ToString constant folds without preserving checks, causing us to break assumptions...
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-30  Saam Barati  <sbarati@apple.com>
2
3         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
4         https://bugs.webkit.org/show_bug.cgi?id=185149
5         <rdar://problem/39455917>
6
7         Reviewed by Filip Pizlo.
8
9         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
10
11 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
12
13         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
14         https://bugs.webkit.org/show_bug.cgi?id=185126
15
16         Reviewed by Saam Barati.
17         
18         I found this bug by accident when I was writing this test for something else.
19         
20         This change also speeds up other benchmarks of this case that we already had. They are all called
21         the licm-dragons tests.
22
23         * microbenchmarks/licm-dragons-two-structures.js: Added.
24         (foo):
25
26 2018-04-29  Commit Queue  <commit-queue@webkit.org>
27
28         Unreviewed, rolling out r231137.
29         https://bugs.webkit.org/show_bug.cgi?id=185118
30
31         It is breaking Test262 language/expressions/multiplication
32         /order-of-evaluation.js (Requested by caiolima on #webkit).
33
34         Reverted changeset:
35
36         "[ESNext][BigInt] Implement support for "*" operation"
37         https://bugs.webkit.org/show_bug.cgi?id=183721
38         https://trac.webkit.org/changeset/231137
39
40 2018-04-28  Saam Barati  <sbarati@apple.com>
41
42         We don't model regexp effects properly
43         https://bugs.webkit.org/show_bug.cgi?id=185059
44         <rdar://problem/39736150>
45
46         Reviewed by Filip Pizlo.
47
48         * stress/regexp-exec-test-effectful-last-index.js: Added.
49         (assert):
50         (foo):
51         (i.regexLastIndex.toString):
52         (bar):
53
54 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
55
56         Token misspelled "tocken" in error message string
57         https://bugs.webkit.org/show_bug.cgi?id=185030
58
59         Reviewed by Saam Barati.
60
61         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
62         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
63         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
64         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
65         (testSyntaxError.String.raw.v):
66         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
67         (testSyntaxError.String.raw.a):
68
69 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
70
71         [ESNext][BigInt] Implement support for "*" operation
72         https://bugs.webkit.org/show_bug.cgi?id=183721
73
74         Reviewed by Saam Barati.
75
76         * bigIntTests.yaml:
77         * stress/big-int-mul-jit.js: Added.
78         * stress/big-int-mul-to-primitive-precedence.js: Added.
79         * stress/big-int-mul-to-primitive.js: Added.
80         * stress/big-int-mul-type-error.js: Added.
81         * stress/big-int-mul-wrapped-value.js: Added.
82         * stress/big-int-multiplication.js: Added.
83         * stress/big-int-multiply-memory-stress.js: Added.
84
85 2018-04-28  Commit Queue  <commit-queue@webkit.org>
86
87         Unreviewed, rolling out r231131.
88         https://bugs.webkit.org/show_bug.cgi?id=185112
89
90         It is breaking Debug build due to unchecked exception
91         (Requested by caiolima on #webkit).
92
93         Reverted changeset:
94
95         "[ESNext][BigInt] Implement support for "*" operation"
96         https://bugs.webkit.org/show_bug.cgi?id=183721
97         https://trac.webkit.org/changeset/231131
98
99 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
100
101         [ESNext][BigInt] Implement support for "*" operation
102         https://bugs.webkit.org/show_bug.cgi?id=183721
103
104         Reviewed by Saam Barati.
105
106         * bigIntTests.yaml:
107         * stress/big-int-mul-jit.js: Added.
108         * stress/big-int-mul-to-primitive-precedence.js: Added.
109         * stress/big-int-mul-to-primitive.js: Added.
110         * stress/big-int-mul-type-error.js: Added.
111         * stress/big-int-mul-wrapped-value.js: Added.
112         * stress/big-int-multiplication.js: Added.
113         * stress/big-int-multiply-memory-stress.js: Added.
114
115 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
116
117         Unreviewed, rolling out r231086.
118
119         Caused JSC test failures due to an unchecked exception.
120
121         Reverted changeset:
122
123         "[ESNext][BigInt] Implement support for "*" operation"
124         https://bugs.webkit.org/show_bug.cgi?id=183721
125         https://trac.webkit.org/changeset/231086
126
127 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
128
129         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
130
131         * test262.yaml: Mark tests as passing.
132
133 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
134
135         [ESNext][BigInt] Implement support for "*" operation
136         https://bugs.webkit.org/show_bug.cgi?id=183721
137
138         Reviewed by Saam Barati.
139
140         * bigIntTests.yaml:
141         * stress/big-int-mul-jit.js: Added.
142         * stress/big-int-mul-to-primitive-precedence.js: Added.
143         * stress/big-int-mul-to-primitive.js: Added.
144         * stress/big-int-mul-type-error.js: Added.
145         * stress/big-int-mul-wrapped-value.js: Added.
146         * stress/big-int-multiplication.js: Added.
147         * stress/big-int-multiply-memory-stress.js: Added.
148
149 2018-04-25  Robin Morisset  <rmorisset@apple.com>
150
151         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
152         https://bugs.webkit.org/show_bug.cgi?id=184773
153         <rdar://problem/37773612>
154
155         Reviewed by Filip Pizlo.
156
157         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
158         so I decided to add it to the stress tests nonetheless.
159
160         * stress/create-rest-while-having-a-bad-time.js: Added.
161         (f):
162         (g):
163         (h):
164
165 2018-04-25  Keith Miller  <keith_miller@apple.com>
166
167         Add missing scope release to functionProtoFuncToString
168         https://bugs.webkit.org/show_bug.cgi?id=184995
169
170         Reviewed by Saam Barati.
171
172         * stress/function-toString-arrow.js: Added.
173         (async):
174
175 2018-04-24  Keith Miller  <keith_miller@apple.com>
176
177         fromCharCode is missing some exception checks
178         https://bugs.webkit.org/show_bug.cgi?id=184952
179
180         Reviewed by Saam Barati.
181
182         * stress/fromCharCode-exception-check.js: Added.
183         (get catch):
184
185 2018-04-24  Mark Lam  <mark.lam@apple.com>
186
187         Gardening: test fix after r230863.
188         https://bugs.webkit.org/show_bug.cgi?id=184846
189         <rdar://problem/39390672>
190
191         Not reviewed.
192
193         * stress/json-stringified-overflow-2.js:
194         (catch):
195         * stress/json-stringified-overflow.js:
196         (catch):
197
198 2018-04-20  JF Bastien  <jfbastien@apple.com>
199
200         Handle more JSON stringify OOM
201         https://bugs.webkit.org/show_bug.cgi?id=184846
202         <rdar://problem/39390672>
203
204         Reviewed by Mark Lam.
205
206         * stress/json-stringified-overflow-2.js: Added. Same as the one
207         below, but with a bigger input which will trigger a different code
208         path.
209         (catch):
210         * stress/json-stringified-overflow.js: Modify the test to only
211         catch OOM on stringification. not on string creation.
212
213 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
214
215         [WebAssembly][Modules] Import tables in wasm modules
216         https://bugs.webkit.org/show_bug.cgi?id=184738
217
218         Reviewed by JF Bastien.
219
220         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
221         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
222         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
223         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
224         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
225         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
226         * wasm/modules/wasm-imports-wasm-exports.js:
227         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
228         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
229         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
230         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
231
232 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
233
234         [WebAssembly][Modules] Import globals from wasm modules
235         https://bugs.webkit.org/show_bug.cgi?id=184736
236
237         Reviewed by JF Bastien.
238
239         * wasm.yaml:
240         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
241         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
242         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
243         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
244         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
245         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
246         * wasm/modules/wasm-imports-wasm-exports.js:
247         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
248         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
249         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
250         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
251
252 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
253
254         Unreviewed, reland r230697, r230720, and r230724.
255         https://bugs.webkit.org/show_bug.cgi?id=184600
256
257         * wasm.yaml:
258         * wasm/modules/constant.wasm: Added.
259         * wasm/modules/constant.wat: Added.
260         * wasm/modules/default-import-star-error.js: Added.
261         (then):
262         * wasm/modules/default-import-star-error/entry.wasm: Added.
263         * wasm/modules/default-import-star-error/entry.wat: Added.
264         * wasm/modules/default-import-star-error/t0.js: Added.
265         * wasm/modules/default-import-star-error/t1.js: Added.
266         * wasm/modules/default-import-star-error/t2.js: Added.
267         (export.default.Cocoa):
268         * wasm/modules/js-wasm-cycle.js: Added.
269         * wasm/modules/js-wasm-cycle/entry.js: Added.
270         (from.string_appeared_here.export.return42):
271         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
272         * wasm/modules/js-wasm-cycle/sum.wat: Added.
273         * wasm/modules/js-wasm-function-namespace.js: Added.
274         (assert.throws):
275         * wasm/modules/js-wasm-function.js: Added.
276         (assert.throws):
277         * wasm/modules/js-wasm-global-namespace.js: Added.
278         (assert.throws):
279         * wasm/modules/js-wasm-global.js: Added.
280         (assert.throws):
281         * wasm/modules/js-wasm-memory-namespace.js: Added.
282         (assert.throws):
283         * wasm/modules/js-wasm-memory.js: Added.
284         (assert.throws):
285         * wasm/modules/js-wasm-start.js: Added.
286         (then):
287         * wasm/modules/js-wasm-table-namespace.js: Added.
288         (assert.throws):
289         * wasm/modules/js-wasm-table.js: Added.
290         (assert.throws):
291         * wasm/modules/memory.wasm: Added.
292         * wasm/modules/memory.wat: Added.
293         * wasm/modules/run-from-wasm.wasm: Added.
294         * wasm/modules/run-from-wasm.wat: Added.
295         * wasm/modules/run-from-wasm/check.js: Added.
296         (export.check):
297         * wasm/modules/start.wasm: Added.
298         * wasm/modules/start.wat: Added.
299         * wasm/modules/sum.wasm: Added.
300         * wasm/modules/sum.wat: Added.
301         * wasm/modules/table.wasm: Added.
302         * wasm/modules/table.wat: Added.
303         * wasm/modules/wasm-imports-js-exports.js: Added.
304         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
305         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
306         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
307         (export.sum):
308         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
309         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
310         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
311         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
312         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
313         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
314         * wasm/modules/wasm-imports-wasm-exports.js: Added.
315         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
316         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
317         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
318         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
319         * wasm/modules/wasm-js-cycle.js: Added.
320         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
321         * wasm/modules/wasm-js-cycle/entry.wat: Added.
322         * wasm/modules/wasm-js-cycle/sum.js: Added.
323         (from.string_appeared_here.export.sum):
324         * wasm/modules/wasm-wasm-cycle.js: Added.
325         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
326         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
327         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
328         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
329
330 2018-04-17  Commit Queue  <commit-queue@webkit.org>
331
332         Unreviewed, rolling out r230697, r230720, and r230724.
333         https://bugs.webkit.org/show_bug.cgi?id=184717
334
335         These caused multiple failures on the Test262 testers.
336         (Requested by mlewis13 on #webkit).
337
338         Reverted changesets:
339
340         "[WebAssembly][Modules] Prototype wasm import"
341         https://bugs.webkit.org/show_bug.cgi?id=184600
342         https://trac.webkit.org/changeset/230697
343
344         "[WebAssembly][Modules] Implement function import from wasm
345         modules"
346         https://bugs.webkit.org/show_bug.cgi?id=184689
347         https://trac.webkit.org/changeset/230720
348
349         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
350         https://bugs.webkit.org/show_bug.cgi?id=184703
351         https://trac.webkit.org/changeset/230724
352
353 2018-04-17  JF Bastien  <jfbastien@apple.com>
354
355         A put is not an ExistingProperty put when we transition a structure because of an attributes change
356         https://bugs.webkit.org/show_bug.cgi?id=184706
357         <rdar://problem/38871451>
358
359         Reviewed by Saam Barati.
360
361         * stress/put-by-id-direct-strict-transition.js: Added.
362         (const.foo):
363         (j.const.obj.set hello):
364         * stress/put-by-id-direct-transition.js: Added.
365         (const.foo):
366         (j.const.obj.set hello):
367         * stress/put-getter-setter-by-id-strict-transition.js: Added.
368         (const.foo):
369         (j.const.obj.set hello):
370         * stress/put-getter-setter-by-id-transition.js: Added.
371         (const.foo):
372         (j.const.obj.set hello):
373
374 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
375
376         PutStackSinkingPhase should know that KillStack means ConflictingFlush
377         https://bugs.webkit.org/show_bug.cgi?id=184672
378
379         Reviewed by Michael Saboff.
380
381         * stress/sink-put-stack-over-kill-stack.js: Added.
382         (avocado_1):
383         (apricot_0):
384         (__c_0):
385         (banana_2):
386
387 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
388
389         [JSC] Rename runWebAssembly to runWebAssemblySuite
390         https://bugs.webkit.org/show_bug.cgi?id=184703
391
392         Reviewed by JF Bastien.
393
394         And add runWebAssembly as a command to simplely run wasm modules.
395
396         * wasm.yaml:
397
398 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
399
400         [WebAssembly][Modules] Implement function import from wasm modules
401         https://bugs.webkit.org/show_bug.cgi?id=184689
402
403         Reviewed by JF Bastien.
404
405         * wasm.yaml:
406         * wasm/modules/js-wasm-cycle.js: Added.
407         * wasm/modules/js-wasm-cycle/entry.js: Added.
408         (from.string_appeared_here.export.return42):
409         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
410         * wasm/modules/js-wasm-cycle/sum.wat: Added.
411         * wasm/modules/run-from-wasm.wasm: Added.
412         * wasm/modules/run-from-wasm.wat: Added.
413         * wasm/modules/run-from-wasm/check.js: Added.
414         (export.check):
415         * wasm/modules/wasm-imports-js-exports.js: Added.
416         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
417         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
418         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
419         (export.sum):
420         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
421         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
422         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
423         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
424         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
425         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
426         * wasm/modules/wasm-imports-wasm-exports.js: Added.
427         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
428         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
429         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
430         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
431         * wasm/modules/wasm-js-cycle.js: Added.
432         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
433         * wasm/modules/wasm-js-cycle/entry.wat: Added.
434         * wasm/modules/wasm-js-cycle/sum.js: Added.
435         (from.string_appeared_here.export.sum):
436         * wasm/modules/wasm-wasm-cycle.js: Added.
437         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
438         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
439         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
440         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
441
442 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
443
444         [WebAssembly][Modules] Prototype wasm import
445         https://bugs.webkit.org/show_bug.cgi?id=184600
446
447         Reviewed by JF Bastien.
448
449         Add wasm and wat files since module loader want to load wasm files from FS.
450         Currently, importing the other modules from wasm is not supported.
451
452         * wasm.yaml:
453         * wasm/modules/constant.wasm: Added.
454         * wasm/modules/constant.wat: Added.
455         * wasm/modules/js-wasm-function-namespace.js: Added.
456         (assert.throws):
457         * wasm/modules/js-wasm-function.js: Added.
458         (assert.throws):
459         * wasm/modules/js-wasm-global-namespace.js: Added.
460         (assert.throws):
461         * wasm/modules/js-wasm-global.js: Added.
462         (assert.throws):
463         * wasm/modules/js-wasm-memory-namespace.js: Added.
464         (assert.throws):
465         * wasm/modules/js-wasm-memory.js: Added.
466         (assert.throws):
467         * wasm/modules/js-wasm-start.js: Added.
468         (then):
469         * wasm/modules/js-wasm-table-namespace.js: Added.
470         (assert.throws):
471         * wasm/modules/js-wasm-table.js: Added.
472         (assert.throws):
473         * wasm/modules/memory.wasm: Added.
474         * wasm/modules/memory.wat: Added.
475         * wasm/modules/start.wasm: Added.
476         * wasm/modules/start.wat: Added.
477         * wasm/modules/sum.wasm: Added.
478         * wasm/modules/sum.wat: Added.
479         * wasm/modules/table.wasm: Added.
480         * wasm/modules/table.wat: Added.
481
482 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
483
484         Function.prototype.caller shouldn't return generator bodies
485         https://bugs.webkit.org/show_bug.cgi?id=184630
486
487         Reviewed by Yusuke Suzuki.
488
489         * stress/function-caller-async-arrow-function-body.js: Added.
490         * stress/function-caller-async-function-body.js: Added.
491         * stress/function-caller-async-generator-body.js: Added.
492         * stress/function-caller-generator-body.js: Added.
493         * stress/function-caller-generator-method-body.js: Added.
