[ARM] Disable tests that run out of memory
[WebKit-https.git] / JSTests / ChangeLog
1 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
2
3         [ARM] Disable tests that run out of memory
4         https://bugs.webkit.org/show_bug.cgi?id=182699
5
6         Reviewed by Žan Doberšek.
7
8         Skip tests that run of of memory. Do not run
9         modules/module-jit-reachability.js without LLInt to prevent
10         running out of executable memory.
11
12         * modules.yaml:
13         * modules/module-jit-reachability.js:
14         * stress/has-own-property-name-cache-string-keys.js:
15         * stress/has-own-property-name-cache-symbol-keys.js:
16
17 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
18
19         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
20         https://bugs.webkit.org/show_bug.cgi?id=183173
21
22         Reviewed by Saam Barati.
23
24         * stress/async-arrow-function-in-class-heritage.js: Added.
25         (testSyntax):
26         (testSyntaxError):
27         (SyntaxError):
28
29 2018-03-01  Saam Barati  <sbarati@apple.com>
30
31         We need to clear cached structures when having a bad time
32         https://bugs.webkit.org/show_bug.cgi?id=183256
33         <rdar://problem/36245022>
34
35         Reviewed by Mark Lam.
36
37         * stress/having-a-bad-time-with-derived-arrays.js: Added.
38         (assert):
39         (defineSetter):
40         (iterate):
41         (doSlice):
42
43 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
44
45         JSC crash with `import("")`
46         https://bugs.webkit.org/show_bug.cgi?id=183175
47
48         Reviewed by Saam Barati.
49
50         * stress/import-with-empty-string.js: Added.
51
52 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
53
54         Unreviewed, skip FTL tests if FTL is disabled
55         https://bugs.webkit.org/show_bug.cgi?id=183071
56
57         * stress/has-indexed-property-array-storage-ftl.js:
58         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
59
60 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
61
62         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
63         https://bugs.webkit.org/show_bug.cgi?id=182965
64
65         Reviewed by Saam Barati.
66
67         * stress/put-by-val-array-storage.js: Added.
68         (shouldBe):
69         (testArrayStorageInBounds):
70         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
71         (shouldBe):
72         (testInt32.createBuiltin):
73         (set for):
74         * stress/put-by-val-slow-put-array-storage.js: Added.
75         (shouldBe):
76         (testArrayStorageInBounds):
77
78 2018-02-26  Saam Barati  <sbarati@apple.com>
79
80         validateStackAccess should not validate if the offset is within the stack bounds
81         https://bugs.webkit.org/show_bug.cgi?id=183067
82         <rdar://problem/37749988>
83
84         Reviewed by Mark Lam.
85
86         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
87         (assert):
88         (test.a):
89         (test.b):
90         (test):
91
92 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
93
94         Unreviewed, skip FTL tests if FTL is disabled
95         https://bugs.webkit.org/show_bug.cgi?id=183071
96
97         * stress/has-indexed-property-array-storage-ftl.js:
98         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
99
100 2018-02-23  Saam Barati  <sbarati@apple.com>
101
102         Make Number.isInteger an intrinsic
103         https://bugs.webkit.org/show_bug.cgi?id=183088
104
105         Reviewed by JF Bastien.
106
107         * stress/number-is-integer-intrinsic.js: Added.
108
109 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
110
111         WebAssembly: cache memory address / size on instance
112         https://bugs.webkit.org/show_bug.cgi?id=177305
113
114         Reviewed by JF Bastien.
115
116         * wasm/function-tests/memory-reuse.js: Added.
117         (createWasmInstance):
118         (doCheckTrap):
119         (doMemoryGrow):
120         (doCheck):
121         (checkWasmInstancesWithSharedMemory):
122
123 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
124
125         [JSC] Implement $vm.ftlTrue function for FTL testing
126         https://bugs.webkit.org/show_bug.cgi?id=183071
127
128         Reviewed by Mark Lam.
129
130         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
131         (foo):
132         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
133         (foo):
134         * stress/dead-fiat-value-to-int52.js:
135         (foo):
136         * stress/dead-osr-entry-value.js:
137         (foo):
138         * stress/fiat-value-to-int52-then-exit-not-double.js:
139         (foo):
140         * stress/fiat-value-to-int52-then-exit-not-int52.js:
141         (foo):
142         * stress/fiat-value-to-int52-then-fail-to-fold.js:
143         (foo):
144         * stress/fiat-value-to-int52-then-fold.js:
145         (foo):
146         * stress/fiat-value-to-int52.js:
147         (foo):
148         * stress/fold-based-on-int32-proof-mul-branch.js:
149         (foo):
150         * stress/fold-profiled-call-to-call.js:
151         (foo):
152         * stress/fold-to-double-constant-then-exit.js:
153         (foo):
154         * stress/fold-to-int52-constant-then-exit.js:
155         (foo):
156         * stress/fold-to-primitive-in-cfa.js:
157         (foo):
158         * stress/fold-to-primitive-to-identity-in-cfa.js:
159         (foo):
160         * stress/has-indexed-property-array-storage-ftl.js: Added.
161         (shouldBe):
162         (test1):
163         (test2):
164         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
165         (shouldBe):
166         (test1):
167         (test2):
168         * stress/int52-ai-add-then-filter-int32.js:
169         (foo):
170         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
171         (foo):
172         * stress/int52-ai-mul-then-filter-int32.js:
173         (foo):
174         * stress/int52-ai-neg-then-filter-int32.js:
175         (foo):
176         * stress/int52-ai-sub-then-filter-int32.js:
177         (foo):
178         * stress/licm-pre-header-cannot-exit-nested.js:
179         (foo):
180         * stress/licm-pre-header-cannot-exit.js:
181         (foo):
182         * stress/sparse-array-entry-update-144067.js:
183         (useMemoryToTriggerGCs):
184         * stress/test-spec-misc.js:
185         (foo):
186         * stress/tricky-array-bounds-checks.js:
187         (foo):
188
189 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
190
191         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
192         https://bugs.webkit.org/show_bug.cgi?id=182792
193
194         Reviewed by Mark Lam.
195
196         * stress/has-indexed-property-array-storage.js: Added.
197         (shouldBe):
198         (test1):
199         (test2):
200         * stress/has-indexed-property-slow-put-array-storage.js: Added.
201         (shouldBe):
202         (test1):
203         (test2):
204
205 2018-02-20  Saam Barati  <sbarati@apple.com>
206
207         DFG::VarargsForwardingPhase should eliminate getting argument length
208         https://bugs.webkit.org/show_bug.cgi?id=182959
209
210         Reviewed by Keith Miller.
211
212         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
213
214 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
215
216         [FTL] Support ArrayPush for ArrayStorage
217         https://bugs.webkit.org/show_bug.cgi?id=182782
218
219         Reviewed by Saam Barati.
220
221         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
222
223         * stress/array-push-array-storage-beyond-int32.js: Added.
224         (shouldBe):
225         (test):
226         * stress/array-push-array-storage.js: Added.
227         (shouldBe):
228         (test):
229         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
230         (shouldBe):
231         (test):
232         * stress/array-push-multiple-storage-continuous.js: Added.
233         (shouldBe):
234         (test):
235
236 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
237
238         [FTL] Support ArrayPop for ArrayStorage
239         https://bugs.webkit.org/show_bug.cgi?id=182783
240
241         Reviewed by Saam Barati.
242
243         * stress/array-pop-array-storage.js: Added.
244         (shouldBe):
245         (test):
246
247 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
248
249         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
250         https://bugs.webkit.org/show_bug.cgi?id=182731
251
252         Reviewed by Saam Barati.
253
254         * stress/arrayify-array-storage-array.js: Added.
255         (shouldBe):
256         (testArrayStorage):
257         * stress/arrayify-array-storage-non-array.js: Added.
258         (shouldBe):
259         (testArrayStorage):
260         * stress/arrayify-array-storage.js: Added.
261         (shouldBe):
262         (testArrayStorage):
263         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
264         (shouldBe):
265         (testArrayStorage):
266         * stress/arrayify-slow-put-array-storage.js: Added.
267         (shouldBe):
268         (testArrayStorage):
269
270 2018-02-19  Saam Barati  <sbarati@apple.com>
271
272         Don't use JSFunction's allocation profile when getting the prototype can be effectful
273         https://bugs.webkit.org/show_bug.cgi?id=182942
274         <rdar://problem/37584764>
275
276         Reviewed by Mark Lam.
277
278         * stress/get-prototype-create-this-effectful.js: Added.
279
280 2018-02-16  Saam Barati  <sbarati@apple.com>
281
282         Fix bugs from r228411
283         https://bugs.webkit.org/show_bug.cgi?id=182851
284         <rdar://problem/37577732>
285
286         Reviewed by JF Bastien.
287
288         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
289
290 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
291
292         Unreviewed, roll out r228366 since it did not progress anything.
293
294         * stress/gc-error-stack.js: Removed.
295         * stress/no-gc-error-stack.js: Removed.
296
297 2018-02-15  Tomas Popela  <tpopela@redhat.com>
298
299         Many stress tests fail with JIT disabled
300         https://bugs.webkit.org/show_bug.cgi?id=182730
301
302         Reviewed by Saam Barati.
303
304         These tests are broken by design if the JIT is disabled - they test
305         the return value of numberOfDFGCompiles(), which is always set to
306         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
307
308         * stress/arith-abs-on-various-types.js:
309         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
310         * stress/arith-acos-on-various-types.js:
311         * stress/arith-acosh-on-various-types.js:
312         * stress/arith-asin-on-various-types.js:
313         * stress/arith-asinh-on-various-types.js:
314         * stress/arith-atan-on-various-types.js:
315         * stress/arith-atanh-on-various-types.js:
316         * stress/arith-cbrt-on-various-types.js:
317         * stress/arith-ceil-on-various-types.js:
318         * stress/arith-clz32-on-various-types.js:
319         * stress/arith-cos-on-various-types.js:
320         * stress/arith-cosh-on-various-types.js:
321         * stress/arith-expm1-on-various-types.js:
322         * stress/arith-floor-on-various-types.js:
323         * stress/arith-fround-on-various-types.js:
324         * stress/arith-log-on-various-types.js:
325         * stress/arith-log10-on-various-types.js:
326         * stress/arith-log2-on-various-types.js:
327         * stress/arith-negate-on-various-types.js:
328         * stress/arith-round-on-various-types.js:
329         * stress/arith-sin-on-various-types.js:
330         * stress/arith-sinh-on-various-types.js:
331         * stress/arith-sqrt-on-various-types.js:
332         * stress/arith-tan-on-various-types.js:
333         * stress/arith-tanh-on-various-types.js:
334         * stress/arith-trunc-on-various-types.js:
335         * stress/compare-strict-eq-on-various-types.js:
336
337 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
338
339         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
340
341         Unreviewed test gardening.
342
343         * stress/new-largeish-contiguous-array-with-size.js:
344
345 2018-02-14  Saam Barati  <sbarati@apple.com>
346
347         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
348         https://bugs.webkit.org/show_bug.cgi?id=182801
349
350         Reviewed by Keith Miller.
351
352         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
353
354 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
355
356         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
357         https://bugs.webkit.org/show_bug.cgi?id=182526
358
359         Unreviewed test gardening.
360
361         * stress/activation-sink-default-value-tdz-error.js:
362
363 2018-02-13  Saam Barati  <sbarati@apple.com>
364
365         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
366         https://bugs.webkit.org/show_bug.cgi?id=182755
367         <rdar://problem/37080864>
368
369         Reviewed by Keith Miller.
370
371         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
372         (test1.o.get 10005):
373         (test1):
374         (test2.o.get 1000):
375         (test2):
376
377 2018-02-13  Caitlin Potter  <caitp@igalia.com>
378
379         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
380         https://bugs.webkit.org/show_bug.cgi?id=182717
381
382         Reviewed by Yusuke Suzuki.
383
384         https://github.com/tc39/ecma262/pull/890 imposes a change to template
385         literals, to allow template callsite arrays to be collected when the
386         code containing the tagged template call is collected. This spec change
387         has received concensus and been ratified.
388
389         This change eliminates the eternal map associating template contents
390         with arrays.
391
392         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
393         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
394         * stress/tagged-templates-identity.js:
395         * stress/template-string-tags-eval.js:
396         * test262.yaml:
397
398 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
399
400         Support GetArrayLength on ArrayStorage in the FTL
401         https://bugs.webkit.org/show_bug.cgi?id=182625
402
403         Reviewed by Saam Barati.
404
405         * stress/array-storage-length.js: Added.
406         (shouldBe):
407         (testInBound):
408         (testUncountable):
409         (testSlowPutInBound):
410         (testSlowPutUncountable):
411         * stress/undecided-length.js: Added.
412         (shouldBe):
413         (test2):
414
415 2018-02-12  Saam Barati  <sbarati@apple.com>
416
417         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
418         https://bugs.webkit.org/show_bug.cgi?id=182706
419         <rdar://problem/36833681>
420
421         Reviewed by Filip Pizlo.
422
423         * stress/get-array-length-phantom-new-array-buffer.js: Added.
424         (effects):
425         (foo):
426
427 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
428
429         Don't waste memory for error.stack
430         https://bugs.webkit.org/show_bug.cgi?id=182656
431
432         Reviewed by Saam Barati.
433         
434         Tests the policy.
435
436         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
437         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
438
439 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
440
441         [JSC] Update Test262 to Feb 9 version
442         https://bugs.webkit.org/show_bug.cgi?id=182468
443
444         Reviewed by Saam Barati.
445
446 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
447
448         Unreviewed, fix invalid line terminator in old test262 file part 2
449         https://bugs.webkit.org/show_bug.cgi?id=182468
450
451         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
452
453 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
454
455         Unreviewed, fix invalid line terminator in old test262 file
456         https://bugs.webkit.org/show_bug.cgi?id=182468
457
458         * test262/test/language/literals/regexp/7.8.5-1.js:
459
460 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
461
462         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
463         https://bugs.webkit.org/show_bug.cgi?id=182440
464
465         Reviewed by Darin Adler.
466
467         * stress/array-flatmap.js: Added.
468         (shouldBe):
469         (shouldBeArray):
470         (shouldThrow):
471         (var):
472         * stress/array-flatten.js: Added.
