[DFG][FTL] Make ArraySlice(0) code tight
[WebKit-https.git] / JSTests / ChangeLog
1 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [DFG][FTL] Make ArraySlice(0) code tight
4         https://bugs.webkit.org/show_bug.cgi?id=183590
5
6         Reviewed by Saam Barati.
7
8         * stress/array-slice-with-zero.js: Added.
9         (shouldBe):
10         (test):
11         (test2):
12         * stress/array-slice-zero-args.js: Added.
13         (shouldBe):
14         (test):
15
16 2018-03-14  Caitlin Potter  <caitp@igalia.com>
17
18         [JSC] fix order of evaluation for ClassDefinitionEvaluation
19         https://bugs.webkit.org/show_bug.cgi?id=183523
20
21         Reviewed by Keith Miller.
22
23         Computed property names need to be evaluated in source order during class
24         definition evaluation, as it's observable (and specified to work this way).
25
26         This change improves compatibility with Chromium.
27
28         * stress/class_elements.js: Added.
29         (test):
30         (test.C.prototype.effect):
31         (test.C.effect):
32         (test.C.prototype.get effect):
33         (test.C.prototype.set effect):
34         (test.C):
35
36 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
37
38         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
39         https://bugs.webkit.org/show_bug.cgi?id=183310
40
41         Reviewed by Filip Pizlo.
42
43         * stress/ai-create-this-to-new-object-fire.js: Added.
44         (assert):
45         (test):
46         (func):
47         (check):
48         (test.body.A):
49         (test.body.B):
50         (test.body):
51         * stress/ai-create-this-to-new-object.js: Added.
52         (assert):
53         (test):
54         (func):
55         (check):
56         (test.body.A):
57         (test.body.B):
58         (test.body):
59
60 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
61
62         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
63         https://bugs.webkit.org/show_bug.cgi?id=181848
64
65         Reviewed by Sam Weinig.
66
67         * microbenchmarks/regexp-u-global-es5.js: Added.
68         (fn):
69         * microbenchmarks/regexp-u-global-es6.js: Added.
70         (fn):
71         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
72         (shouldBe):
73         (test):
74         (i.switch):
75         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
76         (shouldBe):
77         (test):
78
79 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
80
81         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
82         https://bugs.webkit.org/show_bug.cgi?id=183334
83
84         Reviewed by Žan Doberšek.
85
86         * stress/var-injection-cache-invalidation.js:
87
88 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
89
90         [ARM] Disable tests that run out of memory
91         https://bugs.webkit.org/show_bug.cgi?id=182699
92
93         Reviewed by Žan Doberšek.
94
95         Skip tests that run out of memory. Do not run
96         modules/module-jit-reachability.js without LLInt to prevent
97         running out of executable memory.
98
99         * modules.yaml:
100         * modules/module-jit-reachability.js:
101         * stress/has-own-property-name-cache-string-keys.js:
102         * stress/has-own-property-name-cache-symbol-keys.js:
103
104 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
105
106         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
107         https://bugs.webkit.org/show_bug.cgi?id=183173
108
109         Reviewed by Saam Barati.
110
111         * stress/async-arrow-function-in-class-heritage.js: Added.
112         (testSyntax):
113         (testSyntaxError):
114         (SyntaxError):
115
116 2018-03-01  Saam Barati  <sbarati@apple.com>
117
118         We need to clear cached structures when having a bad time
119         https://bugs.webkit.org/show_bug.cgi?id=183256
120         <rdar://problem/36245022>
121
122         Reviewed by Mark Lam.
123
124         * stress/having-a-bad-time-with-derived-arrays.js: Added.
125         (assert):
126         (defineSetter):
127         (iterate):
128         (doSlice):
129
130 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
131
132         JSC crash with `import("")`
133         https://bugs.webkit.org/show_bug.cgi?id=183175
134
135         Reviewed by Saam Barati.
136
137         * stress/import-with-empty-string.js: Added.
138
139 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
140
141         Unreviewed, skip FTL tests if FTL is disabled
142         https://bugs.webkit.org/show_bug.cgi?id=183071
143
144         * stress/has-indexed-property-array-storage-ftl.js:
145         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
146
147 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
148
149         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
150         https://bugs.webkit.org/show_bug.cgi?id=182965
151
152         Reviewed by Saam Barati.
153
154         * stress/put-by-val-array-storage.js: Added.
155         (shouldBe):
156         (testArrayStorageInBounds):
157         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
158         (shouldBe):
159         (testInt32.createBuiltin):
160         (set for):
161         * stress/put-by-val-slow-put-array-storage.js: Added.