494
495 2018-04-12  Tomas Popela  <tpopela@redhat.com>
496
497         Unreviewed, skip JIT tests if it isn't enabled
498
499         See https://bugs.webkit.org/show_bug.cgi?id=182730.
500
501         * stress/big-int-spec-to-primitive.js:
502         * stress/big-int-spec-to-this.js:
503
504 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
505
506         [ESNext][BigInt] Add support for BigInt in SpeculatedType
507         https://bugs.webkit.org/show_bug.cgi?id=182470
508
509         Reviewed by Saam Barati.
510
511         * stress/big-int-spec-to-primitive.js: Added.
512         * stress/big-int-spec-to-this.js: Added.
513         * stress/big-int-strict-equals-jit.js: Added.
514         * stress/big-int-strict-spec-to-this.js: Added.
515         * stress/big-int-type-of-proven-type.js: Added.
516
517 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
518
519         DFG AI and clobberize should agree with each other
520         https://bugs.webkit.org/show_bug.cgi?id=184440
521
522         Reviewed by Saam Barati.
523         
524         Add tests for all of the bugs I fixed.
525
526         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
527         (foo):
528         * stress/new-typed-array-cse-effects.js: Added.
529         (foo):
530         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
531         (foo.theO):
532         (foo):
533         * stress/string-from-char-code-change-structure-not-dead.js: Added.
534         (foo):
535         (i.valueOf):
536         (weirdValue.valueOf):
537         * stress/string-from-char-code-change-structure.js: Added.
538         (foo):
539         (i.valueOf):
540         (weirdValue.valueOf):
541
542 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
543
544         Fix errant Test262 files CRLF to LF for consistency with the original source
545         https://bugs.webkit.org/show_bug.cgi?id=184425
546
547         Reviewed by Yusuke Suzuki.
548
549         * test262/test/built-ins/Math/acosh/nan-returns.js:
550         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
551         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
552         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
553         * test262/test/built-ins/Math/cbrt/prop-desc.js:
554         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
555         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
556         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
557         * test262/test/built-ins/Math/log2/log2-basicTests.js:
558         * test262/test/built-ins/Math/sign/sign-specialVals.js:
559         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
560         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
561         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
562         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
563
564 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
565
566         Unreviewed, remove incorrect entry in test262.yaml
567         https://bugs.webkit.org/show_bug.cgi?id=184266
568
569         * test262.yaml:
570
571 2018-04-08  Valerie Young  <valerie@bocoup.com>
572
573         [JSC] Update Test262 to April 6 version
574         https://bugs.webkit.org/show_bug.cgi?id=184266
575
576         Rubber stamped by Yusuke Suzuki.
577
578 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
579
580         [JSC] Introduce op_get_by_id_direct
581         https://bugs.webkit.org/show_bug.cgi?id=183970
582
583         Reviewed by Filip Pizlo.
584
585         * stress/generator-prototype-copy.js: Added.
586         (gen):
587         (catch):
588         Adopted JF's tests.
589
590         * stress/generator-type-check.js: Added.
591         (shouldThrow):
592         (foo2):
593         (i.shouldThrow):
594         * stress/get-by-id-direct-getter.js: Added.
595         (shouldBe):
596         (shouldThrow):
597         (obj.get hello):
598         (builtin.createBuiltin):
599         (obj2.get length):
600         * stress/get-by-id-direct.js: Added.
601         (shouldBe):
602         (shouldThrow):
603         (builtin.createBuiltin):
604         * test262.yaml:
605         We fixed long-standing spec compatibility issue.
606         As a result, this patch makes several test262 tests passed!
607
608
609 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
610
611         Unreviewed, annotate test with @skip if $memoryLimited
612         https://bugs.webkit.org/show_bug.cgi?id=183894
613
614         * stress/json-stringified-overflow.js:
615
616 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
617
618         Add svn:eol-style to line-terminator-normalisation-CR.js
619         https://bugs.webkit.org/show_bug.cgi?id=184341
620
621         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
622
623 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
624
625         Unreviewed, remove errant LF from existing test262 test for CR line endings.
626
627         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
628
629 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
630
631         Unreviewed, rolling out r230320.
632
633         Revert fix, as the root cause lies elsewhere.
634
635         Reverted changeset:
636
637         "[test262] Mark line-terminator-normalisation-CR.js as a
638         binary file."
639         https://bugs.webkit.org/show_bug.cgi?id=184341
640         https://trac.webkit.org/changeset/230320
641
642 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
643
644         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
645         https://bugs.webkit.org/show_bug.cgi?id=184341
646
647         Reviewed by Yusuke Suzuki.
648
649         This test is all about CR line endings, but `svn-apply` can't deal with them.
650         Treating the file as binary ensures that its contents never are never shown in a diff.
651
652         * .gitattributes: Added.
653
654 2018-04-05  Robin Morisset  <rmorisset@apple.com>
655
656         Fix testcase (missing try/catch).
657         https://bugs.webkit.org/show_bug.cgi?id=183657
658
659         Unreviewed.
660
661         * stress/large-unshift-splice.js
662
663 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
664
665         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
666         https://bugs.webkit.org/show_bug.cgi?id=184319
667
668         Reviewed by Saam Barati.
669
670         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
671         (foo):
672         (bar):
673         * stress/array-push-nan-to-double-array.js: Added.
674         (foo):
675         (bar):
676
677 2018-04-03  Mark Lam  <mark.lam@apple.com>
678
679         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
680         https://bugs.webkit.org/show_bug.cgi?id=184284
681
682         Reviewed by Saam Barati.
683
684         * stress/js-fixed-array-out-of-memory.js:
685
686 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
687
688         JSC crash in JIT code with for-of loop and Array/Set iterators
689         https://bugs.webkit.org/show_bug.cgi?id=183174
690
691         Reviewed by Saam Barati.
692
693         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
694         (foo):
695         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
696         (f):
697
698 2018-03-30  JF Bastien  <jfbastien@apple.com>
699
700         WebAssembly: support DataView compilation
701         https://bugs.webkit.org/show_bug.cgi?id=183342
702
703         Reviewed by Mark Lam.
704
705         Test WebAssembly compilation using a DataView with offset.
706
707         * wasm/regress/183342.js: Added.
708         (attempt.catch):
709
710 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
711
712         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
713         https://bugs.webkit.org/show_bug.cgi?id=184189
714
715         Reviewed by JF Bastien.
716
717         * stress/load-hole-from-scope-into-live-var.js: Added.
718         (result.eval.try.switch):
719         (catch):
720
721 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
722
723         Unreviewed, rolling out r230102.
724
725         Caused assertion failures on JSC bots.
726
727         Reverted changeset:
728
729         "A stack overflow in the parsing of a builtin (called by
730         createExecutable) cause a crash instead of a catchable js
731         exception"
732         https://bugs.webkit.org/show_bug.cgi?id=184074
733         https://trac.webkit.org/changeset/230102
734
735 2018-03-30  Robin Morisset  <rmorisset@apple.com>
736
737         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
738         https://bugs.webkit.org/show_bug.cgi?id=183812
739
740         Reviewed by Keith Miller.
741
742         * stress/inlining-unreachable-non-tail.js: Added.
743         (foo.):
744         (foo):
745
746 2018-03-30  Robin Morisset  <rmorisset@apple.com>
747
748         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
749         https://bugs.webkit.org/show_bug.cgi?id=184074
750         <rdar://problem/37165897>
751
752         Reviewed by Keith Miller.
753
754         * stress/stack-overflow-while-parsing-builtin.js: Added.
755         (f):
756
757 2018-03-30  Robin Morisset  <rmorisset@apple.com>
758
759         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
760         https://bugs.webkit.org/show_bug.cgi?id=183657
761
762         Reviewed by Keith Miller.
763
764         * stress/large-unshift-splice.js: Added.
765         (make_contig_arr):
766
767 2018-03-28  Robin Morisset  <rmorisset@apple.com>
768
769         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
770         https://bugs.webkit.org/show_bug.cgi?id=183894
771
772         Reviewed by Saam Barati.
773
774         * stress/json-stringified-overflow.js: Added.
775         (catch):
776
777 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
778
779         DFG should know that CreateThis can be effectful
780         https://bugs.webkit.org/show_bug.cgi?id=184013
781
782         Reviewed by Saam Barati.
783
784         * stress/create-this-property-change.js: Added.
785         (Foo):
786         (RealBar):
787         (get if):
788         * stress/create-this-structure-change-without-cse.js: Added.
789         (Foo):
790         (RealBar):
791         (get if):
792         * stress/create-this-structure-change.js: Added.
793         (Foo):
794         (RealBar):
795         (get if):
796
797 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
798
799         [DFG] Introduces fused compare and jump
800         https://bugs.webkit.org/show_bug.cgi?id=177100
801
802         Reviewed by Mark Lam.
803
804         * stress/fused-jeq-slow.js: Added.
805         (shouldBe):
806         (testJEQ):
807         (testJNEQB):
808         (testJEQB):
809         (testJNEQF):
810         (testJEQF):
811         * stress/fused-jeq.js: Added.
812         (shouldBe):
813         (testJEQ):
814         (testJNEQB):
815         (testJEQB):
816         (testJNEQF):
817         (testJEQF):
818         * stress/fused-jstricteq-slow.js: Added.
819         (shouldBe):
820         (testJSTRICTEQ):
821         (testJNSTRICTEQB):
822         (testJSTRICTEQB):
823         (testJNSTRICTEQF):
824         (testJSTRICTEQF):
825         * stress/fused-jstricteq.js: Added.
826         (shouldBe):
827         (testJSTRICTEQ):
828         (testJNSTRICTEQB):
829         (testJSTRICTEQB):
830         (testJNSTRICTEQF):
831         (testJSTRICTEQF):
832
833 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
834
835         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
836         https://bugs.webkit.org/show_bug.cgi?id=183559
837
838         Reviewed by Mark Lam.
839
840         * stress/double-to-string-in-loop-removed.js: Added.
841         (test):
842         * stress/int32-to-string-in-loop-removed.js: Added.
843         (test):
844         * stress/int52-to-string-in-loop-removed.js: Added.
845         (test):
846
847 2018-03-22  Michael Saboff  <msaboff@apple.com>
848
849         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
850         https://bugs.webkit.org/show_bug.cgi?id=183901
851
852         Reviewed by Keith Miller.
853
854         New test.
855
856         * stress/array-reverse-doesnt-clobber.js: Added.
857         (testArrayReverse):
858         (createArrayOfArrays):
859         (createArrayStorage):
860
861 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
862
863         ScopedArguments should do poisoning and index masking
864         https://bugs.webkit.org/show_bug.cgi?id=183863
865
866         Reviewed by Mark Lam.
867         
868         Adds another stress test of scoped arguments.
869
870         * stress/scoped-arguments-test.js: Added.
871         (foo):
872
873 2018-03-20  Saam Barati  <sbarati@apple.com>
874
875         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
876         https://bugs.webkit.org/show_bug.cgi?id=183795
877         <rdar://problem/38298694>
878
879         Reviewed by JF Bastien.
880
881         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
882         (foo):
883         (bar):
884
885 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
886
887         [DFG][FTL] Add vectorLengthHint for NewArray
888         https://bugs.webkit.org/show_bug.cgi?id=183694
889
890         Reviewed by Saam Barati.
891
892         * stress/vector-length-hint-array-constructor.js: Added.
893         (shouldBe):
894         (test):
895         * stress/vector-length-hint-new-array.js: Added.
896         (shouldBe):
897         (test):
898
899 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
900
901         [DFG][FTL] Make ArraySlice(0) code tight
902         https://bugs.webkit.org/show_bug.cgi?id=183590
903
904         Reviewed by Saam Barati.
905
906         * stress/array-slice-with-zero.js: Added.
907         (shouldBe):
908         (test):
909         (test2):
910         * stress/array-slice-zero-args.js: Added.
911         (shouldBe):
912         (test):
913
914 2018-03-14  Caitlin Potter  <caitp@igalia.com>
915
916         [JSC] fix order of evaluation for ClassDefinitionEvaluation
917         https://bugs.webkit.org/show_bug.cgi?id=183523
918
919         Reviewed by Keith Miller.
920
921         Computed property names need to be evaluated in source order during class
922         definition evaluation, as it's observable (and specified to work this way).
923
924         This change improves compatibility with Chromium.
925
926         * stress/class_elements.js: Added.
927         (test):
928         (test.C.prototype.effect):
929         (test.C.effect):
930         (test.C.prototype.get effect):
931         (test.C.prototype.set effect):
932         (test.C):
933
934 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
935
936         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
937         https://bugs.webkit.org/show_bug.cgi?id=183310
938
939         Reviewed by Filip Pizlo.
940
941         * stress/ai-create-this-to-new-object-fire.js: Added.
942         (assert):
943         (test):
944         (func):
945         (check):
946         (test.body.A):
947         (test.body.B):
948         (test.body):
949         * stress/ai-create-this-to-new-object.js: Added.
950         (assert):
951         (test):
952         (func):
953         (check):
954         (test.body.A):
955         (test.body.B):
956         (test.body):
957
958 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
959
960         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
961         https://bugs.webkit.org/show_bug.cgi?id=181848
962
963         Reviewed by Sam Weinig.
964
965         * microbenchmarks/regexp-u-global-es5.js: Added.
966         (fn):
967         * microbenchmarks/regexp-u-global-es6.js: Added.
968         (fn):
969         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
970         (shouldBe):
971         (test):
972         (i.switch):
973         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
974         (shouldBe):
975         (test):
976
977 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
978
979         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
980         https://bugs.webkit.org/show_bug.cgi?id=183334
981
982         Reviewed by Žan Doberšek.
983
984         * stress/var-injection-cache-invalidation.js:
985
986 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
987
988         [ARM] Disable tests that run out of memory
989         https://bugs.webkit.org/show_bug.cgi?id=182699
990
991         Reviewed by Žan Doberšek.
992
993         Skip tests that run of of memory. Do not run
994         modules/module-jit-reachability.js without LLInt to prevent
995         running out of executable memory.
996
997         * modules.yaml:
998         * modules/module-jit-reachability.js:
999         * stress/has-own-property-name-cache-string-keys.js:
1000         * stress/has-own-property-name-cache-symbol-keys.js:
1001
1002 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1003
1004         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1005         https://bugs.webkit.org/show_bug.cgi?id=183173
1006
1007         Reviewed by Saam Barati.
1008
1009         * stress/async-arrow-function-in-class-heritage.js: Added.
1010         (testSyntax):
1011         (testSyntaxError):
1012         (SyntaxError):
1013
1014 2018-03-01  Saam Barati  <sbarati@apple.com>
1015
1016         We need to clear cached structures when having a bad time
1017         https://bugs.webkit.org/show_bug.cgi?id=183256
1018         <rdar://problem/36245022>
1019
1020         Reviewed by Mark Lam.
1021
1022         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1023         (assert):
1024         (defineSetter):
1025         (iterate):
1026         (doSlice):
1027
1028 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1029
1030         JSC crash with `import("")`
1031         https://bugs.webkit.org/show_bug.cgi?id=183175
1032
1033         Reviewed by Saam Barati.
1034
1035         * stress/import-with-empty-string.js: Added.
1036
1037 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1038
1039         Unreviewed, skip FTL tests if FTL is disabled
1040         https://bugs.webkit.org/show_bug.cgi?id=183071
1041
1042         * stress/has-indexed-property-array-storage-ftl.js:
1043         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1044
1045 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1046
1047         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1048         https://bugs.webkit.org/show_bug.cgi?id=182965
1049
1050         Reviewed by Saam Barati.
1051
1052         * stress/put-by-val-array-storage.js: Added.
1053         (shouldBe):
1054         (testArrayStorageInBounds):
1055         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1056         (shouldBe):
1057         (testInt32.createBuiltin):
1058         (set for):
1059         * stress/put-by-val-slow-put-array-storage.js: Added.
1060         (shouldBe):
1061         (testArrayStorageInBounds):
1062
1063 2018-02-26  Saam Barati  <sbarati@apple.com>
1064
1065         validateStackAccess should not validate if the offset is within the stack bounds
1066         https://bugs.webkit.org/show_bug.cgi?id=183067
1067         <rdar://problem/37749988>
1068
1069         Reviewed by Mark Lam.
1070
1071         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1072         (assert):
1073         (test.a):
1074         (test.b):
1075         (test):
1076
1077 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1078
1079         Unreviewed, skip FTL tests if FTL is disabled
1080         https://bugs.webkit.org/show_bug.cgi?id=183071
1081
1082         * stress/has-indexed-property-array-storage-ftl.js:
1083         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1084
1085 2018-02-23  Saam Barati  <sbarati@apple.com>
1086
1087         Make Number.isInteger an intrinsic
1088         https://bugs.webkit.org/show_bug.cgi?id=183088
1089
1090         Reviewed by JF Bastien.
1091
1092         * stress/number-is-integer-intrinsic.js: Added.
