
639         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
640         (foo):
641         * stress/int52-ai-mul-then-filter-int32.js:
642         (foo):
643         * stress/int52-ai-neg-then-filter-int32.js:
644         (foo):
645         * stress/int52-ai-sub-then-filter-int32.js:
646         (foo):
647         * stress/licm-pre-header-cannot-exit-nested.js:
648         (foo):
649         * stress/licm-pre-header-cannot-exit.js:
650         (foo):
651         * stress/sparse-array-entry-update-144067.js:
652         (useMemoryToTriggerGCs):
653         * stress/test-spec-misc.js:
654         (foo):
655         * stress/tricky-array-bounds-checks.js:
656         (foo):
657
658 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
659
660         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
661         https://bugs.webkit.org/show_bug.cgi?id=182792
662
663         Reviewed by Mark Lam.
664
665         * stress/has-indexed-property-array-storage.js: Added.
666         (shouldBe):
667         (test1):
668         (test2):
669         * stress/has-indexed-property-slow-put-array-storage.js: Added.
670         (shouldBe):
671         (test1):
672         (test2):
673
674 2018-02-20  Saam Barati  <sbarati@apple.com>
675
676         DFG::VarargsForwardingPhase should eliminate getting argument length
677         https://bugs.webkit.org/show_bug.cgi?id=182959
678
679         Reviewed by Keith Miller.
680
681         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
682
683 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
684
685         [FTL] Support ArrayPush for ArrayStorage
686         https://bugs.webkit.org/show_bug.cgi?id=182782
687
688         Reviewed by Saam Barati.
689
690         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
691
692         * stress/array-push-array-storage-beyond-int32.js: Added.
693         (shouldBe):
694         (test):
695         * stress/array-push-array-storage.js: Added.
696         (shouldBe):
697         (test):
698         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
699         (shouldBe):
700         (test):
701         * stress/array-push-multiple-storage-continuous.js: Added.
702         (shouldBe):
703         (test):
704
705 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
706
707         [FTL] Support ArrayPop for ArrayStorage
708         https://bugs.webkit.org/show_bug.cgi?id=182783
709
710         Reviewed by Saam Barati.
711
712         * stress/array-pop-array-storage.js: Added.
713         (shouldBe):
714         (test):
715
716 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
717
718         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
719         https://bugs.webkit.org/show_bug.cgi?id=182731
720
721         Reviewed by Saam Barati.
722
723         * stress/arrayify-array-storage-array.js: Added.
724         (shouldBe):
725         (testArrayStorage):
726         * stress/arrayify-array-storage-non-array.js: Added.
727         (shouldBe):
728         (testArrayStorage):
729         * stress/arrayify-array-storage.js: Added.
730         (shouldBe):
731         (testArrayStorage):
732         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
733         (shouldBe):
734         (testArrayStorage):
735         * stress/arrayify-slow-put-array-storage.js: Added.
736         (shouldBe):
737         (testArrayStorage):
738
739 2018-02-19  Saam Barati  <sbarati@apple.com>
740
741         Don't use JSFunction's allocation profile when getting the prototype can be effectful
742         https://bugs.webkit.org/show_bug.cgi?id=182942
743         <rdar://problem/37584764>
744
745         Reviewed by Mark Lam.
746
747         * stress/get-prototype-create-this-effectful.js: Added.
748
749 2018-02-16  Saam Barati  <sbarati@apple.com>
750
751         Fix bugs from r228411
752         https://bugs.webkit.org/show_bug.cgi?id=182851
753         <rdar://problem/37577732>
754
755         Reviewed by JF Bastien.
756
757         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
758
759 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
760
761         Unreviewed, roll out r228366 since it did not progress anything.
762
763         * stress/gc-error-stack.js: Removed.
764         * stress/no-gc-error-stack.js: Removed.
765
766 2018-02-15  Tomas Popela  <tpopela@redhat.com>
767
768         Many stress tests fail with JIT disabled
769         https://bugs.webkit.org/show_bug.cgi?id=182730
770
771         Reviewed by Saam Barati.
772
773         These tests are broken by design if the JIT is disabled - they test
774         the return value of numberOfDFGCompiles(), which is always set to
775         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
776
777         * stress/arith-abs-on-various-types.js:
778         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
779         * stress/arith-acos-on-various-types.js:
780         * stress/arith-acosh-on-various-types.js:
781         * stress/arith-asin-on-various-types.js:
782         * stress/arith-asinh-on-various-types.js:
783         * stress/arith-atan-on-various-types.js:
784         * stress/arith-atanh-on-various-types.js:
785         * stress/arith-cbrt-on-various-types.js:
786         * stress/arith-ceil-on-various-types.js:
787         * stress/arith-clz32-on-various-types.js:
788         * stress/arith-cos-on-various-types.js:
789         * stress/arith-cosh-on-various-types.js:
790         * stress/arith-expm1-on-various-types.js:
791         * stress/arith-floor-on-various-types.js:
792         * stress/arith-fround-on-various-types.js:
793         * stress/arith-log-on-various-types.js:
794         * stress/arith-log10-on-various-types.js:
795         * stress/arith-log2-on-various-types.js:
796         * stress/arith-negate-on-various-types.js:
797         * stress/arith-round-on-various-types.js:
798         * stress/arith-sin-on-various-types.js:
799         * stress/arith-sinh-on-various-types.js:
800         * stress/arith-sqrt-on-various-types.js:
801         * stress/arith-tan-on-various-types.js:
802         * stress/arith-tanh-on-various-types.js:
803         * stress/arith-trunc-on-various-types.js:
804         * stress/compare-strict-eq-on-various-types.js:
805
806 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
807
808         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
809
810         Unreviewed test gardening.
811
812         * stress/new-largeish-contiguous-array-with-size.js:
813
814 2018-02-14  Saam Barati  <sbarati@apple.com>
815
816         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
817         https://bugs.webkit.org/show_bug.cgi?id=182801
818
819         Reviewed by Keith Miller.
820
821         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
822
823 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
824
825         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
826         https://bugs.webkit.org/show_bug.cgi?id=182526
827
828         Unreviewed test gardening.
829
830         * stress/activation-sink-default-value-tdz-error.js:
831
832 2018-02-13  Saam Barati  <sbarati@apple.com>
833
834         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
835         https://bugs.webkit.org/show_bug.cgi?id=182755
836         <rdar://problem/37080864>
837
838         Reviewed by Keith Miller.
839
840         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
841         (test1.o.get 10005):
842         (test1):
843         (test2.o.get 1000):
844         (test2):
845
846 2018-02-13  Caitlin Potter  <caitp@igalia.com>
847
848         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
849         https://bugs.webkit.org/show_bug.cgi?id=182717
850
851         Reviewed by Yusuke Suzuki.
852
853         https://github.com/tc39/ecma262/pull/890 imposes a change to template
854         literals, to allow template callsite arrays to be collected when the
855         code containing the tagged template call is collected. This spec change
856         has received consensus and been ratified.
857
858         This change eliminates the eternal map associating template contents
859         with arrays.
860
861         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
862         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
863         * stress/tagged-templates-identity.js:
864         * stress/template-string-tags-eval.js:
865         * test262.yaml:
866
867 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
868
869         Support GetArrayLength on ArrayStorage in the FTL
870         https://bugs.webkit.org/show_bug.cgi?id=182625
871
872         Reviewed by Saam Barati.
873
874         * stress/array-storage-length.js: Added.
875         (shouldBe):
876         (testInBound):
877         (testUncountable):
878         (testSlowPutInBound):
879         (testSlowPutUncountable):
880         * stress/undecided-length.js: Added.
881         (shouldBe):
882         (test2):
883
884 2018-02-12  Saam Barati  <sbarati@apple.com>
885
886         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
887         https://bugs.webkit.org/show_bug.cgi?id=182706
888         <rdar://problem/36833681>
889
890         Reviewed by Filip Pizlo.
891
892         * stress/get-array-length-phantom-new-array-buffer.js: Added.
893         (effects):
894         (foo):
895
896 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
897
898         Don't waste memory for error.stack
899         https://bugs.webkit.org/show_bug.cgi?id=182656
900
901         Reviewed by Saam Barati.
902         
903         Tests the policy.
904
905         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
906         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
907
908 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
909
910         [JSC] Update Test262 to Feb 9 version
911         https://bugs.webkit.org/show_bug.cgi?id=182468
912
913         Reviewed by Saam Barati.
914
915 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
916
917         Unreviewed, fix invalid line terminator in old test262 file part 2
918         https://bugs.webkit.org/show_bug.cgi?id=182468
919
920         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
921
922 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
923
924         Unreviewed, fix invalid line terminator in old test262 file
925         https://bugs.webkit.org/show_bug.cgi?id=182468
926
927         * test262/test/language/literals/regexp/7.8.5-1.js:
928
929 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
930
931         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
932         https://bugs.webkit.org/show_bug.cgi?id=182440
933
934         Reviewed by Darin Adler.
935
936         * stress/array-flatmap.js: Added.
937         (shouldBe):
938         (shouldBeArray):
939         (shouldThrow):
940         (var):
941         * stress/array-flatten.js: Added.
942         (shouldBe):
943         (shouldBeArray):
944         * test262.yaml:
945         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
946         (3.flatMap):
947         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
948
949 2018-02-06  Keith Miller  <keith_miller@apple.com>
950
951         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
952         https://bugs.webkit.org/show_bug.cgi?id=182549
953         <rdar://problem/36189995>
954
955         Reviewed by Saam Barati.
956
957         * stress/var-injection-cache-invalidation.js: Added.
958         (allocateLotsOfThings):
959         (test):
960
961 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
962
963         Unreviewed, follow up for test262 update
964         https://bugs.webkit.org/show_bug.cgi?id=182288
965
966         * test262.yaml:
967
968 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
969
970         Update test262 to Jan 30 version
971         https://bugs.webkit.org/show_bug.cgi?id=182288
972
973         Unreviewed test gardening.
974
975         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
976
977 2018-02-02  Saam Barati  <sbarati@apple.com>
978
979         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
980         https://bugs.webkit.org/show_bug.cgi?id=182368
981         <rdar://problem/36932466>
982
983         Reviewed by Mark Lam.
984
985         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
986         (runNearStackLimit.t):
987         (runNearStackLimit):
988         (try.runNearStackLimit):
989         (catch):
990
991 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
992
993         Update test262 to Jan 30 version
994         https://bugs.webkit.org/show_bug.cgi?id=182288
995
996         Rubber stamped by Saam Barati.
997
998         This patch updates test262 to the latest one, Jan 30 version.
999         Since added and changed files are too many, we cannot create ChangeLog.
1000         The following files are changed.
1001
1002         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1003         including some special line terminators (like u2028, u2029).
1004
1005         * test262.yaml:
1006         * test262/test262-Revision.txt:
1007         * test262/*:
1008
1009 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1010
1011         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1012         https://bugs.webkit.org/show_bug.cgi?id=182411
1013
1014         Reviewed by Carlos Alberto Lopez Perez.
1015
1016         This is skipped only on arm memory limited platforms. Until recently
1017         it was not a problem on MIPS as the butterfly was not initialized. But
1018         since r227435, the butterfly is initialized in that test and therefore
1019         memory is allocated, and the test typically takes around 512M, which
1020         means it generally gets OOM-killed on the MIPS buildbot.
1021
1022         * mozilla/mozilla-tests.yaml:
1023
1024 2018-02-01  Mark Lam  <mark.lam@apple.com>
1025
1026         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1027         https://bugs.webkit.org/show_bug.cgi?id=182419
1028         <rdar://problem/37044945>
1029
1030         Reviewed by Saam Barati.
1031
1032         * stress/regress-182419.js: Added.
1033
1034 2018-02-01  Keith Miller  <keith_miller@apple.com>
1035
1036         Fix crashes due to mishandling custom sections.
1037         https://bugs.webkit.org/show_bug.cgi?id=182404
1038         <rdar://problem/36935863>
1039
1040         Reviewed by Saam Barati.
1041
1042         * wasm/Builder.js:
1043         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1044         * wasm/js-api/validate.js:
1045         (assert.truthy):
1046
1047 2018-01-31  Saam Barati  <sbarati@apple.com>
1048
1049         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1050         https://bugs.webkit.org/show_bug.cgi?id=182074
1051         <rdar://problem/36846261>
1052
1053         Reviewed by Mark Lam.
1054
1055         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1056         (assert):
1057         (let.func):
1058         (let.o.foo):
1059         (varFunc):
1060
1061 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1062
1063         Unreviewed, update test262 expects
1064         https://bugs.webkit.org/show_bug.cgi?id=182232
1065
1066         * test262.yaml:
1067
1068 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1069
1070         [JSC] Implement trimStart and trimEnd
1071         https://bugs.webkit.org/show_bug.cgi?id=182233
1072
1073         Reviewed by Mark Lam.
1074
1075         * stress/trim.js: Added.
1076         (shouldBe):
1077         (startTest):
1078         (endTest):
1079         (trimTest):
1080
1081 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1082
1083         [JSC] Relax line terminators in String to make JSON subset of JS
1084         https://bugs.webkit.org/show_bug.cgi?id=182232
1085
1086         Reviewed by Keith Miller.
1087
1088         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1089         * stress/relaxed-line-terminators-in-string.js: Added.
1090         (shouldBe):
1091
1092 2018-01-29  Michael Saboff  <msaboff@apple.com>
1093
1094         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1095         https://bugs.webkit.org/show_bug.cgi?id=182249
1096
1097         Reviewed by Keith Miller.
1098
1099         New regression test.
1100
1101         * stress/compare-clobber-untypeduse.js: Added.
1102
1103 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1104
1105         Unreviewed, rolling out r227725.
1106
1107         This caused internal failures.
1108
1109         Reverted changeset:
1110
1111         "JSC Sampling Profiler: Detect tester and testee when sampling
1112         in RegExp JIT"
1113         https://bugs.webkit.org/show_bug.cgi?id=152729
1114         https://trac.webkit.org/changeset/227725
1115
1116 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1117
1118         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1119         https://bugs.webkit.org/show_bug.cgi?id=152729
1120
1121         Reviewed by Saam Barati.
1122
1123         * stress/sampling-profiler-regexp.js: Added.
1124         (platformSupportsSamplingProfiler.test):
1125         (platformSupportsSamplingProfiler.baz):
1126         (platformSupportsSamplingProfiler):
1127
1128 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1129
1130         [DFG][FTL] WeakMap#set should have DFG node
1131         https://bugs.webkit.org/show_bug.cgi?id=180015
1132
1133         Reviewed by Saam Barati.
1134
1135         * stress/weakmap-set-change-get.js: Added.