162         (shouldBe):
163         (testArrayStorageInBounds):
164
165 2018-02-26  Saam Barati  <sbarati@apple.com>
166
167         validateStackAccess should not validate if the offset is within the stack bounds
168         https://bugs.webkit.org/show_bug.cgi?id=183067
169         <rdar://problem/37749988>
170
171         Reviewed by Mark Lam.
172
173         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
174         (assert):
175         (test.a):
176         (test.b):
177         (test):
178
179 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
180
181         Unreviewed, skip FTL tests if FTL is disabled
182         https://bugs.webkit.org/show_bug.cgi?id=183071
183
184         * stress/has-indexed-property-array-storage-ftl.js:
185         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
186
187 2018-02-23  Saam Barati  <sbarati@apple.com>
188
189         Make Number.isInteger an intrinsic
190         https://bugs.webkit.org/show_bug.cgi?id=183088
191
192         Reviewed by JF Bastien.
193
194         * stress/number-is-integer-intrinsic.js: Added.
195
196 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
197
198         WebAssembly: cache memory address / size on instance
199         https://bugs.webkit.org/show_bug.cgi?id=177305
200
201         Reviewed by JF Bastien.
202
203         * wasm/function-tests/memory-reuse.js: Added.
204         (createWasmInstance):
205         (doCheckTrap):
206         (doMemoryGrow):
207         (doCheck):
208         (checkWasmInstancesWithSharedMemory):
209
210 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
211
212         [JSC] Implement $vm.ftlTrue function for FTL testing
213         https://bugs.webkit.org/show_bug.cgi?id=183071
214
215         Reviewed by Mark Lam.
216
217         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
218         (foo):
219         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
220         (foo):
221         * stress/dead-fiat-value-to-int52.js:
222         (foo):
223         * stress/dead-osr-entry-value.js:
224         (foo):
225         * stress/fiat-value-to-int52-then-exit-not-double.js:
226         (foo):
227         * stress/fiat-value-to-int52-then-exit-not-int52.js:
228         (foo):
229         * stress/fiat-value-to-int52-then-fail-to-fold.js:
230         (foo):
231         * stress/fiat-value-to-int52-then-fold.js:
232         (foo):
233         * stress/fiat-value-to-int52.js:
234         (foo):
235         * stress/fold-based-on-int32-proof-mul-branch.js:
236         (foo):
237         * stress/fold-profiled-call-to-call.js:
238         (foo):
239         * stress/fold-to-double-constant-then-exit.js:
240         (foo):
241         * stress/fold-to-int52-constant-then-exit.js:
242         (foo):
243         * stress/fold-to-primitive-in-cfa.js:
244         (foo):
245         * stress/fold-to-primitive-to-identity-in-cfa.js:
246         (foo):
247         * stress/has-indexed-property-array-storage-ftl.js: Added.
248         (shouldBe):
249         (test1):
250         (test2):
251         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
252         (shouldBe):
253         (test1):
254         (test2):
255         * stress/int52-ai-add-then-filter-int32.js:
256         (foo):
257         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
258         (foo):
259         * stress/int52-ai-mul-then-filter-int32.js:
260         (foo):
261         * stress/int52-ai-neg-then-filter-int32.js:
262         (foo):
263         * stress/int52-ai-sub-then-filter-int32.js:
264         (foo):
265         * stress/licm-pre-header-cannot-exit-nested.js:
266         (foo):
267         * stress/licm-pre-header-cannot-exit.js:
268         (foo):
269         * stress/sparse-array-entry-update-144067.js:
270         (useMemoryToTriggerGCs):
271         * stress/test-spec-misc.js:
272         (foo):
273         * stress/tricky-array-bounds-checks.js:
274         (foo):
275
276 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
277
278         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
279         https://bugs.webkit.org/show_bug.cgi?id=182792
280
281         Reviewed by Mark Lam.
282
283         * stress/has-indexed-property-array-storage.js: Added.
284         (shouldBe):
285         (test1):
286         (test2):
287         * stress/has-indexed-property-slow-put-array-storage.js: Added.
288         (shouldBe):
289         (test1):
290         (test2):
291
292 2018-02-20  Saam Barati  <sbarati@apple.com>
293
294         DFG::VarargsForwardingPhase should eliminate getting argument length
295         https://bugs.webkit.org/show_bug.cgi?id=182959
296
297         Reviewed by Keith Miller.
298
299         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
300
301 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
302
303         [FTL] Support ArrayPush for ArrayStorage
304         https://bugs.webkit.org/show_bug.cgi?id=182782
305
306         Reviewed by Saam Barati.
307
308         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
309
310         * stress/array-push-array-storage-beyond-int32.js: Added.
311         (shouldBe):
312         (test):
313         * stress/array-push-array-storage.js: Added.
314         (shouldBe):
315         (test):
316         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
317         (shouldBe):
318         (test):
319         * stress/array-push-multiple-storage-continuous.js: Added.
320         (shouldBe):
321         (test):
322
323 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
324
325         [FTL] Support ArrayPop for ArrayStorage
326         https://bugs.webkit.org/show_bug.cgi?id=182783
327
328         Reviewed by Saam Barati.
329
330         * stress/array-pop-array-storage.js: Added.
331         (shouldBe):
332         (test):
333
334 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
335
336         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
337         https://bugs.webkit.org/show_bug.cgi?id=182731
338
339         Reviewed by Saam Barati.
340
341         * stress/arrayify-array-storage-array.js: Added.