1093
1094 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1095
1096         WebAssembly: cache memory address / size on instance
1097         https://bugs.webkit.org/show_bug.cgi?id=177305
1098
1099         Reviewed by JF Bastien.
1100
1101         * wasm/function-tests/memory-reuse.js: Added.
1102         (createWasmInstance):
1103         (doCheckTrap):
1104         (doMemoryGrow):
1105         (doCheck):
1106         (checkWasmInstancesWithSharedMemory):
1107
1108 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1109
1110         [JSC] Implement $vm.ftlTrue function for FTL testing
1111         https://bugs.webkit.org/show_bug.cgi?id=183071
1112
1113         Reviewed by Mark Lam.
1114
1115         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1116         (foo):
1117         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1118         (foo):
1119         * stress/dead-fiat-value-to-int52.js:
1120         (foo):
1121         * stress/dead-osr-entry-value.js:
1122         (foo):
1123         * stress/fiat-value-to-int52-then-exit-not-double.js:
1124         (foo):
1125         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1126         (foo):
1127         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1128         (foo):
1129         * stress/fiat-value-to-int52-then-fold.js:
1130         (foo):
1131         * stress/fiat-value-to-int52.js:
1132         (foo):
1133         * stress/fold-based-on-int32-proof-mul-branch.js:
1134         (foo):
1135         * stress/fold-profiled-call-to-call.js:
1136         (foo):
1137         * stress/fold-to-double-constant-then-exit.js:
1138         (foo):
1139         * stress/fold-to-int52-constant-then-exit.js:
1140         (foo):
1141         * stress/fold-to-primitive-in-cfa.js:
1142         (foo):
1143         * stress/fold-to-primitive-to-identity-in-cfa.js:
1144         (foo):
1145         * stress/has-indexed-property-array-storage-ftl.js: Added.
1146         (shouldBe):
1147         (test1):
1148         (test2):
1149         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1150         (shouldBe):
1151         (test1):
1152         (test2):
1153         * stress/int52-ai-add-then-filter-int32.js:
1154         (foo):
1155         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1156         (foo):
1157         * stress/int52-ai-mul-then-filter-int32.js:
1158         (foo):
1159         * stress/int52-ai-neg-then-filter-int32.js:
1160         (foo):
1161         * stress/int52-ai-sub-then-filter-int32.js:
1162         (foo):
1163         * stress/licm-pre-header-cannot-exit-nested.js:
1164         (foo):
1165         * stress/licm-pre-header-cannot-exit.js:
1166         (foo):
1167         * stress/sparse-array-entry-update-144067.js:
1168         (useMemoryToTriggerGCs):
1169         * stress/test-spec-misc.js:
1170         (foo):
1171         * stress/tricky-array-bounds-checks.js:
1172         (foo):
1173
1174 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1175
1176         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1177         https://bugs.webkit.org/show_bug.cgi?id=182792
1178
1179         Reviewed by Mark Lam.
1180
1181         * stress/has-indexed-property-array-storage.js: Added.
1182         (shouldBe):
1183         (test1):
1184         (test2):
1185         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1186         (shouldBe):
1187         (test1):
1188         (test2):
1189
1190 2018-02-20  Saam Barati  <sbarati@apple.com>
1191
1192         DFG::VarargsForwardingPhase should eliminate getting argument length
1193         https://bugs.webkit.org/show_bug.cgi?id=182959
1194
1195         Reviewed by Keith Miller.
1196
1197         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1198
1199 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1200
1201         [FTL] Support ArrayPush for ArrayStorage
1202         https://bugs.webkit.org/show_bug.cgi?id=182782
1203
1204         Reviewed by Saam Barati.
1205
1206         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1207
1208         * stress/array-push-array-storage-beyond-int32.js: Added.
1209         (shouldBe):
1210         (test):
1211         * stress/array-push-array-storage.js: Added.
1212         (shouldBe):
1213         (test):
1214         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1215         (shouldBe):
1216         (test):
1217         * stress/array-push-multiple-storage-continuous.js: Added.
1218         (shouldBe):
1219         (test):
1220
1221 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1222
1223         [FTL] Support ArrayPop for ArrayStorage
1224         https://bugs.webkit.org/show_bug.cgi?id=182783
1225
1226         Reviewed by Saam Barati.
1227
1228         * stress/array-pop-array-storage.js: Added.
1229         (shouldBe):
1230         (test):
1231
1232 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1233
1234         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1235         https://bugs.webkit.org/show_bug.cgi?id=182731
1236
1237         Reviewed by Saam Barati.
1238
1239         * stress/arrayify-array-storage-array.js: Added.
1240         (shouldBe):
1241         (testArrayStorage):
1242         * stress/arrayify-array-storage-non-array.js: Added.
1243         (shouldBe):
1244         (testArrayStorage):
1245         * stress/arrayify-array-storage.js: Added.
1246         (shouldBe):
1247         (testArrayStorage):
1248         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1249         (shouldBe):
1250         (testArrayStorage):
1251         * stress/arrayify-slow-put-array-storage.js: Added.
1252         (shouldBe):
1253         (testArrayStorage):
1254
1255 2018-02-19  Saam Barati  <sbarati@apple.com>
1256
1257         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1258         https://bugs.webkit.org/show_bug.cgi?id=182942
1259         <rdar://problem/37584764>
1260
1261         Reviewed by Mark Lam.
1262
1263         * stress/get-prototype-create-this-effectful.js: Added.
1264
1265 2018-02-16  Saam Barati  <sbarati@apple.com>
1266
1267         Fix bugs from r228411
1268         https://bugs.webkit.org/show_bug.cgi?id=182851
1269         <rdar://problem/37577732>
1270
1271         Reviewed by JF Bastien.
1272
1273         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1274
1275 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1276
1277         Unreviewed, roll out r228366 since it did not progress anything.
1278
1279         * stress/gc-error-stack.js: Removed.
1280         * stress/no-gc-error-stack.js: Removed.
1281
1282 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1283
1284         Many stress tests fail with JIT disabled
1285         https://bugs.webkit.org/show_bug.cgi?id=182730
1286
1287         Reviewed by Saam Barati.
1288
1289         These tests are broken by design if the JIT is disabled - they test
1290         the return value of numberOfDFGCompiles(), which is always set to
1291         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1292
1293         * stress/arith-abs-on-various-types.js:
1294         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1295         * stress/arith-acos-on-various-types.js:
1296         * stress/arith-acosh-on-various-types.js:
1297         * stress/arith-asin-on-various-types.js:
1298         * stress/arith-asinh-on-various-types.js:
1299         * stress/arith-atan-on-various-types.js:
1300         * stress/arith-atanh-on-various-types.js:
1301         * stress/arith-cbrt-on-various-types.js:
1302         * stress/arith-ceil-on-various-types.js:
1303         * stress/arith-clz32-on-various-types.js:
1304         * stress/arith-cos-on-various-types.js:
1305         * stress/arith-cosh-on-various-types.js:
1306         * stress/arith-expm1-on-various-types.js:
1307         * stress/arith-floor-on-various-types.js:
1308         * stress/arith-fround-on-various-types.js:
1309         * stress/arith-log-on-various-types.js:
1310         * stress/arith-log10-on-various-types.js:
1311         * stress/arith-log2-on-various-types.js:
1312         * stress/arith-negate-on-various-types.js:
1313         * stress/arith-round-on-various-types.js:
1314         * stress/arith-sin-on-various-types.js:
1315         * stress/arith-sinh-on-various-types.js:
1316         * stress/arith-sqrt-on-various-types.js:
1317         * stress/arith-tan-on-various-types.js:
1318         * stress/arith-tanh-on-various-types.js:
1319         * stress/arith-trunc-on-various-types.js:
1320         * stress/compare-strict-eq-on-various-types.js:
1321
1322 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1323
1324         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1325
1326         Unreviewed test gardening.
1327
1328         * stress/new-largeish-contiguous-array-with-size.js:
1329
1330 2018-02-14  Saam Barati  <sbarati@apple.com>
1331
1332         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1333         https://bugs.webkit.org/show_bug.cgi?id=182801
1334
1335         Reviewed by Keith Miller.
1336
1337         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1338
1339 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1340
1341         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1342         https://bugs.webkit.org/show_bug.cgi?id=182526
1343
1344         Unreviewed test gardening.
1345
1346         * stress/activation-sink-default-value-tdz-error.js:
1347
1348 2018-02-13  Saam Barati  <sbarati@apple.com>
1349
1350         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1351         https://bugs.webkit.org/show_bug.cgi?id=182755
1352         <rdar://problem/37080864>
1353
1354         Reviewed by Keith Miller.
1355
1356         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1357         (test1.o.get 10005):
1358         (test1):
1359         (test2.o.get 1000):
1360         (test2):
1361
1362 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1363
1364         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1365         https://bugs.webkit.org/show_bug.cgi?id=182717
1366
1367         Reviewed by Yusuke Suzuki.
1368
1369         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1370         literals, to allow template callsite arrays to be collected when the
1371         code containing the tagged template call is collected. This spec change
1372         has received concensus and been ratified.
1373
1374         This change eliminates the eternal map associating template contents
1375         with arrays.
1376
1377         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1378         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1379         * stress/tagged-templates-identity.js:
1380         * stress/template-string-tags-eval.js:
1381         * test262.yaml:
1382
1383 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1384
1385         Support GetArrayLength on ArrayStorage in the FTL
1386         https://bugs.webkit.org/show_bug.cgi?id=182625
1387
1388         Reviewed by Saam Barati.
1389
1390         * stress/array-storage-length.js: Added.
1391         (shouldBe):
1392         (testInBound):
1393         (testUncountable):
1394         (testSlowPutInBound):
1395         (testSlowPutUncountable):
1396         * stress/undecided-length.js: Added.
1397         (shouldBe):
1398         (test2):
1399
1400 2018-02-12  Saam Barati  <sbarati@apple.com>
1401
1402         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1403         https://bugs.webkit.org/show_bug.cgi?id=182706
1404         <rdar://problem/36833681>
1405
1406         Reviewed by Filip Pizlo.
1407
1408         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1409         (effects):
1410         (foo):
1411
1412 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1413
1414         Don't waste memory for error.stack
1415         https://bugs.webkit.org/show_bug.cgi?id=182656
1416
1417         Reviewed by Saam Barati.
1418         
1419         Tests the policy.
1420
1421         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1422         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1423
1424 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1425
1426         [JSC] Update Test262 to Feb 9 version
1427         https://bugs.webkit.org/show_bug.cgi?id=182468
1428
1429         Reviewed by Saam Barati.
1430
1431 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1432
1433         Unreviewed, fix invalid line terminator in old test262 file part 2
1434         https://bugs.webkit.org/show_bug.cgi?id=182468
1435
1436         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1437
1438 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1439
1440         Unreviewed, fix invalid line terminator in old test262 file
1441         https://bugs.webkit.org/show_bug.cgi?id=182468
1442
1443         * test262/test/language/literals/regexp/7.8.5-1.js:
1444
1445 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1446
1447         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1448         https://bugs.webkit.org/show_bug.cgi?id=182440
1449
1450         Reviewed by Darin Adler.
1451
1452         * stress/array-flatmap.js: Added.
1453         (shouldBe):
1454         (shouldBeArray):
1455         (shouldThrow):
1456         (var):
1457         * stress/array-flatten.js: Added.
1458         (shouldBe):
1459         (shouldBeArray):
1460         * test262.yaml:
1461         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1462         (3.flatMap):
1463         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1464
1465 2018-02-06  Keith Miller  <keith_miller@apple.com>
1466
1467         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1468         https://bugs.webkit.org/show_bug.cgi?id=182549
1469         <rdar://problem/36189995>
1470
1471         Reviewed by Saam Barati.
1472
1473         * stress/var-injection-cache-invalidation.js: Added.
1474         (allocateLotsOfThings):
1475         (test):
1476
1477 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1478
1479         Unreviewed, follow up for test262 update
1480         https://bugs.webkit.org/show_bug.cgi?id=182288
1481
1482         * test262.yaml:
1483
1484 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1485
1486         Update test262 to Jan 30 version
1487         https://bugs.webkit.org/show_bug.cgi?id=182288
1488
1489         Unreviewed test gardening.
1490
1491         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1492
1493 2018-02-02  Saam Barati  <sbarati@apple.com>
1494
1495         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1496         https://bugs.webkit.org/show_bug.cgi?id=182368
1497         <rdar://problem/36932466>
1498
1499         Reviewed by Mark Lam.
1500
1501         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1502         (runNearStackLimit.t):
1503         (runNearStackLimit):
1504         (try.runNearStackLimit):
1505         (catch):
1506
1507 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1508
1509         Update test262 to Jan 30 version
1510         https://bugs.webkit.org/show_bug.cgi?id=182288
1511
1512         Rubber stamped by Saam Barati.
1513
1514         This patch updates test262 to the latest one, Jan 30 version.
1515         Since added and changed files are too many, we cannot create ChangeLog.
1516         The following files are changed.
1517
1518         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1519         including some special line terminators (like u2028, u2029).
1520
1521         * test262.yaml:
1522         * test262/test262-Revision.txt:
1523         * test262/*:
1524
1525 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1526
1527         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1528         https://bugs.webkit.org/show_bug.cgi?id=182411
1529
1530         Reviewed by Carlos Alberto Lopez Perez.
1531
1532         This is skipped only on arm memory limited platforms. Until recently
1533         it was not a problem on MIPS as the butterfly was not initialized. But
1534         since r227435, the butterfly is initialized in that test and therefore
1535         memory is allocated, and the test typically takes around 512M, which
1536         means it generally gets OOM-killed on the MIPS buildbot.
1537
1538         * mozilla/mozilla-tests.yaml:
1539
1540 2018-02-01  Mark Lam  <mark.lam@apple.com>
1541
1542         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1543         https://bugs.webkit.org/show_bug.cgi?id=182419
1544         <rdar://problem/37044945>
1545
1546         Reviewed by Saam Barati.
1547
1548         * stress/regress-182419.js: Added.
1549
1550 2018-02-01  Keith Miller  <keith_miller@apple.com>
1551
1552         Fix crashes due to mishandling custom sections.
1553         https://bugs.webkit.org/show_bug.cgi?id=182404
1554         <rdar://problem/36935863>
1555
1556         Reviewed by Saam Barati.
1557
1558         * wasm/Builder.js:
1559         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1560         * wasm/js-api/validate.js:
1561         (assert.truthy):
1562
1563 2018-01-31  Saam Barati  <sbarati@apple.com>
1564
1565         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1566         https://bugs.webkit.org/show_bug.cgi?id=182074
1567         <rdar://problem/36846261>
1568
1569         Reviewed by Mark Lam.
1570
1571         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1572         (assert):
1573         (let.func):
1574         (let.o.foo):
1575         (varFunc):
1576
1577 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1578
1579         Unreviewed, update test262 expects
1580         https://bugs.webkit.org/show_bug.cgi?id=182232
1581
1582         * test262.yaml:
1583
1584 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1585
1586         [JSC] Implement trimStart and trimEnd
1587         https://bugs.webkit.org/show_bug.cgi?id=182233
1588
1589         Reviewed by Mark Lam.
1590
1591         * stress/trim.js: Added.
1592         (shouldBe):
1593         (startTest):
1594         (endTest):
1595         (trimTest):
1596
1597 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1598
1599         [JSC] Relax line terminators in String to make JSON subset of JS
1600         https://bugs.webkit.org/show_bug.cgi?id=182232
1601
1602         Reviewed by Keith Miller.
1603
1604         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1605         * stress/relaxed-line-terminators-in-string.js: Added.
1606         (shouldBe):
1607
1608 2018-01-29  Michael Saboff  <msaboff@apple.com>
1609
1610         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1611         https://bugs.webkit.org/show_bug.cgi?id=182249
1612
1613         Reviewed by Keith Miller.
1614
1615         New regression test.
1616
1617         * stress/compare-clobber-untypeduse.js: Added.
1618
1619 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1620
1621         Unreviewed, rolling out r227725.
1622
1623         This caused internal failures.
1624
1625         Reverted changeset:
1626
1627         "JSC Sampling Profiler: Detect tester and testee when sampling
1628         in RegExp JIT"
1629         https://bugs.webkit.org/show_bug.cgi?id=152729
1630         https://trac.webkit.org/changeset/227725
1631
1632 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1633
1634         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1635         https://bugs.webkit.org/show_bug.cgi?id=152729
1636
1637         Reviewed by Saam Barati.
1638
1639         * stress/sampling-profiler-regexp.js: Added.
1640         (platformSupportsSamplingProfiler.test):
1641         (platformSupportsSamplingProfiler.baz):
1642         (platformSupportsSamplingProfiler):
1643
1644 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1645
1646         [DFG][FTL] WeakMap#set should have DFG node
1647         https://bugs.webkit.org/show_bug.cgi?id=180015
1648
1649         Reviewed by Saam Barati.
1650
1651         * stress/weakmap-set-change-get.js: Added.