473         (shouldBe):
474         (shouldBeArray):
475         * test262.yaml:
476         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
477         (3.flatMap):
478         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
479
480 2018-02-06  Keith Miller  <keith_miller@apple.com>
481
482         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
483         https://bugs.webkit.org/show_bug.cgi?id=182549
484         <rdar://problem/36189995>
485
486         Reviewed by Saam Barati.
487
488         * stress/var-injection-cache-invalidation.js: Added.
489         (allocateLotsOfThings):
490         (test):
491
492 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
493
494         Unreviewed, follow up for test262 update
495         https://bugs.webkit.org/show_bug.cgi?id=182288
496
497         * test262.yaml:
498
499 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
500
501         Update test262 to Jan 30 version
502         https://bugs.webkit.org/show_bug.cgi?id=182288
503
504         Unreviewed test gardening.
505
506         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
507
508 2018-02-02  Saam Barati  <sbarati@apple.com>
509
510         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
511         https://bugs.webkit.org/show_bug.cgi?id=182368
512         <rdar://problem/36932466>
513
514         Reviewed by Mark Lam.
515
516         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
517         (runNearStackLimit.t):
518         (runNearStackLimit):
519         (try.runNearStackLimit):
520         (catch):
521
522 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
523
524         Update test262 to Jan 30 version
525         https://bugs.webkit.org/show_bug.cgi?id=182288
526
527         Rubber stamped by Saam Barati.
528
529         This patch updates test262 to the latest one, Jan 30 version.
530         Since added and changed files are too many, we cannot create ChangeLog.
531         The following files are changed.
532
533         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
534         including some special line terminators (like u2028, u2029).
535
536         * test262.yaml:
537         * test262/test262-Revision.txt:
538         * test262/*:
539
540 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
541
542         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
543         https://bugs.webkit.org/show_bug.cgi?id=182411
544
545         Reviewed by Carlos Alberto Lopez Perez.
546
547         This is skipped only on arm memory limited platforms. Until recently
548         it was not a problem on MIPS as the butterfly was not initialized. But
549         since r227435, the butterfly is initialized in that test and therefore
550         memory is allocated, and the test typically takes around 512M, which
551         means it generally gets OOM-killed on the MIPS buildbot.
552
553         * mozilla/mozilla-tests.yaml:
554
555 2018-02-01  Mark Lam  <mark.lam@apple.com>
556
557         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
558         https://bugs.webkit.org/show_bug.cgi?id=182419
559         <rdar://problem/37044945>
560
561         Reviewed by Saam Barati.
562
563         * stress/regress-182419.js: Added.
564
565 2018-02-01  Keith Miller  <keith_miller@apple.com>
566
567         Fix crashes due to mishandling custom sections.
568         https://bugs.webkit.org/show_bug.cgi?id=182404
569         <rdar://problem/36935863>
570
571         Reviewed by Saam Barati.
572
573         * wasm/Builder.js:
574         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
575         * wasm/js-api/validate.js:
576         (assert.truthy):
577
578 2018-01-31  Saam Barati  <sbarati@apple.com>
579
580         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
581         https://bugs.webkit.org/show_bug.cgi?id=182074
582         <rdar://problem/36846261>
583
584         Reviewed by Mark Lam.
585
586         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
587         (assert):
588         (let.func):
589         (let.o.foo):
590         (varFunc):
591
592 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
593
594         Unreviewed, update test262 expects
595         https://bugs.webkit.org/show_bug.cgi?id=182232
596
597         * test262.yaml:
598
599 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
600
601         [JSC] Implement trimStart and trimEnd
602         https://bugs.webkit.org/show_bug.cgi?id=182233
603
604         Reviewed by Mark Lam.
605
606         * stress/trim.js: Added.
607         (shouldBe):
608         (startTest):
609         (endTest):
610         (trimTest):
611
612 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
613
614         [JSC] Relax line terminators in String to make JSON subset of JS
615         https://bugs.webkit.org/show_bug.cgi?id=182232
616
617         Reviewed by Keith Miller.
618
619         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
620         * stress/relaxed-line-terminators-in-string.js: Added.
621         (shouldBe):
622
623 2018-01-29  Michael Saboff  <msaboff@apple.com>
624
625         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
626         https://bugs.webkit.org/show_bug.cgi?id=182249
627
628         Reviewed by Keith Miller.
629
630         New regression test.
631
632         * stress/compare-clobber-untypeduse.js: Added.
633
634 2018-01-29  Matt Lewis  <jlewis3@apple.com>
635
636         Unreviewed, rolling out r227725.
637
638         This caused internal failures.
639
640         Reverted changeset:
641
642         "JSC Sampling Profiler: Detect tester and testee when sampling
643         in RegExp JIT"
644         https://bugs.webkit.org/show_bug.cgi?id=152729
645         https://trac.webkit.org/changeset/227725
646
647 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
648
649         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
650         https://bugs.webkit.org/show_bug.cgi?id=152729
651
652         Reviewed by Saam Barati.
653
654         * stress/sampling-profiler-regexp.js: Added.
655         (platformSupportsSamplingProfiler.test):
656         (platformSupportsSamplingProfiler.baz):
657         (platformSupportsSamplingProfiler):
658
659 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
660
661         [DFG][FTL] WeakMap#set should have DFG node
662         https://bugs.webkit.org/show_bug.cgi?id=180015
663
664         Reviewed by Saam Barati.
665
666         * stress/weakmap-set-change-get.js: Added.
667         (shouldBe):
668         (test):
669         * stress/weakmap-set-cse.js: Added.
670         (shouldBe):
671         (test):
672         * stress/weakset-add-change-get.js: Added.
673         (shouldBe):
674         * stress/weakset-add-cse.js: Added.
675         (shouldBe):
676
677 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
678
679         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
680         https://bugs.webkit.org/show_bug.cgi?id=182213
681
682         Reviewed by Mark Lam.
683
684         * stress/int32-min-to-string.js: Added.
685         (shouldBe):
686         (test2):
687         (test4):
688         (test8):
689         (test16):
690         (test32):
691         * stress/zero-to-string.js: Added.
692         (shouldBe):
693         (test2):
694         (test4):
695         (test8):
696         (test16):
697         (test32):
698
699 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
700
701         Add more module scope related tests with code evaluation by string
702         https://bugs.webkit.org/show_bug.cgi?id=181983
703
704         Reviewed by Sam Weinig.
705
706         Add more module scope related tests. When the original tests are landed,
707         we do not have browser integration. This patch adds more module scope tests
708         with dynamically created script evaluation. We add tests with Function
709         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
710
711         * modules/scopes-eval.js: Added.
712         (shouldBe):
713         * modules/scopes.js:
714         (shouldBe):
715
716 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
717
718         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
719
720         * microbenchmarks/array-push-3.js: Removed.
721         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
722         * microbenchmarks/double-to-int32.js: Removed.
723         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
724         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
725         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
726         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
727         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
728         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
729         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
730         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
731         * microbenchmarks/map-constant-key.js: Removed.
732         * microbenchmarks/nested-function-parsing.js: Removed.
733         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
734         * microbenchmarks/spread-large-array.js: Removed.
735         * microbenchmarks/string-add-constant-folding.js: Removed.
736         * microbenchmarks/to-lower-case.js: Removed.
737         * microbenchmarks/undefined-property-access.js: Removed.
738         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
739         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
740         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
741         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
742         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
743         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
744         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
745         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
746         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
747         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
748         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
749         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
750         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
751         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
752         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
753         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
754         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
755         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
756
757 2018-01-23  Robin Morisset  <rmorisset@apple.com>
758
759         Update the argument count in DFGByteCodeParser::handleRecursiveCall
760         https://bugs.webkit.org/show_bug.cgi?id=181739
761         <rdar://problem/36627662>
762
763         Reviewed by Saam Barati.
764
765         * stress/recursive-tail-call-with-different-argument-count.js: Added.
766         (foo):
767         (bar):
768
769 2018-01-22  Michael Saboff  <msaboff@apple.com>
770
771         DFG abstract interpreter needs to properly model effects of some Math ops
772         https://bugs.webkit.org/show_bug.cgi?id=181886
773
774         Reviewed by Saam Barati.
775
776         New regression test.
777
778         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
779         (test):
780
781 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
782
783         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
784         https://bugs.webkit.org/show_bug.cgi?id=181182
785
786         Reviewed by Darin Adler.
787
788         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
789         * stress/big-int-prototype-to-string-exception.js: Added.
790         * stress/big-int-prototype-to-string-wrong-values.js: Added.
791         * stress/number-prototype-to-string-cast-overflow.js: Added.
792         * stress/number-prototype-to-string-exception.js: Added.
793         * stress/number-prototype-to-string-wrong-values.js: Added.
794
795 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
796
797         Disable Atomics when SharedArrayBuffer isn’t enabled
798         https://bugs.webkit.org/show_bug.cgi?id=181572
799
800         Unreviewed test gardening.
801
802         * test262.yaml: Skip tests that fail after this change.
803
804 2018-01-19  Saam Barati  <sbarati@apple.com>
805
806         Kill ArithNegate's ArithProfile assert inside BytecodeParser
807         https://bugs.webkit.org/show_bug.cgi?id=181877
808         <rdar://problem/36630552>
809
810         Reviewed by Mark Lam.
811
812         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
813         (runNearStackLimit):
814         (f1):
815         (f2):
816         (f3):
817         (i.catch):
818         (i.try.runNearStackLimit):
819         (catch):
820
821 2018-01-19  Saam Barati  <sbarati@apple.com>
822
823         Spread's effects are modeled incorrectly both in AI and in Clobberize
824         https://bugs.webkit.org/show_bug.cgi?id=181867
825         <rdar://problem/36290415>
826
827         Reviewed by Michael Saboff.
828
829         * stress/ai-needs-to-model-spreads-effects.js: Added.
830         (try.p.Symbol.iterator):
831         (try.go):
832         (catch):
833         * stress/clobberize-needs-to-model-spread-effects.js: Added.
834         (assert):
835         (foo):
836         (a.Symbol.iterator):
837
838 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
839
840         Unreviewed, reduce count of iteration to fix timing out debug JSC test
841         https://bugs.webkit.org/show_bug.cgi?id=181535
842
843         * stress/inserted-recovery-with-set-last-index.js:
844
845 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
846
847         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
848         https://bugs.webkit.org/show_bug.cgi?id=181535
849
850         Reviewed by Saam Barati.
851
852         * stress/inserted-recovery-with-set-last-index.js: Added.
853         (shouldBe):
854         (foo):
855         * stress/materialize-regexp-at-osr-exit.js: Added.
856         (shouldBe):
857         (test):
858         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
859         (shouldBe):
860         (test):
861         * stress/materialize-regexp-cyclic-regexp.js: Added.
862         (shouldBe):
863         (test):
864         (i.switch):
865         * stress/materialize-regexp-cyclic.js: Added.
866         (shouldBe):
867         (test):
868         (i.switch):
869         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
870         (bar):
871         (foo):
872         (test):
873         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
874         (bar):
875         (foo):
876         (test):
877         * stress/materialize-regexp.js: Added.
878         (shouldBe):
879         (test):
880         * stress/phantom-regexp-regexp-exec.js: Added.
881         (shouldBe):
882         (test):
883         * stress/phantom-regexp-string-match.js: Added.
884         (shouldBe):
885         (test):
886         * stress/regexp-last-index-sinking.js: Added.
887         (shouldBe):
888         (test):
889
890 2018-01-17  Saam Barati  <sbarati@apple.com>
891
892         Disable Atomics when SharedArrayBuffer isn’t enabled
893         https://bugs.webkit.org/show_bug.cgi?id=181572
894         <rdar://problem/36553206>
895
896         Reviewed by Michael Saboff.
897
898         * stress/isLockFree.js:
899
900 2018-01-17  Saam Barati  <sbarati@apple.com>
901
902         DFG::Node::convertToConstant needs to clear the varargs flags
903         https://bugs.webkit.org/show_bug.cgi?id=181697
904         <rdar://problem/36497332>
905
906         Reviewed by Yusuke Suzuki.
907
908         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
909         (doIndexOf):
910         (bar):
911         (i.bar):
912
913 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
914
915         Unreviewed, rolling out r226937.
916
917         Tests added with this change are failing due to a missing
918         exception check.
919
920         Reverted changeset:
921
922         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
923         double to int32_t"
924         https://bugs.webkit.org/show_bug.cgi?id=181182
925         https://trac.webkit.org/changeset/226937
926
927 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
928
929         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
930         https://bugs.webkit.org/show_bug.cgi?id=181182
931
932         Reviewed by Darin Adler.
933
934         * bigIntTests.yaml:
935         * stress/big-int-constructor.js:
936         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
937         (assert):
938         (assertThrowRangeError):
939         * stress/number-prototype-to-string-cast-overflow.js: Added.
940         (assert):
941         (assertThrowRangeError):
942
943 2018-01-12  Saam Barati  <sbarati@apple.com>
944
945         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
946         https://bugs.webkit.org/show_bug.cgi?id=181177
947         <rdar://problem/36205704>
948
949         Reviewed by Yusuke Suzuki.
950
951         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
952         (runNearStackLimit.t):
953         (runNearStackLimit):
954         (test.f):
955         (test):
956
957 2018-01-12  Saam Barati  <sbarati@apple.com>
958
959         Each variant of a polymorphic inlined call should be exitOK at the top of the block
960         https://bugs.webkit.org/show_bug.cgi?id=181562
961         <rdar://problem/36445624>
962
963         Reviewed by Yusuke Suzuki.
964
965         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
966         (f):
967         (foo):
968
969 2018-01-11  Saam Barati  <sbarati@apple.com>
970
971         When inserting Unreachable in byte code parser we need to flush all the right things
972         https://bugs.webkit.org/show_bug.cgi?id=181509
973         <rdar://problem/36423110>
974
975         Reviewed by Mark Lam.
976
977         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
978
979 2018-01-11  Saam Barati  <sbarati@apple.com>
980
981         JITMathIC code in the FTL is wrong when code gets duplicated
982         https://bugs.webkit.org/show_bug.cgi?id=181525
983         <rdar://problem/36351993>
984
985         Reviewed by Michael Saboff and Keith Miller.
986
987         * stress/allow-math-ic-b3-code-duplication.js: Added.