342         (shouldBe):
343         (testArrayStorage):
344         * stress/arrayify-array-storage-non-array.js: Added.
345         (shouldBe):
346         (testArrayStorage):
347         * stress/arrayify-array-storage.js: Added.
348         (shouldBe):
349         (testArrayStorage):
350         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
351         (shouldBe):
352         (testArrayStorage):
353         * stress/arrayify-slow-put-array-storage.js: Added.
354         (shouldBe):
355         (testArrayStorage):
356
357 2018-02-19  Saam Barati  <sbarati@apple.com>
358
359         Don't use JSFunction's allocation profile when getting the prototype can be effectful
360         https://bugs.webkit.org/show_bug.cgi?id=182942
361         <rdar://problem/37584764>
362
363         Reviewed by Mark Lam.
364
365         * stress/get-prototype-create-this-effectful.js: Added.
366
367 2018-02-16  Saam Barati  <sbarati@apple.com>
368
369         Fix bugs from r228411
370         https://bugs.webkit.org/show_bug.cgi?id=182851
371         <rdar://problem/37577732>
372
373         Reviewed by JF Bastien.
374
375         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
376
377 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
378
379         Unreviewed, roll out r228366 since it did not progress anything.
380
381         * stress/gc-error-stack.js: Removed.
382         * stress/no-gc-error-stack.js: Removed.
383
384 2018-02-15  Tomas Popela  <tpopela@redhat.com>
385
386         Many stress tests fail with JIT disabled
387         https://bugs.webkit.org/show_bug.cgi?id=182730
388
389         Reviewed by Saam Barati.
390
391         These tests are broken by design if the JIT is disabled - they test
392         the return value of numberOfDFGCompiles(), which is always set to
393         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
394
395         * stress/arith-abs-on-various-types.js:
396         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
397         * stress/arith-acos-on-various-types.js:
398         * stress/arith-acosh-on-various-types.js:
399         * stress/arith-asin-on-various-types.js:
400         * stress/arith-asinh-on-various-types.js:
401         * stress/arith-atan-on-various-types.js:
402         * stress/arith-atanh-on-various-types.js:
403         * stress/arith-cbrt-on-various-types.js:
404         * stress/arith-ceil-on-various-types.js:
405         * stress/arith-clz32-on-various-types.js:
406         * stress/arith-cos-on-various-types.js:
407         * stress/arith-cosh-on-various-types.js:
408         * stress/arith-expm1-on-various-types.js:
409         * stress/arith-floor-on-various-types.js:
410         * stress/arith-fround-on-various-types.js:
411         * stress/arith-log-on-various-types.js:
412         * stress/arith-log10-on-various-types.js:
413         * stress/arith-log2-on-various-types.js:
414         * stress/arith-negate-on-various-types.js:
415         * stress/arith-round-on-various-types.js:
416         * stress/arith-sin-on-various-types.js:
417         * stress/arith-sinh-on-various-types.js:
418         * stress/arith-sqrt-on-various-types.js:
419         * stress/arith-tan-on-various-types.js:
420         * stress/arith-tanh-on-various-types.js:
421         * stress/arith-trunc-on-various-types.js:
422         * stress/compare-strict-eq-on-various-types.js:
423
424 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
425
426         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
427
428         Unreviewed test gardening.
429
430         * stress/new-largeish-contiguous-array-with-size.js:
431
432 2018-02-14  Saam Barati  <sbarati@apple.com>
433
434         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
435         https://bugs.webkit.org/show_bug.cgi?id=182801
436
437         Reviewed by Keith Miller.
438
439         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
440
441 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
442
443         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
444         https://bugs.webkit.org/show_bug.cgi?id=182526
445
446         Unreviewed test gardening.
447
448         * stress/activation-sink-default-value-tdz-error.js:
449
450 2018-02-13  Saam Barati  <sbarati@apple.com>
451
452         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
453         https://bugs.webkit.org/show_bug.cgi?id=182755
454         <rdar://problem/37080864>
455
456         Reviewed by Keith Miller.
457
458         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
459         (test1.o.get 10005):
460         (test1):
461         (test2.o.get 1000):
462         (test2):
463
464 2018-02-13  Caitlin Potter  <caitp@igalia.com>
465
466         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
467         https://bugs.webkit.org/show_bug.cgi?id=182717
468
469         Reviewed by Yusuke Suzuki.
470
471         https://github.com/tc39/ecma262/pull/890 imposes a change to template
472         literals, to allow template callsite arrays to be collected when the
473         code containing the tagged template call is collected. This spec change
474         has received consensus and been ratified.
475
476         This change eliminates the eternal map associating template contents
477         with arrays.
478
479         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
480         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
481         * stress/tagged-templates-identity.js:
482         * stress/template-string-tags-eval.js:
483         * test262.yaml:
484
485 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
486
487         Support GetArrayLength on ArrayStorage in the FTL
488         https://bugs.webkit.org/show_bug.cgi?id=182625
489
490         Reviewed by Saam Barati.
491
492         * stress/array-storage-length.js: Added.