1652         (shouldBe):
1653         (test):
1654         * stress/weakmap-set-cse.js: Added.
1655         (shouldBe):
1656         (test):
1657         * stress/weakset-add-change-get.js: Added.
1658         (shouldBe):
1659         * stress/weakset-add-cse.js: Added.
1660         (shouldBe):
1661
1662 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1663
1664         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1665         https://bugs.webkit.org/show_bug.cgi?id=182213
1666
1667         Reviewed by Mark Lam.
1668
1669         * stress/int32-min-to-string.js: Added.
1670         (shouldBe):
1671         (test2):
1672         (test4):
1673         (test8):
1674         (test16):
1675         (test32):
1676         * stress/zero-to-string.js: Added.
1677         (shouldBe):
1678         (test2):
1679         (test4):
1680         (test8):
1681         (test16):
1682         (test32):
1683
1684 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1685
1686         Add more module scope related tests with code evaluation by string
1687         https://bugs.webkit.org/show_bug.cgi?id=181983
1688
1689         Reviewed by Sam Weinig.
1690
1691         Add more module scope related tests. When the original tests are landed,
1692         we do not have browser integration. This patch adds more module scope tests
1693         with dynamically created script evaluation. We add tests with Function
1694         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1695
1696         * modules/scopes-eval.js: Added.
1697         (shouldBe):
1698         * modules/scopes.js:
1699         (shouldBe):
1700
1701 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1702
1703         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1704
1705         * microbenchmarks/array-push-3.js: Removed.
1706         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1707         * microbenchmarks/double-to-int32.js: Removed.
1708         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1709         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1710         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1711         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1712         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1713         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1714         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1715         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1716         * microbenchmarks/map-constant-key.js: Removed.
1717         * microbenchmarks/nested-function-parsing.js: Removed.
1718         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1719         * microbenchmarks/spread-large-array.js: Removed.
1720         * microbenchmarks/string-add-constant-folding.js: Removed.
1721         * microbenchmarks/to-lower-case.js: Removed.
1722         * microbenchmarks/undefined-property-access.js: Removed.
1723         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1724         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1725         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1726         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1727         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1728         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1729         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1730         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1731         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1732         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1733         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1734         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1735         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1736         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1737         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1738         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1739         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1740         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1741
1742 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1743
1744         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1745         https://bugs.webkit.org/show_bug.cgi?id=181739
1746         <rdar://problem/36627662>
1747
1748         Reviewed by Saam Barati.
1749
1750         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1751         (foo):
1752         (bar):
1753
1754 2018-01-22  Michael Saboff  <msaboff@apple.com>
1755
1756         DFG abstract interpreter needs to properly model effects of some Math ops
1757         https://bugs.webkit.org/show_bug.cgi?id=181886
1758
1759         Reviewed by Saam Barati.
1760
1761         New regression test.
1762
1763         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1764         (test):
1765
1766 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1767
1768         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1769         https://bugs.webkit.org/show_bug.cgi?id=181182
1770
1771         Reviewed by Darin Adler.
1772
1773         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1774         * stress/big-int-prototype-to-string-exception.js: Added.
1775         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1776         * stress/number-prototype-to-string-cast-overflow.js: Added.
1777         * stress/number-prototype-to-string-exception.js: Added.
1778         * stress/number-prototype-to-string-wrong-values.js: Added.
1779
1780 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1781
1782         Disable Atomics when SharedArrayBuffer isn’t enabled
1783         https://bugs.webkit.org/show_bug.cgi?id=181572
1784
1785         Unreviewed test gardening.
1786
1787         * test262.yaml: Skip tests that fail after this change.
1788
1789 2018-01-19  Saam Barati  <sbarati@apple.com>
1790
1791         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1792         https://bugs.webkit.org/show_bug.cgi?id=181877
1793         <rdar://problem/36630552>
1794
1795         Reviewed by Mark Lam.
1796
1797         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1798         (runNearStackLimit):
1799         (f1):
1800         (f2):
1801         (f3):
1802         (i.catch):
1803         (i.try.runNearStackLimit):
1804         (catch):
1805
1806 2018-01-19  Saam Barati  <sbarati@apple.com>
1807
1808         Spread's effects are modeled incorrectly both in AI and in Clobberize
1809         https://bugs.webkit.org/show_bug.cgi?id=181867
1810         <rdar://problem/36290415>
1811
1812         Reviewed by Michael Saboff.
1813
1814         * stress/ai-needs-to-model-spreads-effects.js: Added.
1815         (try.p.Symbol.iterator):
1816         (try.go):
1817         (catch):
1818         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1819         (assert):
1820         (foo):
1821         (a.Symbol.iterator):
1822
1823 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1824
1825         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1826         https://bugs.webkit.org/show_bug.cgi?id=181535
1827
1828         * stress/inserted-recovery-with-set-last-index.js:
1829
1830 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1831
1832         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1833         https://bugs.webkit.org/show_bug.cgi?id=181535
1834
1835         Reviewed by Saam Barati.
1836
1837         * stress/inserted-recovery-with-set-last-index.js: Added.
1838         (shouldBe):
1839         (foo):
1840         * stress/materialize-regexp-at-osr-exit.js: Added.
1841         (shouldBe):
1842         (test):
1843         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1844         (shouldBe):
1845         (test):
1846         * stress/materialize-regexp-cyclic-regexp.js: Added.
1847         (shouldBe):
1848         (test):
1849         (i.switch):
1850         * stress/materialize-regexp-cyclic.js: Added.
1851         (shouldBe):
1852         (test):
1853         (i.switch):
1854         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1855         (bar):
1856         (foo):
1857         (test):
1858         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1859         (bar):
1860         (foo):
1861         (test):
1862         * stress/materialize-regexp.js: Added.
1863         (shouldBe):
1864         (test):
1865         * stress/phantom-regexp-regexp-exec.js: Added.
1866         (shouldBe):
1867         (test):
1868         * stress/phantom-regexp-string-match.js: Added.
1869         (shouldBe):
1870         (test):
1871         * stress/regexp-last-index-sinking.js: Added.
1872         (shouldBe):
1873         (test):
1874
1875 2018-01-17  Saam Barati  <sbarati@apple.com>
1876
1877         Disable Atomics when SharedArrayBuffer isn’t enabled
1878         https://bugs.webkit.org/show_bug.cgi?id=181572
1879         <rdar://problem/36553206>
1880
1881         Reviewed by Michael Saboff.
1882
1883         * stress/isLockFree.js:
1884
1885 2018-01-17  Saam Barati  <sbarati@apple.com>
1886
1887         DFG::Node::convertToConstant needs to clear the varargs flags
1888         https://bugs.webkit.org/show_bug.cgi?id=181697
1889         <rdar://problem/36497332>
1890
1891         Reviewed by Yusuke Suzuki.
1892
1893         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1894         (doIndexOf):
1895         (bar):
1896         (i.bar):
1897
1898 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1899
1900         Unreviewed, rolling out r226937.
1901
1902         Tests added with this change are failing due to a missing
1903         exception check.
1904
1905         Reverted changeset:
1906
1907         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1908         double to int32_t"
1909         https://bugs.webkit.org/show_bug.cgi?id=181182
1910         https://trac.webkit.org/changeset/226937
1911
1912 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1913
1914         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1915         https://bugs.webkit.org/show_bug.cgi?id=181182
1916
1917         Reviewed by Darin Adler.
1918
1919         * bigIntTests.yaml:
1920         * stress/big-int-constructor.js:
1921         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1922         (assert):
1923         (assertThrowRangeError):
1924         * stress/number-prototype-to-string-cast-overflow.js: Added.
1925         (assert):
1926         (assertThrowRangeError):
1927
1928 2018-01-12  Saam Barati  <sbarati@apple.com>
1929
1930         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1931         https://bugs.webkit.org/show_bug.cgi?id=181177
1932         <rdar://problem/36205704>
1933
1934         Reviewed by Yusuke Suzuki.
1935
1936         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1937         (runNearStackLimit.t):
1938         (runNearStackLimit):
1939         (test.f):
1940         (test):
1941
1942 2018-01-12  Saam Barati  <sbarati@apple.com>
1943
1944         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1945         https://bugs.webkit.org/show_bug.cgi?id=181562
1946         <rdar://problem/36445624>
1947
1948         Reviewed by Yusuke Suzuki.
1949
1950         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1951         (f):
1952         (foo):
1953
1954 2018-01-11  Saam Barati  <sbarati@apple.com>
1955
1956         When inserting Unreachable in byte code parser we need to flush all the right things
1957         https://bugs.webkit.org/show_bug.cgi?id=181509
1958         <rdar://problem/36423110>
1959
1960         Reviewed by Mark Lam.
1961
1962         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1963
1964 2018-01-11  Saam Barati  <sbarati@apple.com>
1965
1966         JITMathIC code in the FTL is wrong when code gets duplicated
1967         https://bugs.webkit.org/show_bug.cgi?id=181525
1968         <rdar://problem/36351993>
1969
1970         Reviewed by Michael Saboff and Keith Miller.
1971
1972         * stress/allow-math-ic-b3-code-duplication.js: Added.
1973
1974 2018-01-11  Saam Barati  <sbarati@apple.com>
1975
1976         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1977         https://bugs.webkit.org/show_bug.cgi?id=181508
1978
1979         Reviewed by Yusuke Suzuki.
1980
1981         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1982         (assert):
1983         (test1.foo):
1984         (test1):
1985         (test2.foo):
1986         (test2):
1987
1988 2018-01-09  Mark Lam  <mark.lam@apple.com>
1989
1990         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1991         https://bugs.webkit.org/show_bug.cgi?id=181388
1992         <rdar://problem/36349351>
1993
1994         Reviewed by Saam Barati.
1995
1996         * stress/regress-181388.js: Added.
1997
1998 2018-01-08  JF Bastien  <jfbastien@apple.com>
1999
2000         WebAssembly: mask indexed accesses to Table
2001         https://bugs.webkit.org/show_bug.cgi?id=181412
2002         <rdar://problem/36363236>
2003
2004         Reviewed by Saam Barati.
2005
2006         Update error messages.
2007
2008         * wasm/js-api/table.js:
2009         (assert.throws.WebAssembly.Table.prototype.grow):
2010
2011 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2012
2013         Disable SharedArrayBuffer tests missed in r226386.
2014         https://bugs.webkit.org/show_bug.cgi?id=181266
2015
2016         Unreviewed test gardening.
2017
2018         * test262.yaml:
2019
2020 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2021
2022         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2023         https://bugs.webkit.org/show_bug.cgi?id=181321
2024
2025         Reviewed by Saam Barati.
2026
2027         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2028         (shouldBe):
2029         (testFunction):
2030         * test262.yaml:
2031
2032 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2033
2034         Unreviewed, attempt to fix test262 after r226386.
2035
2036         * test262.yaml:
2037
2038 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2039
2040         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2041         https://bugs.webkit.org/show_bug.cgi?id=179911
2042
2043         Reviewed by Saam Barati.
2044
2045         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2046
2047         * stress/map-set-change-get.js: Added.
2048         (shouldBe):
2049         (test):
2050         * stress/map-set-create-bucket.js: Added.
2051         (shouldBe):
2052         (test):
2053         * stress/set-add-create-bucket.js: Added.
2054         (shouldBe):
2055
2056 2018-01-03  Michael Saboff  <msaboff@apple.com>
2057
2058         Disable SharedArrayBuffers from Web API
2059         https://bugs.webkit.org/show_bug.cgi?id=181266
2060
2061         Reviewed by Saam Barati.
2062
2063         Disabled SharedArrayBuffer tests.
2064
2065         * stress/SharedArrayBuffer-opt.js:
2066         * stress/SharedArrayBuffer.js:
2067         * stress/array-buffer-byte-length.js:
2068         * stress/atomics-add-uint32.js:
2069         * stress/atomics-known-int-use.js:
2070         * stress/atomics-neg-zero.js:
2071         * stress/atomics-store-return.js:
2072         * stress/lars-sab-workers.js:
2073         * stress/regress-159779-1.js:
2074         * stress/regress-159779-2.js:
2075         * stress/regress-170473.js:
2076         * test262.yaml:
2077
2078 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2079
2080         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2081         https://bugs.webkit.org/show_bug.cgi?id=181258
2082
2083         Reviewed by Antonio Gomes.
2084
2085         * stress/big-int-constructor-gc.js:
2086         * stress/big-int-constructor-oom.js:
2087
2088 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2089
2090         Inlining of a function that ends in op_unreachable crashes
2091         https://bugs.webkit.org/show_bug.cgi?id=181027
2092
2093         Reviewed by Filip Pizlo.
2094
2095         * stress/inlining-unreachable.js: Added.
2096         (bar):
2097         (baz):
2098         (i.catch):
2099
2100 2018-01-02  Saam Barati  <sbarati@apple.com>
2101
2102         Incorrect assertion inside AccessCase
2103         https://bugs.webkit.org/show_bug.cgi?id=181200
2104         <rdar://problem/35494754>
2105
2106         Reviewed by Yusuke Suzuki.
2107
2108         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2109         (ctor):
2110         (theFunc):
2111         (run):
2112
2113 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2114
2115         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2116         https://bugs.webkit.org/show_bug.cgi?id=175359
2117
2118         Reviewed by Yusuke Suzuki.
2119
2120         * bigIntTests.yaml:
2121         * stress/big-int-as-key.js: Added.
2122         * stress/big-int-constructor-gc.js: Added.
2123         * stress/big-int-constructor-oom.js: Added.
2124         * stress/big-int-constructor-properties.js: Added.
2125         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2126         * stress/big-int-constructor-prototype.js: Added.
2127         * stress/big-int-constructor.js: Added.
2128         * stress/big-int-function-apply.js:
2129         * stress/big-int-length.js: Added.
2130         * stress/big-int-prop-descriptor.js: Added.
2131         * stress/big-int-proto-constructor.js: Added.
2132         * stress/big-int-proto-name.js: Added.
2133         * stress/big-int-prototype-properties.js: Added.
2134         * stress/big-int-prototype-proto.js: Added.
2135         * stress/big-int-prototype-value-of.js: Added.
2136         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2137         * stress/big-int-prototype-to-string-apply.js: Added.
2138         * stress/big-int-to-object.js: Added.
2139         * stress/big-int-to-string.js: Added.
2140
2141 2017-12-28  Saam Barati  <sbarati@apple.com>
2142
2143         Assertion used to determine if something is an async generator is wrong
2144         https://bugs.webkit.org/show_bug.cgi?id=181168
2145         <rdar://problem/35640560>
2146
2147         Reviewed by Yusuke Suzuki.
2148
2149         * stress/async-generator-assertion.js: Added.
2150
2151 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2152
2153         Skip stress/splay-flash-access tests on memory limited platforms
2154         https://bugs.webkit.org/show_bug.cgi?id=181086
2155
2156         Reviewed by Carlos Alberto Lopez Perez.
2157
2158         These tests use about 185M of memory, and occasionally get OOM-killed
2159         on memory limited platforms.
2160
2161         * stress/splay-flash-access-1ms.js:
2162         * stress/splay-flash-access.js:
2163
2164 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2165
2166         Skip slow jsc tests on embedded platforms
2167         https://bugs.webkit.org/show_bug.cgi?id=180937
2168
2169         Reviewed by Carlos Alberto Lopez Perez.
2170
2171         The tests typeProfiler/deltablue-for-of.js and
2172         typeProfiler/getter-richards.js take a very long time in the
2173         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2174         thus always timeout. They should be skipped on these platforms.
2175
2176         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2177         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2178
2179 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2180
2181         [JSC] Do not check isValid() in op_new_regexp
2182         https://bugs.webkit.org/show_bug.cgi?id=180970
2183
2184         Reviewed by Saam Barati.
2185
2186         * stress/regexp-syntax-error-invalid-flags.js: Added.
2187         (shouldThrow):
2188
2189 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2190
2191         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2192         https://bugs.webkit.org/show_bug.cgi?id=180712
2193
2194         Reviewed by Michael Catanzaro.
2195
2196         stress/call-apply-exponential-bytecode-size.js crashes if the
2197         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2198         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2199         should skip the test on other platforms.
2200
2201         * stress/call-apply-exponential-bytecode-size.js:
2202
2203 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2204
2205         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2206         https://bugs.webkit.org/show_bug.cgi?id=179762
2207
2208         Reviewed by Saam Barati.
2209
2210         * stress/call-varargs-double-new-array-buffer.js: Added.
2211         (assert):
2212         (bar):
2213         (foo):
2214         * stress/call-varargs-spread-new-array-buffer.js: Added.
2215         (assert):
2216         (bar):
2217         (foo):
2218         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2219         (assert):
2220         (bar):
2221         (foo):
2222         * stress/forward-varargs-double-new-array-buffer.js: Added.