988
989 2018-01-11  Saam Barati  <sbarati@apple.com>
990
991         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
992         https://bugs.webkit.org/show_bug.cgi?id=181508
993
994         Reviewed by Yusuke Suzuki.
995
996         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
997         (assert):
998         (test1.foo):
999         (test1):
1000         (test2.foo):
1001         (test2):
1002
1003 2018-01-09  Mark Lam  <mark.lam@apple.com>
1004
1005         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1006         https://bugs.webkit.org/show_bug.cgi?id=181388
1007         <rdar://problem/36349351>
1008
1009         Reviewed by Saam Barati.
1010
1011         * stress/regress-181388.js: Added.
1012
1013 2018-01-08  JF Bastien  <jfbastien@apple.com>
1014
1015         WebAssembly: mask indexed accesses to Table
1016         https://bugs.webkit.org/show_bug.cgi?id=181412
1017         <rdar://problem/36363236>
1018
1019         Reviewed by Saam Barati.
1020
1021         Update error messages.
1022
1023         * wasm/js-api/table.js:
1024         (assert.throws.WebAssembly.Table.prototype.grow):
1025
1026 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1027
1028         Disable SharedArrayBuffer tests missed in r226386.
1029         https://bugs.webkit.org/show_bug.cgi?id=181266
1030
1031         Unreviewed test gardening.
1032
1033         * test262.yaml:
1034
1035 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1036
1037         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1038         https://bugs.webkit.org/show_bug.cgi?id=181321
1039
1040         Reviewed by Saam Barati.
1041
1042         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1043         (shouldBe):
1044         (testFunction):
1045         * test262.yaml:
1046
1047 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1048
1049         Unreviewed, attempt to fix test262 after r226386.
1050
1051         * test262.yaml:
1052
1053 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1054
1055         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1056         https://bugs.webkit.org/show_bug.cgi?id=179911
1057
1058         Reviewed by Saam Barati.
1059
1060         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1061
1062         * stress/map-set-change-get.js: Added.
1063         (shouldBe):
1064         (test):
1065         * stress/map-set-create-bucket.js: Added.
1066         (shouldBe):
1067         (test):
1068         * stress/set-add-create-bucket.js: Added.
1069         (shouldBe):
1070
1071 2018-01-03  Michael Saboff  <msaboff@apple.com>
1072
1073         Disable SharedArrayBuffers from Web API
1074         https://bugs.webkit.org/show_bug.cgi?id=181266
1075
1076         Reviewed by Saam Barati.
1077
1078         Disabled SharedArrayBuffer tests.
1079
1080         * stress/SharedArrayBuffer-opt.js:
1081         * stress/SharedArrayBuffer.js:
1082         * stress/array-buffer-byte-length.js:
1083         * stress/atomics-add-uint32.js:
1084         * stress/atomics-known-int-use.js:
1085         * stress/atomics-neg-zero.js:
1086         * stress/atomics-store-return.js:
1087         * stress/lars-sab-workers.js:
1088         * stress/regress-159779-1.js:
1089         * stress/regress-159779-2.js:
1090         * stress/regress-170473.js:
1091         * test262.yaml:
1092
1093 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1094
1095         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1096         https://bugs.webkit.org/show_bug.cgi?id=181258
1097
1098         Reviewed by Antonio Gomes.
1099
1100         * stress/big-int-constructor-gc.js:
1101         * stress/big-int-constructor-oom.js:
1102
1103 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1104
1105         Inlining of a function that ends in op_unreachable crashes
1106         https://bugs.webkit.org/show_bug.cgi?id=181027
1107
1108         Reviewed by Filip Pizlo.
1109
1110         * stress/inlining-unreachable.js: Added.
1111         (bar):
1112         (baz):
1113         (i.catch):
1114
1115 2018-01-02  Saam Barati  <sbarati@apple.com>
1116
1117         Incorrect assertion inside AccessCase
1118         https://bugs.webkit.org/show_bug.cgi?id=181200
1119         <rdar://problem/35494754>
1120
1121         Reviewed by Yusuke Suzuki.
1122
1123         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1124         (ctor):
1125         (theFunc):
1126         (run):
1127
1128 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1129
1130         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1131         https://bugs.webkit.org/show_bug.cgi?id=175359
1132
1133         Reviewed by Yusuke Suzuki.
1134
1135         * bigIntTests.yaml:
1136         * stress/big-int-as-key.js: Added.
1137         * stress/big-int-constructor-gc.js: Added.
1138         * stress/big-int-constructor-oom.js: Added.
1139         * stress/big-int-constructor-properties.js: Added.
1140         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1141         * stress/big-int-constructor-prototype.js: Added.
1142         * stress/big-int-constructor.js: Added.
1143         * stress/big-int-function-apply.js:
1144         * stress/big-int-length.js: Added.
1145         * stress/big-int-prop-descriptor.js: Added.
1146         * stress/big-int-proto-constructor.js: Added.
1147         * stress/big-int-proto-name.js: Added.
1148         * stress/big-int-prototype-properties.js: Added.
1149         * stress/big-int-prototype-proto.js: Added.
1150         * stress/big-int-prototype-value-of.js: Added.
1151         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1152         * stress/big-int-prototype-to-string-apply.js: Added.
1153         * stress/big-int-to-object.js: Added.
1154         * stress/big-int-to-string.js: Added.
1155
1156 2017-12-28  Saam Barati  <sbarati@apple.com>
1157
1158         Assertion used to determine if something is an async generator is wrong
1159         https://bugs.webkit.org/show_bug.cgi?id=181168
1160         <rdar://problem/35640560>
1161
1162         Reviewed by Yusuke Suzuki.
1163
1164         * stress/async-generator-assertion.js: Added.
1165
1166 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1167
1168         Skip stress/splay-flash-access tests on memory limited platforms
1169         https://bugs.webkit.org/show_bug.cgi?id=181086
1170
1171         Reviewed by Carlos Alberto Lopez Perez.
1172
1173         These tests use about 185M of memory, and occasionally get OOM-killed
1174         on memory limited platforms.
1175
1176         * stress/splay-flash-access-1ms.js:
1177         * stress/splay-flash-access.js:
1178
1179 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1180
1181         Skip slow jsc tests on embedded platforms
1182         https://bugs.webkit.org/show_bug.cgi?id=180937
1183
1184         Reviewed by Carlos Alberto Lopez Perez.
1185
1186         The tests typeProfiler/deltablue-for-of.js and
1187         typeProfiler/getter-richards.js take a very long time in the
1188         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1189         thus always timeout. They should be skipped on these platforms.
1190
1191         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1192         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1193
1194 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1195
1196         [JSC] Do not check isValid() in op_new_regexp
1197         https://bugs.webkit.org/show_bug.cgi?id=180970
1198
1199         Reviewed by Saam Barati.
1200
1201         * stress/regexp-syntax-error-invalid-flags.js: Added.
1202         (shouldThrow):
1203
1204 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1205
1206         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1207         https://bugs.webkit.org/show_bug.cgi?id=180712
1208
1209         Reviewed by Michael Catanzaro.
1210
1211         stress/call-apply-exponential-bytecode-size.js crashes if the
1212         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1213         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1214         should skip the test on other platforms.
1215
1216         * stress/call-apply-exponential-bytecode-size.js:
1217
1218 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1219
1220         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1221         https://bugs.webkit.org/show_bug.cgi?id=179762
1222
1223         Reviewed by Saam Barati.
1224
1225         * stress/call-varargs-double-new-array-buffer.js: Added.
1226         (assert):
1227         (bar):
1228         (foo):
1229         * stress/call-varargs-spread-new-array-buffer.js: Added.
1230         (assert):
1231         (bar):
1232         (foo):
1233         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1234         (assert):
1235         (bar):
1236         (foo):
1237         * stress/forward-varargs-double-new-array-buffer.js: Added.
1238         (assert):
1239         (test.baz):
1240         (test.bar):
1241         (test.foo):
1242         (test):
1243         * stress/new-array-buffer-sinking-osrexit.js: Added.
1244         (target):
1245         (test):
1246         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1247         (shouldBe):
1248         (test):
1249         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1250         (shouldBe):
1251         (target):
1252         (test):
1253         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1254         (assert):
1255         (test1.bar):
1256         (test1.foo):
1257         (test1):
1258         (test2.bar):
1259         (test2.foo):
1260         (test3.baz):
1261         (test3.bar):
1262         (test3.foo):
1263         (test4.baz):
1264         (test4.bar):
1265         (test4.foo):
1266         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1267         (assert):
1268         (test.baz):
1269         (test.bar):
1270         (test.foo):
1271         (test):
1272         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1273         (assert):
1274         (baz):
1275         (bar):
1276         (effects):
1277         (foo):
1278
1279 2017-12-14  Saam Barati  <sbarati@apple.com>
1280
1281         The CleanUp after LICM is erroneously removing a Check
1282         https://bugs.webkit.org/show_bug.cgi?id=180852
1283         <rdar://problem/36063494>
1284
1285         Reviewed by Filip Pizlo.
1286
1287         * stress/dont-run-cleanup-after-licm.js: Added.
1288
1289 2017-12-14  Michael Saboff  <msaboff@apple.com>
1290
1291         REGRESSION (r225695): Repro crash on yahoo login page
1292         https://bugs.webkit.org/show_bug.cgi?id=180761
1293
1294         Reviewed by JF Bastien.
1295
1296         New regression test.
1297
1298         * stress/regress-180761.js: Added.
1299
1300 2017-12-13  Keith Miller  <keith_miller@apple.com>
1301
1302         JSObjects should have a mask for loading indexed properties
1303         https://bugs.webkit.org/show_bug.cgi?id=180768
1304
1305         Reviewed by Mark Lam.
1306
1307         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1308         (test):
1309
1310 2017-12-13  Saam Barati  <sbarati@apple.com>
1311
1312         Arrow functions need their own structure because they have different properties than sloppy functions
1313         https://bugs.webkit.org/show_bug.cgi?id=180779
1314         <rdar://problem/35814591>
1315
1316         Reviewed by Mark Lam.
1317
1318         * stress/arrow-function-needs-its-own-structure.js: Added.
1319         (assert):
1320         (readPrototype):
1321         (noInline.let.f1):
1322         (noInline):
1323
1324 2017-12-13  Saam Barati  <sbarati@apple.com>
1325
1326         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1327         https://bugs.webkit.org/show_bug.cgi?id=163579
1328         <rdar://problem/35455798>
1329
1330         Reviewed by Mark Lam.
1331
1332         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1333         (assert):
1334         (test1):
1335         (i.test1):
1336         (i.test1.C):
1337         (i.test1.async.foo):
1338         (i.test1.foo):
1339         (test2):
1340
1341 2017-12-13  Saam Barati  <sbarati@apple.com>
1342
1343         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1344         https://bugs.webkit.org/show_bug.cgi?id=180734
1345         <rdar://problem/35640547>
1346
1347         Reviewed by Yusuke Suzuki.
1348
1349         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1350         (__isPropertyOfType):
1351         (__getProperties):
1352         (__getObjects):
1353         (__getRandomObject):
1354         (theClass.):
1355         (theClass):
1356         (childClass):
1357         (counter.catch):
1358
1359 2017-12-12  Saam Barati  <sbarati@apple.com>
1360
1361         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1362         https://bugs.webkit.org/show_bug.cgi?id=180725
1363         <rdar://problem/35970511>
1364
1365         Reviewed by Michael Saboff.
1366
1367         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1368         (f1):
1369         (f2):
1370         (let.o2.valueOf):
1371
1372 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1373
1374         [JSC] Implement optimized WeakMap and WeakSet
1375         https://bugs.webkit.org/show_bug.cgi?id=179929
1376
1377         Reviewed by Saam Barati.
1378
1379         * microbenchmarks/weak-map-key.js:
1380         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1381         (assert):
1382         (objectKey):
1383         (let.start.Date.now):
1384         * stress/basic-weakmap.js: Added.
1385         (shouldBe):
1386         (test):
1387         * stress/basic-weakset.js: Added.
1388         (shouldBe):
1389         (test.set new):
1390         * stress/weakmap-cse-set-break.js: Added.
1391         (shouldBe):
1392         (test):
1393         * stress/weakmap-cse.js: Added.
1394         (shouldBe):
1395         (test):
1396         * stress/weakmap-gc.js: Added.
1397         (test):
1398         * stress/weakset-cse-add-break.js: Added.
1399         (shouldBe):
1400         (test.set new):
1401         * stress/weakset-cse.js: Added.
1402         (shouldBe):
1403         (test.set new):
1404         * stress/weakset-gc.js: Added.
1405         (test.set add):
1406         (test.set new):
1407         (test):
1408
1409 2017-12-12  Saam Barati  <sbarati@apple.com>
1410
1411         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1412         https://bugs.webkit.org/show_bug.cgi?id=180723
1413         <rdar://problem/35859726>
1414
1415         Reviewed by JF Bastien.
1416
1417         * stress/get-my-argument-by-val-constant-folding.js: Added.
1418         (test):
1419         (catch):
1420
1421 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1422
1423         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1424         https://bugs.webkit.org/show_bug.cgi?id=179000
1425
1426         Reviewed by Darin Adler and Yusuke Suzuki.
1427
1428         * bigIntTests.yaml: Added.
1429         * stress/big-int-literal-line-terminator.js: Added.
1430         * stress/big-int-literals.js: Added.
1431         * stress/big-int-operations-error.js: Added.
1432         * stress/big-int-type-of.js: Added.
1433         * stress/big-int-white-space-trailing-leading.js: Added.
1434         * stress/big-int-function-apply.js: Added.
1435
1436 2017-12-11  Saam Barati  <sbarati@apple.com>
1437
1438         We need to disableCaching() in ErrorInstance when we materialize properties
1439         https://bugs.webkit.org/show_bug.cgi?id=180343
1440         <rdar://problem/35833002>
1441
1442         Reviewed by Mark Lam.
1443
1444         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1445         (assert):
1446         (makeError):
1447         (storeToStack):
1448         (storeToStackAlreadyMaterialized):
1449
1450 2017-12-05  JF Bastien  <jfbastien@apple.com>
1451
1452         WebAssembly: don't eagerly checksum
1453         https://bugs.webkit.org/show_bug.cgi?id=180441
1454         <rdar://problem/35156628>
1455
1456         Reviewed by Saam Barati.
1457
1458         Checksum is now disabled, so tests only have <?> as the module
1459         name.