493         (shouldBe):
494         (testInBound):
495         (testUncountable):
496         (testSlowPutInBound):
497         (testSlowPutUncountable):
498         * stress/undecided-length.js: Added.
499         (shouldBe):
500         (test2):
501
502 2018-02-12  Saam Barati  <sbarati@apple.com>
503
504         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
505         https://bugs.webkit.org/show_bug.cgi?id=182706
506         <rdar://problem/36833681>
507
508         Reviewed by Filip Pizlo.
509
510         * stress/get-array-length-phantom-new-array-buffer.js: Added.
511         (effects):
512         (foo):
513
514 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
515
516         Don't waste memory for error.stack
517         https://bugs.webkit.org/show_bug.cgi?id=182656
518
519         Reviewed by Saam Barati.
520         
521         Tests the policy.
522
523         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
524         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
525
526 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
527
528         [JSC] Update Test262 to Feb 9 version
529         https://bugs.webkit.org/show_bug.cgi?id=182468
530
531         Reviewed by Saam Barati.
532
533 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
534
535         Unreviewed, fix invalid line terminator in old test262 file part 2
536         https://bugs.webkit.org/show_bug.cgi?id=182468
537
538         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
539
540 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
541
542         Unreviewed, fix invalid line terminator in old test262 file
543         https://bugs.webkit.org/show_bug.cgi?id=182468
544
545         * test262/test/language/literals/regexp/7.8.5-1.js:
546
547 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
548
549         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
550         https://bugs.webkit.org/show_bug.cgi?id=182440
551
552         Reviewed by Darin Adler.
553
554         * stress/array-flatmap.js: Added.
555         (shouldBe):
556         (shouldBeArray):
557         (shouldThrow):
558         (var):
559         * stress/array-flatten.js: Added.
560         (shouldBe):
561         (shouldBeArray):
562         * test262.yaml:
563         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
564         (3.flatMap):
565         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
566
567 2018-02-06  Keith Miller  <keith_miller@apple.com>
568
569         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
570         https://bugs.webkit.org/show_bug.cgi?id=182549
571         <rdar://problem/36189995>
572
573         Reviewed by Saam Barati.
574
575         * stress/var-injection-cache-invalidation.js: Added.
576         (allocateLotsOfThings):
577         (test):
578
579 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
580
581         Unreviewed, follow up for test262 update
582         https://bugs.webkit.org/show_bug.cgi?id=182288
583
584         * test262.yaml:
585
586 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
587
588         Update test262 to Jan 30 version
589         https://bugs.webkit.org/show_bug.cgi?id=182288
590
591         Unreviewed test gardening.
592
593         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
594
595 2018-02-02  Saam Barati  <sbarati@apple.com>
596
597         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
598         https://bugs.webkit.org/show_bug.cgi?id=182368
599         <rdar://problem/36932466>
600
601         Reviewed by Mark Lam.
602
603         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
604         (runNearStackLimit.t):
605         (runNearStackLimit):
606         (try.runNearStackLimit):
607         (catch):
608
609 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
610
611         Update test262 to Jan 30 version
612         https://bugs.webkit.org/show_bug.cgi?id=182288
613
614         Rubber stamped by Saam Barati.
615
616         This patch updates test262 to the latest one, Jan 30 version.
617         Since added and changed files are too many, we cannot create ChangeLog.
618         The following files are changed.
619
620         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
621         including some special line terminators (like u2028, u2029).
622
623         * test262.yaml:
624         * test262/test262-Revision.txt:
625         * test262/*:
626
627 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
628
629         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
630         https://bugs.webkit.org/show_bug.cgi?id=182411
631
632         Reviewed by Carlos Alberto Lopez Perez.
633
634         This is skipped only on arm memory limited platforms. Until recently
635         it was not a problem on MIPS as the butterfly was not initialized. But
636         since r227435, the butterfly is initialized in that test and therefore
637         memory is allocated, and the test typically takes around 512M, which
638         means it generally gets OOM-killed on the MIPS buildbot.
639
640         * mozilla/mozilla-tests.yaml:
641
642 2018-02-01  Mark Lam  <mark.lam@apple.com>
643
644         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
645         https://bugs.webkit.org/show_bug.cgi?id=182419
646         <rdar://problem/37044945>
647
648         Reviewed by Saam Barati.
649
650         * stress/regress-182419.js: Added.
651
652 2018-02-01  Keith Miller  <keith_miller@apple.com>
653
654         Fix crashes due to mishandling custom sections.
655         https://bugs.webkit.org/show_bug.cgi?id=182404
656         <rdar://problem/36935863>
657
658         Reviewed by Saam Barati.
659
660         * wasm/Builder.js:
661         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
662         * wasm/js-api/validate.js:
663         (assert.truthy):
664
665 2018-01-31  Saam Barati  <sbarati@apple.com>
666
667         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
668         https://bugs.webkit.org/show_bug.cgi?id=182074
669         <rdar://problem/36846261>
670
671         Reviewed by Mark Lam.
672
673         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
674         (assert):
675         (let.func):
676         (let.o.foo):
677         (varFunc):
678
679 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
680
681         Unreviewed, update test262 expects
682         https://bugs.webkit.org/show_bug.cgi?id=182232
683
684         * test262.yaml:
685
686 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
687
688         [JSC] Implement trimStart and trimEnd
689         https://bugs.webkit.org/show_bug.cgi?id=182233
690
691         Reviewed by Mark Lam.
692
693         * stress/trim.js: Added.