2223         (assert):
2224         (test.baz):
2225         (test.bar):
2226         (test.foo):
2227         (test):
2228         * stress/new-array-buffer-sinking-osrexit.js: Added.
2229         (target):
2230         (test):
2231         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2232         (shouldBe):
2233         (test):
2234         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2235         (shouldBe):
2236         (target):
2237         (test):
2238         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2239         (assert):
2240         (test1.bar):
2241         (test1.foo):
2242         (test1):
2243         (test2.bar):
2244         (test2.foo):
2245         (test3.baz):
2246         (test3.bar):
2247         (test3.foo):
2248         (test4.baz):
2249         (test4.bar):
2250         (test4.foo):
2251         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2252         (assert):
2253         (test.baz):
2254         (test.bar):
2255         (test.foo):
2256         (test):
2257         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2258         (assert):
2259         (baz):
2260         (bar):
2261         (effects):
2262         (foo):
2263
2264 2017-12-14  Saam Barati  <sbarati@apple.com>
2265
2266         The CleanUp after LICM is erroneously removing a Check
2267         https://bugs.webkit.org/show_bug.cgi?id=180852
2268         <rdar://problem/36063494>
2269
2270         Reviewed by Filip Pizlo.
2271
2272         * stress/dont-run-cleanup-after-licm.js: Added.
2273
2274 2017-12-14  Michael Saboff  <msaboff@apple.com>
2275
2276         REGRESSION (r225695): Repro crash on yahoo login page
2277         https://bugs.webkit.org/show_bug.cgi?id=180761
2278
2279         Reviewed by JF Bastien.
2280
2281         New regression test.
2282
2283         * stress/regress-180761.js: Added.
2284
2285 2017-12-13  Keith Miller  <keith_miller@apple.com>
2286
2287         JSObjects should have a mask for loading indexed properties
2288         https://bugs.webkit.org/show_bug.cgi?id=180768
2289
2290         Reviewed by Mark Lam.
2291
2292         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2293         (test):
2294
2295 2017-12-13  Saam Barati  <sbarati@apple.com>
2296
2297         Arrow functions need their own structure because they have different properties than sloppy functions
2298         https://bugs.webkit.org/show_bug.cgi?id=180779
2299         <rdar://problem/35814591>
2300
2301         Reviewed by Mark Lam.
2302
2303         * stress/arrow-function-needs-its-own-structure.js: Added.
2304         (assert):
2305         (readPrototype):
2306         (noInline.let.f1):
2307         (noInline):
2308
2309 2017-12-13  Saam Barati  <sbarati@apple.com>
2310
2311         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2312         https://bugs.webkit.org/show_bug.cgi?id=163579
2313         <rdar://problem/35455798>
2314
2315         Reviewed by Mark Lam.
2316
2317         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2318         (assert):
2319         (test1):
2320         (i.test1):
2321         (i.test1.C):
2322         (i.test1.async.foo):
2323         (i.test1.foo):
2324         (test2):
2325
2326 2017-12-13  Saam Barati  <sbarati@apple.com>
2327
2328         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2329         https://bugs.webkit.org/show_bug.cgi?id=180734
2330         <rdar://problem/35640547>
2331
2332         Reviewed by Yusuke Suzuki.
2333
2334         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2335         (__isPropertyOfType):
2336         (__getProperties):
2337         (__getObjects):
2338         (__getRandomObject):
2339         (theClass.):
2340         (theClass):
2341         (childClass):
2342         (counter.catch):
2343
2344 2017-12-12  Saam Barati  <sbarati@apple.com>
2345
2346         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2347         https://bugs.webkit.org/show_bug.cgi?id=180725
2348         <rdar://problem/35970511>
2349
2350         Reviewed by Michael Saboff.
2351
2352         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2353         (f1):
2354         (f2):
2355         (let.o2.valueOf):
2356
2357 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2358
2359         [JSC] Implement optimized WeakMap and WeakSet
2360         https://bugs.webkit.org/show_bug.cgi?id=179929
2361
2362         Reviewed by Saam Barati.
2363
2364         * microbenchmarks/weak-map-key.js:
2365         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2366         (assert):
2367         (objectKey):
2368         (let.start.Date.now):
2369         * stress/basic-weakmap.js: Added.
2370         (shouldBe):
2371         (test):
2372         * stress/basic-weakset.js: Added.
2373         (shouldBe):
2374         (test.set new):
2375         * stress/weakmap-cse-set-break.js: Added.
2376         (shouldBe):
2377         (test):
2378         * stress/weakmap-cse.js: Added.
2379         (shouldBe):
2380         (test):
2381         * stress/weakmap-gc.js: Added.
2382         (test):
2383         * stress/weakset-cse-add-break.js: Added.
2384         (shouldBe):
2385         (test.set new):
2386         * stress/weakset-cse.js: Added.
2387         (shouldBe):
2388         (test.set new):
2389         * stress/weakset-gc.js: Added.
2390         (test.set add):
2391         (test.set new):
2392         (test):
2393
2394 2017-12-12  Saam Barati  <sbarati@apple.com>
2395
2396         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2397         https://bugs.webkit.org/show_bug.cgi?id=180723
2398         <rdar://problem/35859726>
2399
2400         Reviewed by JF Bastien.
2401
2402         * stress/get-my-argument-by-val-constant-folding.js: Added.
2403         (test):
2404         (catch):
2405
2406 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2407
2408         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2409         https://bugs.webkit.org/show_bug.cgi?id=179000
2410
2411         Reviewed by Darin Adler and Yusuke Suzuki.
2412
2413         * bigIntTests.yaml: Added.
2414         * stress/big-int-literal-line-terminator.js: Added.
2415         * stress/big-int-literals.js: Added.
2416         * stress/big-int-operations-error.js: Added.
2417         * stress/big-int-type-of.js: Added.
2418         * stress/big-int-white-space-trailing-leading.js: Added.
2419         * stress/big-int-function-apply.js: Added.
2420
2421 2017-12-11  Saam Barati  <sbarati@apple.com>
2422
2423         We need to disableCaching() in ErrorInstance when we materialize properties
2424         https://bugs.webkit.org/show_bug.cgi?id=180343
2425         <rdar://problem/35833002>
2426
2427         Reviewed by Mark Lam.
2428
2429         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2430         (assert):
2431         (makeError):
2432         (storeToStack):
2433         (storeToStackAlreadyMaterialized):
2434
2435 2017-12-05  JF Bastien  <jfbastien@apple.com>
2436
2437         WebAssembly: don't eagerly checksum
2438         https://bugs.webkit.org/show_bug.cgi?id=180441
2439         <rdar://problem/35156628>
2440
2441         Reviewed by Saam Barati.
2442
2443         Checksum is now disabled, so tests only have <?> as the module
2444         name.
2445
2446         * wasm/function-tests/nameSection.js:
2447         * wasm/function-tests/stack-overflow.js:
2448         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2449         (assertOverflows.assertThrows):
2450         (assertOverflows):
2451         * wasm/function-tests/stack-trace.js:
2452
2453 2017-12-04  JF Bastien  <jfbastien@apple.com>
2454
2455         Proxy all functions, except the $ objects
2456         https://bugs.webkit.org/show_bug.cgi?id=180375
2457
2458         Reviewed by Saam Barati.
2459
2460         It looks like this test may have broken some executions because I
2461         call some internal objects. Explicitly ignore objects whose name
2462         starts with "$" because it's a bad idea anyways.
2463
2464         * stress/proxy-all-the-parameters.js:
2465         (generateObjects):
2466         (get throw):
2467
2468 2017-12-04  Saam Barati  <sbarati@apple.com>
2469
2470         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2471         https://bugs.webkit.org/show_bug.cgi?id=180366
2472         <rdar://problem/35685877>
2473
2474         Reviewed by Michael Saboff.
2475
2476         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2477         (theParent):
2478         (test1.base.getParentStaticValue):
2479         (test1.base):
2480         (test1.__v_24888.prototype.set prop):
2481         (test1.__v_24888):
2482         (test2.base.getParentStaticValue):
2483         (test2.base):
2484         (test2.__v_24888.prototype.set prop):
2485         (test2.__v_24888):
2486         (test2):
2487
2488 2017-12-01  JF Bastien  <jfbastien@apple.com>
2489
2490         Try proxying all function arguments
2491         https://bugs.webkit.org/show_bug.cgi?id=180306
2492
2493         Reviewed by Saam Barati.
2494
2495         * stress/proxy-all-the-parameters.js: Added.
2496         (isPropertyOfType):
2497         (getProperties):
2498         (generateObjects):
2499         (getObjects):
2500         (getFunctions):
2501         (get throw):
2502         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2503
2504 2017-12-01  JF Bastien  <jfbastien@apple.com>
2505
2506         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2507         https://bugs.webkit.org/show_bug.cgi?id=180297
2508         <rdar://problem/35745556>
2509
2510         Reviewed by Mark Lam.
2511
2512         * stress/math-exceptions.js: Added.
2513         (get try):
2514         (catch):
2515
2516 2017-12-01  JF Bastien  <jfbastien@apple.com>
2517
2518         JavaScriptCore: add test for weird class static getters
2519         https://bugs.webkit.org/show_bug.cgi?id=180281
2520         <rdar://problem/35592139>
2521
2522         Reviewed by Mark Lam.
2523
2524         I fixed a bug for it in r224927 and didn't add a test. Do so.
2525
2526         * stress/class-static-get-weird.js: Added.
2527         (c.prototype.get name):
2528         (c):
2529         (c.prototype.get arguments):
2530         (c.prototype.get caller):
2531         (c.prototype.get length):
2532
2533 2017-12-01  Saam Barati  <sbarati@apple.com>
2534
2535         Having a bad time needs to handle ArrayClass indexing type as well
2536         https://bugs.webkit.org/show_bug.cgi?id=180274
2537         <rdar://problem/35667869>
2538
2539         Reviewed by Keith Miller and Mark Lam.
2540
2541         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2542         (assert):
2543         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2544         (assert):
2545
2546 2017-12-01  JF Bastien  <jfbastien@apple.com>
2547
2548         WebAssembly: restore cached stack limit after out-call
2549         https://bugs.webkit.org/show_bug.cgi?id=179106
2550         <rdar://problem/35337525>
2551
2552         Reviewed by Saam Barati.
2553
2554         * wasm/function-tests/double-instance.js: Added.
2555         (const.imp.boom):
2556         (const.imp.get callAnother):
2557
2558 2017-11-30  JF Bastien  <jfbastien@apple.com>
2559
2560         WebAssembly: improve stack trace
2561         https://bugs.webkit.org/show_bug.cgi?id=179343
2562
2563         Reviewed by Saam Barati.
2564
2565         Update the tests to follow the new format. Notably, SHA1 module
2566         hash is now included in traces, and stubs are properly identified.
2567
2568         * wasm/assert.js: Add an assertion which matches regular expressions.
2569         * wasm/function-tests/nameSection.js:
2570         * wasm/function-tests/stack-overflow.js:
2571         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2572         (assertOverflows.assertThrows.wasm.1):
2573         (assertOverflows.assertThrows.wasm.0):
2574         (assertOverflows.assertThrows):
2575         (assertOverflows):
2576         * wasm/function-tests/stack-trace.js:
2577         (import.Builder.from.string_appeared_here.assert): Deleted.
2578         * wasm/function-tests/trap-after-cross-instance-call.js:
2579         (wasmFrameCountFromError):
2580         * wasm/function-tests/trap-load-2.js:
2581         (wasmFrameCountFromError):
2582         * wasm/function-tests/trap-load.js:
2583         (wasmFrameCountFromError):
2584
2585 2017-11-30  Mark Lam  <mark.lam@apple.com>
2586
2587         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2588         https://bugs.webkit.org/show_bug.cgi?id=180219
2589         <rdar://problem/35696536>
2590
2591         Reviewed by Filip Pizlo.
2592
2593         * stress/regress-180219.js: Added.
2594
2595 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2596
2597         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2598         https://bugs.webkit.org/show_bug.cgi?id=180190
2599
2600         Reviewed by Mark Lam.
2601
2602         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2603         (shouldBe):
2604         (test1):
2605         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2606         (shouldBe):
2607         (test1):
2608         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2609         (shouldBe):
2610         (test1):
2611         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2612         (shouldBe):
2613         (test1):
2614         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2615         (shouldBe):
2616         (test1):
2617         * stress/operation-in-may-have-negative-int32.js: Added.
2618         (shouldBe):
2619         (test2):
2620         * stress/operation-in-negative-int32-cast.js: Added.
2621         (shouldBe):
2622         (test1):
2623
2624 2017-11-28  JF Bastien  <jfbastien@apple.com>
2625
2626         Strict and sloppy functions shouldn't share structure
2627         https://bugs.webkit.org/show_bug.cgi?id=180103
2628         <rdar://problem/35667847>
2629
2630         Reviewed by Saam Barati.
2631
2632         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2633         because the IC was wrong.
2634         (foo):
2635         (bar):
2636         (baz):
2637         (catch):
2638         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2639         in this patch, but may as well test odd strict mode corner cases.
2640         (bar):
2641         (baz):
2642         (catch):
2643         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2644         (foo):
2645         (bar):
2646         (baz):
2647         (catch):
2648         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2649         next file, but with invalidation of the FunctionExecutable's
2650         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2651         slower path.
2652         (foo):
2653         (bar.const.x):
2654         (bar.const.y):
2655         (bar):
2656         (catch):
2657         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2658         strict nesting works correctly.
2659         (foo):
2660         (bar.baz):
2661         (bar):
2662         * stress/strict-function-structure.js: Added. The test used to
2663         assert in objectProtoFuncHasOwnProperty.
2664         (foo):
2665         (bar):
2666         (baz):
2667         * stress/strict-nested-function-structure.js: Added. Nesting.
2668         (foo):
2669         (bar):
2670         (baz.boo):
2671         (baz):
2672
2673 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2674
2675         The recursive tail call optimisation is wrong on closures
2676         https://bugs.webkit.org/show_bug.cgi?id=179835
2677
2678         Reviewed by Saam Barati.
2679
2680         * stress/closure-recursive-tail-call.js: Added.
2681         (makeClosure):
2682
2683 2017-11-27  JF Bastien  <jfbastien@apple.com>
2684
2685         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2686         https://bugs.webkit.org/show_bug.cgi?id=180051
2687         <rdar://problem/35614371>
2688
2689         Reviewed by Saam Barati.
2690
2691         * stress/rest-parameter-negative.js: Added.
2692         (__f_5484):
2693         (catch):
2694         (__f_5485):
2695         (__v_22598.catch):
2696
2697 2017-11-27  Saam Barati  <sbarati@apple.com>
2698
2699         Spread can escape when CreateRest does not
2700         https://bugs.webkit.org/show_bug.cgi?id=180057
2701         <rdar://problem/35676119>
2702
2703         Reviewed by JF Bastien.
2704
2705         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2706         (assert):
2707         (getProperties):
2708         (theFunc):
2709         (let.obj.valueOf):
2710
2711 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2712
2713         [DFG] Add NormalizeMapKey DFG IR
2714         https://bugs.webkit.org/show_bug.cgi?id=179912
2715
2716         Reviewed by Saam Barati.
2717
2718         * stress/map-untyped-normalize-cse.js: Added.
2719         (shouldBe):
2720         (test):
2721         * stress/map-untyped-normalize.js: Added.
2722         (shouldBe):
2723         (test):
2724         * stress/set-untyped-normalize-cse.js: Added.
2725         (shouldBe):
2726         (set return.set has.set has):
2727         * stress/set-untyped-normalize.js: Added.
2728         (shouldBe):
2729         (set return.set has):
2730
2731 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2732
2733         [FTL] Support DeleteById and DeleteByVal
2734         https://bugs.webkit.org/show_bug.cgi?id=180022
2735
2736         Reviewed by Saam Barati.
2737
2738         * stress/delete-by-id.js: Added.
2739         (shouldBe):
2740         (test1):
2741         (test2):
2742         * stress/delete-by-val-ftl.js: Added.
2743         (shouldBe):
2744         (test1):
2745         (test2):
2746
2747 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2748
2749         [DFG] Introduce {Set,Map,WeakMap}Fields
2750         https://bugs.webkit.org/show_bug.cgi?id=179925
2751
2752         Reviewed by Saam Barati.
2753
2754         * stress/map-set-clobber-map-get.js: Added.
2755         (shouldBe):
2756         (test):
2757         * stress/map-set-does-not-clobber-set-has.js: Added.
2758         (shouldBe):
2759         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2760         (shouldBe):
2761         (test):
2762         * stress/set-add-clobber-set-has.js: Added.
2763         (shouldBe):
2764         * stress/set-add-does-not-clobber-map-get.js: Added.