1460
1461         * wasm/function-tests/nameSection.js:
1462         * wasm/function-tests/stack-overflow.js:
1463         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1464         (assertOverflows.assertThrows):
1465         (assertOverflows):
1466         * wasm/function-tests/stack-trace.js:
1467
1468 2017-12-04  JF Bastien  <jfbastien@apple.com>
1469
1470         Proxy all functions, except the $ objects
1471         https://bugs.webkit.org/show_bug.cgi?id=180375
1472
1473         Reviewed by Saam Barati.
1474
1475         It looks like this test may have broken some executions because I
1476         call some internal objects. Explicitly ignore objects whose name
1477         starts with "$" because it's a bad idea anyways.
1478
1479         * stress/proxy-all-the-parameters.js:
1480         (generateObjects):
1481         (get throw):
1482
1483 2017-12-04  Saam Barati  <sbarati@apple.com>
1484
1485         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1486         https://bugs.webkit.org/show_bug.cgi?id=180366
1487         <rdar://problem/35685877>
1488
1489         Reviewed by Michael Saboff.
1490
1491         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1492         (theParent):
1493         (test1.base.getParentStaticValue):
1494         (test1.base):
1495         (test1.__v_24888.prototype.set prop):
1496         (test1.__v_24888):
1497         (test2.base.getParentStaticValue):
1498         (test2.base):
1499         (test2.__v_24888.prototype.set prop):
1500         (test2.__v_24888):
1501         (test2):
1502
1503 2017-12-01  JF Bastien  <jfbastien@apple.com>
1504
1505         Try proxying all function arguments
1506         https://bugs.webkit.org/show_bug.cgi?id=180306
1507
1508         Reviewed by Saam Barati.
1509
1510         * stress/proxy-all-the-parameters.js: Added.
1511         (isPropertyOfType):
1512         (getProperties):
1513         (generateObjects):
1514         (getObjects):
1515         (getFunctions):
1516         (get throw):
1517         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1518
1519 2017-12-01  JF Bastien  <jfbastien@apple.com>
1520
1521         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1522         https://bugs.webkit.org/show_bug.cgi?id=180297
1523         <rdar://problem/35745556>
1524
1525         Reviewed by Mark Lam.
1526
1527         * stress/math-exceptions.js: Added.
1528         (get try):
1529         (catch):
1530
1531 2017-12-01  JF Bastien  <jfbastien@apple.com>
1532
1533         JavaScriptCore: add test for weird class static getters
1534         https://bugs.webkit.org/show_bug.cgi?id=180281
1535         <rdar://problem/35592139>
1536
1537         Reviewed by Mark Lam.
1538
1539         I fixed a bug for it in r224927 and didn't add a test. Do so.
1540
1541         * stress/class-static-get-weird.js: Added.
1542         (c.prototype.get name):
1543         (c):
1544         (c.prototype.get arguments):
1545         (c.prototype.get caller):
1546         (c.prototype.get length):
1547
1548 2017-12-01  Saam Barati  <sbarati@apple.com>
1549
1550         Having a bad time needs to handle ArrayClass indexing type as well
1551         https://bugs.webkit.org/show_bug.cgi?id=180274
1552         <rdar://problem/35667869>
1553
1554         Reviewed by Keith Miller and Mark Lam.
1555
1556         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1557         (assert):
1558         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1559         (assert):
1560
1561 2017-12-01  JF Bastien  <jfbastien@apple.com>
1562
1563         WebAssembly: restore cached stack limit after out-call
1564         https://bugs.webkit.org/show_bug.cgi?id=179106
1565         <rdar://problem/35337525>
1566
1567         Reviewed by Saam Barati.
1568
1569         * wasm/function-tests/double-instance.js: Added.
1570         (const.imp.boom):
1571         (const.imp.get callAnother):
1572
1573 2017-11-30  JF Bastien  <jfbastien@apple.com>
1574
1575         WebAssembly: improve stack trace
1576         https://bugs.webkit.org/show_bug.cgi?id=179343
1577
1578         Reviewed by Saam Barati.
1579
1580         Update the tests to follow the new format. Notably, SHA1 module
1581         hash is now included in traces, and stubs are properly identified.
1582
1583         * wasm/assert.js: Add an assertion which matches regular expressions.
1584         * wasm/function-tests/nameSection.js:
1585         * wasm/function-tests/stack-overflow.js:
1586         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1587         (assertOverflows.assertThrows.wasm.1):
1588         (assertOverflows.assertThrows.wasm.0):
1589         (assertOverflows.assertThrows):
1590         (assertOverflows):
1591         * wasm/function-tests/stack-trace.js:
1592         (import.Builder.from.string_appeared_here.assert): Deleted.
1593         * wasm/function-tests/trap-after-cross-instance-call.js:
1594         (wasmFrameCountFromError):
1595         * wasm/function-tests/trap-load-2.js:
1596         (wasmFrameCountFromError):
1597         * wasm/function-tests/trap-load.js:
1598         (wasmFrameCountFromError):
1599
1600 2017-11-30  Mark Lam  <mark.lam@apple.com>
1601
1602         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1603         https://bugs.webkit.org/show_bug.cgi?id=180219
1604         <rdar://problem/35696536>
1605
1606         Reviewed by Filip Pizlo.
1607
1608         * stress/regress-180219.js: Added.
1609
1610 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1611
1612         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1613         https://bugs.webkit.org/show_bug.cgi?id=180190
1614
1615         Reviewed by Mark Lam.
1616
1617         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1618         (shouldBe):
1619         (test1):
1620         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1621         (shouldBe):
1622         (test1):
1623         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1624         (shouldBe):
1625         (test1):
1626         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1627         (shouldBe):
1628         (test1):
1629         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1630         (shouldBe):
1631         (test1):
1632         * stress/operation-in-may-have-negative-int32.js: Added.
1633         (shouldBe):
1634         (test2):
1635         * stress/operation-in-negative-int32-cast.js: Added.
1636         (shouldBe):
1637         (test1):
1638
1639 2017-11-28  JF Bastien  <jfbastien@apple.com>
1640
1641         Strict and sloppy functions shouldn't share structure
1642         https://bugs.webkit.org/show_bug.cgi?id=180103
1643         <rdar://problem/35667847>
1644
1645         Reviewed by Saam Barati.
1646
1647         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1648         because the IC was wrong.
1649         (foo):
1650         (bar):
1651         (baz):
1652         (catch):
1653         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1654         in this patch, but may as well test odd strict mode corner cases.
1655         (bar):
1656         (baz):
1657         (catch):
1658         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1659         (foo):
1660         (bar):
1661         (baz):
1662         (catch):
1663         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1664         next file, but with invalidation of the FunctionExecutable's
1665         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1666         slower path.
1667         (foo):
1668         (bar.const.x):
1669         (bar.const.y):
1670         (bar):
1671         (catch):
1672         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1673         strict nesting works correctly.
1674         (foo):
1675         (bar.baz):
1676         (bar):
1677         * stress/strict-function-structure.js: Added. The test used to
1678         assert in objectProtoFuncHasOwnProperty.
1679         (foo):
1680         (bar):
1681         (baz):
1682         * stress/strict-nested-function-structure.js: Added. Nesting.
1683         (foo):
1684         (bar):
1685         (baz.boo):
1686         (baz):
1687
1688 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1689
1690         The recursive tail call optimisation is wrong on closures
1691         https://bugs.webkit.org/show_bug.cgi?id=179835
1692
1693         Reviewed by Saam Barati.
1694
1695         * stress/closure-recursive-tail-call.js: Added.
1696         (makeClosure):
1697
1698 2017-11-27  JF Bastien  <jfbastien@apple.com>
1699
1700         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1701         https://bugs.webkit.org/show_bug.cgi?id=180051
1702         <rdar://problem/35614371>
1703
1704         Reviewed by Saam Barati.
1705
1706         * stress/rest-parameter-negative.js: Added.
1707         (__f_5484):
1708         (catch):
1709         (__f_5485):
1710         (__v_22598.catch):
1711
1712 2017-11-27  Saam Barati  <sbarati@apple.com>
1713
1714         Spread can escape when CreateRest does not
1715         https://bugs.webkit.org/show_bug.cgi?id=180057
1716         <rdar://problem/35676119>
1717
1718         Reviewed by JF Bastien.
1719
1720         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1721         (assert):
1722         (getProperties):
1723         (theFunc):
1724         (let.obj.valueOf):
1725
1726 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1727
1728         [DFG] Add NormalizeMapKey DFG IR
1729         https://bugs.webkit.org/show_bug.cgi?id=179912
1730
1731         Reviewed by Saam Barati.
1732
1733         * stress/map-untyped-normalize-cse.js: Added.
1734         (shouldBe):
1735         (test):
1736         * stress/map-untyped-normalize.js: Added.
1737         (shouldBe):
1738         (test):
1739         * stress/set-untyped-normalize-cse.js: Added.
1740         (shouldBe):
1741         (set return.set has.set has):
1742         * stress/set-untyped-normalize.js: Added.
1743         (shouldBe):
1744         (set return.set has):
1745
1746 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1747
1748         [FTL] Support DeleteById and DeleteByVal
1749         https://bugs.webkit.org/show_bug.cgi?id=180022
1750
1751         Reviewed by Saam Barati.
1752
1753         * stress/delete-by-id.js: Added.
1754         (shouldBe):
1755         (test1):
1756         (test2):
1757         * stress/delete-by-val-ftl.js: Added.
1758         (shouldBe):
1759         (test1):
1760         (test2):
1761
1762 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1763
1764         [DFG] Introduce {Set,Map,WeakMap}Fields
1765         https://bugs.webkit.org/show_bug.cgi?id=179925
1766
1767         Reviewed by Saam Barati.
1768
1769         * stress/map-set-clobber-map-get.js: Added.
1770         (shouldBe):
1771         (test):
1772         * stress/map-set-does-not-clobber-set-has.js: Added.
1773         (shouldBe):
1774         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1775         (shouldBe):
1776         (test):
1777         * stress/set-add-clobber-set-has.js: Added.
1778         (shouldBe):
1779         * stress/set-add-does-not-clobber-map-get.js: Added.
1780         (shouldBe):
1781
1782 2017-11-24  Mark Lam  <mark.lam@apple.com>
1783
1784         Move unsafe jsc shell test functions to the $vm object.
1785         https://bugs.webkit.org/show_bug.cgi?id=179980
1786
1787         Reviewed by Yusuke Suzuki.
1788
1789         * controlFlowProfiler/driver/driver.js:
1790         * controlFlowProfiler/execution-count.js:
1791         * controlFlowProfiler/if-statement.js:
1792         * controlFlowProfiler/loop-statements.js:
1793         * controlFlowProfiler/switch-statements.js:
1794         * controlFlowProfiler/test-jit.js:
1795         * exceptionFuzz/3d-cube.js:
1796         * exceptionFuzz/date-format-xparb.js:
1797         * exceptionFuzz/earley-boyer.js:
1798         * heapProfiler/basic-edges.js:
1799         * heapProfiler/property-edge-types.js:
1800         * microbenchmarks/try-get-by-id-basic.js:
1801         * microbenchmarks/try-get-by-id-polymorphic.js:
1802         * modules/namespace-object-try-get.js:
1803         * stress/argument-count-bytecode.js:
1804         * stress/argument-intrinsic-basic.js:
1805         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1806         * stress/argument-intrinsic-inlining-with-result-escape.js:
1807         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1808         * stress/argument-intrinsic-inlining-with-vararg.js:
1809         * stress/argument-intrinsic-nested-inlining.js:
1810         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1811         * stress/argument-intrinsic-with-stack-write.js:
1812         * stress/arity-mismatch-get-argument.js:
1813         * stress/array-message-passing.js:
1814         * stress/array-push-with-force-exit.js:
1815         * stress/check-dom-with-signature.js:
1816         * stress/check-sub-class.js:
1817         * stress/compare-eq-incomplete-profile.js:
1818         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1819         * stress/do-eval-virtual-call-correctly.js:
1820         * stress/dom-jit-with-poly-proto.js:
1821         * stress/domjit-exception-ic.js:
1822         * stress/domjit-exception.js:
1823         * stress/domjit-getter-complex-with-incorrect-object.js:
1824         * stress/domjit-getter-complex.js:
1825         * stress/domjit-getter-poly.js:
1826         * stress/domjit-getter-proto.js:
1827         * stress/domjit-getter-super-poly.js:
1828         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1829         * stress/domjit-getter-type-check.js:
1830         * stress/domjit-getter.js:
1831         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1832         * stress/for-in-proxy-target-changed-structure.js:
1833         * stress/for-in-proxy.js:
1834         * stress/generational-opaque-roots.js:
1835         * stress/global-const-redeclaration-setting-2.js:
1836         * stress/global-const-redeclaration-setting-3.js:
1837         * stress/global-const-redeclaration-setting-4.js:
1838         * stress/global-const-redeclaration-setting-5.js:
1839         * stress/global-const-redeclaration-setting.js:
1840         * stress/import-basic.js:
1841         * stress/import-from-eval.js:
1842         * stress/import-reject-with-exception.js:
1843         * stress/import-syntax.js:
1844         * stress/impure-get-own-property-slot-inline-cache.js:
1845         * stress/is-constructor.js:
1846         * stress/istypedarrayview-intrinsic.js:
1847         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1848         * stress/jsc-test-functions-should-be-more-robust.js:
1849         * stress/object-toString-with-proxy.js:
1850         * stress/poly-proto-custom-value-and-accessor.js:
1851         * stress/proxy-inline-cache.js:
1852         * stress/re-execute-error-module.js:
1853         * stress/regress-150532.js:
1854         * stress/regress-156992.js:
1855         * stress/regress-179619.js:
1856         * stress/resources/shadow-chicken-support.js:
1857         * stress/runtime-array.js:
1858         * stress/sampling-profiler-microtasks.js:
1859         * stress/shadow-chicken-enabled.js:
1860         * stress/spread-correct-global-object-on-exception.js:
1861         * stress/super-get-by-id.js:
1862         * stress/tailCallForwardArguments.js:
1863         * stress/to-object-intrinsic-boolean-edge.js:
1864         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1865         * stress/to-object-intrinsic-number-edge.js:
1866         * stress/to-object-intrinsic-object-edge.js:
1867         * stress/to-object-intrinsic-string-edge.js:
1868         * stress/to-object-intrinsic-symbol-edge.js:
1869         * stress/to-object-intrinsic.js:
1870         * stress/try-catch-custom-getter-as-get-by-id.js:
1871         * stress/try-get-by-id-poly-proto.js:
1872         * stress/try-get-by-id-should-spill-registers-dfg.js:
1873         * stress/try-get-by-id.js:
1874         * typeProfiler/arrow-functions.js:
1875         * typeProfiler/basic.js:
1876         * typeProfiler/captured.js:
1877         * typeProfiler/classes.js:
1878         * typeProfiler/dfg-jit-optimizations.js:
1879         * typeProfiler/dictionary-mode.js:
1880         * typeProfiler/es6-block-scoping.js:
1881         * typeProfiler/es6-classes.js:
1882         * typeProfiler/inheritance.js:
1883         * typeProfiler/int52-dfg.js:
1884         * typeProfiler/loop.js:
1885         * typeProfiler/optional-fields.js:
1886         * typeProfiler/overflow.js:
1887         * typeProfiler/return.js:
1888         * typeProfiler/symbol.js:
1889         * typeProfiler/weird-prototype-chain.js:
1890
1891 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1892
1893         [DFG][FTL] Support MapSet / SetAdd intrinsics
1894         https://bugs.webkit.org/show_bug.cgi?id=179858
1895
1896         Reviewed by Saam Barati.
1897
1898         * microbenchmarks/map-has-and-set.js: Added.