1136         (shouldBe):
1137         (test):
1138         * stress/weakmap-set-cse.js: Added.
1139         (shouldBe):
1140         (test):
1141         * stress/weakset-add-change-get.js: Added.
1142         (shouldBe):
1143         * stress/weakset-add-cse.js: Added.
1144         (shouldBe):
1145
1146 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1147
1148         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1149         https://bugs.webkit.org/show_bug.cgi?id=182213
1150
1151         Reviewed by Mark Lam.
1152
1153         * stress/int32-min-to-string.js: Added.
1154         (shouldBe):
1155         (test2):
1156         (test4):
1157         (test8):
1158         (test16):
1159         (test32):
1160         * stress/zero-to-string.js: Added.
1161         (shouldBe):
1162         (test2):
1163         (test4):
1164         (test8):
1165         (test16):
1166         (test32):
1167
1168 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1169
1170         Add more module scope related tests with code evaluation by string
1171         https://bugs.webkit.org/show_bug.cgi?id=181983
1172
1173         Reviewed by Sam Weinig.
1174
1175         Add more module scope related tests. When the original tests landed,
1176         we did not have browser integration. This patch adds more module scope tests
1177         with dynamically created script evaluation. We add tests with Function
1178         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1179
1180         * modules/scopes-eval.js: Added.
1181         (shouldBe):
1182         * modules/scopes.js:
1183         (shouldBe):
1184
1185 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1186
1187         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1188
1189         * microbenchmarks/array-push-3.js: Removed.
1190         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1191         * microbenchmarks/double-to-int32.js: Removed.
1192         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1193         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1194         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1195         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1196         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1197         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1198         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1199         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1200         * microbenchmarks/map-constant-key.js: Removed.
1201         * microbenchmarks/nested-function-parsing.js: Removed.
1202         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1203         * microbenchmarks/spread-large-array.js: Removed.
1204         * microbenchmarks/string-add-constant-folding.js: Removed.
1205         * microbenchmarks/to-lower-case.js: Removed.
1206         * microbenchmarks/undefined-property-access.js: Removed.
1207         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1208         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1209         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1210         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1211         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1212         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1213         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1214         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1215         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1216         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1217         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1218         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1219         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1220         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1221         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1222         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1223         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1224         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1225
1226 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1227
1228         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1229         https://bugs.webkit.org/show_bug.cgi?id=181739
1230         <rdar://problem/36627662>
1231
1232         Reviewed by Saam Barati.
1233
1234         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1235         (foo):
1236         (bar):
1237
1238 2018-01-22  Michael Saboff  <msaboff@apple.com>
1239
1240         DFG abstract interpreter needs to properly model effects of some Math ops
1241         https://bugs.webkit.org/show_bug.cgi?id=181886
1242
1243         Reviewed by Saam Barati.
1244
1245         New regression test.
1246
1247         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1248         (test):
1249
1250 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1251
1252         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1253         https://bugs.webkit.org/show_bug.cgi?id=181182
1254
1255         Reviewed by Darin Adler.
1256
1257         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1258         * stress/big-int-prototype-to-string-exception.js: Added.
1259         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1260         * stress/number-prototype-to-string-cast-overflow.js: Added.
1261         * stress/number-prototype-to-string-exception.js: Added.
1262         * stress/number-prototype-to-string-wrong-values.js: Added.
1263
1264 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1265
1266         Disable Atomics when SharedArrayBuffer isn’t enabled
1267         https://bugs.webkit.org/show_bug.cgi?id=181572
1268
1269         Unreviewed test gardening.
1270
1271         * test262.yaml: Skip tests that fail after this change.
1272
1273 2018-01-19  Saam Barati  <sbarati@apple.com>
1274
1275         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1276         https://bugs.webkit.org/show_bug.cgi?id=181877
1277         <rdar://problem/36630552>
1278
1279         Reviewed by Mark Lam.
1280
1281         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1282         (runNearStackLimit):
1283         (f1):
1284         (f2):
1285         (f3):
1286         (i.catch):
1287         (i.try.runNearStackLimit):
1288         (catch):
1289
1290 2018-01-19  Saam Barati  <sbarati@apple.com>
1291
1292         Spread's effects are modeled incorrectly both in AI and in Clobberize
1293         https://bugs.webkit.org/show_bug.cgi?id=181867
1294         <rdar://problem/36290415>
1295
1296         Reviewed by Michael Saboff.
1297
1298         * stress/ai-needs-to-model-spreads-effects.js: Added.
1299         (try.p.Symbol.iterator):
1300         (try.go):
1301         (catch):
1302         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1303         (assert):
1304         (foo):
1305         (a.Symbol.iterator):
1306
1307 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1308
1309         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1310         https://bugs.webkit.org/show_bug.cgi?id=181535
1311
1312         * stress/inserted-recovery-with-set-last-index.js:
1313
1314 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1315
1316         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1317         https://bugs.webkit.org/show_bug.cgi?id=181535
1318
1319         Reviewed by Saam Barati.
1320
1321         * stress/inserted-recovery-with-set-last-index.js: Added.
1322         (shouldBe):
1323         (foo):
1324         * stress/materialize-regexp-at-osr-exit.js: Added.
1325         (shouldBe):
1326         (test):
1327         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1328         (shouldBe):
1329         (test):
1330         * stress/materialize-regexp-cyclic-regexp.js: Added.
1331         (shouldBe):
1332         (test):
1333         (i.switch):
1334         * stress/materialize-regexp-cyclic.js: Added.
1335         (shouldBe):
1336         (test):
1337         (i.switch):
1338         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1339         (bar):
1340         (foo):
1341         (test):
1342         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1343         (bar):
1344         (foo):
1345         (test):
1346         * stress/materialize-regexp.js: Added.
1347         (shouldBe):
1348         (test):
1349         * stress/phantom-regexp-regexp-exec.js: Added.
1350         (shouldBe):
1351         (test):
1352         * stress/phantom-regexp-string-match.js: Added.
1353         (shouldBe):
1354         (test):
1355         * stress/regexp-last-index-sinking.js: Added.
1356         (shouldBe):
1357         (test):
1358
1359 2018-01-17  Saam Barati  <sbarati@apple.com>
1360
1361         Disable Atomics when SharedArrayBuffer isn’t enabled
1362         https://bugs.webkit.org/show_bug.cgi?id=181572
1363         <rdar://problem/36553206>
1364
1365         Reviewed by Michael Saboff.
1366
1367         * stress/isLockFree.js:
1368
1369 2018-01-17  Saam Barati  <sbarati@apple.com>
1370
1371         DFG::Node::convertToConstant needs to clear the varargs flags
1372         https://bugs.webkit.org/show_bug.cgi?id=181697
1373         <rdar://problem/36497332>
1374
1375         Reviewed by Yusuke Suzuki.
1376
1377         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1378         (doIndexOf):
1379         (bar):
1380         (i.bar):
1381
1382 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1383
1384         Unreviewed, rolling out r226937.
1385
1386         Tests added with this change are failing due to a missing
1387         exception check.
1388
1389         Reverted changeset:
1390
1391         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1392         double to int32_t"
1393         https://bugs.webkit.org/show_bug.cgi?id=181182
1394         https://trac.webkit.org/changeset/226937
1395
1396 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1397
1398         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1399         https://bugs.webkit.org/show_bug.cgi?id=181182
1400
1401         Reviewed by Darin Adler.
1402
1403         * bigIntTests.yaml:
1404         * stress/big-int-constructor.js:
1405         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1406         (assert):
1407         (assertThrowRangeError):
1408         * stress/number-prototype-to-string-cast-overflow.js: Added.
1409         (assert):
1410         (assertThrowRangeError):
1411
1412 2018-01-12  Saam Barati  <sbarati@apple.com>
1413
1414         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1415         https://bugs.webkit.org/show_bug.cgi?id=181177
1416         <rdar://problem/36205704>
1417
1418         Reviewed by Yusuke Suzuki.
1419
1420         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1421         (runNearStackLimit.t):
1422         (runNearStackLimit):
1423         (test.f):
1424         (test):
1425
1426 2018-01-12  Saam Barati  <sbarati@apple.com>
1427
1428         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1429         https://bugs.webkit.org/show_bug.cgi?id=181562
1430         <rdar://problem/36445624>
1431
1432         Reviewed by Yusuke Suzuki.
1433
1434         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1435         (f):
1436         (foo):
1437
1438 2018-01-11  Saam Barati  <sbarati@apple.com>
1439
1440         When inserting Unreachable in byte code parser we need to flush all the right things
1441         https://bugs.webkit.org/show_bug.cgi?id=181509
1442         <rdar://problem/36423110>
1443
1444         Reviewed by Mark Lam.
1445
1446         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1447
1448 2018-01-11  Saam Barati  <sbarati@apple.com>
1449
1450         JITMathIC code in the FTL is wrong when code gets duplicated
1451         https://bugs.webkit.org/show_bug.cgi?id=181525
1452         <rdar://problem/36351993>
1453
1454         Reviewed by Michael Saboff and Keith Miller.
1455
1456         * stress/allow-math-ic-b3-code-duplication.js: Added.
1457
1458 2018-01-11  Saam Barati  <sbarati@apple.com>
1459
1460         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1461         https://bugs.webkit.org/show_bug.cgi?id=181508
1462
1463         Reviewed by Yusuke Suzuki.
1464
1465         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1466         (assert):
1467         (test1.foo):
1468         (test1):
1469         (test2.foo):
1470         (test2):
1471
1472 2018-01-09  Mark Lam  <mark.lam@apple.com>
1473
1474         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1475         https://bugs.webkit.org/show_bug.cgi?id=181388
1476         <rdar://problem/36349351>
1477
1478         Reviewed by Saam Barati.
1479
1480         * stress/regress-181388.js: Added.
1481
1482 2018-01-08  JF Bastien  <jfbastien@apple.com>
1483
1484         WebAssembly: mask indexed accesses to Table
1485         https://bugs.webkit.org/show_bug.cgi?id=181412
1486         <rdar://problem/36363236>
1487
1488         Reviewed by Saam Barati.
1489
1490         Update error messages.
1491
1492         * wasm/js-api/table.js:
1493         (assert.throws.WebAssembly.Table.prototype.grow):
1494
1495 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1496
1497         Disable SharedArrayBuffer tests missed in r226386.
1498         https://bugs.webkit.org/show_bug.cgi?id=181266
1499
1500         Unreviewed test gardening.
1501
1502         * test262.yaml:
1503
1504 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1505
1506         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1507         https://bugs.webkit.org/show_bug.cgi?id=181321
1508
1509         Reviewed by Saam Barati.
1510
1511         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1512         (shouldBe):
1513         (testFunction):
1514         * test262.yaml:
1515
1516 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1517
1518         Unreviewed, attempt to fix test262 after r226386.
1519
1520         * test262.yaml:
1521
1522 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1523
1524         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1525         https://bugs.webkit.org/show_bug.cgi?id=179911
1526
1527         Reviewed by Saam Barati.
1528
1529         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1530
1531         * stress/map-set-change-get.js: Added.
1532         (shouldBe):
1533         (test):
1534         * stress/map-set-create-bucket.js: Added.
1535         (shouldBe):
1536         (test):
1537         * stress/set-add-create-bucket.js: Added.
1538         (shouldBe):
1539
1540 2018-01-03  Michael Saboff  <msaboff@apple.com>
1541
1542         Disable SharedArrayBuffers from Web API
1543         https://bugs.webkit.org/show_bug.cgi?id=181266
1544
1545         Reviewed by Saam Barati.
1546
1547         Disabled SharedArrayBuffer tests.
1548
1549         * stress/SharedArrayBuffer-opt.js:
1550         * stress/SharedArrayBuffer.js:
1551         * stress/array-buffer-byte-length.js:
1552         * stress/atomics-add-uint32.js:
1553         * stress/atomics-known-int-use.js:
1554         * stress/atomics-neg-zero.js:
1555         * stress/atomics-store-return.js:
1556         * stress/lars-sab-workers.js:
1557         * stress/regress-159779-1.js:
1558         * stress/regress-159779-2.js:
1559         * stress/regress-170473.js:
1560         * test262.yaml:
1561
1562 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1563
1564         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1565         https://bugs.webkit.org/show_bug.cgi?id=181258
1566
1567         Reviewed by Antonio Gomes.
1568
1569         * stress/big-int-constructor-gc.js:
1570         * stress/big-int-constructor-oom.js:
1571
1572 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1573
1574         Inlining of a function that ends in op_unreachable crashes
1575         https://bugs.webkit.org/show_bug.cgi?id=181027
1576
1577         Reviewed by Filip Pizlo.
1578
1579         * stress/inlining-unreachable.js: Added.
1580         (bar):
1581         (baz):
1582         (i.catch):
1583
1584 2018-01-02  Saam Barati  <sbarati@apple.com>
1585
1586         Incorrect assertion inside AccessCase
1587         https://bugs.webkit.org/show_bug.cgi?id=181200
1588         <rdar://problem/35494754>
1589
1590         Reviewed by Yusuke Suzuki.
1591
1592         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1593         (ctor):
1594         (theFunc):
1595         (run):
1596
1597 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1598
1599         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1600         https://bugs.webkit.org/show_bug.cgi?id=175359
1601
1602         Reviewed by Yusuke Suzuki.
1603
1604         * bigIntTests.yaml:
1605         * stress/big-int-as-key.js: Added.
1606         * stress/big-int-constructor-gc.js: Added.
1607         * stress/big-int-constructor-oom.js: Added.
1608         * stress/big-int-constructor-properties.js: Added.
1609         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1610         * stress/big-int-constructor-prototype.js: Added.
1611         * stress/big-int-constructor.js: Added.
1612         * stress/big-int-function-apply.js:
1613         * stress/big-int-length.js: Added.
1614         * stress/big-int-prop-descriptor.js: Added.
1615         * stress/big-int-proto-constructor.js: Added.
1616         * stress/big-int-proto-name.js: Added.
1617         * stress/big-int-prototype-properties.js: Added.
1618         * stress/big-int-prototype-proto.js: Added.
1619         * stress/big-int-prototype-value-of.js: Added.
1620         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1621         * stress/big-int-prototype-to-string-apply.js: Added.
1622         * stress/big-int-to-object.js: Added.
1623         * stress/big-int-to-string.js: Added.