2765         (shouldBe):
2766
2767 2017-11-24  Mark Lam  <mark.lam@apple.com>
2768
2769         Move unsafe jsc shell test functions to the $vm object.
2770         https://bugs.webkit.org/show_bug.cgi?id=179980
2771
2772         Reviewed by Yusuke Suzuki.
2773
2774         * controlFlowProfiler/driver/driver.js:
2775         * controlFlowProfiler/execution-count.js:
2776         * controlFlowProfiler/if-statement.js:
2777         * controlFlowProfiler/loop-statements.js:
2778         * controlFlowProfiler/switch-statements.js:
2779         * controlFlowProfiler/test-jit.js:
2780         * exceptionFuzz/3d-cube.js:
2781         * exceptionFuzz/date-format-xparb.js:
2782         * exceptionFuzz/earley-boyer.js:
2783         * heapProfiler/basic-edges.js:
2784         * heapProfiler/property-edge-types.js:
2785         * microbenchmarks/try-get-by-id-basic.js:
2786         * microbenchmarks/try-get-by-id-polymorphic.js:
2787         * modules/namespace-object-try-get.js:
2788         * stress/argument-count-bytecode.js:
2789         * stress/argument-intrinsic-basic.js:
2790         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2791         * stress/argument-intrinsic-inlining-with-result-escape.js:
2792         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2793         * stress/argument-intrinsic-inlining-with-vararg.js:
2794         * stress/argument-intrinsic-nested-inlining.js:
2795         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2796         * stress/argument-intrinsic-with-stack-write.js:
2797         * stress/arity-mismatch-get-argument.js:
2798         * stress/array-message-passing.js:
2799         * stress/array-push-with-force-exit.js:
2800         * stress/check-dom-with-signature.js:
2801         * stress/check-sub-class.js:
2802         * stress/compare-eq-incomplete-profile.js:
2803         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2804         * stress/do-eval-virtual-call-correctly.js:
2805         * stress/dom-jit-with-poly-proto.js:
2806         * stress/domjit-exception-ic.js:
2807         * stress/domjit-exception.js:
2808         * stress/domjit-getter-complex-with-incorrect-object.js:
2809         * stress/domjit-getter-complex.js:
2810         * stress/domjit-getter-poly.js:
2811         * stress/domjit-getter-proto.js:
2812         * stress/domjit-getter-super-poly.js:
2813         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2814         * stress/domjit-getter-type-check.js:
2815         * stress/domjit-getter.js:
2816         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2817         * stress/for-in-proxy-target-changed-structure.js:
2818         * stress/for-in-proxy.js:
2819         * stress/generational-opaque-roots.js:
2820         * stress/global-const-redeclaration-setting-2.js:
2821         * stress/global-const-redeclaration-setting-3.js:
2822         * stress/global-const-redeclaration-setting-4.js:
2823         * stress/global-const-redeclaration-setting-5.js:
2824         * stress/global-const-redeclaration-setting.js:
2825         * stress/import-basic.js:
2826         * stress/import-from-eval.js:
2827         * stress/import-reject-with-exception.js:
2828         * stress/import-syntax.js:
2829         * stress/impure-get-own-property-slot-inline-cache.js:
2830         * stress/is-constructor.js:
2831         * stress/istypedarrayview-intrinsic.js:
2832         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2833         * stress/jsc-test-functions-should-be-more-robust.js:
2834         * stress/object-toString-with-proxy.js:
2835         * stress/poly-proto-custom-value-and-accessor.js:
2836         * stress/proxy-inline-cache.js:
2837         * stress/re-execute-error-module.js:
2838         * stress/regress-150532.js:
2839         * stress/regress-156992.js:
2840         * stress/regress-179619.js:
2841         * stress/resources/shadow-chicken-support.js:
2842         * stress/runtime-array.js:
2843         * stress/sampling-profiler-microtasks.js:
2844         * stress/shadow-chicken-enabled.js:
2845         * stress/spread-correct-global-object-on-exception.js:
2846         * stress/super-get-by-id.js:
2847         * stress/tailCallForwardArguments.js:
2848         * stress/to-object-intrinsic-boolean-edge.js:
2849         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2850         * stress/to-object-intrinsic-number-edge.js:
2851         * stress/to-object-intrinsic-object-edge.js:
2852         * stress/to-object-intrinsic-string-edge.js:
2853         * stress/to-object-intrinsic-symbol-edge.js:
2854         * stress/to-object-intrinsic.js:
2855         * stress/try-catch-custom-getter-as-get-by-id.js:
2856         * stress/try-get-by-id-poly-proto.js:
2857         * stress/try-get-by-id-should-spill-registers-dfg.js:
2858         * stress/try-get-by-id.js:
2859         * typeProfiler/arrow-functions.js:
2860         * typeProfiler/basic.js:
2861         * typeProfiler/captured.js:
2862         * typeProfiler/classes.js:
2863         * typeProfiler/dfg-jit-optimizations.js:
2864         * typeProfiler/dictionary-mode.js:
2865         * typeProfiler/es6-block-scoping.js:
2866         * typeProfiler/es6-classes.js:
2867         * typeProfiler/inheritance.js:
2868         * typeProfiler/int52-dfg.js:
2869         * typeProfiler/loop.js:
2870         * typeProfiler/optional-fields.js:
2871         * typeProfiler/overflow.js:
2872         * typeProfiler/return.js:
2873         * typeProfiler/symbol.js:
2874         * typeProfiler/weird-prototype-chain.js:
2875
2876 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2877
2878         [DFG][FTL] Support MapSet / SetAdd intrinsics
2879         https://bugs.webkit.org/show_bug.cgi?id=179858
2880
2881         Reviewed by Saam Barati.
2882
2883         * microbenchmarks/map-has-and-set.js: Added.
2884         (test):
2885         * stress/map-set-check-failure.js: Added.
2886         (shouldBe):
2887         (shouldThrow):
2888         (target):
2889         * stress/map-set-cse.js: Added.
2890         (shouldBe):
2891         (test):
2892         * stress/set-add-check-failure.js: Added.
2893         (shouldBe):
2894         (shouldThrow):
2895         (set shouldThrow):
2896         * stress/set-add-cse.js: Added.
2897         (shouldBe):
2898
2899 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2900
2901         [JSC] Allow poly proto for intrinsic getters
2902         https://bugs.webkit.org/show_bug.cgi?id=179550
2903
2904         Reviewed by Saam Barati.
2905
2906         This change is also tested by existing tests.
2907
2908             1. stress/intrinsic-getter-with-poly-proto.js
2909             2. stress/poly-proto-intrinsic-getter-correctness.js
2910
2911         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2912         (shouldBe):
2913         (makePolyProtoObject.foo.C):
2914         (makePolyProtoObject.foo):
2915         (makePolyProtoObject):
2916         (target):
2917         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2918         (shouldBe):
2919         (makePolyProtoObject.foo.C):
2920         (makePolyProtoObject.foo):
2921         (makePolyProtoObject):
2922         (target):
2923
2924 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2925
2926         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2927         https://bugs.webkit.org/show_bug.cgi?id=179744
2928
2929         Reviewed by Michael Catanzaro.
2930
2931         This test uses too much memory for our buildbots on these platforms
2932         and gets OOM-killed.
2933
2934         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2935         Skip if $memoryLimited and linux.
2936
2937 2017-11-17  JF Bastien  <jfbastien@apple.com>
2938
2939         WebAssembly JS API: throw when a promise can't be created
2940         https://bugs.webkit.org/show_bug.cgi?id=179826
2941         <rdar://problem/35455813>
2942
2943         Reviewed by Mark Lam.
2944
2945         Test WebAssembly.{compile,instantiate} where promise creation
2946         fails because of a stack overflow.
2947
2948         * wasm/js-api/promise-stack-overflow.js: Added.
2949         (const.runNearStackLimit.f.const.t):
2950         (async.testCompile):
2951         (async.testInstantiate):
2952
2953 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2954
2955         Unreviewed, mark regress-178385.js as memory exhausting
2956
2957         * stress/regress-178385.js:
2958
2959 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2960
2961         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2962
2963         Unreviewed test gardening.
2964
2965         * test262.yaml:
2966
2967 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2968
2969         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2970         https://bugs.webkit.org/show_bug.cgi?id=179763
2971         <rdar://problem/35550513>
2972
2973         Reviewed by Keith Miller.
2974
2975         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2976
2977         * stress/tdz-this-in-try-catch.js: Added.
2978         (__v_6388):
2979         (__v_6392):
2980
2981 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2982
2983         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2984         https://bugs.webkit.org/show_bug.cgi?id=179594
2985
2986         Reviewed by Saam Barati.
2987
2988         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2989         (shouldBe):
2990         (args):
2991         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2992         (shouldBe):
2993         (args):
2994
2995 2017-11-14  Saam Barati  <sbarati@apple.com>
2996
2997         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2998         https://bugs.webkit.org/show_bug.cgi?id=179639
2999         <rdar://problem/35513018>
3000
3001         Reviewed by JF Bastien.
3002
3003         * wasm/function-tests/grow-memory-cause-gc.js: Added.
3004         (escape):
3005         (i.func):
3006
3007 2017-11-13  Mark Lam  <mark.lam@apple.com>
3008
3009         Add more overflow check book-keeping for MarkedArgumentBuffer.
3010         https://bugs.webkit.org/show_bug.cgi?id=179634
3011         <rdar://problem/35492517>
3012
3013         Reviewed by Saam Barati.
3014
3015         * stress/regress-179634.js: Added.
3016
3017 2017-11-13  Mark Lam  <mark.lam@apple.com>
3018
3019         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3020         https://bugs.webkit.org/show_bug.cgi?id=179619
3021         <rdar://problem/35492518>
3022
3023         Reviewed by Saam Barati.
3024
3025         * stress/regress-179619.js: Added.
3026
3027 2017-11-12  Mark Lam  <mark.lam@apple.com>
3028
3029         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3030         https://bugs.webkit.org/show_bug.cgi?id=179562
3031         <rdar://problem/35467022>
3032
3033         Reviewed by Saam Barati.
3034
3035         * regress-179562.js: Added.
3036
3037 2017-11-08  Saam Barati  <sbarati@apple.com>
3038
3039         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3040         https://bugs.webkit.org/show_bug.cgi?id=177792
3041
3042         Reviewed by Yusuke Suzuki.
3043
3044         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3045         (assert):
3046         (foo.Foo.prototype.ensureX):
3047         (foo.Foo):
3048         (foo):
3049         (access):
3050
3051 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3052
3053         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3054         https://bugs.webkit.org/show_bug.cgi?id=178592
3055
3056         Unreviewed test gardening.
3057
3058         * test262.yaml:
3059
3060 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3061
3062         Turn recursive tail calls into loops
3063         https://bugs.webkit.org/show_bug.cgi?id=176601
3064
3065         Reviewed by Saam Barati.
3066
3067         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3068
3069         Add some simple test that computes factorial in several ways, and other trivial computations.
3070         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3071         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3072         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3073         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3074
3075         * stress/inline-call-to-recursive-tail-call.js: Added.
3076         (factorial.aux):
3077         (factorial):
3078         (factorial2.aux2):
3079         (factorial2.id):
3080         (factorial2):
3081         (factorial3.aux3):
3082         (factorial3):
3083         (aux4):
3084         (factorial4):
3085         (foo):
3086         (auxBar):
3087         (bar):
3088         (test):
3089
3090 2017-11-07  Mark Lam  <mark.lam@apple.com>
3091
3092         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3093         https://bugs.webkit.org/show_bug.cgi?id=179355
3094         <rdar://problem/35263053>
3095
3096         Reviewed by Saam Barati.
3097
3098         * stress/regress-179355.js: Added.
3099
3100 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3101
3102         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3103         https://bugs.webkit.org/show_bug.cgi?id=144458
3104
3105         Reviewed by Saam Barati.
3106
3107         * microbenchmarks/dfg-internal-function-call.js: Added.
3108         (target):
3109         * microbenchmarks/dfg-internal-function-construct.js: Added.
3110         (target):
3111         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3112         (target):
3113         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3114         (target):
3115         * stress/dfg-internal-function-call.js: Added.
3116         (shouldBe):
3117         (target):
3118         * stress/dfg-internal-function-construct.js: Added.
3119         (shouldBe):
3120         (target):
3121         * stress/internal-function-call.js: Added.
3122         (shouldBe):
3123         * stress/internal-function-construct.js: Added.
3124         (shouldBe):
3125
3126 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3127
3128         [Win] Skip stress/regress-178385.js.
3129         https://bugs.webkit.org/show_bug.cgi?id=179298
3130
3131         Unreviewed test gardening.
3132
3133         * stress/regress-178385.js:
3134
3135 2017-11-03  Keith Miller  <keith_miller@apple.com>
3136
3137         Add test for ic with side effects
3138         https://bugs.webkit.org/show_bug.cgi?id=179268
3139
3140         Reviewed by Saam Barati.
3141
3142         * stress/put-inline-cache-side-effects.js: Added.
3143         (let.i.of.objs.keys):
3144         (f):
3145
3146 2017-11-03  Mark Lam  <mark.lam@apple.com>
3147
3148         CachedCall (and its clients) needs overflow checks.
3149         https://bugs.webkit.org/show_bug.cgi?id=179185
3150
3151         Reviewed by JF Bastien.
3152
3153         * stress/regress-179185.js: Added.
3154
3155 2017-11-02  Michael Saboff  <msaboff@apple.com>
3156
3157         DFG needs to handle code motion of code in for..in loop bodies
3158         https://bugs.webkit.org/show_bug.cgi?id=179212
3159
3160         Reviewed by Keith Miller.
3161
3162         New regression test.
3163
3164         * stress/for-in-side-effects.js: Added.
3165         (getPrototypeOf):
3166         (reset):
3167         (testWithoutFTL.f):
3168         (testWithoutFTL):
3169         (testWithFTL.f):
3170         (testWithFTL):
3171
3172 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3173
3174         AI does not correctly model the clobber case of ArithClz32
3175         https://bugs.webkit.org/show_bug.cgi?id=179188
3176
3177         Reviewed by Michael Saboff.
3178
3179         * stress/arith-clz32-effects.js: Added.
3180         (foo):
3181         (valueOf):
3182
3183 2017-11-01  Michael Saboff  <msaboff@apple.com>
3184
3185         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3186         https://bugs.webkit.org/show_bug.cgi?id=179140
3187
3188         Reviewed by Saam Barati.
3189
3190         New regression test.
3191
3192         * stress/regress-179140.js: Added.
3193         (testWithoutFTL):
3194         (testWithFTL):
3195
3196 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3197
3198         [JSC] Introduce @toObject
3199         https://bugs.webkit.org/show_bug.cgi?id=178726
3200
3201         Reviewed by Saam Barati.
3202
3203         * stress/array-copywithin.js:
3204         (shouldThrow):
3205         * stress/object-constructor-boolean-edge.js: Added.
3206         (shouldBe):
3207         (test):
3208         * stress/object-constructor-global.js: Added.
3209         (shouldBe):
3210         * stress/object-constructor-null-edge.js: Added.
3211         (shouldBe):
3212         (test):
3213         * stress/object-constructor-number-edge.js: Added.
3214         (shouldBe):
3215         (test):
3216         * stress/object-constructor-object-edge.js: Added.
3217         (shouldBe):
3218         (test):
3219         (i.arg):
3220         * stress/object-constructor-string-edge.js: Added.
3221         (shouldBe):
3222         (test):
3223         * stress/object-constructor-symbol-edge.js: Added.
3224         (shouldBe):
3225         (test):
3226         * stress/object-constructor-undefined-edge.js: Added.
3227         (shouldBe):
3228         (test):
3229         * stress/symbol-array-from.js: Added.
3230         (shouldBe):
3231         * stress/to-object-intrinsic-boolean-edge.js: Added.
3232         (shouldBe):
3233         (builtin.createBuiltin):
3234         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3235         (shouldThrow):
3236         * stress/to-object-intrinsic-number-edge.js: Added.
3237         (shouldBe):
3238         (builtin.createBuiltin):
3239         * stress/to-object-intrinsic-object-edge.js: Added.
3240         (shouldBe):
3241         (builtin.createBuiltin):
3242         (i.arg):
3243         * stress/to-object-intrinsic-string-edge.js: Added.
3244         (shouldBe):
3245         (builtin.createBuiltin):
3246         * stress/to-object-intrinsic-symbol-edge.js: Added.
3247         (shouldBe):
3248         (builtin.createBuiltin):
3249         * stress/to-object-intrinsic.js: Added.
3250         (shouldBe):
3251         (shouldThrow):
3252         (builtin.createBuiltin):
3253
3254 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3255
3256         [DFG][FTL] Introduce StringSlice
3257         https://bugs.webkit.org/show_bug.cgi?id=178934
3258
3259         Reviewed by Saam Barati.
3260
3261         * microbenchmarks/string-slice-empty.js: Added.