1899         (test):
1900         * stress/map-set-check-failure.js: Added.
1901         (shouldBe):
1902         (shouldThrow):
1903         (target):
1904         * stress/map-set-cse.js: Added.
1905         (shouldBe):
1906         (test):
1907         * stress/set-add-check-failure.js: Added.
1908         (shouldBe):
1909         (shouldThrow):
1910         (set shouldThrow):
1911         * stress/set-add-cse.js: Added.
1912         (shouldBe):
1913
1914 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1915
1916         [JSC] Allow poly proto for intrinsic getters
1917         https://bugs.webkit.org/show_bug.cgi?id=179550
1918
1919         Reviewed by Saam Barati.
1920
1921         This change is also tested by existing tests.
1922
1923             1. stress/intrinsic-getter-with-poly-proto.js
1924             2. stress/poly-proto-intrinsic-getter-correctness.js
1925
1926         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1927         (shouldBe):
1928         (makePolyProtoObject.foo.C):
1929         (makePolyProtoObject.foo):
1930         (makePolyProtoObject):
1931         (target):
1932         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1933         (shouldBe):
1934         (makePolyProtoObject.foo.C):
1935         (makePolyProtoObject.foo):
1936         (makePolyProtoObject):
1937         (target):
1938
1939 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1940
1941         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1942         https://bugs.webkit.org/show_bug.cgi?id=179744
1943
1944         Reviewed by Michael Catanzaro.
1945
1946         This test uses too much memory for our buildbots on these platforms
1947         and gets OOM-killed.
1948
1949         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1950         Skip if $memoryLimited and linux.
1951
1952 2017-11-17  JF Bastien  <jfbastien@apple.com>
1953
1954         WebAssembly JS API: throw when a promise can't be created
1955         https://bugs.webkit.org/show_bug.cgi?id=179826
1956         <rdar://problem/35455813>
1957
1958         Reviewed by Mark Lam.
1959
1960         Test WebAssembly.{compile,instantiate} where promise creation
1961         fails because of a stack overflow.
1962
1963         * wasm/js-api/promise-stack-overflow.js: Added.
1964         (const.runNearStackLimit.f.const.t):
1965         (async.testCompile):
1966         (async.testInstantiate):
1967
1968 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1969
1970         Unreviewed, mark regress-178385.js as memory exhausting
1971
1972         * stress/regress-178385.js:
1973
1974 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1975
1976         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1977
1978         Unreviewed test gardening.
1979
1980         * test262.yaml:
1981
1982 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1983
1984         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1985         https://bugs.webkit.org/show_bug.cgi?id=179763
1986         <rdar://problem/35550513>
1987
1988         Reviewed by Keith Miller.
1989
1990         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1991
1992         * stress/tdz-this-in-try-catch.js: Added.
1993         (__v_6388):
1994         (__v_6392):
1995
1996 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1997
1998         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1999         https://bugs.webkit.org/show_bug.cgi?id=179594
2000
2001         Reviewed by Saam Barati.
2002
2003         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2004         (shouldBe):
2005         (args):
2006         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2007         (shouldBe):
2008         (args):
2009
2010 2017-11-14  Saam Barati  <sbarati@apple.com>
2011
2012         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2013         https://bugs.webkit.org/show_bug.cgi?id=179639
2014         <rdar://problem/35513018>
2015
2016         Reviewed by JF Bastien.
2017
2018         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2019         (escape):
2020         (i.func):
2021
2022 2017-11-13  Mark Lam  <mark.lam@apple.com>
2023
2024         Add more overflow check book-keeping for MarkedArgumentBuffer.
2025         https://bugs.webkit.org/show_bug.cgi?id=179634
2026         <rdar://problem/35492517>
2027
2028         Reviewed by Saam Barati.
2029
2030         * stress/regress-179634.js: Added.
2031
2032 2017-11-13  Mark Lam  <mark.lam@apple.com>
2033
2034         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2035         https://bugs.webkit.org/show_bug.cgi?id=179619
2036         <rdar://problem/35492518>
2037
2038         Reviewed by Saam Barati.
2039
2040         * stress/regress-179619.js: Added.
2041
2042 2017-11-12  Mark Lam  <mark.lam@apple.com>
2043
2044         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2045         https://bugs.webkit.org/show_bug.cgi?id=179562
2046         <rdar://problem/35467022>
2047
2048         Reviewed by Saam Barati.
2049
2050         * regress-179562.js: Added.
2051
2052 2017-11-08  Saam Barati  <sbarati@apple.com>
2053
2054         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2055         https://bugs.webkit.org/show_bug.cgi?id=177792
2056
2057         Reviewed by Yusuke Suzuki.
2058
2059         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2060         (assert):
2061         (foo.Foo.prototype.ensureX):
2062         (foo.Foo):
2063         (foo):
2064         (access):
2065
2066 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2067
2068         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2069         https://bugs.webkit.org/show_bug.cgi?id=178592
2070
2071         Unreviewed test gardening.
2072
2073         * test262.yaml:
2074
2075 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2076
2077         Turn recursive tail calls into loops
2078         https://bugs.webkit.org/show_bug.cgi?id=176601
2079
2080         Reviewed by Saam Barati.
2081
2082         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2083
2084         Add some simple test that computes factorial in several ways, and other trivial computations.
2085         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2086         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2087         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2088         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2089
2090         * stress/inline-call-to-recursive-tail-call.js: Added.
2091         (factorial.aux):
2092         (factorial):
2093         (factorial2.aux2):
2094         (factorial2.id):
2095         (factorial2):
2096         (factorial3.aux3):
2097         (factorial3):
2098         (aux4):
2099         (factorial4):
2100         (foo):
2101         (auxBar):
2102         (bar):
2103         (test):
2104
2105 2017-11-07  Mark Lam  <mark.lam@apple.com>
2106
2107         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2108         https://bugs.webkit.org/show_bug.cgi?id=179355
2109         <rdar://problem/35263053>
2110
2111         Reviewed by Saam Barati.
2112
2113         * stress/regress-179355.js: Added.
2114
2115 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2116
2117         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2118         https://bugs.webkit.org/show_bug.cgi?id=144458
2119
2120         Reviewed by Saam Barati.
2121
2122         * microbenchmarks/dfg-internal-function-call.js: Added.
2123         (target):
2124         * microbenchmarks/dfg-internal-function-construct.js: Added.
2125         (target):
2126         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2127         (target):
2128         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2129         (target):
2130         * stress/dfg-internal-function-call.js: Added.
2131         (shouldBe):
2132         (target):
2133         * stress/dfg-internal-function-construct.js: Added.
2134         (shouldBe):
2135         (target):
2136         * stress/internal-function-call.js: Added.
2137         (shouldBe):
2138         * stress/internal-function-construct.js: Added.
2139         (shouldBe):
2140
2141 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2142
2143         [Win] Skip stress/regress-178385.js.
2144         https://bugs.webkit.org/show_bug.cgi?id=179298
2145
2146         Unreviewed test gardening.
2147
2148         * stress/regress-178385.js:
2149
2150 2017-11-03  Keith Miller  <keith_miller@apple.com>
2151
2152         Add test for ic with side effects
2153         https://bugs.webkit.org/show_bug.cgi?id=179268
2154
2155         Reviewed by Saam Barati.
2156
2157         * stress/put-inline-cache-side-effects.js: Added.
2158         (let.i.of.objs.keys):
2159         (f):
2160
2161 2017-11-03  Mark Lam  <mark.lam@apple.com>
2162
2163         CachedCall (and its clients) needs overflow checks.
2164         https://bugs.webkit.org/show_bug.cgi?id=179185
2165
2166         Reviewed by JF Bastien.
2167
2168         * stress/regress-179185.js: Added.
2169
2170 2017-11-02  Michael Saboff  <msaboff@apple.com>
2171
2172         DFG needs to handle code motion of code in for..in loop bodies
2173         https://bugs.webkit.org/show_bug.cgi?id=179212
2174
2175         Reviewed by Keith Miller.
2176
2177         New regression test.
2178
2179         * stress/for-in-side-effects.js: Added.
2180         (getPrototypeOf):
2181         (reset):
2182         (testWithoutFTL.f):
2183         (testWithoutFTL):
2184         (testWithFTL.f):
2185         (testWithFTL):
2186
2187 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2188
2189         AI does not correctly model the clobber case of ArithClz32
2190         https://bugs.webkit.org/show_bug.cgi?id=179188
2191
2192         Reviewed by Michael Saboff.
2193
2194         * stress/arith-clz32-effects.js: Added.
2195         (foo):
2196         (valueOf):
2197
2198 2017-11-01  Michael Saboff  <msaboff@apple.com>
2199
2200         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2201         https://bugs.webkit.org/show_bug.cgi?id=179140
2202
2203         Reviewed by Saam Barati.
2204
2205         New regression test.
2206
2207         * stress/regress-179140.js: Added.
2208         (testWithoutFTL):
2209         (testWithFTL):
2210
2211 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2212
2213         [JSC] Introduce @toObject
2214         https://bugs.webkit.org/show_bug.cgi?id=178726
2215
2216         Reviewed by Saam Barati.
2217
2218         * stress/array-copywithin.js:
2219         (shouldThrow):
2220         * stress/object-constructor-boolean-edge.js: Added.
2221         (shouldBe):
2222         (test):
2223         * stress/object-constructor-global.js: Added.
2224         (shouldBe):
2225         * stress/object-constructor-null-edge.js: Added.
2226         (shouldBe):
2227         (test):
2228         * stress/object-constructor-number-edge.js: Added.
2229         (shouldBe):
2230         (test):
2231         * stress/object-constructor-object-edge.js: Added.
2232         (shouldBe):
2233         (test):
2234         (i.arg):
2235         * stress/object-constructor-string-edge.js: Added.
2236         (shouldBe):
2237         (test):
2238         * stress/object-constructor-symbol-edge.js: Added.
2239         (shouldBe):
2240         (test):
2241         * stress/object-constructor-undefined-edge.js: Added.
2242         (shouldBe):
2243         (test):
2244         * stress/symbol-array-from.js: Added.
2245         (shouldBe):
2246         * stress/to-object-intrinsic-boolean-edge.js: Added.
2247         (shouldBe):
2248         (builtin.createBuiltin):
2249         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2250         (shouldThrow):
2251         * stress/to-object-intrinsic-number-edge.js: Added.
2252         (shouldBe):
2253         (builtin.createBuiltin):
2254         * stress/to-object-intrinsic-object-edge.js: Added.
2255         (shouldBe):
2256         (builtin.createBuiltin):
2257         (i.arg):
2258         * stress/to-object-intrinsic-string-edge.js: Added.
2259         (shouldBe):
2260         (builtin.createBuiltin):
2261         * stress/to-object-intrinsic-symbol-edge.js: Added.
2262         (shouldBe):
2263         (builtin.createBuiltin):
2264         * stress/to-object-intrinsic.js: Added.
2265         (shouldBe):
2266         (shouldThrow):
2267         (builtin.createBuiltin):
2268
2269 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2270
2271         [DFG][FTL] Introduce StringSlice
2272         https://bugs.webkit.org/show_bug.cgi?id=178934
2273
2274         Reviewed by Saam Barati.
2275
2276         * microbenchmarks/string-slice-empty.js: Added.
2277         (slice):
2278         * microbenchmarks/string-slice-one-char.js: Added.
2279         (slice):
2280         * microbenchmarks/string-slice.js: Added.
2281         (slice):
2282
2283 2017-10-26  Michael Saboff  <msaboff@apple.com>
2284
2285         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2286         https://bugs.webkit.org/show_bug.cgi?id=178890
2287
2288         Reviewed by Keith Miller.
2289
2290         New regression test.
2291
2292         * stress/regress-178890.js: Added.
2293
2294 2017-10-26  Mark Lam  <mark.lam@apple.com>
2295
2296         JSRopeString::RopeBuilder::append() should check for overflows.
2297         https://bugs.webkit.org/show_bug.cgi?id=178385
2298         <rdar://problem/35027468>
2299
2300         Reviewed by Saam Barati.
2301
2302         * stress/regress-178385.js: Added.
2303
2304 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2305
2306         Unreviewed, rolling out r223961.
2307
2308         The change that required this has been rolled out.
2309
2310         Reverted changeset:
2311
2312         "Mark test262.yaml/test262/test/language/statements/try/tco-
2313         catch.js as passing."