1624
1625 2017-12-28  Saam Barati  <sbarati@apple.com>
1626
1627         Assertion used to determine if something is an async generator is wrong
1628         https://bugs.webkit.org/show_bug.cgi?id=181168
1629         <rdar://problem/35640560>
1630
1631         Reviewed by Yusuke Suzuki.
1632
1633         * stress/async-generator-assertion.js: Added.
1634
1635 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1636
1637         Skip stress/splay-flash-access tests on memory limited platforms
1638         https://bugs.webkit.org/show_bug.cgi?id=181086
1639
1640         Reviewed by Carlos Alberto Lopez Perez.
1641
1642         These tests use about 185M of memory, and occasionally get OOM-killed
1643         on memory limited platforms.
1644
1645         * stress/splay-flash-access-1ms.js:
1646         * stress/splay-flash-access.js:
1647
1648 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1649
1650         Skip slow jsc tests on embedded platforms
1651         https://bugs.webkit.org/show_bug.cgi?id=180937
1652
1653         Reviewed by Carlos Alberto Lopez Perez.
1654
1655         The tests typeProfiler/deltablue-for-of.js and
1656         typeProfiler/getter-richards.js take a very long time in the
1657         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
1658         thus always time out. They should be skipped on these platforms.
1659
1660         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1661         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1662
1663 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1664
1665         [JSC] Do not check isValid() in op_new_regexp
1666         https://bugs.webkit.org/show_bug.cgi?id=180970
1667
1668         Reviewed by Saam Barati.
1669
1670         * stress/regexp-syntax-error-invalid-flags.js: Added.
1671         (shouldThrow):
1672
1673 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1674
1675         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1676         https://bugs.webkit.org/show_bug.cgi?id=180712
1677
1678         Reviewed by Michael Catanzaro.
1679
1680         stress/call-apply-exponential-bytecode-size.js crashes if the
1681         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1682         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1683         should skip the test on other platforms.
1684
1685         * stress/call-apply-exponential-bytecode-size.js:
1686
1687 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1688
1689         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1690         https://bugs.webkit.org/show_bug.cgi?id=179762
1691
1692         Reviewed by Saam Barati.
1693
1694         * stress/call-varargs-double-new-array-buffer.js: Added.
1695         (assert):
1696         (bar):
1697         (foo):
1698         * stress/call-varargs-spread-new-array-buffer.js: Added.
1699         (assert):
1700         (bar):
1701         (foo):
1702         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1703         (assert):
1704         (bar):
1705         (foo):
1706         * stress/forward-varargs-double-new-array-buffer.js: Added.
1707         (assert):
1708         (test.baz):
1709         (test.bar):
1710         (test.foo):
1711         (test):
1712         * stress/new-array-buffer-sinking-osrexit.js: Added.
1713         (target):
1714         (test):
1715         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1716         (shouldBe):
1717         (test):
1718         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1719         (shouldBe):
1720         (target):
1721         (test):
1722         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1723         (assert):
1724         (test1.bar):
1725         (test1.foo):
1726         (test1):
1727         (test2.bar):
1728         (test2.foo):
1729         (test3.baz):
1730         (test3.bar):
1731         (test3.foo):
1732         (test4.baz):
1733         (test4.bar):
1734         (test4.foo):
1735         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1736         (assert):
1737         (test.baz):
1738         (test.bar):
1739         (test.foo):
1740         (test):
1741         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1742         (assert):
1743         (baz):
1744         (bar):
1745         (effects):
1746         (foo):
1747
1748 2017-12-14  Saam Barati  <sbarati@apple.com>
1749
1750         The CleanUp after LICM is erroneously removing a Check
1751         https://bugs.webkit.org/show_bug.cgi?id=180852
1752         <rdar://problem/36063494>
1753
1754         Reviewed by Filip Pizlo.
1755
1756         * stress/dont-run-cleanup-after-licm.js: Added.
1757
1758 2017-12-14  Michael Saboff  <msaboff@apple.com>
1759
1760         REGRESSION (r225695): Repro crash on yahoo login page
1761         https://bugs.webkit.org/show_bug.cgi?id=180761
1762
1763         Reviewed by JF Bastien.
1764
1765         New regression test.
1766
1767         * stress/regress-180761.js: Added.
1768
1769 2017-12-13  Keith Miller  <keith_miller@apple.com>
1770
1771         JSObjects should have a mask for loading indexed properties
1772         https://bugs.webkit.org/show_bug.cgi?id=180768
1773
1774         Reviewed by Mark Lam.
1775
1776         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1777         (test):
1778
1779 2017-12-13  Saam Barati  <sbarati@apple.com>
1780
1781         Arrow functions need their own structure because they have different properties than sloppy functions
1782         https://bugs.webkit.org/show_bug.cgi?id=180779
1783         <rdar://problem/35814591>
1784
1785         Reviewed by Mark Lam.
1786
1787         * stress/arrow-function-needs-its-own-structure.js: Added.
1788         (assert):
1789         (readPrototype):
1790         (noInline.let.f1):
1791         (noInline):
1792
1793 2017-12-13  Saam Barati  <sbarati@apple.com>
1794
1795         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1796         https://bugs.webkit.org/show_bug.cgi?id=163579
1797         <rdar://problem/35455798>
1798
1799         Reviewed by Mark Lam.
1800
1801         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1802         (assert):
1803         (test1):
1804         (i.test1):
1805         (i.test1.C):
1806         (i.test1.async.foo):
1807         (i.test1.foo):
1808         (test2):
1809
1810 2017-12-13  Saam Barati  <sbarati@apple.com>
1811
1812         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1813         https://bugs.webkit.org/show_bug.cgi?id=180734
1814         <rdar://problem/35640547>
1815
1816         Reviewed by Yusuke Suzuki.
1817
1818         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1819         (__isPropertyOfType):
1820         (__getProperties):
1821         (__getObjects):
1822         (__getRandomObject):
1823         (theClass.):
1824         (theClass):
1825         (childClass):
1826         (counter.catch):
1827
1828 2017-12-12  Saam Barati  <sbarati@apple.com>
1829
1830         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1831         https://bugs.webkit.org/show_bug.cgi?id=180725
1832         <rdar://problem/35970511>
1833
1834         Reviewed by Michael Saboff.
1835
1836         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1837         (f1):
1838         (f2):
1839         (let.o2.valueOf):
1840
1841 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1842
1843         [JSC] Implement optimized WeakMap and WeakSet
1844         https://bugs.webkit.org/show_bug.cgi?id=179929
1845
1846         Reviewed by Saam Barati.
1847
1848         * microbenchmarks/weak-map-key.js:
1849         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1850         (assert):
1851         (objectKey):
1852         (let.start.Date.now):
1853         * stress/basic-weakmap.js: Added.
1854         (shouldBe):
1855         (test):
1856         * stress/basic-weakset.js: Added.
1857         (shouldBe):
1858         (test.set new):
1859         * stress/weakmap-cse-set-break.js: Added.
1860         (shouldBe):
1861         (test):
1862         * stress/weakmap-cse.js: Added.
1863         (shouldBe):
1864         (test):
1865         * stress/weakmap-gc.js: Added.
1866         (test):
1867         * stress/weakset-cse-add-break.js: Added.
1868         (shouldBe):
1869         (test.set new):
1870         * stress/weakset-cse.js: Added.
1871         (shouldBe):
1872         (test.set new):
1873         * stress/weakset-gc.js: Added.
1874         (test.set add):
1875         (test.set new):
1876         (test):
1877
1878 2017-12-12  Saam Barati  <sbarati@apple.com>
1879
1880         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1881         https://bugs.webkit.org/show_bug.cgi?id=180723
1882         <rdar://problem/35859726>
1883
1884         Reviewed by JF Bastien.
1885
1886         * stress/get-my-argument-by-val-constant-folding.js: Added.
1887         (test):
1888         (catch):
1889
1890 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1891
1892         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1893         https://bugs.webkit.org/show_bug.cgi?id=179000
1894
1895         Reviewed by Darin Adler and Yusuke Suzuki.
1896
1897         * bigIntTests.yaml: Added.
1898         * stress/big-int-literal-line-terminator.js: Added.
1899         * stress/big-int-literals.js: Added.
1900         * stress/big-int-operations-error.js: Added.
1901         * stress/big-int-type-of.js: Added.
1902         * stress/big-int-white-space-trailing-leading.js: Added.
1903         * stress/big-int-function-apply.js: Added.
1904
1905 2017-12-11  Saam Barati  <sbarati@apple.com>
1906
1907         We need to disableCaching() in ErrorInstance when we materialize properties
1908         https://bugs.webkit.org/show_bug.cgi?id=180343
1909         <rdar://problem/35833002>
1910
1911         Reviewed by Mark Lam.
1912
1913         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1914         (assert):
1915         (makeError):
1916         (storeToStack):
1917         (storeToStackAlreadyMaterialized):
1918
1919 2017-12-05  JF Bastien  <jfbastien@apple.com>
1920
1921         WebAssembly: don't eagerly checksum
1922         https://bugs.webkit.org/show_bug.cgi?id=180441
1923         <rdar://problem/35156628>
1924
1925         Reviewed by Saam Barati.
1926
1927         Checksum is now disabled, so tests only have <?> as the module
1928         name.
1929
1930         * wasm/function-tests/nameSection.js:
1931         * wasm/function-tests/stack-overflow.js:
1932         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1933         (assertOverflows.assertThrows):
1934         (assertOverflows):
1935         * wasm/function-tests/stack-trace.js:
1936
1937 2017-12-04  JF Bastien  <jfbastien@apple.com>
1938
1939         Proxy all functions, except the $ objects
1940         https://bugs.webkit.org/show_bug.cgi?id=180375
1941
1942         Reviewed by Saam Barati.
1943
1944         It looks like this test may have broken some executions because I
1945         call some internal objects. Explicitly ignore objects whose name
1946         starts with "$" because it's a bad idea anyways.
1947
1948         * stress/proxy-all-the-parameters.js:
1949         (generateObjects):
1950         (get throw):
1951
1952 2017-12-04  Saam Barati  <sbarati@apple.com>
1953
1954         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1955         https://bugs.webkit.org/show_bug.cgi?id=180366
1956         <rdar://problem/35685877>
1957
1958         Reviewed by Michael Saboff.
1959
1960         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1961         (theParent):
1962         (test1.base.getParentStaticValue):
1963         (test1.base):
1964         (test1.__v_24888.prototype.set prop):
1965         (test1.__v_24888):
1966         (test2.base.getParentStaticValue):
1967         (test2.base):
1968         (test2.__v_24888.prototype.set prop):
1969         (test2.__v_24888):
1970         (test2):
1971
1972 2017-12-01  JF Bastien  <jfbastien@apple.com>
1973
1974         Try proxying all function arguments
1975         https://bugs.webkit.org/show_bug.cgi?id=180306
1976
1977         Reviewed by Saam Barati.
1978
1979         * stress/proxy-all-the-parameters.js: Added.
1980         (isPropertyOfType):
1981         (getProperties):
1982         (generateObjects):
1983         (getObjects):
1984         (getFunctions):
1985         (get throw):
1986         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1987
1988 2017-12-01  JF Bastien  <jfbastien@apple.com>
1989
1990         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1991         https://bugs.webkit.org/show_bug.cgi?id=180297
1992         <rdar://problem/35745556>
1993
1994         Reviewed by Mark Lam.
1995
1996         * stress/math-exceptions.js: Added.
1997         (get try):
1998         (catch):
1999
2000 2017-12-01  JF Bastien  <jfbastien@apple.com>
2001
2002         JavaScriptCore: add test for weird class static getters
2003         https://bugs.webkit.org/show_bug.cgi?id=180281
2004         <rdar://problem/35592139>
2005
2006         Reviewed by Mark Lam.
2007
2008         I fixed a bug for it in r224927 and didn't add a test. Do so.
2009
2010         * stress/class-static-get-weird.js: Added.
2011         (c.prototype.get name):
2012         (c):
2013         (c.prototype.get arguments):
2014         (c.prototype.get caller):
2015         (c.prototype.get length):
2016
2017 2017-12-01  Saam Barati  <sbarati@apple.com>
2018
2019         Having a bad time needs to handle ArrayClass indexing type as well
2020         https://bugs.webkit.org/show_bug.cgi?id=180274
2021         <rdar://problem/35667869>
2022
2023         Reviewed by Keith Miller and Mark Lam.
2024
2025         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2026         (assert):
2027         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2028         (assert):
2029
2030 2017-12-01  JF Bastien  <jfbastien@apple.com>
2031
2032         WebAssembly: restore cached stack limit after out-call
2033         https://bugs.webkit.org/show_bug.cgi?id=179106
2034         <rdar://problem/35337525>
2035
2036         Reviewed by Saam Barati.
2037
2038         * wasm/function-tests/double-instance.js: Added.
2039         (const.imp.boom):
2040         (const.imp.get callAnother):
2041
2042 2017-11-30  JF Bastien  <jfbastien@apple.com>
2043
2044         WebAssembly: improve stack trace
2045         https://bugs.webkit.org/show_bug.cgi?id=179343
2046
2047         Reviewed by Saam Barati.
2048
2049         Update the tests to follow the new format. Notably, SHA1 module
2050         hash is now included in traces, and stubs are properly identified.
2051
2052         * wasm/assert.js: Add an assertion which matches regular expressions.
2053         * wasm/function-tests/nameSection.js:
2054         * wasm/function-tests/stack-overflow.js:
2055         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2056         (assertOverflows.assertThrows.wasm.1):
2057         (assertOverflows.assertThrows.wasm.0):
2058         (assertOverflows.assertThrows):
2059         (assertOverflows):
2060         * wasm/function-tests/stack-trace.js:
2061         (import.Builder.from.string_appeared_here.assert): Deleted.
2062         * wasm/function-tests/trap-after-cross-instance-call.js:
2063         (wasmFrameCountFromError):
2064         * wasm/function-tests/trap-load-2.js:
2065         (wasmFrameCountFromError):
2066         * wasm/function-tests/trap-load.js:
2067         (wasmFrameCountFromError):
2068
2069 2017-11-30  Mark Lam  <mark.lam@apple.com>
2070
2071         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2072         https://bugs.webkit.org/show_bug.cgi?id=180219
2073         <rdar://problem/35696536>
2074
2075         Reviewed by Filip Pizlo.
2076
2077         * stress/regress-180219.js: Added.