3262         (slice):
3263         * microbenchmarks/string-slice-one-char.js: Added.
3264         (slice):
3265         * microbenchmarks/string-slice.js: Added.
3266         (slice):
3267
3268 2017-10-26  Michael Saboff  <msaboff@apple.com>
3269
3270         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3271         https://bugs.webkit.org/show_bug.cgi?id=178890
3272
3273         Reviewed by Keith Miller.
3274
3275         New regression test.
3276
3277         * stress/regress-178890.js: Added.
3278
3279 2017-10-26  Mark Lam  <mark.lam@apple.com>
3280
3281         JSRopeString::RopeBuilder::append() should check for overflows.
3282         https://bugs.webkit.org/show_bug.cgi?id=178385
3283         <rdar://problem/35027468>
3284
3285         Reviewed by Saam Barati.
3286
3287         * stress/regress-178385.js: Added.
3288
3289 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3290
3291         Unreviewed, rolling out r223961.
3292
3293         The change that required this has been rolled out.
3294
3295         Reverted changeset:
3296
3297         "Mark test262.yaml/test262/test/language/statements/try/tco-
3298         catch.js as passing."
3299         https://bugs.webkit.org/show_bug.cgi?id=178592
3300         https://trac.webkit.org/changeset/223961
3301
3302 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3303
3304         Unreviewed, rolling out r223691 and r223729.
3305         https://bugs.webkit.org/show_bug.cgi?id=178834
3306
3307         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3308         by rniwa on #webkit).
3309
3310         Reverted changesets:
3311
3312         "Turn recursive tail calls into loops"
3313         https://bugs.webkit.org/show_bug.cgi?id=176601
3314         https://trac.webkit.org/changeset/223691
3315
3316         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3317         comparison is always false due to limited range of data type
3318         [-Wtype-limits]"
3319         https://bugs.webkit.org/show_bug.cgi?id=178543
3320         https://trac.webkit.org/changeset/223729
3321
3322 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3323
3324         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3325         https://bugs.webkit.org/show_bug.cgi?id=178592
3326
3327         Unreviewed test gardening.
3328
3329         * test262.yaml:
3330
3331 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3332
3333         [FTL] Support NewStringObject
3334         https://bugs.webkit.org/show_bug.cgi?id=178737
3335
3336         Reviewed by Saam Barati.
3337
3338         * stress/new-string-object.js: Added.
3339         (shouldBe):
3340         (test):
3341
3342 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3343
3344         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3345         https://bugs.webkit.org/show_bug.cgi?id=178308
3346
3347         Reviewed by Mark Lam.
3348
3349         * test262.yaml:
3350
3351 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3352
3353         [JSC] Use fastJoin in Array#toString
3354         https://bugs.webkit.org/show_bug.cgi?id=178062
3355
3356         Reviewed by Darin Adler.
3357
3358         * microbenchmarks/contiguous-array-to-string.js: Added.
3359         (target):
3360         * microbenchmarks/double-array-to-string.js: Added.
3361         (target):
3362         * microbenchmarks/int32-array-to-string.js: Added.
3363         (target):
3364
3365 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3366
3367         stress/check-string-ident.js is improperly skipped
3368         https://bugs.webkit.org/show_bug.cgi?id=178642
3369
3370         Reviewed by Saam Barati.
3371
3372         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3373         since it enforces the run-jsc-stress-tests script to still set up the
3374         test to run, despite the skip directive that's used before.
3375
3376 2017-10-20  Mark Lam  <mark.lam@apple.com>
3377
3378         Add a test case for r214334.
3379         https://bugs.webkit.org/show_bug.cgi?id=169941
3380         <rdar://problem/31221258>
3381
3382         Reviewed by JF Bastien.
3383
3384         * stress/regress-169941.js: Added.
3385
3386 2017-10-19  JF Bastien  <jfbastien@apple.com>
3387
3388         WebAssembly: no VM / JS version of everything but Instance
3389         https://bugs.webkit.org/show_bug.cgi?id=177473
3390
3391         Reviewed by Filip Pizlo, Saam Barati.
3392
3393         - Exceeding max on memory growth now returns a range error as per
3394         spec. This is a (very minor) breaking change: it used to throw OOM
3395         error. Update the corresponding test.
3396
3397         * wasm/js-api/memory-grow.js:
3398         (assertEq):
3399         * wasm/js-api/table.js:
3400         (assert.throws):
3401
3402 2017-10-19  Mark Lam  <mark.lam@apple.com>
3403
3404         Stringifier::appendStringifiedValue() is missing an exception check.
3405         https://bugs.webkit.org/show_bug.cgi?id=178386
3406         <rdar://problem/35027610>
3407
3408         Reviewed by Saam Barati.
3409
3410         * stress/regress-178386.js: Added.
3411
3412 2017-10-19  Michael Saboff  <msaboff@apple.com>
3413
3414         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3415         https://bugs.webkit.org/show_bug.cgi?id=178521
3416
3417         Reviewed by JF Bastien.
3418
3419         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3420         now passes with the current version (5.0) of the Emoji spec.
3421
3422 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3423
3424         Turn recursive tail calls into loops
3425         https://bugs.webkit.org/show_bug.cgi?id=176601
3426
3427         Reviewed by Saam Barati.
3428
3429         Add some simple test that computes factorial in several ways, and other trivial computations.
3430         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3431         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3432         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3433         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3434
3435         * stress/inline-call-to-recursive-tail-call.js: Added.
3436         (factorial.aux):
3437         (factorial):
3438         (factorial2.aux):
3439         (factorial2.id):
3440         (factorial2):
3441         (factorial3.aux):
3442         (factorial3):
3443         (aux):
3444         (factorial4):
3445         (test):
3446
3447 2017-10-18  Mark Lam  <mark.lam@apple.com>
3448
3449         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3450         https://bugs.webkit.org/show_bug.cgi?id=177600
3451         <rdar://problem/34710985>
3452
3453         Reviewed by Saam Barati.
3454
3455         * stress/regress-177600.js: Added.
3456
3457 2017-10-18  Mark Lam  <mark.lam@apple.com>
3458
3459         The compiler should always register a structure when it adds its transitionWatchPointSet.
3460         https://bugs.webkit.org/show_bug.cgi?id=178420
3461         <rdar://problem/34814024>
3462
3463         Reviewed by Saam Barati and Filip Pizlo.
3464
3465         * stress/regress-178420.js: Added.
3466         (new.Array.10000.map):
3467
3468 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3469
3470         [JSC] __proto__ getter should be fast
3471         https://bugs.webkit.org/show_bug.cgi?id=178067
3472
3473         Reviewed by Saam Barati.
3474
3475         * stress/dfg-object-proto-accessor.js: Added.
3476         (shouldBe):
3477         (shouldThrow):
3478         (target):
3479         * stress/dfg-object-proto-getter.js: Added.
3480         (shouldBe):
3481         (shouldThrow):
3482         (target):
3483         * stress/dfg-object-prototype-of.js: Added.
3484         (shouldBe):
3485         (shouldThrow):
3486         (target):
3487         * stress/dfg-reflect-get-prototype-of.js: Added.
3488         (shouldBe):
3489         (shouldThrow):
3490         (target):
3491         * stress/intrinsic-getter-with-poly-proto.js: Added.
3492         (shouldBe):
3493         (makePolyProtoObject.foo.C):
3494         (makePolyProtoObject.foo):
3495         (makePolyProtoObject):
3496         (target):
3497         * stress/object-get-prototype-of-filtered.js: Added.
3498         (shouldBe):
3499         (shouldThrow):
3500         (target):
3501         (i.Cocoa):
3502         * stress/object-get-prototype-of-mono-proto.js: Added.
3503         (shouldBe):
3504         (makePolyProtoObject.foo.C):
3505         (makePolyProtoObject.foo):
3506         (makePolyProtoObject):
3507         (target):
3508         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3509         (shouldBe):
3510         (makePolyProtoObject.foo.C):
3511         (makePolyProtoObject.foo):
3512         (makePolyProtoObject):
3513         (target):
3514         * stress/object-get-prototype-of-poly-proto.js: Added.
3515         (shouldBe):
3516         (makePolyProtoObject.foo.C):
3517         (makePolyProtoObject.foo):
3518         (makePolyProtoObject):
3519         (target):
3520         * stress/object-proto-getter-filtered.js: Added.
3521         (shouldBe):
3522         (shouldThrow):
3523         (target):
3524         (i.Cocoa):
3525         * stress/object-proto-getter-poly-mono-proto.js: Added.
3526         (shouldBe):
3527         (makePolyProtoObject.foo.C):
3528         (makePolyProtoObject.foo):
3529         (makePolyProtoObject):
3530         (target):
3531         * stress/object-proto-getter-poly-proto.js: Added.
3532         (shouldBe):
3533         (makePolyProtoObject.foo.C):
3534         (makePolyProtoObject.foo):
3535         (makePolyProtoObject):
3536         (target):
3537         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3538         * stress/string-proto.js: Added.
3539         (shouldBe):
3540         (target):
3541
3542 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3543
3544         Unreviewed, rolling out r223523.
3545
3546         A test for this change is failing on debug JSC bots.
3547
3548         Reverted changeset:
3549
3550         "[JSC] __proto__ getter should be fast"
3551         https://bugs.webkit.org/show_bug.cgi?id=178067
3552         https://trac.webkit.org/changeset/223523
3553
3554 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3555
3556         [JSC] __proto__ getter should be fast
3557         https://bugs.webkit.org/show_bug.cgi?id=178067
3558
3559         Reviewed by Saam Barati.
3560
3561         * stress/dfg-object-proto-accessor.js: Added.
3562         (shouldBe):
3563         (shouldThrow):
3564         (target):
3565         * stress/dfg-object-proto-getter.js: Added.
3566         (shouldBe):
3567         (shouldThrow):
3568         (target):
3569         * stress/dfg-object-prototype-of.js: Added.
3570         (shouldBe):
3571         (shouldThrow):
3572         (target):
3573         * stress/dfg-reflect-get-prototype-of.js: Added.
3574         (shouldBe):
3575         (shouldThrow):
3576         (target):
3577         * stress/object-get-prototype-of-filtered.js: Added.
3578         (shouldBe):
3579         (shouldThrow):
3580         (target):
3581         (i.Cocoa):
3582         * stress/object-get-prototype-of-mono-proto.js: Added.
3583         (shouldBe):
3584         (makePolyProtoObject.foo.C):
3585         (makePolyProtoObject.foo):
3586         (makePolyProtoObject):
3587         (target):
3588         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3589         (shouldBe):
3590         (makePolyProtoObject.foo.C):
3591         (makePolyProtoObject.foo):
3592         (makePolyProtoObject):
3593         (target):
3594         * stress/object-get-prototype-of-poly-proto.js: Added.
3595         (shouldBe):
3596         (makePolyProtoObject.foo.C):
3597         (makePolyProtoObject.foo):
3598         (makePolyProtoObject):
3599         (target):
3600         * stress/object-proto-getter-filtered.js: Added.
3601         (shouldBe):
3602         (shouldThrow):
3603         (target):
3604         (i.Cocoa):
3605         * stress/object-proto-getter-poly-mono-proto.js: Added.
3606         (shouldBe):
3607         (makePolyProtoObject.foo.C):
3608         (makePolyProtoObject.foo):
3609         (makePolyProtoObject):
3610         (target):
3611         * stress/object-proto-getter-poly-proto.js: Added.
3612         (shouldBe):
3613         (makePolyProtoObject.foo.C):
3614         (makePolyProtoObject.foo):
3615         (makePolyProtoObject):
3616         (target):
3617         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3618         * stress/string-proto.js: Added.
3619         (shouldBe):
3620         (target):
3621
3622 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3623
3624         Reland "Add Above/Below comparisons for UInt32 patterns"
3625         https://bugs.webkit.org/show_bug.cgi?id=177281
3626
3627         Reviewed by Saam Barati.
3628
3629         * stress/uint32-comparison-jump.js: Added.
3630         (shouldBe):
3631         (above):
3632         (aboveOrEqual):
3633         (below):
3634         (belowOrEqual):
3635         (notAbove):
3636         (notAboveOrEqual):
3637         (notBelow):
3638         (notBelowOrEqual):
3639         * stress/uint32-comparison.js: Added.
3640         (shouldBe):
3641         (above):
3642         (aboveOrEqual):
3643         (below):
3644         (belowOrEqual):
3645         (aboveTest):
3646         (aboveOrEqualTest):
3647         (belowTest):
3648         (belowOrEqualTest):
3649
3650 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3651
3652         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3653         https://bugs.webkit.org/show_bug.cgi?id=178210
3654
3655         Reviewed by Saam Barati.
3656
3657         * wasm/function-tests/trap-from-start-async.js:
3658         (async.StartTrapsAsync):
3659         * wasm/function-tests/trap-from-start.js:
3660         (StartTraps):
3661         * wasm/js-api/web-assembly-function.js:
3662         (assert.eq.Object.getPrototypeOf):
3663         * wasm/js-api/wrapper-function.js:
3664         (return.new.WebAssembly.Module):
3665         (assert.throws.makeInstance): Deleted.
3666         (assert.throws.Bar): Deleted.
3667         (assert.throws): Deleted.
3668
3669 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3670
3671         Enable gigacage on iOS
3672         https://bugs.webkit.org/show_bug.cgi?id=177586
3673
3674         Reviewed by JF Bastien.
3675         
3676         Add tests for when Gigacage gets runtime disabled.
3677
3678         * stress/disable-gigacage-arrays.js: Added.
3679         (foo):
3680         * stress/disable-gigacage-strings.js: Added.
3681         (foo):
3682         * stress/disable-gigacage-typed-arrays.js: Added.
3683         (foo):
3684
3685 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3686
3687         import.meta should not be assignable
3688         https://bugs.webkit.org/show_bug.cgi?id=178202
3689
3690         Reviewed by Saam Barati.
3691
3692         * modules/import-meta-assignment.js: Added.
3693         (shouldThrow):
3694         (SyntaxError.import.meta.can.shouldThrow):
3695
3696 2017-10-11  Saam Barati  <sbarati@apple.com>
3697
3698         Unreviewed. Actually skip certain type profiler tests in debug.
3699
3700         * typeProfiler.yaml:
3701         * typeProfiler/deltablue-for-of.js:
3702         * typeProfiler/getter-richards.js:
3703
3704 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3705
3706         Unreviewed, rolling out r223113 and r223121.
3707         https://bugs.webkit.org/show_bug.cgi?id=178182
3708
3709         Reintroduced 20% regression on Kraken (Requested by rniwa on
3710         #webkit).
3711
3712         Reverted changesets:
3713
3714         "Enable gigacage on iOS"
3715         https://bugs.webkit.org/show_bug.cgi?id=177586
3716         https://trac.webkit.org/changeset/223113
3717
3718         "Use one virtual allocation for all gigacages and their
3719         runways"
3720         https://bugs.webkit.org/show_bug.cgi?id=178050
3721         https://trac.webkit.org/changeset/223121
3722
3723 2017-10-11  Michael Saboff  <msaboff@apple.com>
3724
3725         Disable test262 named capture group tests with direct unicode names and with references before definitions
3726         https://bugs.webkit.org/show_bug.cgi?id=178177
3727
3728         Reviewed by Keith Miller.
3729
3730         Bugs to track fixing these test are:
3731         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3732             "Add support in named capture group identifiers for direct surrogate pairs"
3733         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3734             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3735
3736         * test262.yaml:
3737
3738 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3739
3740         Object properties are undefined in super.call() but not in this.call()
3741         https://bugs.webkit.org/show_bug.cgi?id=177230
3742
3743         Reviewed by Saam Barati.
3744
3745         * stress/super-call-function-subclass.js: Added.
3746         (assert):
3747         (A.prototype.t):
3748         (A):
3749         * stress/super-dot-call-and-apply.js: Added.
3750         (assert):
3751         (A):
3752         (A.prototype.call):
3753         (A.prototype.apply):
3754         (B.prototype.testSuper):
3755         (B):
3756         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3757         (D.prototype.testSuper):
3758         (D):
3759
3760 2017-10-10  Saam Barati  <sbarati@apple.com>
3761
3762         The prototype cache should be aware of the Executable it generates a Structure for
3763         https://bugs.webkit.org/show_bug.cgi?id=177907
3764
3765         Reviewed by Filip Pizlo.
3766
3767         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3768         (assert):
3769         (foo.C):
3770         (foo):
3771         (bar.C):
3772         (bar):
3773         (access):
3774         (makeLongChain):
3775         (accessY):
3776
3777 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3778
3779         `async` should be able to be used as an imported binding name
3780         https://bugs.webkit.org/show_bug.cgi?id=176573
3781
3782         Reviewed by Saam Barati.
3783
3784         * modules/import-default-async.js: Added.