2314         https://bugs.webkit.org/show_bug.cgi?id=178592
2315         https://trac.webkit.org/changeset/223961
2316
2317 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2318
2319         Unreviewed, rolling out r223691 and r223729.
2320         https://bugs.webkit.org/show_bug.cgi?id=178834
2321
2322         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2323         by rniwa on #webkit).
2324
2325         Reverted changesets:
2326
2327         "Turn recursive tail calls into loops"
2328         https://bugs.webkit.org/show_bug.cgi?id=176601
2329         https://trac.webkit.org/changeset/223691
2330
2331         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2332         comparison is always false due to limited range of data type
2333         [-Wtype-limits]"
2334         https://bugs.webkit.org/show_bug.cgi?id=178543
2335         https://trac.webkit.org/changeset/223729
2336
2337 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2338
2339         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2340         https://bugs.webkit.org/show_bug.cgi?id=178592
2341
2342         Unreviewed test gardening.
2343
2344         * test262.yaml:
2345
2346 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2347
2348         [FTL] Support NewStringObject
2349         https://bugs.webkit.org/show_bug.cgi?id=178737
2350
2351         Reviewed by Saam Barati.
2352
2353         * stress/new-string-object.js: Added.
2354         (shouldBe):
2355         (test):
2356
2357 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2358
2359         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2360         https://bugs.webkit.org/show_bug.cgi?id=178308
2361
2362         Reviewed by Mark Lam.
2363
2364         * test262.yaml:
2365
2366 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2367
2368         [JSC] Use fastJoin in Array#toString
2369         https://bugs.webkit.org/show_bug.cgi?id=178062
2370
2371         Reviewed by Darin Adler.
2372
2373         * microbenchmarks/contiguous-array-to-string.js: Added.
2374         (target):
2375         * microbenchmarks/double-array-to-string.js: Added.
2376         (target):
2377         * microbenchmarks/int32-array-to-string.js: Added.
2378         (target):
2379
2380 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2381
2382         stress/check-string-ident.js is improperly skipped
2383         https://bugs.webkit.org/show_bug.cgi?id=178642
2384
2385         Reviewed by Saam Barati.
2386
2387         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2388         since it enforces the run-jsc-stress-tests script to still set up the
2389         test to run, despite the skip directive that's used before.
2390
2391 2017-10-20  Mark Lam  <mark.lam@apple.com>
2392
2393         Add a test case for r214334.
2394         https://bugs.webkit.org/show_bug.cgi?id=169941
2395         <rdar://problem/31221258>
2396
2397         Reviewed by JF Bastien.
2398
2399         * stress/regress-169941.js: Added.
2400
2401 2017-10-19  JF Bastien  <jfbastien@apple.com>
2402
2403         WebAssembly: no VM / JS version of everything but Instance
2404         https://bugs.webkit.org/show_bug.cgi?id=177473
2405
2406         Reviewed by Filip Pizlo, Saam Barati.
2407
2408         - Exceeding max on memory growth now returns a range error as per
2409         spec. This is a (very minor) breaking change: it used to throw OOM
2410         error. Update the corresponding test.
2411
2412         * wasm/js-api/memory-grow.js:
2413         (assertEq):
2414         * wasm/js-api/table.js:
2415         (assert.throws):
2416
2417 2017-10-19  Mark Lam  <mark.lam@apple.com>
2418
2419         Stringifier::appendStringifiedValue() is missing an exception check.
2420         https://bugs.webkit.org/show_bug.cgi?id=178386
2421         <rdar://problem/35027610>
2422
2423         Reviewed by Saam Barati.
2424
2425         * stress/regress-178386.js: Added.
2426
2427 2017-10-19  Michael Saboff  <msaboff@apple.com>
2428
2429         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2430         https://bugs.webkit.org/show_bug.cgi?id=178521
2431
2432         Reviewed by JF Bastien.
2433
2434         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2435         now passes with the current version (5.0) of the Emoji spec.
2436
2437 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2438
2439         Turn recursive tail calls into loops
2440         https://bugs.webkit.org/show_bug.cgi?id=176601
2441
2442         Reviewed by Saam Barati.
2443
2444         Add some simple test that computes factorial in several ways, and other trivial computations.
2445         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2446         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2447         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2448         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2449
2450         * stress/inline-call-to-recursive-tail-call.js: Added.
2451         (factorial.aux):
2452         (factorial):
2453         (factorial2.aux):
2454         (factorial2.id):
2455         (factorial2):
2456         (factorial3.aux):
2457         (factorial3):
2458         (aux):
2459         (factorial4):
2460         (test):
2461
2462 2017-10-18  Mark Lam  <mark.lam@apple.com>
2463
2464         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2465         https://bugs.webkit.org/show_bug.cgi?id=177600
2466         <rdar://problem/34710985>
2467
2468         Reviewed by Saam Barati.
2469
2470         * stress/regress-177600.js: Added.
2471
2472 2017-10-18  Mark Lam  <mark.lam@apple.com>
2473
2474         The compiler should always register a structure when it adds its transitionWatchPointSet.
2475         https://bugs.webkit.org/show_bug.cgi?id=178420
2476         <rdar://problem/34814024>
2477
2478         Reviewed by Saam Barati and Filip Pizlo.
2479
2480         * stress/regress-178420.js: Added.
2481         (new.Array.10000.map):
2482
2483 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2484
2485         [JSC] __proto__ getter should be fast
2486         https://bugs.webkit.org/show_bug.cgi?id=178067
2487
2488         Reviewed by Saam Barati.
2489
2490         * stress/dfg-object-proto-accessor.js: Added.
2491         (shouldBe):
2492         (shouldThrow):
2493         (target):
2494         * stress/dfg-object-proto-getter.js: Added.
2495         (shouldBe):
2496         (shouldThrow):
2497         (target):
2498         * stress/dfg-object-prototype-of.js: Added.
2499         (shouldBe):
2500         (shouldThrow):
2501         (target):
2502         * stress/dfg-reflect-get-prototype-of.js: Added.
2503         (shouldBe):
2504         (shouldThrow):
2505         (target):
2506         * stress/intrinsic-getter-with-poly-proto.js: Added.
2507         (shouldBe):
2508         (makePolyProtoObject.foo.C):
2509         (makePolyProtoObject.foo):
2510         (makePolyProtoObject):
2511         (target):
2512         * stress/object-get-prototype-of-filtered.js: Added.
2513         (shouldBe):
2514         (shouldThrow):
2515         (target):
2516         (i.Cocoa):
2517         * stress/object-get-prototype-of-mono-proto.js: Added.
2518         (shouldBe):
2519         (makePolyProtoObject.foo.C):
2520         (makePolyProtoObject.foo):
2521         (makePolyProtoObject):
2522         (target):
2523         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2524         (shouldBe):
2525         (makePolyProtoObject.foo.C):
2526         (makePolyProtoObject.foo):
2527         (makePolyProtoObject):
2528         (target):
2529         * stress/object-get-prototype-of-poly-proto.js: Added.
2530         (shouldBe):
2531         (makePolyProtoObject.foo.C):
2532         (makePolyProtoObject.foo):
2533         (makePolyProtoObject):
2534         (target):
2535         * stress/object-proto-getter-filtered.js: Added.
2536         (shouldBe):
2537         (shouldThrow):
2538         (target):
2539         (i.Cocoa):
2540         * stress/object-proto-getter-poly-mono-proto.js: Added.
2541         (shouldBe):
2542         (makePolyProtoObject.foo.C):
2543         (makePolyProtoObject.foo):
2544         (makePolyProtoObject):
2545         (target):
2546         * stress/object-proto-getter-poly-proto.js: Added.
2547         (shouldBe):
2548         (makePolyProtoObject.foo.C):
2549         (makePolyProtoObject.foo):
2550         (makePolyProtoObject):
2551         (target):
2552         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2553         * stress/string-proto.js: Added.
2554         (shouldBe):
2555         (target):
2556
2557 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2558
2559         Unreviewed, rolling out r223523.
2560
2561         A test for this change is failing on debug JSC bots.
2562
2563         Reverted changeset:
2564
2565         "[JSC] __proto__ getter should be fast"
2566         https://bugs.webkit.org/show_bug.cgi?id=178067
2567         https://trac.webkit.org/changeset/223523
2568
2569 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2570
2571         [JSC] __proto__ getter should be fast
2572         https://bugs.webkit.org/show_bug.cgi?id=178067
2573
2574         Reviewed by Saam Barati.
2575
2576         * stress/dfg-object-proto-accessor.js: Added.
2577         (shouldBe):
2578         (shouldThrow):
2579         (target):
2580         * stress/dfg-object-proto-getter.js: Added.
2581         (shouldBe):
2582         (shouldThrow):
2583         (target):
2584         * stress/dfg-object-prototype-of.js: Added.
2585         (shouldBe):
2586         (shouldThrow):
2587         (target):
2588         * stress/dfg-reflect-get-prototype-of.js: Added.
2589         (shouldBe):
2590         (shouldThrow):
2591         (target):
2592         * stress/object-get-prototype-of-filtered.js: Added.
2593         (shouldBe):
2594         (shouldThrow):
2595         (target):
2596         (i.Cocoa):
2597         * stress/object-get-prototype-of-mono-proto.js: Added.
2598         (shouldBe):
2599         (makePolyProtoObject.foo.C):
2600         (makePolyProtoObject.foo):
2601         (makePolyProtoObject):
2602         (target):
2603         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2604         (shouldBe):
2605         (makePolyProtoObject.foo.C):
2606         (makePolyProtoObject.foo):
2607         (makePolyProtoObject):
2608         (target):
2609         * stress/object-get-prototype-of-poly-proto.js: Added.
2610         (shouldBe):
2611         (makePolyProtoObject.foo.C):
2612         (makePolyProtoObject.foo):
2613         (makePolyProtoObject):
2614         (target):
2615         * stress/object-proto-getter-filtered.js: Added.
2616         (shouldBe):
2617         (shouldThrow):
2618         (target):
2619         (i.Cocoa):
2620         * stress/object-proto-getter-poly-mono-proto.js: Added.
2621         (shouldBe):
2622         (makePolyProtoObject.foo.C):
2623         (makePolyProtoObject.foo):
2624         (makePolyProtoObject):
2625         (target):
2626         * stress/object-proto-getter-poly-proto.js: Added.
2627         (shouldBe):
2628         (makePolyProtoObject.foo.C):
2629         (makePolyProtoObject.foo):
2630         (makePolyProtoObject):
2631         (target):
2632         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2633         * stress/string-proto.js: Added.
2634         (shouldBe):
2635         (target):
2636
2637 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2638
2639         Reland "Add Above/Below comparisons for UInt32 patterns"
2640         https://bugs.webkit.org/show_bug.cgi?id=177281
2641
2642         Reviewed by Saam Barati.
2643
2644         * stress/uint32-comparison-jump.js: Added.
2645         (shouldBe):
2646         (above):
2647         (aboveOrEqual):
2648         (below):
2649         (belowOrEqual):
2650         (notAbove):
2651         (notAboveOrEqual):
2652         (notBelow):
2653         (notBelowOrEqual):
2654         * stress/uint32-comparison.js: Added.
2655         (shouldBe):
2656         (above):
2657         (aboveOrEqual):
2658         (below):
2659         (belowOrEqual):
2660         (aboveTest):
2661         (aboveOrEqualTest):
2662         (belowTest):
2663         (belowOrEqualTest):
2664
2665 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2666
2667         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2668         https://bugs.webkit.org/show_bug.cgi?id=178210
2669
2670         Reviewed by Saam Barati.
2671
2672         * wasm/function-tests/trap-from-start-async.js:
2673         (async.StartTrapsAsync):
2674         * wasm/function-tests/trap-from-start.js:
2675         (StartTraps):
2676         * wasm/js-api/web-assembly-function.js:
2677         (assert.eq.Object.getPrototypeOf):
2678         * wasm/js-api/wrapper-function.js:
2679         (return.new.WebAssembly.Module):
2680         (assert.throws.makeInstance): Deleted.
2681         (assert.throws.Bar): Deleted.
2682         (assert.throws): Deleted.
2683
2684 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2685
2686         Enable gigacage on iOS
2687         https://bugs.webkit.org/show_bug.cgi?id=177586
2688
2689         Reviewed by JF Bastien.
2690         
2691         Add tests for when Gigacage gets runtime disabled.
2692
2693         * stress/disable-gigacage-arrays.js: Added.
2694         (foo):
2695         * stress/disable-gigacage-strings.js: Added.
2696         (foo):
2697         * stress/disable-gigacage-typed-arrays.js: Added.
2698         (foo):
2699
2700 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2701
2702         import.meta should not be assignable
2703         https://bugs.webkit.org/show_bug.cgi?id=178202
2704
2705         Reviewed by Saam Barati.
2706
2707         * modules/import-meta-assignment.js: Added.
2708         (shouldThrow):
2709         (SyntaxError.import.meta.can.shouldThrow):
2710
2711 2017-10-11  Saam Barati  <sbarati@apple.com>
2712
2713         Unreviewed. Actually skip certain type profiler tests in debug.
2714
2715         * typeProfiler.yaml:
2716         * typeProfiler/deltablue-for-of.js:
2717         * typeProfiler/getter-richards.js:
2718
2719 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2720
2721         Unreviewed, rolling out r223113 and r223121.
2722         https://bugs.webkit.org/show_bug.cgi?id=178182
2723
2724         Reintroduced 20% regression on Kraken (Requested by rniwa on
2725         #webkit).
2726
2727         Reverted changesets:
2728
2729         "Enable gigacage on iOS"
2730         https://bugs.webkit.org/show_bug.cgi?id=177586
2731         https://trac.webkit.org/changeset/223113
2732
2733         "Use one virtual allocation for all gigacages and their
2734         runways"
2735         https://bugs.webkit.org/show_bug.cgi?id=178050
2736         https://trac.webkit.org/changeset/223121
2737
2738 2017-10-11  Michael Saboff  <msaboff@apple.com>
2739
2740         Disable test262 named capture group tests with direct unicode names and with references before definitions
2741         https://bugs.webkit.org/show_bug.cgi?id=178177
2742
2743         Reviewed by Keith Miller.
2744
2745         Bugs to track fixing these test are:
2746         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2747             "Add support in named capture group identifiers for direct surrogate pairs"
2748         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2749             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2750
2751         * test262.yaml:
2752
2753 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2754
2755         Object properties are undefined in super.call() but not in this.call()
2756         https://bugs.webkit.org/show_bug.cgi?id=177230
2757
2758         Reviewed by Saam Barati.
2759
2760         * stress/super-call-function-subclass.js: Added.