2078
2079 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2080
2081         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2082         https://bugs.webkit.org/show_bug.cgi?id=180190
2083
2084         Reviewed by Mark Lam.
2085
2086         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2087         (shouldBe):
2088         (test1):
2089         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2090         (shouldBe):
2091         (test1):
2092         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2093         (shouldBe):
2094         (test1):
2095         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2096         (shouldBe):
2097         (test1):
2098         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2099         (shouldBe):
2100         (test1):
2101         * stress/operation-in-may-have-negative-int32.js: Added.
2102         (shouldBe):
2103         (test2):
2104         * stress/operation-in-negative-int32-cast.js: Added.
2105         (shouldBe):
2106         (test1):
2107
2108 2017-11-28  JF Bastien  <jfbastien@apple.com>
2109
2110         Strict and sloppy functions shouldn't share structure
2111         https://bugs.webkit.org/show_bug.cgi?id=180103
2112         <rdar://problem/35667847>
2113
2114         Reviewed by Saam Barati.
2115
2116         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2117         because the IC was wrong.
2118         (foo):
2119         (bar):
2120         (baz):
2121         (catch):
2122         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2123         in this patch, but may as well test odd strict mode corner cases.
2124         (bar):
2125         (baz):
2126         (catch):
2127         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2128         (foo):
2129         (bar):
2130         (baz):
2131         (catch):
2132         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2133         next file, but with invalidation of the FunctionExecutable's
2134         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2135         slower path.
2136         (foo):
2137         (bar.const.x):
2138         (bar.const.y):
2139         (bar):
2140         (catch):
2141         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2142         strict nesting works correctly.
2143         (foo):
2144         (bar.baz):
2145         (bar):
2146         * stress/strict-function-structure.js: Added. The test used to
2147         assert in objectProtoFuncHasOwnProperty.
2148         (foo):
2149         (bar):
2150         (baz):
2151         * stress/strict-nested-function-structure.js: Added. Nesting.
2152         (foo):
2153         (bar):
2154         (baz.boo):
2155         (baz):
2156
2157 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2158
2159         The recursive tail call optimisation is wrong on closures
2160         https://bugs.webkit.org/show_bug.cgi?id=179835
2161
2162         Reviewed by Saam Barati.
2163
2164         * stress/closure-recursive-tail-call.js: Added.
2165         (makeClosure):
2166
2167 2017-11-27  JF Bastien  <jfbastien@apple.com>
2168
2169         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2170         https://bugs.webkit.org/show_bug.cgi?id=180051
2171         <rdar://problem/35614371>
2172
2173         Reviewed by Saam Barati.
2174
2175         * stress/rest-parameter-negative.js: Added.
2176         (__f_5484):
2177         (catch):
2178         (__f_5485):
2179         (__v_22598.catch):
2180
2181 2017-11-27  Saam Barati  <sbarati@apple.com>
2182
2183         Spread can escape when CreateRest does not
2184         https://bugs.webkit.org/show_bug.cgi?id=180057
2185         <rdar://problem/35676119>
2186
2187         Reviewed by JF Bastien.
2188
2189         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2190         (assert):
2191         (getProperties):
2192         (theFunc):
2193         (let.obj.valueOf):
2194
2195 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2196
2197         [DFG] Add NormalizeMapKey DFG IR
2198         https://bugs.webkit.org/show_bug.cgi?id=179912
2199
2200         Reviewed by Saam Barati.
2201
2202         * stress/map-untyped-normalize-cse.js: Added.
2203         (shouldBe):
2204         (test):
2205         * stress/map-untyped-normalize.js: Added.
2206         (shouldBe):
2207         (test):
2208         * stress/set-untyped-normalize-cse.js: Added.
2209         (shouldBe):
2210         (set return.set has.set has):
2211         * stress/set-untyped-normalize.js: Added.
2212         (shouldBe):
2213         (set return.set has):
2214
2215 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2216
2217         [FTL] Support DeleteById and DeleteByVal
2218         https://bugs.webkit.org/show_bug.cgi?id=180022
2219
2220         Reviewed by Saam Barati.
2221
2222         * stress/delete-by-id.js: Added.
2223         (shouldBe):
2224         (test1):
2225         (test2):
2226         * stress/delete-by-val-ftl.js: Added.
2227         (shouldBe):
2228         (test1):
2229         (test2):
2230
2231 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2232
2233         [DFG] Introduce {Set,Map,WeakMap}Fields
2234         https://bugs.webkit.org/show_bug.cgi?id=179925
2235
2236         Reviewed by Saam Barati.
2237
2238         * stress/map-set-clobber-map-get.js: Added.
2239         (shouldBe):
2240         (test):
2241         * stress/map-set-does-not-clobber-set-has.js: Added.
2242         (shouldBe):
2243         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2244         (shouldBe):
2245         (test):
2246         * stress/set-add-clobber-set-has.js: Added.
2247         (shouldBe):
2248         * stress/set-add-does-not-clobber-map-get.js: Added.
2249         (shouldBe):
2250
2251 2017-11-24  Mark Lam  <mark.lam@apple.com>
2252
2253         Move unsafe jsc shell test functions to the $vm object.
2254         https://bugs.webkit.org/show_bug.cgi?id=179980
2255
2256         Reviewed by Yusuke Suzuki.
2257
2258         * controlFlowProfiler/driver/driver.js:
2259         * controlFlowProfiler/execution-count.js:
2260         * controlFlowProfiler/if-statement.js:
2261         * controlFlowProfiler/loop-statements.js:
2262         * controlFlowProfiler/switch-statements.js:
2263         * controlFlowProfiler/test-jit.js:
2264         * exceptionFuzz/3d-cube.js:
2265         * exceptionFuzz/date-format-xparb.js:
2266         * exceptionFuzz/earley-boyer.js:
2267         * heapProfiler/basic-edges.js:
2268         * heapProfiler/property-edge-types.js:
2269         * microbenchmarks/try-get-by-id-basic.js:
2270         * microbenchmarks/try-get-by-id-polymorphic.js:
2271         * modules/namespace-object-try-get.js:
2272         * stress/argument-count-bytecode.js:
2273         * stress/argument-intrinsic-basic.js:
2274         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2275         * stress/argument-intrinsic-inlining-with-result-escape.js:
2276         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2277         * stress/argument-intrinsic-inlining-with-vararg.js:
2278         * stress/argument-intrinsic-nested-inlining.js:
2279         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2280         * stress/argument-intrinsic-with-stack-write.js:
2281         * stress/arity-mismatch-get-argument.js:
2282         * stress/array-message-passing.js:
2283         * stress/array-push-with-force-exit.js:
2284         * stress/check-dom-with-signature.js:
2285         * stress/check-sub-class.js:
2286         * stress/compare-eq-incomplete-profile.js:
2287         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2288         * stress/do-eval-virtual-call-correctly.js:
2289         * stress/dom-jit-with-poly-proto.js:
2290         * stress/domjit-exception-ic.js:
2291         * stress/domjit-exception.js:
2292         * stress/domjit-getter-complex-with-incorrect-object.js:
2293         * stress/domjit-getter-complex.js:
2294         * stress/domjit-getter-poly.js:
2295         * stress/domjit-getter-proto.js:
2296         * stress/domjit-getter-super-poly.js:
2297         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2298         * stress/domjit-getter-type-check.js:
2299         * stress/domjit-getter.js:
2300         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2301         * stress/for-in-proxy-target-changed-structure.js:
2302         * stress/for-in-proxy.js:
2303         * stress/generational-opaque-roots.js:
2304         * stress/global-const-redeclaration-setting-2.js:
2305         * stress/global-const-redeclaration-setting-3.js:
2306         * stress/global-const-redeclaration-setting-4.js:
2307         * stress/global-const-redeclaration-setting-5.js:
2308         * stress/global-const-redeclaration-setting.js:
2309         * stress/import-basic.js:
2310         * stress/import-from-eval.js:
2311         * stress/import-reject-with-exception.js:
2312         * stress/import-syntax.js:
2313         * stress/impure-get-own-property-slot-inline-cache.js:
2314         * stress/is-constructor.js:
2315         * stress/istypedarrayview-intrinsic.js:
2316         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2317         * stress/jsc-test-functions-should-be-more-robust.js:
2318         * stress/object-toString-with-proxy.js:
2319         * stress/poly-proto-custom-value-and-accessor.js:
2320         * stress/proxy-inline-cache.js:
2321         * stress/re-execute-error-module.js:
2322         * stress/regress-150532.js:
2323         * stress/regress-156992.js:
2324         * stress/regress-179619.js:
2325         * stress/resources/shadow-chicken-support.js:
2326         * stress/runtime-array.js:
2327         * stress/sampling-profiler-microtasks.js:
2328         * stress/shadow-chicken-enabled.js:
2329         * stress/spread-correct-global-object-on-exception.js:
2330         * stress/super-get-by-id.js:
2331         * stress/tailCallForwardArguments.js:
2332         * stress/to-object-intrinsic-boolean-edge.js:
2333         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2334         * stress/to-object-intrinsic-number-edge.js:
2335         * stress/to-object-intrinsic-object-edge.js:
2336         * stress/to-object-intrinsic-string-edge.js:
2337         * stress/to-object-intrinsic-symbol-edge.js:
2338         * stress/to-object-intrinsic.js:
2339         * stress/try-catch-custom-getter-as-get-by-id.js:
2340         * stress/try-get-by-id-poly-proto.js:
2341         * stress/try-get-by-id-should-spill-registers-dfg.js:
2342         * stress/try-get-by-id.js:
2343         * typeProfiler/arrow-functions.js:
2344         * typeProfiler/basic.js:
2345         * typeProfiler/captured.js:
2346         * typeProfiler/classes.js:
2347         * typeProfiler/dfg-jit-optimizations.js:
2348         * typeProfiler/dictionary-mode.js:
2349         * typeProfiler/es6-block-scoping.js:
2350         * typeProfiler/es6-classes.js:
2351         * typeProfiler/inheritance.js:
2352         * typeProfiler/int52-dfg.js:
2353         * typeProfiler/loop.js:
2354         * typeProfiler/optional-fields.js:
2355         * typeProfiler/overflow.js:
2356         * typeProfiler/return.js:
2357         * typeProfiler/symbol.js:
2358         * typeProfiler/weird-prototype-chain.js:
2359
2360 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2361
2362         [DFG][FTL] Support MapSet / SetAdd intrinsics
2363         https://bugs.webkit.org/show_bug.cgi?id=179858
2364
2365         Reviewed by Saam Barati.
2366
2367         * microbenchmarks/map-has-and-set.js: Added.
2368         (test):
2369         * stress/map-set-check-failure.js: Added.
2370         (shouldBe):
2371         (shouldThrow):
2372         (target):
2373         * stress/map-set-cse.js: Added.
2374         (shouldBe):
2375         (test):
2376         * stress/set-add-check-failure.js: Added.
2377         (shouldBe):
2378         (shouldThrow):
2379         (set shouldThrow):
2380         * stress/set-add-cse.js: Added.
2381         (shouldBe):
2382
2383 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2384
2385         [JSC] Allow poly proto for intrinsic getters
2386         https://bugs.webkit.org/show_bug.cgi?id=179550
2387
2388         Reviewed by Saam Barati.
2389
2390         This change is also tested by existing tests.
2391
2392             1. stress/intrinsic-getter-with-poly-proto.js
2393             2. stress/poly-proto-intrinsic-getter-correctness.js
2394
2395         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2396         (shouldBe):
2397         (makePolyProtoObject.foo.C):
2398         (makePolyProtoObject.foo):
2399         (makePolyProtoObject):
2400         (target):
2401         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2402         (shouldBe):
2403         (makePolyProtoObject.foo.C):
2404         (makePolyProtoObject.foo):
2405         (makePolyProtoObject):
2406         (target):
2407
2408 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2409
2410         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2411         https://bugs.webkit.org/show_bug.cgi?id=179744
2412
2413         Reviewed by Michael Catanzaro.
2414
2415         This test uses too much memory for our buildbots on these platforms
2416         and gets OOM-killed.
2417
2418         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2419         Skip if $memoryLimited and linux.
2420
2421 2017-11-17  JF Bastien  <jfbastien@apple.com>
2422
2423         WebAssembly JS API: throw when a promise can't be created
2424         https://bugs.webkit.org/show_bug.cgi?id=179826
2425         <rdar://problem/35455813>
2426
2427         Reviewed by Mark Lam.
2428
2429         Test WebAssembly.{compile,instantiate} where promise creation
2430         fails because of a stack overflow.
2431
2432         * wasm/js-api/promise-stack-overflow.js: Added.
2433         (const.runNearStackLimit.f.const.t):
2434         (async.testCompile):
2435         (async.testInstantiate):
2436
2437 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2438
2439         Unreviewed, mark regress-178385.js as memory exhausting
2440
2441         * stress/regress-178385.js:
2442
2443 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2444
2445         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2446
2447         Unreviewed test gardening.
2448
2449         * test262.yaml:
2450
2451 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2452
2453         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2454         https://bugs.webkit.org/show_bug.cgi?id=179763
2455         <rdar://problem/35550513>
2456
2457         Reviewed by Keith Miller.
2458
2459         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2460
2461         * stress/tdz-this-in-try-catch.js: Added.
2462         (__v_6388):
2463         (__v_6392):
2464
2465 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2466
2467         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2468         https://bugs.webkit.org/show_bug.cgi?id=179594
2469
2470         Reviewed by Saam Barati.
2471
2472         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2473         (shouldBe):
2474         (args):
2475         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2476         (shouldBe):
2477         (args):
2478
2479 2017-11-14  Saam Barati  <sbarati@apple.com>
2480
2481         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2482         https://bugs.webkit.org/show_bug.cgi?id=179639
2483         <rdar://problem/35513018>
2484
2485         Reviewed by JF Bastien.
2486
2487         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2488         (escape):
2489         (i.func):
2490
2491 2017-11-13  Mark Lam  <mark.lam@apple.com>
2492
2493         Add more overflow check book-keeping for MarkedArgumentBuffer.
2494         https://bugs.webkit.org/show_bug.cgi?id=179634
2495         <rdar://problem/35492517>
2496
2497         Reviewed by Saam Barati.
2498
2499         * stress/regress-179634.js: Added.
2500
2501 2017-11-13  Mark Lam  <mark.lam@apple.com>
2502
2503         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2504         https://bugs.webkit.org/show_bug.cgi?id=179619
2505         <rdar://problem/35492518>
2506
2507         Reviewed by Saam Barati.
2508
2509         * stress/regress-179619.js: Added.
2510
2511 2017-11-12  Mark Lam  <mark.lam@apple.com>
2512
2513         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2514         https://bugs.webkit.org/show_bug.cgi?id=179562
2515         <rdar://problem/35467022>
2516
2517         Reviewed by Saam Barati.
2518
2519         * regress-179562.js: Added.