3785         * modules/import-named-async-as.js: Added.
3786         * modules/import-named-async.js: Added.
3787         * modules/import-named-async/target.js: Added.
3788         * modules/import-namespace-async.js: Added.
3789         * test262.yaml:
3790
3791 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3792
3793         Enable gigacage on iOS
3794         https://bugs.webkit.org/show_bug.cgi?id=177586
3795
3796         Reviewed by JF Bastien.
3797         
3798         Add tests for when Gigacage gets runtime disabled.
3799
3800         * stress/disable-gigacage-arrays.js: Added.
3801         (foo):
3802         * stress/disable-gigacage-strings.js: Added.
3803         (foo):
3804         * stress/disable-gigacage-typed-arrays.js: Added.
3805         (foo):
3806
3807 2017-10-09  Michael Saboff  <msaboff@apple.com>
3808
3809         Implement RegExp Unicode property escapes
3810         https://bugs.webkit.org/show_bug.cgi?id=172069
3811
3812         Reviewed by JF Bastien.
3813
3814         Enabled Unicode Property tests.
3815
3816         * test262.yaml:
3817
3818 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3819
3820         Unreviewed, rolling out r223015 and r223025.
3821         https://bugs.webkit.org/show_bug.cgi?id=178093
3822
3823         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3824         #webkit).
3825
3826         Reverted changesets:
3827
3828         "Enable gigacage on iOS"
3829         https://bugs.webkit.org/show_bug.cgi?id=177586
3830         http://trac.webkit.org/changeset/223015
3831
3832         "Unreviewed, disable Gigacage on ARM64 Linux"
3833         https://bugs.webkit.org/show_bug.cgi?id=177586
3834         http://trac.webkit.org/changeset/223025
3835
3836 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3837
3838         Update expectations for test262 tests that pass after r223043.
3839         https://bugs.webkit.org/show_bug.cgi?id=176685
3840
3841         Unreviewed test gardening.
3842
3843         * test262.yaml:
3844
3845 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3846
3847         Unreviewed, rolling out r223022.
3848
3849         This change introduced 18 test262 failures.
3850
3851         Reverted changeset:
3852
3853         "`async` should be able to be used as an imported binding
3854         name"
3855         https://bugs.webkit.org/show_bug.cgi?id=176573
3856         http://trac.webkit.org/changeset/223022
3857
3858 2017-10-09  Saam Barati  <sbarati@apple.com>
3859
3860         3 poly-proto JSC tests timing out on debug after r222827
3861         https://bugs.webkit.org/show_bug.cgi?id=177880
3862         <rdar://problem/34817122>
3863
3864         Unreviewed.
3865
3866         I'm skipping these type profiler tests on debug since they are long running.
3867
3868         * typeProfiler/deltablue-for-of.js:
3869         * typeProfiler/getter-richards.js:
3870
3871 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3872
3873         Safari 10 /11 problem with if (!await get(something)).
3874         https://bugs.webkit.org/show_bug.cgi?id=176685
3875
3876         Reviewed by Saam Barati.
3877
3878         * stress/async-await-basic.js:
3879         (awaitEpression.async):
3880         * stress/async-await-syntax.js:
3881         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3882         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3883
3884 2017-10-08  Saam Barati  <sbarati@apple.com>
3885
3886         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3887
3888         * typeProfiler/deltablue-for-of.js:
3889         * typeProfiler/getter-richards.js:
3890
3891 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3892
3893         `async` should be able to be used as an imported binding name
3894         https://bugs.webkit.org/show_bug.cgi?id=176573
3895
3896         Reviewed by Darin Adler.
3897
3898         * modules/import-default-async.js: Added.
3899         * modules/import-named-async-as.js: Added.
3900         * modules/import-named-async.js: Added.
3901         * modules/import-named-async/target.js: Added.
3902         * modules/import-namespace-async.js: Added.
3903
3904 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3905
3906         Enable gigacage on iOS
3907         https://bugs.webkit.org/show_bug.cgi?id=177586
3908
3909         Reviewed by JF Bastien.
3910         
3911         Add tests for when Gigacage gets runtime disabled.
3912
3913         * stress/disable-gigacage-arrays.js: Added.
3914         (foo):
3915         * stress/disable-gigacage-strings.js: Added.
3916         (foo):
3917         * stress/disable-gigacage-typed-arrays.js: Added.
3918         (foo):
3919
3920 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3921
3922         Unreviewed, rolling out r222791 and r222873.
3923         https://bugs.webkit.org/show_bug.cgi?id=178031
3924
3925         Caused crashes with workers/wasm LayoutTests (Requested by
3926         ryanhaddad on #webkit).
3927
3928         Reverted changesets:
3929
3930         "WebAssembly: no VM / JS version of everything but Instance"
3931         https://bugs.webkit.org/show_bug.cgi?id=177473
3932         http://trac.webkit.org/changeset/222791
3933
3934         "WebAssembly: address no VM / JS follow-ups"
3935         https://bugs.webkit.org/show_bug.cgi?id=177887
3936         http://trac.webkit.org/changeset/222873
3937
3938 2017-10-05  Saam Barati  <sbarati@apple.com>
3939
3940         Make sure all prototypes under poly proto get added into the VM's prototype map
3941         https://bugs.webkit.org/show_bug.cgi?id=177909
3942
3943         Reviewed by Keith Miller.
3944
3945         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3946         (assert):
3947         (foo.C):
3948         (foo):
3949         (set x):
3950
3951 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3952
3953         [JSC] Introduce import.meta
3954         https://bugs.webkit.org/show_bug.cgi?id=177703
3955
3956         Reviewed by Filip Pizlo.
3957
3958         * modules/import-meta-syntax.js: Added.
3959         (shouldThrow):
3960         (shouldNotThrow):
3961         * modules/import-meta.js: Added.
3962         * modules/import-meta/cocoa.js: Added.
3963         * modules/resources/assert.js:
3964         (export.shouldNotThrow):
3965         * stress/import-syntax.js:
3966
3967 2017-10-04  Saam Barati  <sbarati@apple.com>
3968
3969         Make pertinent AccessCases watch the poly proto watchpoint
3970         https://bugs.webkit.org/show_bug.cgi?id=177765
3971
3972         Reviewed by Keith Miller.
3973
3974         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3975         (assert):
3976         (foo.C):
3977         (foo):
3978         (validate):
3979         * stress/poly-proto-clear-stub.js: Added.
3980         (assert):
3981         (foo.C):
3982         (foo):
3983
3984 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3985
3986         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3987
3988         Unreviewed test gardening.
3989
3990         * test262.yaml:
3991
3992 2017-10-04  Saam Barati  <sbarati@apple.com>
3993
3994         3 poly-proto JSC tests timing out on debug after r222827
3995         https://bugs.webkit.org/show_bug.cgi?id=177880
3996
3997         Rubber stamped by Mark Lam.
3998
3999         * microbenchmarks/poly-proto-access.js:
4000         * typeProfiler/deltablue-for-of.js:
4001         * typeProfiler/getter-richards.js:
4002
4003 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
4004
4005         Unreviewed, marking tco-catch.js as a failure after test262 update
4006         https://bugs.webkit.org/show_bug.cgi?id=177859
4007
4008         * test262.yaml:
4009
4010 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4011
4012         Unreviewed, marking one async iterator test262 test failed
4013         https://bugs.webkit.org/show_bug.cgi?id=177859
4014
4015         * test262.yaml:
4016
4017 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4018
4019         [Test262] Update Test262 to Oct 4 version
4020         https://bugs.webkit.org/show_bug.cgi?id=177859
4021
4022         Reviewed by Sam Weinig.
4023
4024         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
4025         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
4026
4027         * test262.yaml:
4028         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
4029         (checkSequence):
4030         * test262/harness/typeCoercion.js:
4031         (testCoercibleToIndexZero):
4032         (testCoercibleToIndexOne):
4033         (testCoercibleToIndexFromIndex):
4034         (testNotCoercibleToIndex.testPrimitiveValue):
4035         (testNotCoercibleToInteger):
4036         (testCoercibleToBigIntZero.testPrimitiveValue):
4037         (testCoercibleToBigIntZero):
4038         (testCoercibleToBigIntOne.testPrimitiveValue):
4039         (testCoercibleToBigIntOne):
4040         (testPrimitiveValue):
4041         (testCoercibleToBigIntFromBigInt):
4042         (testNotCoercibleToBigInt.testPrimitiveValue):
4043         (testNotCoercibleToBigInt.testStringValue):
4044         (testNotCoercibleToBigInt):
4045         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
4046         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
4047         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
4048         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
4049         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
4050         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
4051         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
4052         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
4053         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
4054         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
4055         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
4056         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
4057         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
4058         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
4059         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
4060         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
4061         (testCoercibleToBigIntZero):
4062         (testCoercibleToBigIntOne):
4063         (testNotCoercibleToBigInt):
4064         (MyError): Deleted.
4065         (valueOf): Deleted.
4066         (toString): Deleted.
4067         (Symbol.toPrimitive): Deleted.
4068         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
4069         (testCoercibleToIndexZero):
4070         (testCoercibleToIndexOne):
4071         (testNotCoercibleToIndex):
4072         (MyError): Deleted.
4073         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
4074         (assert.sameValue.BigInt.asIntN.toString): Deleted.
4075         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
4076         (BigInt.asIntN.valueOf): Deleted.
4077         (BigInt.asIntN.toString): Deleted.
4078         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
4079         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
4080         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
4081         (testCoercibleToBigIntZero):
4082         (testCoercibleToBigIntOne):
4083         (testNotCoercibleToBigInt):
4084         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
4085         (testCoercibleToIndexZero):
4086         (testCoercibleToIndexOne):
4087         (testNotCoercibleToIndex):
4088         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
4089         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
4090         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
4091         (bits.valueOf):
4092         (bigint.valueOf):
4093         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
4094         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
4095         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
4096         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
4097         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
4098         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
4099         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
4100         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
4101         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
4102         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
4103         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
4104         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
4105         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
4106         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
4107         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
4108         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
4109         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
4110         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
4111         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
4112         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
4113         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
4114         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
4115         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
4116         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
4117         (replacer):
4118         (BigInt.prototype.toJSON):
4119         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
4120         (replacer):
4121         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
4122         (BigInt.prototype.toJSON):
4123         * test262/test/built-ins/JSON/stringify/bigint.js:
4124         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
4125         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
4126         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
4127         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
4128         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
4129         * test262/test/built-ins/Object/proto-from-ctor.js:
4130         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
4131         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4132         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4133         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4134         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4135         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4136         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4137         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4138         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4139         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4140         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4141         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4142         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4143         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4144         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4145         * test262/test/built-ins/Proxy/get-fn-realm.js:
4146         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4147         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4148         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4149         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4150         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4151         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4152         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4153         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4154         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4155         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4156         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4157         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4158         (i6.replace):
4159         (i6b.replace):
4160         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4161         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4162         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4163         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4164         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4165         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4166         * test262/test/built-ins/RegExp/u180e.js: Added.
4167         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4168         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4169         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4170         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4171         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4172         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4173         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4174         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4175         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4176         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4177         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4178         * test262/test/built-ins/String/prototype/endsWith/length.js:
4179         * test262/test/built-ins/String/prototype/endsWith/name.js:
4180         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4181         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4182         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4183         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4184         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4185         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4186         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4187         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4188         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4189         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4190         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4191         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4192         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4193         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4194         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4195         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4196         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4197         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4198         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4199         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4200         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4201         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4202         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4203         * test262/test/built-ins/String/prototype/includes/includes.js:
4204         * test262/test/built-ins/String/prototype/includes/length.js:
4205         * test262/test/built-ins/String/prototype/includes/name.js:
4206         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4207         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4208         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4209         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4210         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4211         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4212         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4213         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4214         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4215         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4216         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4217         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4218         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4219         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4220         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4221         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4222         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4223         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4224         * test262/test/built-ins/String/prototype/trim/u180e.js:
4225         * test262/test/built-ins/Symbol/for/cross-realm.js:
4226         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4227         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4228         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4229         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4230         * test262/test/built-ins/Symbol/match/cross-realm.js:
4231         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4232         * test262/test/built-ins/Symbol/search/cross-realm.js:
4233         * test262/test/built-ins/Symbol/species/cross-realm.js:
4234         * test262/test/built-ins/Symbol/split/cross-realm.js:
4235         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4236         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4237         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4238         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4239         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4240         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4241         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4242         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4243         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4244         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4245         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4246         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4247         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4248         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4249         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4250         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4251         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4252         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4253         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4254         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4255         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4256         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4257         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4258         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4259         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4260         * test262/test/language/eval-code/indirect/realm.js:
4261         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4262         (o.get z):
4263         (o.get a):
4264         * test262/test/language/expressions/call/eval-realm-indirect.js:
4265         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4266         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4267         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4268         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4269         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4270         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4271         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4272         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4273         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4274         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4275         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4276         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4277         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4278         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4279         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4280         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4281         * test262/test/language/expressions/less-than/bigint-and-number.js:
4282         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4283         * test262/test/language/expressions/super/realm.js:
4284         * test262/test/language/expressions/tagged-template/cache-realm.js:
4285         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
4286         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
4287         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
4288         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
4289         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
4290         * test262/test/language/literals/string/mongolian-vowel-separator.js:
4291         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
4292         (o.get z):
4293         (o.get a):
4294         * test262/test/language/statements/for-of/iterator-next-reference.js:
4295         (next):
4296         (iterator.next): Deleted.
4297         (x.of.iterable.): Deleted.
4298         (x.of.iterable.get return): Deleted.
4299         (x.of.iterable.iterator.next): Deleted.
4300         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
4301         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
4302         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
4303         * test262/test/language/white-space/mongolian-vowel-separator.js:
4304         * test262/test262-Revision.txt:
4305
4306 2017-10-03  Saam Barati  <sbarati@apple.com>
4307
4308         Implement polymorphic prototypes
4309         https://bugs.webkit.org/show_bug.cgi?id=176391
4310
4311         Reviewed by Filip Pizlo.
4312
4313         * microbenchmarks/poly-proto-access.js: Added.
4314         (assert):
4315         (foo.C):
4316         (foo.C.prototype.get bar):
4317         (foo):
4318         (bar):
4319         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
4320         (assert):
4321         (makePolyProtoObject.foo.C):
4322         (makePolyProtoObject.foo):
4323         (makePolyProtoObject):
4324         (performSet):
4325         * microbenchmarks/poly-proto-setter-speed.js: Added.
4326         (assert):
4327         (makePolyProtoObject.foo.C):
4328         (makePolyProtoObject.foo.C.prototype.set p):
4329         (makePolyProtoObject.foo):
4330         (makePolyProtoObject):
4331         (performSet):
4332         * stress/constructor-with-return.js:
4333         (i.tests.forEach.Constructor):
4334         (i.tests.forEach):
4335         (tests.forEach.Constructor): Deleted.
4336         (tests.forEach): Deleted.
4337         * stress/dom-jit-with-poly-proto.js: Added.
4338         (assert):
4339         (makePolyProtoObject.foo.C):
4340         (makePolyProtoObject.foo):
4341         (makePolyProtoObject):
4342         (validate):
4343         * stress/poly-proto-custom-value-and-accessor.js: Added.
4344         (assert):
4345         (makePolyProtoObject.foo.C):
4346         (makePolyProtoObject.foo):
4347         (makePolyProtoObject):
4348         (items.forEach):
4349         (set get for):
4350         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
4351         (assert):
4352         (makePolyProtoObject.foo.C):
4353         (makePolyProtoObject.foo):
4354         (makePolyProtoObject):
4355         (foo):
4356         * stress/poly-proto-miss.js: Added.
4357         (makePolyProtoInstanceWithNullPrototype.foo.C):
4358         (makePolyProtoInstanceWithNullPrototype.foo):
4359         (makePolyProtoInstanceWithNullPrototype):
4360         (assert):
4361         (validate):
4362         * stress/poly-proto-op-in-caching.js: Added.
4363         (assert):
4364         (makePolyProtoObject.foo.C):
4365         (makePolyProtoObject.foo):
4366         (makePolyProtoObject):
4367         (validate):
4368         (validate2):
4369         * stress/poly-proto-put-transition.js: Added.
4370         (assert):
4371         (makePolyProtoObject.foo.C):
4372         (makePolyProtoObject.foo):
4373         (makePolyProtoObject):
4374         (performSet):
4375         (i.obj.__proto__.set p):
4376         * stress/poly-proto-set-prototype.js: Added.
4377         (assert):
4378         (let.alternateProto.get x):
4379         (let.alternateProto2.get y):
4380         (let.alternateProto2.get x):
4381         (foo.C):
4382         (foo):
4383         (validate):
4384         * stress/poly-proto-setter.js: Added.