694         (shouldBe):
695         (startTest):
696         (endTest):
697         (trimTest):
698
699 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
700
701         [JSC] Relax line terminators in String to make JSON subset of JS
702         https://bugs.webkit.org/show_bug.cgi?id=182232
703
704         Reviewed by Keith Miller.
705
706         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
707         * stress/relaxed-line-terminators-in-string.js: Added.
708         (shouldBe):
709
710 2018-01-29  Michael Saboff  <msaboff@apple.com>
711
712         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
713         https://bugs.webkit.org/show_bug.cgi?id=182249
714
715         Reviewed by Keith Miller.
716
717         New regression test.
718
719         * stress/compare-clobber-untypeduse.js: Added.
720
721 2018-01-29  Matt Lewis  <jlewis3@apple.com>
722
723         Unreviewed, rolling out r227725.
724
725         This caused internal failures.
726
727         Reverted changeset:
728
729         "JSC Sampling Profiler: Detect tester and testee when sampling
730         in RegExp JIT"
731         https://bugs.webkit.org/show_bug.cgi?id=152729
732         https://trac.webkit.org/changeset/227725
733
734 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
735
736         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
737         https://bugs.webkit.org/show_bug.cgi?id=152729
738
739         Reviewed by Saam Barati.
740
741         * stress/sampling-profiler-regexp.js: Added.
742         (platformSupportsSamplingProfiler.test):
743         (platformSupportsSamplingProfiler.baz):
744         (platformSupportsSamplingProfiler):
745
746 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
747
748         [DFG][FTL] WeakMap#set should have DFG node
749         https://bugs.webkit.org/show_bug.cgi?id=180015
750
751         Reviewed by Saam Barati.
752
753         * stress/weakmap-set-change-get.js: Added.
754         (shouldBe):
755         (test):
756         * stress/weakmap-set-cse.js: Added.
757         (shouldBe):
758         (test):
759         * stress/weakset-add-change-get.js: Added.
760         (shouldBe):
761         * stress/weakset-add-cse.js: Added.
762         (shouldBe):
763
764 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
765
766         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
767         https://bugs.webkit.org/show_bug.cgi?id=182213
768
769         Reviewed by Mark Lam.
770
771         * stress/int32-min-to-string.js: Added.
772         (shouldBe):
773         (test2):
774         (test4):
775         (test8):
776         (test16):
777         (test32):
778         * stress/zero-to-string.js: Added.
779         (shouldBe):
780         (test2):
781         (test4):
782         (test8):
783         (test16):
784         (test32):
785
786 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
787
788         Add more module scope related tests with code evaluation by string
789         https://bugs.webkit.org/show_bug.cgi?id=181983
790
791         Reviewed by Sam Weinig.
792
793         Add more module scope related tests. When the original tests landed,
794         we did not have browser integration. This patch adds more module scope tests
795         with dynamically created script evaluation. We add tests with Function
796         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
797
798         * modules/scopes-eval.js: Added.
799         (shouldBe):
800         * modules/scopes.js:
801         (shouldBe):
802
803 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
804
805         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
806
807         * microbenchmarks/array-push-3.js: Removed.
808         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
809         * microbenchmarks/double-to-int32.js: Removed.
810         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
811         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
812         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
813         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
814         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
815         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
816         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
817         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
818         * microbenchmarks/map-constant-key.js: Removed.
819         * microbenchmarks/nested-function-parsing.js: Removed.
820         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
821         * microbenchmarks/spread-large-array.js: Removed.
822         * microbenchmarks/string-add-constant-folding.js: Removed.
823         * microbenchmarks/to-lower-case.js: Removed.
824         * microbenchmarks/undefined-property-access.js: Removed.
825         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
826         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
827         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
828         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
829         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
830         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
831         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
832         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
833         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
834         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
835         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
836         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
837         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
838         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
839         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
840         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
841         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
842         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
843
844 2018-01-23  Robin Morisset  <rmorisset@apple.com>
845
846         Update the argument count in DFGByteCodeParser::handleRecursiveCall
847         https://bugs.webkit.org/show_bug.cgi?id=181739
848         <rdar://problem/36627662>
849
850         Reviewed by Saam Barati.
851
852         * stress/recursive-tail-call-with-different-argument-count.js: Added.
853         (foo):
854         (bar):
855
856 2018-01-22  Michael Saboff  <msaboff@apple.com>
857
858         DFG abstract interpreter needs to properly model effects of some Math ops
859         https://bugs.webkit.org/show_bug.cgi?id=181886
860
861         Reviewed by Saam Barati.
862
863         New regression test.
864
865         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
866         (test):
867
868 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
869
870         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
871         https://bugs.webkit.org/show_bug.cgi?id=181182
872
873         Reviewed by Darin Adler.
874
875         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
876         * stress/big-int-prototype-to-string-exception.js: Added.