2520
2521 2017-11-08  Saam Barati  <sbarati@apple.com>
2522
2523         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2524         https://bugs.webkit.org/show_bug.cgi?id=177792
2525
2526         Reviewed by Yusuke Suzuki.
2527
2528         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2529         (assert):
2530         (foo.Foo.prototype.ensureX):
2531         (foo.Foo):
2532         (foo):
2533         (access):
2534
2535 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2536
2537         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2538         https://bugs.webkit.org/show_bug.cgi?id=178592
2539
2540         Unreviewed test gardening.
2541
2542         * test262.yaml:
2543
2544 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2545
2546         Turn recursive tail calls into loops
2547         https://bugs.webkit.org/show_bug.cgi?id=176601
2548
2549         Reviewed by Saam Barati.
2550
2551         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2552
2553         Add some simple tests that compute factorial in several ways, and other trivial computations.
2554         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2555         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2556         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2557         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2558
2559         * stress/inline-call-to-recursive-tail-call.js: Added.
2560         (factorial.aux):
2561         (factorial):
2562         (factorial2.aux2):
2563         (factorial2.id):
2564         (factorial2):
2565         (factorial3.aux3):
2566         (factorial3):
2567         (aux4):
2568         (factorial4):
2569         (foo):
2570         (auxBar):
2571         (bar):
2572         (test):
2573
2574 2017-11-07  Mark Lam  <mark.lam@apple.com>
2575
2576         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2577         https://bugs.webkit.org/show_bug.cgi?id=179355
2578         <rdar://problem/35263053>
2579
2580         Reviewed by Saam Barati.
2581
2582         * stress/regress-179355.js: Added.
2583
2584 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2585
2586         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2587         https://bugs.webkit.org/show_bug.cgi?id=144458
2588
2589         Reviewed by Saam Barati.
2590
2591         * microbenchmarks/dfg-internal-function-call.js: Added.
2592         (target):
2593         * microbenchmarks/dfg-internal-function-construct.js: Added.
2594         (target):
2595         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2596         (target):
2597         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2598         (target):
2599         * stress/dfg-internal-function-call.js: Added.
2600         (shouldBe):
2601         (target):
2602         * stress/dfg-internal-function-construct.js: Added.
2603         (shouldBe):
2604         (target):
2605         * stress/internal-function-call.js: Added.
2606         (shouldBe):
2607         * stress/internal-function-construct.js: Added.
2608         (shouldBe):
2609
2610 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2611
2612         [Win] Skip stress/regress-178385.js.
2613         https://bugs.webkit.org/show_bug.cgi?id=179298
2614
2615         Unreviewed test gardening.
2616
2617         * stress/regress-178385.js:
2618
2619 2017-11-03  Keith Miller  <keith_miller@apple.com>
2620
2621         Add test for ic with side effects
2622         https://bugs.webkit.org/show_bug.cgi?id=179268
2623
2624         Reviewed by Saam Barati.
2625
2626         * stress/put-inline-cache-side-effects.js: Added.
2627         (let.i.of.objs.keys):
2628         (f):
2629
2630 2017-11-03  Mark Lam  <mark.lam@apple.com>
2631
2632         CachedCall (and its clients) needs overflow checks.
2633         https://bugs.webkit.org/show_bug.cgi?id=179185
2634
2635         Reviewed by JF Bastien.
2636
2637         * stress/regress-179185.js: Added.
2638
2639 2017-11-02  Michael Saboff  <msaboff@apple.com>
2640
2641         DFG needs to handle code motion of code in for..in loop bodies
2642         https://bugs.webkit.org/show_bug.cgi?id=179212
2643
2644         Reviewed by Keith Miller.
2645
2646         New regression test.
2647
2648         * stress/for-in-side-effects.js: Added.
2649         (getPrototypeOf):
2650         (reset):
2651         (testWithoutFTL.f):
2652         (testWithoutFTL):
2653         (testWithFTL.f):
2654         (testWithFTL):
2655
2656 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2657
2658         AI does not correctly model the clobber case of ArithClz32
2659         https://bugs.webkit.org/show_bug.cgi?id=179188
2660
2661         Reviewed by Michael Saboff.
2662
2663         * stress/arith-clz32-effects.js: Added.
2664         (foo):
2665         (valueOf):
2666
2667 2017-11-01  Michael Saboff  <msaboff@apple.com>
2668
2669         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2670         https://bugs.webkit.org/show_bug.cgi?id=179140
2671
2672         Reviewed by Saam Barati.
2673
2674         New regression test.
2675
2676         * stress/regress-179140.js: Added.
2677         (testWithoutFTL):
2678         (testWithFTL):
2679
2680 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2681
2682         [JSC] Introduce @toObject
2683         https://bugs.webkit.org/show_bug.cgi?id=178726
2684
2685         Reviewed by Saam Barati.
2686
2687         * stress/array-copywithin.js:
2688         (shouldThrow):
2689         * stress/object-constructor-boolean-edge.js: Added.
2690         (shouldBe):
2691         (test):
2692         * stress/object-constructor-global.js: Added.
2693         (shouldBe):
2694         * stress/object-constructor-null-edge.js: Added.
2695         (shouldBe):
2696         (test):
2697         * stress/object-constructor-number-edge.js: Added.
2698         (shouldBe):
2699         (test):
2700         * stress/object-constructor-object-edge.js: Added.
2701         (shouldBe):
2702         (test):
2703         (i.arg):
2704         * stress/object-constructor-string-edge.js: Added.
2705         (shouldBe):
2706         (test):
2707         * stress/object-constructor-symbol-edge.js: Added.
2708         (shouldBe):
2709         (test):
2710         * stress/object-constructor-undefined-edge.js: Added.
2711         (shouldBe):
2712         (test):
2713         * stress/symbol-array-from.js: Added.
2714         (shouldBe):
2715         * stress/to-object-intrinsic-boolean-edge.js: Added.
2716         (shouldBe):
2717         (builtin.createBuiltin):
2718         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2719         (shouldThrow):
2720         * stress/to-object-intrinsic-number-edge.js: Added.
2721         (shouldBe):
2722         (builtin.createBuiltin):
2723         * stress/to-object-intrinsic-object-edge.js: Added.
2724         (shouldBe):
2725         (builtin.createBuiltin):
2726         (i.arg):
2727         * stress/to-object-intrinsic-string-edge.js: Added.
2728         (shouldBe):
2729         (builtin.createBuiltin):
2730         * stress/to-object-intrinsic-symbol-edge.js: Added.
2731         (shouldBe):
2732         (builtin.createBuiltin):
2733         * stress/to-object-intrinsic.js: Added.
2734         (shouldBe):
2735         (shouldThrow):
2736         (builtin.createBuiltin):
2737
2738 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2739
2740         [DFG][FTL] Introduce StringSlice
2741         https://bugs.webkit.org/show_bug.cgi?id=178934
2742
2743         Reviewed by Saam Barati.
2744
2745         * microbenchmarks/string-slice-empty.js: Added.
2746         (slice):
2747         * microbenchmarks/string-slice-one-char.js: Added.
2748         (slice):
2749         * microbenchmarks/string-slice.js: Added.
2750         (slice):
2751
2752 2017-10-26  Michael Saboff  <msaboff@apple.com>
2753
2754         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2755         https://bugs.webkit.org/show_bug.cgi?id=178890
2756
2757         Reviewed by Keith Miller.
2758
2759         New regression test.
2760
2761         * stress/regress-178890.js: Added.
2762
2763 2017-10-26  Mark Lam  <mark.lam@apple.com>
2764
2765         JSRopeString::RopeBuilder::append() should check for overflows.
2766         https://bugs.webkit.org/show_bug.cgi?id=178385
2767         <rdar://problem/35027468>
2768
2769         Reviewed by Saam Barati.
2770
2771         * stress/regress-178385.js: Added.
2772
2773 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2774
2775         Unreviewed, rolling out r223961.
2776
2777         The change that required this has been rolled out.
2778
2779         Reverted changeset:
2780
2781         "Mark test262.yaml/test262/test/language/statements/try/tco-
2782         catch.js as passing."
2783         https://bugs.webkit.org/show_bug.cgi?id=178592
2784         https://trac.webkit.org/changeset/223961
2785
2786 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2787
2788         Unreviewed, rolling out r223691 and r223729.
2789         https://bugs.webkit.org/show_bug.cgi?id=178834
2790
2791         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2792         by rniwa on #webkit).
2793
2794         Reverted changesets:
2795
2796         "Turn recursive tail calls into loops"
2797         https://bugs.webkit.org/show_bug.cgi?id=176601
2798         https://trac.webkit.org/changeset/223691
2799
2800         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2801         comparison is always false due to limited range of data type
2802         [-Wtype-limits]"
2803         https://bugs.webkit.org/show_bug.cgi?id=178543
2804         https://trac.webkit.org/changeset/223729
2805
2806 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2807
2808         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2809         https://bugs.webkit.org/show_bug.cgi?id=178592
2810
2811         Unreviewed test gardening.
2812
2813         * test262.yaml:
2814
2815 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2816
2817         [FTL] Support NewStringObject
2818         https://bugs.webkit.org/show_bug.cgi?id=178737
2819
2820         Reviewed by Saam Barati.
2821
2822         * stress/new-string-object.js: Added.
2823         (shouldBe):
2824         (test):
2825
2826 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2827
2828         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2829         https://bugs.webkit.org/show_bug.cgi?id=178308
2830
2831         Reviewed by Mark Lam.
2832
2833         * test262.yaml:
2834
2835 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2836
2837         [JSC] Use fastJoin in Array#toString
2838         https://bugs.webkit.org/show_bug.cgi?id=178062
2839
2840         Reviewed by Darin Adler.
2841
2842         * microbenchmarks/contiguous-array-to-string.js: Added.
2843         (target):
2844         * microbenchmarks/double-array-to-string.js: Added.
2845         (target):
2846         * microbenchmarks/int32-array-to-string.js: Added.
2847         (target):
2848
2849 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2850
2851         stress/check-string-ident.js is improperly skipped
2852         https://bugs.webkit.org/show_bug.cgi?id=178642
2853
2854         Reviewed by Saam Barati.
2855
2856         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2857         since it enforces the run-jsc-stress-tests script to still set up the
2858         test to run, despite the skip directive that's used before.
2859
2860 2017-10-20  Mark Lam  <mark.lam@apple.com>
2861
2862         Add a test case for r214334.
2863         https://bugs.webkit.org/show_bug.cgi?id=169941
2864         <rdar://problem/31221258>
2865
2866         Reviewed by JF Bastien.
2867
2868         * stress/regress-169941.js: Added.
2869
2870 2017-10-19  JF Bastien  <jfbastien@apple.com>
2871
2872         WebAssembly: no VM / JS version of everything but Instance
2873         https://bugs.webkit.org/show_bug.cgi?id=177473
2874
2875         Reviewed by Filip Pizlo, Saam Barati.
2876
2877         - Exceeding max on memory growth now returns a range error as per
2878         spec. This is a (very minor) breaking change: it used to throw OOM
2879         error. Update the corresponding test.
2880
2881         * wasm/js-api/memory-grow.js:
2882         (assertEq):
2883         * wasm/js-api/table.js:
2884         (assert.throws):
2885
2886 2017-10-19  Mark Lam  <mark.lam@apple.com>
2887
2888         Stringifier::appendStringifiedValue() is missing an exception check.
2889         https://bugs.webkit.org/show_bug.cgi?id=178386
2890         <rdar://problem/35027610>
2891
2892         Reviewed by Saam Barati.
2893
2894         * stress/regress-178386.js: Added.
2895
2896 2017-10-19  Michael Saboff  <msaboff@apple.com>
2897
2898         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2899         https://bugs.webkit.org/show_bug.cgi?id=178521
2900
2901         Reviewed by JF Bastien.
2902
2903         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2904         now passes with the current version (5.0) of the Emoji spec.
2905
2906 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2907
2908         Turn recursive tail calls into loops
2909         https://bugs.webkit.org/show_bug.cgi?id=176601
2910
2911         Reviewed by Saam Barati.
2912
2913         Add some simple tests that compute factorial in several ways, and other trivial computations.
2914         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2915         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2916         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2917         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2918
2919         * stress/inline-call-to-recursive-tail-call.js: Added.
2920         (factorial.aux):
2921         (factorial):
2922         (factorial2.aux):
2923         (factorial2.id):
2924         (factorial2):
2925         (factorial3.aux):
2926         (factorial3):
2927         (aux):
2928         (factorial4):
2929         (test):
2930
2931 2017-10-18  Mark Lam  <mark.lam@apple.com>
2932
2933         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2934         https://bugs.webkit.org/show_bug.cgi?id=177600
2935         <rdar://problem/34710985>
2936
2937         Reviewed by Saam Barati.
2938
2939         * stress/regress-177600.js: Added.
2940
2941 2017-10-18  Mark Lam  <mark.lam@apple.com>
2942
2943         The compiler should always register a structure when it adds its transitionWatchPointSet.
2944         https://bugs.webkit.org/show_bug.cgi?id=178420
2945         <rdar://problem/34814024>
2946
2947         Reviewed by Saam Barati and Filip Pizlo.
2948
2949         * stress/regress-178420.js: Added.
2950         (new.Array.10000.map):
2951
2952 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2953
2954         [JSC] __proto__ getter should be fast
2955         https://bugs.webkit.org/show_bug.cgi?id=178067
2956
2957         Reviewed by Saam Barati.
2958
2959         * stress/dfg-object-proto-accessor.js: Added.
2960         (shouldBe):
2961         (shouldThrow):
2962         (target):
2963         * stress/dfg-object-proto-getter.js: Added.
2964         (shouldBe):
2965         (shouldThrow):
2966         (target):
2967         * stress/dfg-object-prototype-of.js: Added.
2968         (shouldBe):
2969         (shouldThrow):
2970         (target):
2971         * stress/dfg-reflect-get-prototype-of.js: Added.
2972         (shouldBe):
2973         (shouldThrow):
2974         (target):
2975         * stress/intrinsic-getter-with-poly-proto.js: Added.
2976         (shouldBe):
2977         (makePolyProtoObject.foo.C):
2978         (makePolyProtoObject.foo):
2979         (makePolyProtoObject):
2980         (target):
2981         * stress/object-get-prototype-of-filtered.js: Added.
2982         (shouldBe):
2983         (shouldThrow):
2984         (target):
2985         (i.Cocoa):
2986         * stress/object-get-prototype-of-mono-proto.js: Added.