2761         (assert):
2762         (A.prototype.t):
2763         (A):
2764         * stress/super-dot-call-and-apply.js: Added.
2765         (assert):
2766         (A):
2767         (A.prototype.call):
2768         (A.prototype.apply):
2769         (B.prototype.testSuper):
2770         (B):
2771         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2772         (D.prototype.testSuper):
2773         (D):
2774
2775 2017-10-10  Saam Barati  <sbarati@apple.com>
2776
2777         The prototype cache should be aware of the Executable it generates a Structure for
2778         https://bugs.webkit.org/show_bug.cgi?id=177907
2779
2780         Reviewed by Filip Pizlo.
2781
2782         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2783         (assert):
2784         (foo.C):
2785         (foo):
2786         (bar.C):
2787         (bar):
2788         (access):
2789         (makeLongChain):
2790         (accessY):
2791
2792 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2793
2794         `async` should be able to be used as an imported binding name
2795         https://bugs.webkit.org/show_bug.cgi?id=176573
2796
2797         Reviewed by Saam Barati.
2798
2799         * modules/import-default-async.js: Added.
2800         * modules/import-named-async-as.js: Added.
2801         * modules/import-named-async.js: Added.
2802         * modules/import-named-async/target.js: Added.
2803         * modules/import-namespace-async.js: Added.
2804         * test262.yaml:
2805
2806 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2807
2808         Enable gigacage on iOS
2809         https://bugs.webkit.org/show_bug.cgi?id=177586
2810
2811         Reviewed by JF Bastien.
2812         
2813         Add tests for when Gigacage gets runtime disabled.
2814
2815         * stress/disable-gigacage-arrays.js: Added.
2816         (foo):
2817         * stress/disable-gigacage-strings.js: Added.
2818         (foo):
2819         * stress/disable-gigacage-typed-arrays.js: Added.
2820         (foo):
2821
2822 2017-10-09  Michael Saboff  <msaboff@apple.com>
2823
2824         Implement RegExp Unicode property escapes
2825         https://bugs.webkit.org/show_bug.cgi?id=172069
2826
2827         Reviewed by JF Bastien.
2828
2829         Enabled Unicode Property tests.
2830
2831         * test262.yaml:
2832
2833 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2834
2835         Unreviewed, rolling out r223015 and r223025.
2836         https://bugs.webkit.org/show_bug.cgi?id=178093
2837
2838         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2839         #webkit).
2840
2841         Reverted changesets:
2842
2843         "Enable gigacage on iOS"
2844         https://bugs.webkit.org/show_bug.cgi?id=177586
2845         http://trac.webkit.org/changeset/223015
2846
2847         "Unreviewed, disable Gigacage on ARM64 Linux"
2848         https://bugs.webkit.org/show_bug.cgi?id=177586
2849         http://trac.webkit.org/changeset/223025
2850
2851 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2852
2853         Update expectations for test262 tests that pass after r223043.
2854         https://bugs.webkit.org/show_bug.cgi?id=176685
2855
2856         Unreviewed test gardening.
2857
2858         * test262.yaml:
2859
2860 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2861
2862         Unreviewed, rolling out r223022.
2863
2864         This change introduced 18 test262 failures.
2865
2866         Reverted changeset:
2867
2868         "`async` should be able to be used as an imported binding
2869         name"
2870         https://bugs.webkit.org/show_bug.cgi?id=176573
2871         http://trac.webkit.org/changeset/223022
2872
2873 2017-10-09  Saam Barati  <sbarati@apple.com>
2874
2875         3 poly-proto JSC tests timing out on debug after r222827
2876         https://bugs.webkit.org/show_bug.cgi?id=177880
2877         <rdar://problem/34817122>
2878
2879         Unreviewed.
2880
2881         I'm skipping these type profiler tests on debug since they are long running.
2882
2883         * typeProfiler/deltablue-for-of.js:
2884         * typeProfiler/getter-richards.js:
2885
2886 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2887
2888         Safari 10 /11 problem with if (!await get(something)).
2889         https://bugs.webkit.org/show_bug.cgi?id=176685
2890
2891         Reviewed by Saam Barati.
2892
2893         * stress/async-await-basic.js:
2894         (awaitEpression.async):
2895         * stress/async-await-syntax.js:
2896         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2897         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2898
2899 2017-10-08  Saam Barati  <sbarati@apple.com>
2900
2901         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2902
2903         * typeProfiler/deltablue-for-of.js:
2904         * typeProfiler/getter-richards.js:
2905
2906 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2907
2908         `async` should be able to be used as an imported binding name
2909         https://bugs.webkit.org/show_bug.cgi?id=176573
2910
2911         Reviewed by Darin Adler.
2912
2913         * modules/import-default-async.js: Added.
2914         * modules/import-named-async-as.js: Added.
2915         * modules/import-named-async.js: Added.
2916         * modules/import-named-async/target.js: Added.
2917         * modules/import-namespace-async.js: Added.
2918
2919 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2920
2921         Enable gigacage on iOS
2922         https://bugs.webkit.org/show_bug.cgi?id=177586
2923
2924         Reviewed by JF Bastien.
2925         
2926         Add tests for when Gigacage gets runtime disabled.
2927
2928         * stress/disable-gigacage-arrays.js: Added.
2929         (foo):
2930         * stress/disable-gigacage-strings.js: Added.
2931         (foo):
2932         * stress/disable-gigacage-typed-arrays.js: Added.
2933         (foo):
2934
2935 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2936
2937         Unreviewed, rolling out r222791 and r222873.
2938         https://bugs.webkit.org/show_bug.cgi?id=178031
2939
2940         Caused crashes with workers/wasm LayoutTests (Requested by
2941         ryanhaddad on #webkit).
2942
2943         Reverted changesets:
2944
2945         "WebAssembly: no VM / JS version of everything but Instance"
2946         https://bugs.webkit.org/show_bug.cgi?id=177473
2947         http://trac.webkit.org/changeset/222791
2948
2949         "WebAssembly: address no VM / JS follow-ups"
2950         https://bugs.webkit.org/show_bug.cgi?id=177887
2951         http://trac.webkit.org/changeset/222873
2952
2953 2017-10-05  Saam Barati  <sbarati@apple.com>
2954
2955         Make sure all prototypes under poly proto get added into the VM's prototype map
2956         https://bugs.webkit.org/show_bug.cgi?id=177909
2957
2958         Reviewed by Keith Miller.
2959
2960         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2961         (assert):
2962         (foo.C):
2963         (foo):
2964         (set x):
2965
2966 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2967
2968         [JSC] Introduce import.meta
2969         https://bugs.webkit.org/show_bug.cgi?id=177703
2970
2971         Reviewed by Filip Pizlo.
2972
2973         * modules/import-meta-syntax.js: Added.
2974         (shouldThrow):
2975         (shouldNotThrow):
2976         * modules/import-meta.js: Added.
2977         * modules/import-meta/cocoa.js: Added.
2978         * modules/resources/assert.js:
2979         (export.shouldNotThrow):
2980         * stress/import-syntax.js:
2981
2982 2017-10-04  Saam Barati  <sbarati@apple.com>
2983
2984         Make pertinent AccessCases watch the poly proto watchpoint
2985         https://bugs.webkit.org/show_bug.cgi?id=177765
2986
2987         Reviewed by Keith Miller.
2988
2989         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2990         (assert):
2991         (foo.C):
2992         (foo):
2993         (validate):
2994         * stress/poly-proto-clear-stub.js: Added.
2995         (assert):
2996         (foo.C):
2997         (foo):
2998
2999 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3000
3001         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3002
3003         Unreviewed test gardening.
3004
3005         * test262.yaml:
3006
3007 2017-10-04  Saam Barati  <sbarati@apple.com>
3008
3009         3 poly-proto JSC tests timing out on debug after r222827
3010         https://bugs.webkit.org/show_bug.cgi?id=177880
3011
3012         Rubber stamped by Mark Lam.
3013
3014         * microbenchmarks/poly-proto-access.js:
3015         * typeProfiler/deltablue-for-of.js:
3016         * typeProfiler/getter-richards.js:
3017
3018 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3019
3020         Unreviewed, marking tco-catch.js as a failure after test262 update
3021         https://bugs.webkit.org/show_bug.cgi?id=177859
3022
3023         * test262.yaml:
3024
3025 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3026
3027         Unreviewed, marking one async iterator test262 test failed
3028         https://bugs.webkit.org/show_bug.cgi?id=177859
3029
3030         * test262.yaml:
3031
3032 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3033
3034         [Test262] Update Test262 to Oct 4 version
3035         https://bugs.webkit.org/show_bug.cgi?id=177859
3036
3037         Reviewed by Sam Weinig.
3038
3039         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3040         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3041
3042         * test262.yaml:
3043         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3044         (checkSequence):
3045         * test262/harness/typeCoercion.js:
3046         (testCoercibleToIndexZero):
3047         (testCoercibleToIndexOne):
3048         (testCoercibleToIndexFromIndex):
3049         (testNotCoercibleToIndex.testPrimitiveValue):
3050         (testNotCoercibleToInteger):
3051         (testCoercibleToBigIntZero.testPrimitiveValue):
3052         (testCoercibleToBigIntZero):
3053         (testCoercibleToBigIntOne.testPrimitiveValue):
3054         (testCoercibleToBigIntOne):
3055         (testPrimitiveValue):
3056         (testCoercibleToBigIntFromBigInt):
3057         (testNotCoercibleToBigInt.testPrimitiveValue):
3058         (testNotCoercibleToBigInt.testStringValue):
3059         (testNotCoercibleToBigInt):
3060         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3061         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3062         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3063         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3064         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3065         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3066         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3067         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3068         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3069         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3070         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3071         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3072         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3073         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3074         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3075         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3076         (testCoercibleToBigIntZero):
3077         (testCoercibleToBigIntOne):
3078         (testNotCoercibleToBigInt):
3079         (MyError): Deleted.
3080         (valueOf): Deleted.
3081         (toString): Deleted.
3082         (Symbol.toPrimitive): Deleted.
3083         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3084         (testCoercibleToIndexZero):
3085         (testCoercibleToIndexOne):
3086         (testNotCoercibleToIndex):
3087         (MyError): Deleted.
3088         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3089         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3090         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3091         (BigInt.asIntN.valueOf): Deleted.
3092         (BigInt.asIntN.toString): Deleted.
3093         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3094         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3095         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3096         (testCoercibleToBigIntZero):
3097         (testCoercibleToBigIntOne):
3098         (testNotCoercibleToBigInt):
3099         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3100         (testCoercibleToIndexZero):
3101         (testCoercibleToIndexOne):
3102         (testNotCoercibleToIndex):
3103         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3104         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3105         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3106         (bits.valueOf):
3107         (bigint.valueOf):
3108         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3109         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3110         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3111         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3112         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3113         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3114         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3115         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3116         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3117         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3118         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3119         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3120         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3121         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3122         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3123         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3124         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3125         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3126         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3127         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3128         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3129         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3130         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3131         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3132         (replacer):
3133         (BigInt.prototype.toJSON):
3134         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3135         (replacer):
3136         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3137         (BigInt.prototype.toJSON):
3138         * test262/test/built-ins/JSON/stringify/bigint.js:
3139         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3140         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3141         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3142         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3143         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3144         * test262/test/built-ins/Object/proto-from-ctor.js:
3145         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3146         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3147         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3148         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3149         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3150         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3151         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3152         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3153         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3154         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3155         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3156         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3157         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3158         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3159         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3160         * test262/test/built-ins/Proxy/get-fn-realm.js:
3161         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3162         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3163         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3164         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3165         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3166         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3167         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3168         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3169         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3170         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3171         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3172         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3173         (i6.replace):
3174         (i6b.replace):
3175         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3176         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3177         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3178         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3179         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3180         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3181         * test262/test/built-ins/RegExp/u180e.js: Added.
3182         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3183         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3184         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3185         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3186         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3187         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3188         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3189         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3190         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3191         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3192         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3193         * test262/test/built-ins/String/prototype/endsWith/length.js:
3194         * test262/test/built-ins/String/prototype/endsWith/name.js:
3195         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3196         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3197         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3198         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3199         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3200         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3201         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3202         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3203         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3204         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3205         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3206         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3207         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3208         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3209         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3210         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3211         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3212         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3213         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3214         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3215         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3216         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3217         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3218         * test262/test/built-ins/String/prototype/includes/includes.js:
3219         * test262/test/built-ins/String/prototype/includes/length.js:
3220         * test262/test/built-ins/String/prototype/includes/name.js:
3221         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3222         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3223         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3224         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3225         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3226         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3227         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3228         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3229         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3230         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3231         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3232         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3233         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3234         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3235         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3236         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3237         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3238         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3239         * test262/test/built-ins/String/prototype/trim/u180e.js:
3240         * test262/test/built-ins/Symbol/for/cross-realm.js:
3241         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3242         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3243         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3244         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3245         * test262/test/built-ins/Symbol/match/cross-realm.js:
3246         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3247         * test262/test/built-ins/Symbol/search/cross-realm.js:
3248         * test262/test/built-ins/Symbol/species/cross-realm.js:
3249         * test262/test/built-ins/Symbol/split/cross-realm.js:
3250         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3251         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3252         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3253         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3254         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3255         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3256         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3257         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3258         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3259         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3260         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3261         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3262         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3263         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3264         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3265         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3266         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3267         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3268         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3269         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3270         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3271         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3272         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3273         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3274         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3275         * test262/test/language/eval-code/indirect/realm.js:
3276         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3277         (o.get z):
3278         (o.get a):
3279         * test262/test/language/expressions/call/eval-realm-indirect.js:
3280         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3281         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3282         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3283         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3284         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3285         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3286         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3287         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3288         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3289         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3290         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3291         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3292         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3293         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3294         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3295         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3296         * test262/test/language/expressions/less-than/bigint-and-number.js:
3297         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3298         * test262/test/language/expressions/super/realm.js:
3299         * test262/test/language/expressions/tagged-template/cache-realm.js:
3300         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3301         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3302         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3303         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3304         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3305         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3306         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3307         (o.get z):
3308         (o.get a):
3309         * test262/test/language/statements/for-of/iterator-next-reference.js:
3310         (next):
3311         (iterator.next): Deleted.