877         * stress/big-int-prototype-to-string-wrong-values.js: Added.
878         * stress/number-prototype-to-string-cast-overflow.js: Added.
879         * stress/number-prototype-to-string-exception.js: Added.
880         * stress/number-prototype-to-string-wrong-values.js: Added.
881
882 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
883
884         Disable Atomics when SharedArrayBuffer isn’t enabled
885         https://bugs.webkit.org/show_bug.cgi?id=181572
886
887         Unreviewed test gardening.
888
889         * test262.yaml: Skip tests that fail after this change.
890
891 2018-01-19  Saam Barati  <sbarati@apple.com>
892
893         Kill ArithNegate's ArithProfile assert inside BytecodeParser
894         https://bugs.webkit.org/show_bug.cgi?id=181877
895         <rdar://problem/36630552>
896
897         Reviewed by Mark Lam.
898
899         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
900         (runNearStackLimit):
901         (f1):
902         (f2):
903         (f3):
904         (i.catch):
905         (i.try.runNearStackLimit):
906         (catch):
907
908 2018-01-19  Saam Barati  <sbarati@apple.com>
909
910         Spread's effects are modeled incorrectly both in AI and in Clobberize
911         https://bugs.webkit.org/show_bug.cgi?id=181867
912         <rdar://problem/36290415>
913
914         Reviewed by Michael Saboff.
915
916         * stress/ai-needs-to-model-spreads-effects.js: Added.
917         (try.p.Symbol.iterator):
918         (try.go):
919         (catch):
920         * stress/clobberize-needs-to-model-spread-effects.js: Added.
921         (assert):
922         (foo):
923         (a.Symbol.iterator):
924
925 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
926
927         Unreviewed, reduce count of iteration to fix timing out debug JSC test
928         https://bugs.webkit.org/show_bug.cgi?id=181535
929
930         * stress/inserted-recovery-with-set-last-index.js:
931
932 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
933
934         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
935         https://bugs.webkit.org/show_bug.cgi?id=181535
936
937         Reviewed by Saam Barati.
938
939         * stress/inserted-recovery-with-set-last-index.js: Added.
940         (shouldBe):
941         (foo):
942         * stress/materialize-regexp-at-osr-exit.js: Added.
943         (shouldBe):
944         (test):
945         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
946         (shouldBe):
947         (test):
948         * stress/materialize-regexp-cyclic-regexp.js: Added.
949         (shouldBe):
950         (test):
951         (i.switch):
952         * stress/materialize-regexp-cyclic.js: Added.
953         (shouldBe):
954         (test):
955         (i.switch):
956         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
957         (bar):
958         (foo):
959         (test):
960         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
961         (bar):
962         (foo):
963         (test):
964         * stress/materialize-regexp.js: Added.
965         (shouldBe):
966         (test):
967         * stress/phantom-regexp-regexp-exec.js: Added.
968         (shouldBe):
969         (test):
970         * stress/phantom-regexp-string-match.js: Added.
971         (shouldBe):
972         (test):
973         * stress/regexp-last-index-sinking.js: Added.
974         (shouldBe):
975         (test):
976
977 2018-01-17  Saam Barati  <sbarati@apple.com>
978
979         Disable Atomics when SharedArrayBuffer isn’t enabled
980         https://bugs.webkit.org/show_bug.cgi?id=181572
981         <rdar://problem/36553206>
982
983         Reviewed by Michael Saboff.
984
985         * stress/isLockFree.js:
986
987 2018-01-17  Saam Barati  <sbarati@apple.com>
988
989         DFG::Node::convertToConstant needs to clear the varargs flags
990         https://bugs.webkit.org/show_bug.cgi?id=181697
991         <rdar://problem/36497332>
992
993         Reviewed by Yusuke Suzuki.
994
995         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
996         (doIndexOf):
997         (bar):
998         (i.bar):
999
1000 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1001
1002         Unreviewed, rolling out r226937.
1003
1004         Tests added with this change are failing due to a missing
1005         exception check.
1006
1007         Reverted changeset:
1008
1009         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1010         double to int32_t"
1011         https://bugs.webkit.org/show_bug.cgi?id=181182
1012         https://trac.webkit.org/changeset/226937
1013
1014 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1015
1016         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1017         https://bugs.webkit.org/show_bug.cgi?id=181182
1018
1019         Reviewed by Darin Adler.
1020
1021         * bigIntTests.yaml:
1022         * stress/big-int-constructor.js:
1023         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1024         (assert):
1025         (assertThrowRangeError):
1026         * stress/number-prototype-to-string-cast-overflow.js: Added.