2987         (shouldBe):
2988         (makePolyProtoObject.foo.C):
2989         (makePolyProtoObject.foo):
2990         (makePolyProtoObject):
2991         (target):
2992         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2993         (shouldBe):
2994         (makePolyProtoObject.foo.C):
2995         (makePolyProtoObject.foo):
2996         (makePolyProtoObject):
2997         (target):
2998         * stress/object-get-prototype-of-poly-proto.js: Added.
2999         (shouldBe):
3000         (makePolyProtoObject.foo.C):
3001         (makePolyProtoObject.foo):
3002         (makePolyProtoObject):
3003         (target):
3004         * stress/object-proto-getter-filtered.js: Added.
3005         (shouldBe):
3006         (shouldThrow):
3007         (target):
3008         (i.Cocoa):
3009         * stress/object-proto-getter-poly-mono-proto.js: Added.
3010         (shouldBe):
3011         (makePolyProtoObject.foo.C):
3012         (makePolyProtoObject.foo):
3013         (makePolyProtoObject):
3014         (target):
3015         * stress/object-proto-getter-poly-proto.js: Added.
3016         (shouldBe):
3017         (makePolyProtoObject.foo.C):
3018         (makePolyProtoObject.foo):
3019         (makePolyProtoObject):
3020         (target):
3021         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3022         * stress/string-proto.js: Added.
3023         (shouldBe):
3024         (target):
3025
3026 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3027
3028         Unreviewed, rolling out r223523.
3029
3030         A test for this change is failing on debug JSC bots.
3031
3032         Reverted changeset:
3033
3034         "[JSC] __proto__ getter should be fast"
3035         https://bugs.webkit.org/show_bug.cgi?id=178067
3036         https://trac.webkit.org/changeset/223523
3037
3038 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3039
3040         [JSC] __proto__ getter should be fast
3041         https://bugs.webkit.org/show_bug.cgi?id=178067
3042
3043         Reviewed by Saam Barati.
3044
3045         * stress/dfg-object-proto-accessor.js: Added.
3046         (shouldBe):
3047         (shouldThrow):
3048         (target):
3049         * stress/dfg-object-proto-getter.js: Added.
3050         (shouldBe):
3051         (shouldThrow):
3052         (target):
3053         * stress/dfg-object-prototype-of.js: Added.
3054         (shouldBe):
3055         (shouldThrow):
3056         (target):
3057         * stress/dfg-reflect-get-prototype-of.js: Added.
3058         (shouldBe):
3059         (shouldThrow):
3060         (target):
3061         * stress/object-get-prototype-of-filtered.js: Added.
3062         (shouldBe):
3063         (shouldThrow):
3064         (target):
3065         (i.Cocoa):
3066         * stress/object-get-prototype-of-mono-proto.js: Added.
3067         (shouldBe):
3068         (makePolyProtoObject.foo.C):
3069         (makePolyProtoObject.foo):
3070         (makePolyProtoObject):
3071         (target):
3072         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3073         (shouldBe):
3074         (makePolyProtoObject.foo.C):
3075         (makePolyProtoObject.foo):
3076         (makePolyProtoObject):
3077         (target):
3078         * stress/object-get-prototype-of-poly-proto.js: Added.
3079         (shouldBe):
3080         (makePolyProtoObject.foo.C):
3081         (makePolyProtoObject.foo):
3082         (makePolyProtoObject):
3083         (target):
3084         * stress/object-proto-getter-filtered.js: Added.
3085         (shouldBe):
3086         (shouldThrow):
3087         (target):
3088         (i.Cocoa):
3089         * stress/object-proto-getter-poly-mono-proto.js: Added.
3090         (shouldBe):
3091         (makePolyProtoObject.foo.C):
3092         (makePolyProtoObject.foo):
3093         (makePolyProtoObject):
3094         (target):
3095         * stress/object-proto-getter-poly-proto.js: Added.
3096         (shouldBe):
3097         (makePolyProtoObject.foo.C):
3098         (makePolyProtoObject.foo):
3099         (makePolyProtoObject):
3100         (target):
3101         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3102         * stress/string-proto.js: Added.
3103         (shouldBe):
3104         (target):
3105
3106 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3107
3108         Reland "Add Above/Below comparisons for UInt32 patterns"
3109         https://bugs.webkit.org/show_bug.cgi?id=177281
3110
3111         Reviewed by Saam Barati.
3112
3113         * stress/uint32-comparison-jump.js: Added.
3114         (shouldBe):
3115         (above):
3116         (aboveOrEqual):
3117         (below):
3118         (belowOrEqual):
3119         (notAbove):
3120         (notAboveOrEqual):
3121         (notBelow):
3122         (notBelowOrEqual):
3123         * stress/uint32-comparison.js: Added.
3124         (shouldBe):
3125         (above):
3126         (aboveOrEqual):
3127         (below):
3128         (belowOrEqual):
3129         (aboveTest):
3130         (aboveOrEqualTest):
3131         (belowTest):
3132         (belowOrEqualTest):
3133
3134 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3135
3136         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3137         https://bugs.webkit.org/show_bug.cgi?id=178210
3138
3139         Reviewed by Saam Barati.
3140
3141         * wasm/function-tests/trap-from-start-async.js:
3142         (async.StartTrapsAsync):
3143         * wasm/function-tests/trap-from-start.js:
3144         (StartTraps):
3145         * wasm/js-api/web-assembly-function.js:
3146         (assert.eq.Object.getPrototypeOf):
3147         * wasm/js-api/wrapper-function.js:
3148         (return.new.WebAssembly.Module):
3149         (assert.throws.makeInstance): Deleted.
3150         (assert.throws.Bar): Deleted.
3151         (assert.throws): Deleted.
3152
3153 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3154
3155         Enable gigacage on iOS
3156         https://bugs.webkit.org/show_bug.cgi?id=177586
3157
3158         Reviewed by JF Bastien.
3159         
3160         Add tests for when Gigacage gets runtime disabled.
3161
3162         * stress/disable-gigacage-arrays.js: Added.
3163         (foo):
3164         * stress/disable-gigacage-strings.js: Added.
3165         (foo):
3166         * stress/disable-gigacage-typed-arrays.js: Added.
3167         (foo):
3168
3169 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3170
3171         import.meta should not be assignable
3172         https://bugs.webkit.org/show_bug.cgi?id=178202
3173
3174         Reviewed by Saam Barati.
3175
3176         * modules/import-meta-assignment.js: Added.
3177         (shouldThrow):
3178         (SyntaxError.import.meta.can.shouldThrow):
3179
3180 2017-10-11  Saam Barati  <sbarati@apple.com>
3181
3182         Unreviewed. Actually skip certain type profiler tests in debug.
3183
3184         * typeProfiler.yaml:
3185         * typeProfiler/deltablue-for-of.js:
3186         * typeProfiler/getter-richards.js:
3187
3188 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3189
3190         Unreviewed, rolling out r223113 and r223121.
3191         https://bugs.webkit.org/show_bug.cgi?id=178182
3192
3193         Reintroduced 20% regression on Kraken (Requested by rniwa on
3194         #webkit).
3195
3196         Reverted changesets:
3197
3198         "Enable gigacage on iOS"
3199         https://bugs.webkit.org/show_bug.cgi?id=177586
3200         https://trac.webkit.org/changeset/223113
3201
3202         "Use one virtual allocation for all gigacages and their
3203         runways"
3204         https://bugs.webkit.org/show_bug.cgi?id=178050
3205         https://trac.webkit.org/changeset/223121
3206
3207 2017-10-11  Michael Saboff  <msaboff@apple.com>
3208
3209         Disable test262 named capture group tests with direct unicode names and with references before definitions
3210         https://bugs.webkit.org/show_bug.cgi?id=178177
3211
3212         Bugs to track fixing these tests are:
3213
3214         Bugs to track fixing these test are:
3215         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3216             "Add support in named capture group identifiers for direct surrogate pairs"
3217         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3218             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3219
3220         * test262.yaml:
3221
3222 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3223
3224         Object properties are undefined in super.call() but not in this.call()
3225         https://bugs.webkit.org/show_bug.cgi?id=177230
3226
3227         Reviewed by Saam Barati.
3228
3229         * stress/super-call-function-subclass.js: Added.
3230         (assert):
3231         (A.prototype.t):
3232         (A):
3233         * stress/super-dot-call-and-apply.js: Added.
3234         (assert):
3235         (A):
3236         (A.prototype.call):
3237         (A.prototype.apply):
3238         (B.prototype.testSuper):
3239         (B):
3240         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3241         (D.prototype.testSuper):
3242         (D):
3243
3244 2017-10-10  Saam Barati  <sbarati@apple.com>
3245
3246         The prototype cache should be aware of the Executable it generates a Structure for
3247         https://bugs.webkit.org/show_bug.cgi?id=177907
3248
3249         Reviewed by Filip Pizlo.
3250
3251         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3252         (assert):
3253         (foo.C):
3254         (foo):
3255         (bar.C):
3256         (bar):
3257         (access):
3258         (makeLongChain):
3259         (accessY):
3260
3261 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3262
3263         `async` should be able to be used as an imported binding name
3264         https://bugs.webkit.org/show_bug.cgi?id=176573
3265
3266         Reviewed by Saam Barati.
3267
3268         * modules/import-default-async.js: Added.
3269         * modules/import-named-async-as.js: Added.
3270         * modules/import-named-async.js: Added.
3271         * modules/import-named-async/target.js: Added.
3272         * modules/import-namespace-async.js: Added.
3273         * test262.yaml:
3274
3275 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3276
3277         Enable gigacage on iOS
3278         https://bugs.webkit.org/show_bug.cgi?id=177586
3279
3280         Reviewed by JF Bastien.
3281         
3282         Add tests for when Gigacage gets runtime disabled.
3283
3284         * stress/disable-gigacage-arrays.js: Added.
3285         (foo):
3286         * stress/disable-gigacage-strings.js: Added.
3287         (foo):
3288         * stress/disable-gigacage-typed-arrays.js: Added.
3289         (foo):
3290
3291 2017-10-09  Michael Saboff  <msaboff@apple.com>
3292
3293         Implement RegExp Unicode property escapes
3294         https://bugs.webkit.org/show_bug.cgi?id=172069
3295
3296         Reviewed by JF Bastien.
3297
3298         Enabled Unicode Property tests.
3299
3300         * test262.yaml:
3301
3302 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3303
3304         Unreviewed, rolling out r223015 and r223025.
3305         https://bugs.webkit.org/show_bug.cgi?id=178093
3306
3307         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3308         #webkit).
3309
3310         Reverted changesets:
3311
3312         "Enable gigacage on iOS"
3313         https://bugs.webkit.org/show_bug.cgi?id=177586
3314         http://trac.webkit.org/changeset/223015
3315
3316         "Unreviewed, disable Gigacage on ARM64 Linux"
3317         https://bugs.webkit.org/show_bug.cgi?id=177586
3318         http://trac.webkit.org/changeset/223025
3319
3320 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3321
3322         Update expectations for test262 tests that pass after r223043.
3323         https://bugs.webkit.org/show_bug.cgi?id=176685
3324
3325         Unreviewed test gardening.
3326
3327         * test262.yaml:
3328
3329 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3330
3331         Unreviewed, rolling out r223022.
3332
3333         This change introduced 18 test262 failures.
3334
3335         Reverted changeset:
3336
3337         "`async` should be able to be used as an imported binding
3338         name"
3339         https://bugs.webkit.org/show_bug.cgi?id=176573
3340         http://trac.webkit.org/changeset/223022
3341
3342 2017-10-09  Saam Barati  <sbarati@apple.com>
3343
3344         3 poly-proto JSC tests timing out on debug after r222827
3345         https://bugs.webkit.org/show_bug.cgi?id=177880
3346         <rdar://problem/34817122>
3347
3348         Unreviewed.
3349
3350         I'm skipping these type profiler tests on debug since they are long running.
3351
3352         * typeProfiler/deltablue-for-of.js:
3353         * typeProfiler/getter-richards.js:
3354
3355 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3356
3357         Safari 10 /11 problem with if (!await get(something)).
3358         https://bugs.webkit.org/show_bug.cgi?id=176685
3359
3360         Reviewed by Saam Barati.
3361
3362         * stress/async-await-basic.js:
3363         (awaitEpression.async):
3364         * stress/async-await-syntax.js:
3365         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3366         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3367
3368 2017-10-08  Saam Barati  <sbarati@apple.com>
3369
3370         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3371
3372         * typeProfiler/deltablue-for-of.js:
3373         * typeProfiler/getter-richards.js:
3374
3375 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3376
3377         `async` should be able to be used as an imported binding name
3378         https://bugs.webkit.org/show_bug.cgi?id=176573
3379
3380         Reviewed by Darin Adler.
3381
3382         * modules/import-default-async.js: Added.
3383         * modules/import-named-async-as.js: Added.
3384         * modules/import-named-async.js: Added.
3385         * modules/import-named-async/target.js: Added.
3386         * modules/import-namespace-async.js: Added.
3387
3388 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3389
3390         Enable gigacage on iOS
3391         https://bugs.webkit.org/show_bug.cgi?id=177586
3392
3393         Reviewed by JF Bastien.
3394         
3395         Add tests for when Gigacage gets runtime disabled.
3396
3397         * stress/disable-gigacage-arrays.js: Added.
3398         (foo):
3399         * stress/disable-gigacage-strings.js: Added.
3400         (foo):
3401         * stress/disable-gigacage-typed-arrays.js: Added.
3402         (foo):
3403
3404 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3405
3406         Unreviewed, rolling out r222791 and r222873.
3407         https://bugs.webkit.org/show_bug.cgi?id=178031
3408
3409         Caused crashes with workers/wasm LayoutTests (Requested by
3410         ryanhaddad on #webkit).
3411
3412         Reverted changesets:
3413
3414         "WebAssembly: no VM / JS version of everything but Instance"
3415         https://bugs.webkit.org/show_bug.cgi?id=177473
3416         http://trac.webkit.org/changeset/222791
3417
3418         "WebAssembly: address no VM / JS follow-ups"
3419         https://bugs.webkit.org/show_bug.cgi?id=177887
3420         http://trac.webkit.org/changeset/222873
3421
3422 2017-10-05  Saam Barati  <sbarati@apple.com>
3423
3424         Make sure all prototypes under poly proto get added into the VM's prototype map
3425         https://bugs.webkit.org/show_bug.cgi?id=177909
3426
3427         Reviewed by Keith Miller.
3428
3429         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3430         (assert):
3431         (foo.C):
3432         (foo):
3433         (set x):
3434
3435 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3436
3437         [JSC] Introduce import.meta
3438         https://bugs.webkit.org/show_bug.cgi?id=177703
3439
3440         Reviewed by Filip Pizlo.
3441
3442         * modules/import-meta-syntax.js: Added.