3312         (x.of.iterable.): Deleted.
3313         (x.of.iterable.get return): Deleted.
3314         (x.of.iterable.iterator.next): Deleted.
3315         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3316         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3317         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3318         * test262/test/language/white-space/mongolian-vowel-separator.js:
3319         * test262/test262-Revision.txt:
3320
3321 2017-10-03  Saam Barati  <sbarati@apple.com>
3322
3323         Implement polymorphic prototypes
3324         https://bugs.webkit.org/show_bug.cgi?id=176391
3325
3326         Reviewed by Filip Pizlo.
3327
3328         * microbenchmarks/poly-proto-access.js: Added.
3329         (assert):
3330         (foo.C):
3331         (foo.C.prototype.get bar):
3332         (foo):
3333         (bar):
3334         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3335         (assert):
3336         (makePolyProtoObject.foo.C):
3337         (makePolyProtoObject.foo):
3338         (makePolyProtoObject):
3339         (performSet):
3340         * microbenchmarks/poly-proto-setter-speed.js: Added.
3341         (assert):
3342         (makePolyProtoObject.foo.C):
3343         (makePolyProtoObject.foo.C.prototype.set p):
3344         (makePolyProtoObject.foo):
3345         (makePolyProtoObject):
3346         (performSet):
3347         * stress/constructor-with-return.js:
3348         (i.tests.forEach.Constructor):
3349         (i.tests.forEach):
3350         (tests.forEach.Constructor): Deleted.
3351         (tests.forEach): Deleted.
3352         * stress/dom-jit-with-poly-proto.js: Added.
3353         (assert):
3354         (makePolyProtoObject.foo.C):
3355         (makePolyProtoObject.foo):
3356         (makePolyProtoObject):
3357         (validate):
3358         * stress/poly-proto-custom-value-and-accessor.js: Added.
3359         (assert):
3360         (makePolyProtoObject.foo.C):
3361         (makePolyProtoObject.foo):
3362         (makePolyProtoObject):
3363         (items.forEach):
3364         (set get for):
3365         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3366         (assert):
3367         (makePolyProtoObject.foo.C):
3368         (makePolyProtoObject.foo):
3369         (makePolyProtoObject):
3370         (foo):
3371         * stress/poly-proto-miss.js: Added.
3372         (makePolyProtoInstanceWithNullPrototype.foo.C):
3373         (makePolyProtoInstanceWithNullPrototype.foo):
3374         (makePolyProtoInstanceWithNullPrototype):
3375         (assert):
3376         (validate):
3377         * stress/poly-proto-op-in-caching.js: Added.
3378         (assert):
3379         (makePolyProtoObject.foo.C):
3380         (makePolyProtoObject.foo):
3381         (makePolyProtoObject):
3382         (validate):
3383         (validate2):
3384         * stress/poly-proto-put-transition.js: Added.
3385         (assert):
3386         (makePolyProtoObject.foo.C):
3387         (makePolyProtoObject.foo):
3388         (makePolyProtoObject):
3389         (performSet):
3390         (i.obj.__proto__.set p):
3391         * stress/poly-proto-set-prototype.js: Added.
3392         (assert):
3393         (let.alternateProto.get x):
3394         (let.alternateProto2.get y):
3395         (let.alternateProto2.get x):
3396         (foo.C):
3397         (foo):
3398         (validate):
3399         * stress/poly-proto-setter.js: Added.
3400         (assert):
3401         (makePolyProtoObject.foo.C):
3402         (makePolyProtoObject.foo.C.prototype.set p):
3403         (makePolyProtoObject.foo.C.prototype.get p):
3404         (makePolyProtoObject.foo):
3405         (makePolyProtoObject):
3406         (performSet):
3407         * stress/poly-proto-using-inheritance.js: Added.
3408         (assert):
3409         (foo.C):
3410         (foo.C.prototype.get baz):
3411         (foo):
3412         (bar.C):
3413         (bar):
3414         (validate):
3415         * stress/primitive-poly-proto.js: Added.
3416         (makePolyProtoInstance.foo.C):
3417         (makePolyProtoInstance.foo):
3418         (makePolyProtoInstance):
3419         (assert):
3420         (validate):
3421         * stress/prototype-is-not-js-object.js: Added.
3422         (foo.bar):
3423         (foo):
3424         (assert):
3425         (validate):
3426         * stress/try-get-by-id-poly-proto.js: Added.
3427         (assert):
3428         (makePolyProtoObject.foo.C):
3429         (makePolyProtoObject.foo):
3430         (makePolyProtoObject):
3431         (tryGetByIdText):
3432         (x.__proto__.get bar):
3433         (validate):
3434         * typeProfiler/overflow.js:
3435
3436 2017-10-03  JF Bastien  <jfbastien@apple.com>
3437
3438         WebAssembly: no VM / JS version of everything but Instance
3439         https://bugs.webkit.org/show_bug.cgi?id=177473
3440
3441         Reviewed by Filip Pizlo.
3442
3443         - Exceeding max on memory growth now returns a range error as per
3444         spec. This is a (very minor) breaking change: it used to throw OOM
3445         error. Update the corresponding test.
3446
3447         * wasm/js-api/memory-grow.js:
3448         (assertEq):
3449         * wasm/js-api/table.js:
3450         (assert.throws):
3451
3452 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3453
3454         Skip JSC test stress/regress-159779-2.js on debug.
3455         https://bugs.webkit.org/show_bug.cgi?id=177204
3456
3457         Unreviewed test gardening.
3458
3459         * stress/regress-159779-2.js:
3460
3461 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3462
3463         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3464         https://bugs.webkit.org/show_bug.cgi?id=175642
3465
3466         Reviewed by Darin Adler.
3467
3468         * ChakraCore/test/Function/apply3.baseline-jsc:
3469
3470 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3471
3472         Unreviewed, rolling out r222564.
3473         https://bugs.webkit.org/show_bug.cgi?id=177720
3474
3475         "It regressed JetStream by 2% on iOS caused by a 50%
3476         regression on the bigfib subtest" (Requested by saamyjoon on
3477         #webkit).
3478
3479         Reverted changeset:
3480
3481         "Add Above/Below comparisons for UInt32 patterns"
3482         https://bugs.webkit.org/show_bug.cgi?id=177281
3483         http://trac.webkit.org/changeset/222564
3484
3485 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3486
3487         [DFG] Support ArrayPush with multiple args
3488         https://bugs.webkit.org/show_bug.cgi?id=175823
3489
3490         Reviewed by Saam Barati.
3491
3492         * microbenchmarks/array-push-0.js: Added.
3493         (arrayPush0):
3494         * microbenchmarks/array-push-1.js: Added.
3495         (arrayPush1):
3496         * microbenchmarks/array-push-2.js: Added.
3497         (arrayPush2):
3498         * microbenchmarks/array-push-3.js: Added.
3499         (arrayPush3):
3500         * stress/array-push-multiple-contiguous.js: Added.
3501         (shouldBe):
3502         (test):
3503         * stress/array-push-multiple-double-nan.js: Added.
3504         (shouldBe):
3505         (test):
3506         * stress/array-push-multiple-double.js: Added.
3507         (shouldBe):
3508         (test):
3509         * stress/array-push-multiple-int32.js: Added.
3510         (shouldBe):
3511         (test):
3512         * stress/array-push-multiple-many-contiguous.js: Added.
3513         (shouldBe):
3514         (test):
3515         * stress/array-push-multiple-many-double.js: Added.
3516         (shouldBe):
3517         (test):
3518         * stress/array-push-multiple-many-int32.js: Added.
3519         (shouldBe):
3520         (test):
3521         * stress/array-push-multiple-many-storage.js: Added.
3522         (shouldBe):
3523         (test):
3524         * stress/array-push-multiple-storage.js: Added.
3525         (shouldBe):
3526         (test):
3527         * stress/array-push-with-force-exit.js: Added.
3528         (target.createBuiltin):
3529
3530 2017-09-29  Saam Barati  <sbarati@apple.com>
3531
3532         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3533         https://bugs.webkit.org/show_bug.cgi?id=177639
3534
3535         Reviewed by Geoffrey Garen.
3536
3537         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3538         (assert):
3539         (Class):
3540         (items.forEach):
3541         (set get for):
3542
3543 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3544
3545         Unreviewed, rolling out r222563, r222565, and r222581.
3546         https://bugs.webkit.org/show_bug.cgi?id=177675
3547
3548         "It causes a crash when playing youtube videos" (Requested by
3549         saamyjoon on #webkit).
3550
3551         Reverted changesets:
3552
3553         "[DFG] Support ArrayPush with multiple args"
3554         https://bugs.webkit.org/show_bug.cgi?id=175823
3555         http://trac.webkit.org/changeset/222563
3556
3557         "Unreviewed, build fix after r222563"
3558         https://bugs.webkit.org/show_bug.cgi?id=175823
3559         http://trac.webkit.org/changeset/222565
3560
3561         "Unreviewed, fix x86 breaking due to exhausted registers"
3562         https://bugs.webkit.org/show_bug.cgi?id=175823
3563         http://trac.webkit.org/changeset/222581
3564
3565 2017-09-28  Mark Lam  <mark.lam@apple.com>
3566
3567         test262: Unexpected passes after r222617 and r222618.
3568         https://bugs.webkit.org/show_bug.cgi?id=177622
3569         <rdar://problem/34725960>
3570
3571         Reviewed by Saam Barati.
3572
3573         Update test262.yaml for tests that are now passing.
3574
3575         * test262.yaml:
3576
3577 2017-09-27  Michael Saboff  <msaboff@apple.com>
3578
3579         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3580         https://bugs.webkit.org/show_bug.cgi?id=177570
3581
3582         Reviewed by Filip Pizlo.
3583
3584         New regression test.
3585
3586         * stress/regress-177570.js: Added.
3587
3588 2017-09-28  Michael Saboff  <msaboff@apple.com>
3589
3590         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3591         https://bugs.webkit.org/show_bug.cgi?id=177423
3592
3593         Reviewed by Mark Lam.
3594
3595         Updated regression test.
3596
3597         * stress/regress-177423.js:
3598         (catch):
3599
3600 2017-09-27  Mark Lam  <mark.lam@apple.com>
3601
3602         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3603         https://bugs.webkit.org/show_bug.cgi?id=177584
3604         <rdar://problem/34463903>
3605
3606         Reviewed by Saam Barati.
3607
3608         * stress/regress-177584.js: Added.
3609         (assertEqual):
3610         (Array.prototype.Symbol.species):
3611
3612 2017-09-27  Saam Barati  <sbarati@apple.com>
3613
3614         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3615         https://bugs.webkit.org/show_bug.cgi?id=177523
3616
3617         Reviewed by Mark Lam.
3618
3619         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3620         (assert):
3621         (Test):
3622         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3623         (addMethods):
3624         (i.Test.prototype.propName):
3625
3626 2017-09-27  Mark Lam  <mark.lam@apple.com>
3627
3628         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3629         https://bugs.webkit.org/show_bug.cgi?id=177423
3630         <rdar://problem/34621320>
3631
3632         Reviewed by Keith Miller.
3633
3634         * stress/regress-177423.js: Added.
3635
3636 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3637
3638         Add Above/Below comparisons for UInt32 patterns
3639         https://bugs.webkit.org/show_bug.cgi?id=177281
3640
3641         Reviewed by Saam Barati.
3642
3643         * stress/uint32-comparison-jump.js: Added.
3644         (shouldBe):
3645         (above):
3646         (aboveOrEqual):
3647         (below):
3648         (belowOrEqual):
3649         (notAbove):
3650         (notAboveOrEqual):
3651         (notBelow):
3652         (notBelowOrEqual):
3653         * stress/uint32-comparison.js: Added.
3654         (shouldBe):
3655         (above):
3656         (aboveOrEqual):
3657         (below):
3658         (belowOrEqual):
3659         (aboveTest):
3660         (aboveOrEqualTest):
3661         (belowTest):
3662         (belowOrEqualTest):
3663
3664 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3665
3666         [DFG] Support ArrayPush with multiple args
3667         https://bugs.webkit.org/show_bug.cgi?id=175823
3668
3669         Reviewed by Saam Barati.
3670
3671         * microbenchmarks/array-push-0.js: Added.
3672         (arrayPush0):
3673         * microbenchmarks/array-push-1.js: Added.
3674         (arrayPush1):
3675         * microbenchmarks/array-push-2.js: Added.
3676         (arrayPush2):
3677         * microbenchmarks/array-push-3.js: Added.
3678         (arrayPush3):
3679         * stress/array-push-multiple-contiguous.js: Added.
3680         (shouldBe):
3681         (test):
3682         * stress/array-push-multiple-double-nan.js: Added.
3683         (shouldBe):
3684         (test):
3685         * stress/array-push-multiple-double.js: Added.
3686         (shouldBe):
3687         (test):
3688         * stress/array-push-multiple-int32.js: Added.
3689         (shouldBe):
3690         (test):
3691         * stress/array-push-multiple-many-contiguous.js: Added.
3692         (shouldBe):
3693         (test):
3694         * stress/array-push-multiple-many-double.js: Added.
3695         (shouldBe):
3696         (test):
3697         * stress/array-push-multiple-many-int32.js: Added.
3698         (shouldBe):
3699         (test):
3700         * stress/array-push-multiple-many-storage.js: Added.
3701         (shouldBe):
3702         (test):
3703         * stress/array-push-multiple-storage.js: Added.
3704         (shouldBe):
3705         (test):
3706
3707 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3708
3709         Unreviewed, rolling out r222518.
3710         https://bugs.webkit.org/show_bug.cgi?id=177507
3711
3712         Break the High Sierra build (Requested by yusukesuzuki on
3713         #webkit).
3714
3715         Reverted changeset:
3716
3717         "Add Above/Below comparisons for UInt32 patterns"
3718         https://bugs.webkit.org/show_bug.cgi?id=177281
3719         http://trac.webkit.org/changeset/222518
3720