1027         (assert):
1028         (assertThrowRangeError):
1029
1030 2018-01-12  Saam Barati  <sbarati@apple.com>
1031
1032         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1033         https://bugs.webkit.org/show_bug.cgi?id=181177
1034         <rdar://problem/36205704>
1035
1036         Reviewed by Yusuke Suzuki.
1037
1038         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1039         (runNearStackLimit.t):
1040         (runNearStackLimit):
1041         (test.f):
1042         (test):
1043
1044 2018-01-12  Saam Barati  <sbarati@apple.com>
1045
1046         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1047         https://bugs.webkit.org/show_bug.cgi?id=181562
1048         <rdar://problem/36445624>
1049
1050         Reviewed by Yusuke Suzuki.
1051
1052         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1053         (f):
1054         (foo):
1055
1056 2018-01-11  Saam Barati  <sbarati@apple.com>
1057
1058         When inserting Unreachable in byte code parser we need to flush all the right things
1059         https://bugs.webkit.org/show_bug.cgi?id=181509
1060         <rdar://problem/36423110>
1061
1062         Reviewed by Mark Lam.
1063
1064         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1065
1066 2018-01-11  Saam Barati  <sbarati@apple.com>
1067
1068         JITMathIC code in the FTL is wrong when code gets duplicated
1069         https://bugs.webkit.org/show_bug.cgi?id=181525
1070         <rdar://problem/36351993>
1071
1072         Reviewed by Michael Saboff and Keith Miller.
1073
1074         * stress/allow-math-ic-b3-code-duplication.js: Added.
1075
1076 2018-01-11  Saam Barati  <sbarati@apple.com>
1077
1078         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1079         https://bugs.webkit.org/show_bug.cgi?id=181508
1080
1081         Reviewed by Yusuke Suzuki.
1082
1083         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1084         (assert):
1085         (test1.foo):
1086         (test1):
1087         (test2.foo):
1088         (test2):
1089
1090 2018-01-09  Mark Lam  <mark.lam@apple.com>
1091
1092         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1093         https://bugs.webkit.org/show_bug.cgi?id=181388
1094         <rdar://problem/36349351>
1095
1096         Reviewed by Saam Barati.
1097
1098         * stress/regress-181388.js: Added.
1099
1100 2018-01-08  JF Bastien  <jfbastien@apple.com>
1101
1102         WebAssembly: mask indexed accesses to Table
1103         https://bugs.webkit.org/show_bug.cgi?id=181412
1104         <rdar://problem/36363236>
1105
1106         Reviewed by Saam Barati.
1107
1108         Update error messages.
1109
1110         * wasm/js-api/table.js:
1111         (assert.throws.WebAssembly.Table.prototype.grow):
1112
1113 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1114
1115         Disable SharedArrayBuffer tests missed in r226386.
1116         https://bugs.webkit.org/show_bug.cgi?id=181266
1117
1118         Unreviewed test gardening.
1119
1120         * test262.yaml:
1121
1122 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1123
1124         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1125         https://bugs.webkit.org/show_bug.cgi?id=181321
1126
1127         Reviewed by Saam Barati.
1128
1129         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1130         (shouldBe):
1131         (testFunction):
1132         * test262.yaml:
1133
1134 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1135
1136         Unreviewed, attempt to fix test262 after r226386.
1137
1138         * test262.yaml:
1139
1140 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1141
1142         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1143         https://bugs.webkit.org/show_bug.cgi?id=179911
1144
1145         Reviewed by Saam Barati.
1146
1147         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1148
1149         * stress/map-set-change-get.js: Added.
1150         (shouldBe):
1151         (test):
1152         * stress/map-set-create-bucket.js: Added.
1153         (shouldBe):
1154         (test):
1155         * stress/set-add-create-bucket.js: Added.
1156         (shouldBe):
1157
1158 2018-01-03  Michael Saboff  <msaboff@apple.com>
1159
1160         Disable SharedArrayBuffers from Web API
1161         https://bugs.webkit.org/show_bug.cgi?id=181266
1162
1163         Reviewed by Saam Barati.
1164
1165         Disabled SharedArrayBuffer tests.
1166
1167         * stress/SharedArrayBuffer-opt.js:
1168         * stress/SharedArrayBuffer.js:
1169         * stress/array-buffer-byte-length.js:
1170         * stress/atomics-add-uint32.js:
1171         * stress/atomics-known-int-use.js:
1172         * stress/atomics-neg-zero.js:
1173         * stress/atomics-store-return.js:
1174         * stress/lars-sab-workers.js:
1175         * stress/regress-159779-1.js:
1176         * stress/regress-159779-2.js:
1177         * stress/regress-170473.js:
1178         * test262.yaml:
1179
1180 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1181
1182         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1183         https://bugs.webkit.org/show_bug.cgi?id=181258
1184
1185         Reviewed by Antonio Gomes.
1186
1187         * stress/big-int-constructor-gc.js:
1188         * stress/big-int-constructor-oom.js:
1189
1190 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1191
1192         Inlining of a function that ends in op_unreachable crashes
1193         https://bugs.webkit.org/show_bug.cgi?id=181027
1194
1195         Reviewed by Filip Pizlo.
1196
1197         * stress/inlining-unreachable.js: Added.