3443         (shouldThrow):
3444         (shouldNotThrow):
3445         * modules/import-meta.js: Added.
3446         * modules/import-meta/cocoa.js: Added.
3447         * modules/resources/assert.js:
3448         (export.shouldNotThrow):
3449         * stress/import-syntax.js:
3450
3451 2017-10-04  Saam Barati  <sbarati@apple.com>
3452
3453         Make pertinent AccessCases watch the poly proto watchpoint
3454         https://bugs.webkit.org/show_bug.cgi?id=177765
3455
3456         Reviewed by Keith Miller.
3457
3458         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3459         (assert):
3460         (foo.C):
3461         (foo):
3462         (validate):
3463         * stress/poly-proto-clear-stub.js: Added.
3464         (assert):
3465         (foo.C):
3466         (foo):
3467
3468 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3469
3470         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3471
3472         Unreviewed test gardening.
3473
3474         * test262.yaml:
3475
3476 2017-10-04  Saam Barati  <sbarati@apple.com>
3477
3478         3 poly-proto JSC tests timing out on debug after r222827
3479         https://bugs.webkit.org/show_bug.cgi?id=177880
3480
3481         Rubber stamped by Mark Lam.
3482
3483         * microbenchmarks/poly-proto-access.js:
3484         * typeProfiler/deltablue-for-of.js:
3485         * typeProfiler/getter-richards.js:
3486
3487 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3488
3489         Unreviewed, marking tco-catch.js as a failure after test262 update
3490         https://bugs.webkit.org/show_bug.cgi?id=177859
3491
3492         * test262.yaml:
3493
3494 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3495
3496         Unreviewed, marking one async iterator test262 test failed
3497         https://bugs.webkit.org/show_bug.cgi?id=177859
3498
3499         * test262.yaml:
3500
3501 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3502
3503         [Test262] Update Test262 to Oct 4 version
3504         https://bugs.webkit.org/show_bug.cgi?id=177859
3505
3506         Reviewed by Sam Weinig.
3507
3508         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3509         we no longer need to mark it skip/fail. Also, this update includes a bunch of BigInt tests.
3510
3511         * test262.yaml:
3512         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3513         (checkSequence):
3514         * test262/harness/typeCoercion.js:
3515         (testCoercibleToIndexZero):
3516         (testCoercibleToIndexOne):
3517         (testCoercibleToIndexFromIndex):
3518         (testNotCoercibleToIndex.testPrimitiveValue):
3519         (testNotCoercibleToInteger):
3520         (testCoercibleToBigIntZero.testPrimitiveValue):
3521         (testCoercibleToBigIntZero):
3522         (testCoercibleToBigIntOne.testPrimitiveValue):
3523         (testCoercibleToBigIntOne):
3524         (testPrimitiveValue):
3525         (testCoercibleToBigIntFromBigInt):
3526         (testNotCoercibleToBigInt.testPrimitiveValue):
3527         (testNotCoercibleToBigInt.testStringValue):
3528         (testNotCoercibleToBigInt):
3529         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3530         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3531         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3532         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3533         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3534         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3535         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3536         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3537         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3538         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3539         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3540         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3541         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3542         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3543         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3544         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3545         (testCoercibleToBigIntZero):
3546         (testCoercibleToBigIntOne):
3547         (testNotCoercibleToBigInt):
3548         (MyError): Deleted.
3549         (valueOf): Deleted.
3550         (toString): Deleted.
3551         (Symbol.toPrimitive): Deleted.
3552         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3553         (testCoercibleToIndexZero):
3554         (testCoercibleToIndexOne):
3555         (testNotCoercibleToIndex):
3556         (MyError): Deleted.
3557         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3558         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3559         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3560         (BigInt.asIntN.valueOf): Deleted.
3561         (BigInt.asIntN.toString): Deleted.
3562         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3563         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3564         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3565         (testCoercibleToBigIntZero):
3566         (testCoercibleToBigIntOne):
3567         (testNotCoercibleToBigInt):
3568         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3569         (testCoercibleToIndexZero):
3570         (testCoercibleToIndexOne):
3571         (testNotCoercibleToIndex):
3572         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3573         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3574         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3575         (bits.valueOf):
3576         (bigint.valueOf):
3577         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3578         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3579         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3580         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3581         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3582         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3583         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3584         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3585         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3586         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3587         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3588         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3589         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3590         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3591         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3592         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3593         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3594         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3595         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3596         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3597         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3598         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3599         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3600         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3601         (replacer):
3602         (BigInt.prototype.toJSON):
3603         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3604         (replacer):
3605         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3606         (BigInt.prototype.toJSON):
3607         * test262/test/built-ins/JSON/stringify/bigint.js:
3608         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3609         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3610         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3611         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3612         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3613         * test262/test/built-ins/Object/proto-from-ctor.js:
3614         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3615         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3616         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3617         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3618         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3619         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3620         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3621         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3622         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3623         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3624         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3625         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3626         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3627         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3628         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3629         * test262/test/built-ins/Proxy/get-fn-realm.js:
3630         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3631         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3632         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3633         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3634         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3635         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3636         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3637         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3638         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3639         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3640         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3641         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3642         (i6.replace):
3643         (i6b.replace):
3644         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3645         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3646         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3647         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3648         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3649         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3650         * test262/test/built-ins/RegExp/u180e.js: Added.
3651         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3652         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3653         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3654         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3655         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3656         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3657         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3658         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3659         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3660         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3661         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3662         * test262/test/built-ins/String/prototype/endsWith/length.js:
3663         * test262/test/built-ins/String/prototype/endsWith/name.js:
3664         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3665         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3666         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3667         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3668         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3669         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3670         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3671         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3672         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3673         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3674         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3675         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3676         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3677         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3678         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3679         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3680         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3681         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3682         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3683         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3684         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3685         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3686         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3687         * test262/test/built-ins/String/prototype/includes/includes.js:
3688         * test262/test/built-ins/String/prototype/includes/length.js:
3689         * test262/test/built-ins/String/prototype/includes/name.js:
3690         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3691         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3692         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3693         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3694         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3695         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3696         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3697         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3698         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3699         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3700         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3701         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3702         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3703         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3704         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3705         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3706         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3707         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3708         * test262/test/built-ins/String/prototype/trim/u180e.js:
3709         * test262/test/built-ins/Symbol/for/cross-realm.js:
3710         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3711         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3712         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3713         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3714         * test262/test/built-ins/Symbol/match/cross-realm.js:
3715         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3716         * test262/test/built-ins/Symbol/search/cross-realm.js:
3717         * test262/test/built-ins/Symbol/species/cross-realm.js:
3718         * test262/test/built-ins/Symbol/split/cross-realm.js:
3719         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3720         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3721         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3722         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3723         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3724         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3725         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3726         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3727         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3728         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3729         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3730         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3731         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3732         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3733         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3734         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3735         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3736         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3737         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3738         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3739         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3740         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3741         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3742         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3743         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3744         * test262/test/language/eval-code/indirect/realm.js:
3745         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3746         (o.get z):
3747         (o.get a):
3748         * test262/test/language/expressions/call/eval-realm-indirect.js:
3749         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3750         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3751         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3752         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3753         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3754         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3755         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3756         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3757         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3758         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3759         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3760         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3761         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3762         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3763         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3764         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3765         * test262/test/language/expressions/less-than/bigint-and-number.js:
3766         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3767         * test262/test/language/expressions/super/realm.js:
3768         * test262/test/language/expressions/tagged-template/cache-realm.js:
3769         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3770         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3771         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3772         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3773         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3774         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3775         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3776         (o.get z):
3777         (o.get a):
3778         * test262/test/language/statements/for-of/iterator-next-reference.js:
3779         (next):
3780         (iterator.next): Deleted.
3781         (x.of.iterable.): Deleted.
3782         (x.of.iterable.get return): Deleted.
3783         (x.of.iterable.iterator.next): Deleted.
3784         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3785         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3786         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3787         * test262/test/language/white-space/mongolian-vowel-separator.js:
3788         * test262/test262-Revision.txt:
3789
3790 2017-10-03  Saam Barati  <sbarati@apple.com>
3791
3792         Implement polymorphic prototypes
3793         https://bugs.webkit.org/show_bug.cgi?id=176391
3794
3795         Reviewed by Filip Pizlo.
3796
3797         * microbenchmarks/poly-proto-access.js: Added.
3798         (assert):
3799         (foo.C):
3800         (foo.C.prototype.get bar):
3801         (foo):
3802         (bar):
3803         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3804         (assert):
3805         (makePolyProtoObject.foo.C):
3806         (makePolyProtoObject.foo):
3807         (makePolyProtoObject):
3808         (performSet):
3809         * microbenchmarks/poly-proto-setter-speed.js: Added.
3810         (assert):
3811         (makePolyProtoObject.foo.C):
3812         (makePolyProtoObject.foo.C.prototype.set p):
3813         (makePolyProtoObject.foo):
3814         (makePolyProtoObject):
3815         (performSet):
3816         * stress/constructor-with-return.js:
3817         (i.tests.forEach.Constructor):
3818         (i.tests.forEach):
3819         (tests.forEach.Constructor): Deleted.
3820         (tests.forEach): Deleted.
3821         * stress/dom-jit-with-poly-proto.js: Added.
3822         (assert):
3823         (makePolyProtoObject.foo.C):
3824         (makePolyProtoObject.foo):
3825         (makePolyProtoObject):
3826         (validate):
3827         * stress/poly-proto-custom-value-and-accessor.js: Added.
3828         (assert):
3829         (makePolyProtoObject.foo.C):
3830         (makePolyProtoObject.foo):
3831         (makePolyProtoObject):
3832         (items.forEach):
3833         (set get for):
3834         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3835         (assert):
3836         (makePolyProtoObject.foo.C):
3837         (makePolyProtoObject.foo):
3838         (makePolyProtoObject):
3839         (foo):
3840         * stress/poly-proto-miss.js: Added.
3841         (makePolyProtoInstanceWithNullPrototype.foo.C):
3842         (makePolyProtoInstanceWithNullPrototype.foo):
3843         (makePolyProtoInstanceWithNullPrototype):
3844         (assert):
3845         (validate):
3846         * stress/poly-proto-op-in-caching.js: Added.
3847         (assert):
3848         (makePolyProtoObject.foo.C):
3849         (makePolyProtoObject.foo):
3850         (makePolyProtoObject):
3851         (validate):
3852         (validate2):
3853         * stress/poly-proto-put-transition.js: Added.
3854         (assert):
3855         (makePolyProtoObject.foo.C):
3856         (makePolyProtoObject.foo):
3857         (makePolyProtoObject):
3858         (performSet):
3859         (i.obj.__proto__.set p):
3860         * stress/poly-proto-set-prototype.js: Added.
3861         (assert):
3862         (let.alternateProto.get x):
3863         (let.alternateProto2.get y):
3864         (let.alternateProto2.get x):
3865         (foo.C):
3866         (foo):
3867         (validate):
3868         * stress/poly-proto-setter.js: Added.
3869         (assert):
3870         (makePolyProtoObject.foo.C):
3871         (makePolyProtoObject.foo.C.prototype.set p):
3872         (makePolyProtoObject.foo.C.prototype.get p):
3873         (makePolyProtoObject.foo):
3874         (makePolyProtoObject):
3875         (performSet):
3876         * stress/poly-proto-using-inheritance.js: Added.
3877         (assert):
3878         (foo.C):
3879         (foo.C.prototype.get baz):
3880         (foo):
3881         (bar.C):
3882         (bar):
3883         (validate):
3884         * stress/primitive-poly-proto.js: Added.
3885         (makePolyProtoInstance.foo.C):
3886         (makePolyProtoInstance.foo):
3887         (makePolyProtoInstance):
3888         (assert):
3889         (validate):
3890         * stress/prototype-is-not-js-object.js: Added.
3891         (foo.bar):
3892         (foo):
3893         (assert):
3894         (validate):
3895         * stress/try-get-by-id-poly-proto.js: Added.
3896         (assert):
3897         (makePolyProtoObject.foo.C):
3898         (makePolyProtoObject.foo):
3899         (makePolyProtoObject):
3900         (tryGetByIdText):
3901         (x.__proto__.get bar):
3902         (validate):
3903         * typeProfiler/overflow.js:
3904
3905 2017-10-03  JF Bastien  <jfbastien@apple.com>
3906
3907         WebAssembly: no VM / JS version of everything but Instance
3908         https://bugs.webkit.org/show_bug.cgi?id=177473
3909
3910         Reviewed by Filip Pizlo.
3911
3912         - Exceeding max on memory growth now returns a range error as per
3913         spec. This is a (very minor) breaking change: it used to throw OOM
3914         error. Update the corresponding test.
3915
3916         * wasm/js-api/memory-grow.js:
3917         (assertEq):
3918         * wasm/js-api/table.js:
3919         (assert.throws):
3920
3921 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3922
3923         Skip JSC test stress/regress-159779-2.js on debug.
3924         https://bugs.webkit.org/show_bug.cgi?id=177204
3925
3926         Unreviewed test gardening.
3927
3928         * stress/regress-159779-2.js:
3929
3930 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3931
3932         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3933         https://bugs.webkit.org/show_bug.cgi?id=175642
3934
3935         Reviewed by Darin Adler.
3936
3937         * ChakraCore/test/Function/apply3.baseline-jsc:
3938
3939 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3940
3941         Unreviewed, rolling out r222564.
3942         https://bugs.webkit.org/show_bug.cgi?id=177720
3943
3944         "It regressed JetStream by 2% on iOS caused by a 50%
3945         regression on the bigfib subtest" (Requested by saamyjoon on
3946         #webkit).
3947
3948         Reverted changeset:
3949
3950         "Add Above/Below comparisons for UInt32 patterns"
3951         https://bugs.webkit.org/show_bug.cgi?id=177281
3952         http://trac.webkit.org/changeset/222564
3953
3954 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3955
3956         [DFG] Support ArrayPush with multiple args
3957         https://bugs.webkit.org/show_bug.cgi?id=175823
3958
3959         Reviewed by Saam Barati.
3960
3961         * microbenchmarks/array-push-0.js: Added.
3962         (arrayPush0):
3963         * microbenchmarks/array-push-1.js: Added.
3964         (arrayPush1):
3965         * microbenchmarks/array-push-2.js: Added.
3966         (arrayPush2):
3967         * microbenchmarks/array-push-3.js: Added.
3968         (arrayPush3):
3969         * stress/array-push-multiple-contiguous.js: Added.
3970         (shouldBe):
3971         (test):
3972         * stress/array-push-multiple-double-nan.js: Added.
3973         (shouldBe):
3974         (test):
3975         * stress/array-push-multiple-double.js: Added.
3976         (shouldBe):
3977         (test):
3978         * stress/array-push-multiple-int32.js: Added.
3979         (shouldBe):
3980         (test):
3981         * stress/array-push-multiple-many-contiguous.js: Added.
3982         (shouldBe):
3983         (test):
3984         * stress/array-push-multiple-many-double.js: Added.
3985         (shouldBe):
3986         (test):
3987         * stress/array-push-multiple-many-int32.js: Added.
3988         (shouldBe):
3989         (test):
3990         * stress/array-push-multiple-many-storage.js: Added.
3991         (shouldBe):
3992         (test):
3993         * stress/array-push-multiple-storage.js: Added.
3994         (shouldBe):
3995         (test):
3996         * stress/array-push-with-force-exit.js: Added.
3997         (target.createBuiltin):
3998
3999 2017-09-29  Saam Barati  <sbarati@apple.com>
4000
4001         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4002         https://bugs.webkit.org/show_bug.cgi?id=177639
4003
4004         Reviewed by Geoffrey Garen.
4005
4006         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
4007         (assert):
4008         (Class):
4009         (items.forEach):
4010         (set get for):
4011
4012 2017-09-29  Commit Queue  <commit-queue@webkit.org>
4013
4014         Unreviewed, rolling out r222563, r222565, and r222581.
4015         https://bugs.webkit.org/show_bug.cgi?id=177675
4016
4017         "It causes a crash when playing youtube videos" (Requested by
4018         saamyjoon on #webkit).
4019
4020         Reverted changesets:
4021
4022         "[DFG] Support ArrayPush with multiple args"
4023         https://bugs.webkit.org/show_bug.cgi?id=175823
4024         http://trac.webkit.org/changeset/222563
4025
4026         "Unreviewed, build fix after r222563"
4027         https://bugs.webkit.org/show_bug.cgi?id=175823
4028         http://trac.webkit.org/changeset/222565
4029
4030         "Unreviewed, fix x86 breaking due to exhausted registers"
4031         https://bugs.webkit.org/show_bug.cgi?id=175823
4032         http://trac.webkit.org/changeset/222581
4033
4034 2017-09-28  Mark Lam  <mark.lam@apple.com>
4035
4036         test262: Unexpected passes after r222617 and r222618.
4037         https://bugs.webkit.org/show_bug.cgi?id=177622
4038         <rdar://problem/34725960>
4039
4040         Reviewed by Saam Barati.
4041
4042         Update test262.yaml for tests that are now passing.
4043
4044         * test262.yaml:
4045
4046 2017-09-27  Michael Saboff  <msaboff@apple.com>
4047
4048         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
4049         https://bugs.webkit.org/show_bug.cgi?id=177570
4050
4051         Reviewed by Filip Pizlo.
4052
4053         New regression test.
4054
4055         * stress/regress-177570.js: Added.
4056
4057 2017-09-28  Michael Saboff  <msaboff@apple.com>
4058
4059         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4060         https://bugs.webkit.org/show_bug.cgi?id=177423
4061
4062         Reviewed by Mark Lam.
4063
4064         Updated regression test.
4065
4066         * stress/regress-177423.js:
4067         (catch):
4068
4069 2017-09-27  Mark Lam  <mark.lam@apple.com>
4070
4071         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
4072         https://bugs.webkit.org/show_bug.cgi?id=177584
4073         <rdar://problem/34463903>
4074
4075         Reviewed by Saam Barati.
4076
4077         * stress/regress-177584.js: Added.
4078         (assertEqual):
4079         (Array.prototype.Symbol.species):
4080
4081 2017-09-27  Saam Barati  <sbarati@apple.com>
4082
4083         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
4084         https://bugs.webkit.org/show_bug.cgi?id=177523
4085
4086         Reviewed by Mark Lam.
4087
4088         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
4089         (assert):
4090         (Test):
4091         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
4092         (addMethods):
4093         (i.Test.prototype.propName):
4094
4095 2017-09-27  Mark Lam  <mark.lam@apple.com>
4096
4097         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4098         https://bugs.webkit.org/show_bug.cgi?id=177423
4099         <rdar://problem/34621320>
4100
4101         Reviewed by Keith Miller.
4102
4103         * stress/regress-177423.js: Added.
4104
4105 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
4106
4107         Add Above/Below comparisons for UInt32 patterns
4108         https://bugs.webkit.org/show_bug.cgi?id=177281
4109
4110         Reviewed by Saam Barati.
4111
4112         * stress/uint32-comparison-jump.js: Added.
4113         (shouldBe):
4114         (above):
4115         (aboveOrEqual):
4116         (below):
4117         (belowOrEqual):
4118         (notAbove):
4119         (notAboveOrEqual):
4120         (notBelow):
4121         (notBelowOrEqual):
4122         * stress/uint32-comparison.js: Added.
4123         (shouldBe):
4124         (above):
4125         (aboveOrEqual):
4126         (below):
4127         (belowOrEqual):
4128         (aboveTest):
4129         (aboveOrEqualTest):
4130         (belowTest):
4131         (belowOrEqualTest):
4132
4133 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
4134
4135         [DFG] Support ArrayPush with multiple args
4136         https://bugs.webkit.org/show_bug.cgi?id=175823
4137
4138         Reviewed by Saam Barati.
4139
4140         * microbenchmarks/array-push-0.js: Added.
4141         (arrayPush0):
4142         * microbenchmarks/array-push-1.js: Added.
4143         (arrayPush1):
4144         * microbenchmarks/array-push-2.js: Added.
4145         (arrayPush2):
4146         * microbenchmarks/array-push-3.js: Added.
4147         (arrayPush3):
4148         * stress/array-push-multiple-contiguous.js: Added.
4149         (shouldBe):
4150         (test):
4151         * stress/array-push-multiple-double-nan.js: Added.
4152         (shouldBe):
4153         (test):
4154         * stress/array-push-multiple-double.js: Added.
4155         (shouldBe):
4156         (test):
4157         * stress/array-push-multiple-int32.js: Added.
4158         (shouldBe):
4159         (test):
4160         * stress/array-push-multiple-many-contiguous.js: Added.
4161         (shouldBe):
4162         (test):
4163         * stress/array-push-multiple-many-double.js: Added.
4164         (shouldBe):
4165         (test):
4166         * stress/array-push-multiple-many-int32.js: Added.
4167         (shouldBe):
4168         (test):
4169         * stress/array-push-multiple-many-storage.js: Added.
4170         (shouldBe):
4171         (test):
4172         * stress/array-push-multiple-storage.js: Added.
4173         (shouldBe):
4174         (test):
4175
4176 2017-09-26  Commit Queue  <commit-queue@webkit.org>
4177
4178         Unreviewed, rolling out r222518.
4179         https://bugs.webkit.org/show_bug.cgi?id=177507
4180
4181         Break the High Sierra build (Requested by yusukesuzuki on
4182         #webkit).
4183
4184         Reverted changeset:
4185
4186         "Add Above/Below comparisons for UInt32 patterns"
4187         https://bugs.webkit.org/show_bug.cgi?id=177281
4188         http://trac.webkit.org/changeset/222518
4189
4190 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4191
4192         Add Above/Below comparisons for UInt32 patterns
4193         https://bugs.webkit.org/show_bug.cgi?id=177281
4194
4195         Reviewed by Saam Barati.
4196
4197         * stress/uint32-comparison-jump.js: Added.
4198         (shouldBe):
4199         (above):
4200         (aboveOrEqual):
4201         (below):
4202         (belowOrEqual):
4203         (notAbove):
4204         (notAboveOrEqual):
4205         (notBelow):
4206         (notBelowOrEqual):
4207         * stress/uint32-comparison.js: Added.
4208         (shouldBe):
4209         (above):
4210         (aboveOrEqual):
4211         (below):
4212         (belowOrEqual):
4213         (aboveTest):
4214         (aboveOrEqualTest):
4215         (belowTest):
4216         (belowOrEqualTest):
4217
4218 2017-09-23  Keith Miller  <keith_miller@apple.com>
4219
4220         Fix infinite looping test262 test
4221         https://bugs.webkit.org/show_bug.cgi?id=177412
4222
4223         Reviewed by Yusuke Suzuki.
4224
4225         This test was poorly designed since failing it would cause the vm
4226         to infinite loop. I've fixed it locally and will fix it on github pending
4227         the results of next week's tc39 meeting.
4228
4229         * test262.yaml:
4230         * test262/test/language/statements/for-of/iterator-next-reference.js:
4231
4232 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
4233
4234         test262: $.agent became $262.agent in test262 update
4235         https://bugs.webkit.org/show_bug.cgi?id=177407
4236
4237         Reviewed by Yusuke Suzuki.
4238
4239         * test262.yaml:
4240         ~320 tests pass now that we correctly make $262 available.
4241
4242 2017-09-22  Keith Miller  <keith_miller@apple.com>
4243
4244         Speculatively change iteration protocol to use the same next function
4245         https://bugs.webkit.org/show_bug.cgi?id=175653
4246
4247         Reviewed by Saam Barati.
4248
4249         Change test to match the new iteration behavior.
4250
4251         * stress/spread-optimized-properly.js:
4252
4253 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
4254
4255         [DFG][FTL] Profile array vector length for array allocation
4256         https://bugs.webkit.org/show_bug.cgi?id=177051
4257
4258         Reviewed by Saam Barati.
4259
4260         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4261         (target):
4262
4263 2017-09-22  Commit Queue  <commit-queue@webkit.org>
4264
4265         Unreviewed, rolling out r222380.
4266         https://bugs.webkit.org/show_bug.cgi?id=177352
4267
4268         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
4269         #webkit).
4270
4271         Reverted changeset:
4272
4273         "[DFG][FTL] Profile array vector length for array allocation"
4274         https://bugs.webkit.org/show_bug.cgi?id=177051
4275         http://trac.webkit.org/changeset/222380
4276
4277 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
4278
4279         [DFG][FTL] Profile array vector length for array allocation
4280         https://bugs.webkit.org/show_bug.cgi?id=177051
4281
4282         Reviewed by Saam Barati.
4283
4284         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4285         (target):
4286
4287 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
4288
4289         Skip new hanging test262 tests.
4290         https://bugs.webkit.org/show_bug.cgi?id=177326
4291
4292         Unreviewed test gardening.
4293
4294         * test262.yaml:
4295
4296 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
4297
4298         Mark 6 test262 tests as passing.
4299         https://bugs.webkit.org/show_bug.cgi?id=177307
4300
4301         Unreviewed test gardening.
4302
4303         * test262.yaml:
4304
4305 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4306
4307         Unreviewed follow-up to r222311.
4308
4309         * test262/harness/sta.js:
4310         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
4311         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
4312         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
4313         * test262/test/built-ins/Array/from/elements-added-after.js:
4314         * test262/test/built-ins/Array/from/elements-deleted-after.js:
4315         * test262/test/built-ins/Array/from/elements-updated-after.js:
4316         * test262/test/built-ins/Array/from/from-array.js:
4317         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
4318         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
4319         * test262/test/built-ins/Array/from/source-array-boundary.js:
4320         * test262/test/built-ins/Array/from/source-object-constructor.js:
4321         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
4322         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
4323         * test262/test/built-ins/Array/from/source-object-length.js:
4324         * test262/test/built-ins/Array/from/source-object-missing.js:
4325         * test262/test/built-ins/Array/from/source-object-without.js:
4326         * test262/test/built-ins/Array/from/this-null.js:
4327         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
4328         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
4329         * test262/test/language/literals/numeric/7.8.3-1gs.js:
4330         * test262/test/language/literals/numeric/7.8.3-2gs.js:
4331         * test262/test/language/literals/numeric/7.8.3-3gs.js:
4332         * test262/test/language/literals/regexp/7.8.5-1gs.js:
4333         * test262/test/language/literals/string/7.8.4-1gs.js:
4334         Fix some files that I failed to update when I applied my patch.
4335
4336 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4337
4338         Update test262 tests
4339         https://bugs.webkit.org/show_bug.cgi?id=177220
4340
4341         Reviewed by Saam Barati and Yusuke Suzuki.
4342
4343         * test262.yaml:
4344         * test262/test262-Revision.txt:
4345         New rebaselined expectations for all tests.
4346
4347         * test262/*:
4348         Updated.
4349
4350 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
4351
4352         [DFG] Remove ToThis more aggressively
4353         https://bugs.webkit.org/show_bug.cgi?id=177056
4354
4355         Reviewed by Saam Barati.
4356
4357         * stress/generator-with-this-strict.js: Added.
4358         (shouldBe):
4359         (generator):
4360         (target):
4361         * stress/generator-with-this.js: Added.
4362         (shouldBe):
4363         (generator):
4364         (target):
4365
4366 2017-09-17  Michael Saboff  <msaboff@apple.com>
4367
4368         https://bugs.webkit.org/show_bug.cgi?id=177038
4369         Add an option to run-jsc-stress-tests to limit test variations to a basic set
4370
4371         Reviewed by JF Bastien.
4372
4373         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
4374         as it dies using too much memory.
4375
4376 2017-09-15  Saam Barati  <sbarati@apple.com>
4377
4378         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
4379         https://bugs.webkit.org/show_bug.cgi?id=176981
4380
4381         Reviewed by Yusuke Suzuki.
4382
4383         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
4384         (assert):
4385         (verify):
4386         (func):
4387         (const.bar.createBuiltin):
4388
4389 2017-09-14  Saam Barati  <sbarati@apple.com>
4390
4391         It should be valid to exit before each set when doing arity fixup when inlining
4392         https://bugs.webkit.org/show_bug.cgi?id=176948
4393
4394         Reviewed by Keith Miller.
4395
4396         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
4397         (baz):
4398         (bar):
4399         (foo):
4400
4401 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
4402
4403         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
4404         https://bugs.webkit.org/show_bug.cgi?id=176867
4405
4406         Reviewed by Sam Weinig.
4407
4408         * microbenchmarks/object-get-own-property-symbols.js: Added.
4409         (test):