1198         (bar):
1199         (baz):
1200         (i.catch):
1201
1202 2018-01-02  Saam Barati  <sbarati@apple.com>
1203
1204         Incorrect assertion inside AccessCase
1205         https://bugs.webkit.org/show_bug.cgi?id=181200
1206         <rdar://problem/35494754>
1207
1208         Reviewed by Yusuke Suzuki.
1209
1210         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1211         (ctor):
1212         (theFunc):
1213         (run):
1214
1215 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1216
1217         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1218         https://bugs.webkit.org/show_bug.cgi?id=175359
1219
1220         Reviewed by Yusuke Suzuki.
1221
1222         * bigIntTests.yaml:
1223         * stress/big-int-as-key.js: Added.
1224         * stress/big-int-constructor-gc.js: Added.
1225         * stress/big-int-constructor-oom.js: Added.
1226         * stress/big-int-constructor-properties.js: Added.
1227         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1228         * stress/big-int-constructor-prototype.js: Added.
1229         * stress/big-int-constructor.js: Added.
1230         * stress/big-int-function-apply.js:
1231         * stress/big-int-length.js: Added.
1232         * stress/big-int-prop-descriptor.js: Added.
1233         * stress/big-int-proto-constructor.js: Added.
1234         * stress/big-int-proto-name.js: Added.
1235         * stress/big-int-prototype-properties.js: Added.
1236         * stress/big-int-prototype-proto.js: Added.
1237         * stress/big-int-prototype-value-of.js: Added.
1238         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1239         * stress/big-int-prototype-to-string-apply.js: Added.
1240         * stress/big-int-to-object.js: Added.
1241         * stress/big-int-to-string.js: Added.
1242
1243 2017-12-28  Saam Barati  <sbarati@apple.com>
1244
1245         Assertion used to determine if something is an async generator is wrong
1246         https://bugs.webkit.org/show_bug.cgi?id=181168
1247         <rdar://problem/35640560>
1248
1249         Reviewed by Yusuke Suzuki.
1250
1251         * stress/async-generator-assertion.js: Added.
1252
1253 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1254
1255         Skip stress/splay-flash-access tests on memory limited platforms
1256         https://bugs.webkit.org/show_bug.cgi?id=181086
1257
1258         Reviewed by Carlos Alberto Lopez Perez.
1259
1260         These tests use about 185M of memory, and occasionally get OOM-killed
1261         on memory limited platforms.
1262
1263         * stress/splay-flash-access-1ms.js:
1264         * stress/splay-flash-access.js:
1265
1266 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1267
1268         Skip slow jsc tests on embedded platforms
1269         https://bugs.webkit.org/show_bug.cgi?id=180937
1270
1271         Reviewed by Carlos Alberto Lopez Perez.
1272
1273         The tests typeProfiler/deltablue-for-of.js and
1274         typeProfiler/getter-richards.js take a very long time in the
1275         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
1276         thus always time out. They should be skipped on these platforms.
1277
1278         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1279         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1280
1281 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1282
1283         [JSC] Do not check isValid() in op_new_regexp
1284         https://bugs.webkit.org/show_bug.cgi?id=180970
1285
1286         Reviewed by Saam Barati.
1287
1288         * stress/regexp-syntax-error-invalid-flags.js: Added.
1289         (shouldThrow):
1290
1291 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1292
1293         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1294         https://bugs.webkit.org/show_bug.cgi?id=180712
1295
1296         Reviewed by Michael Catanzaro.
1297
1298         stress/call-apply-exponential-bytecode-size.js crashes if the
1299         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1300         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1301         should skip the test on other platforms.
1302
1303         * stress/call-apply-exponential-bytecode-size.js:
1304
1305 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1306
1307         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1308         https://bugs.webkit.org/show_bug.cgi?id=179762
1309
1310         Reviewed by Saam Barati.
1311
1312         * stress/call-varargs-double-new-array-buffer.js: Added.
1313         (assert):
1314         (bar):
1315         (foo):
1316         * stress/call-varargs-spread-new-array-buffer.js: Added.
1317         (assert):
1318         (bar):
1319         (foo):
1320         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1321         (assert):
1322         (bar):
1323         (foo):
1324         * stress/forward-varargs-double-new-array-buffer.js: Added.
1325         (assert):
1326         (test.baz):
1327         (test.bar):
1328         (test.foo):
1329         (test):
1330         * stress/new-array-buffer-sinking-osrexit.js: Added.
1331         (target):
1332         (test):
1333         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1334         (shouldBe):
1335         (test):
1336         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1337         (shouldBe):
1338         (target):
1339         (test):
1340         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1341         (assert):
1342         (test1.bar):
1343         (test1.foo):
1344         (test1):
1345         (test2.bar):
1346         (test2.foo):
1347         (test3.baz):
1348         (test3.bar):
1349         (test3.foo):
1350         (test4.baz):
1351         (test4.bar):
1352         (test4.foo):
1353         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1354         (assert):
1355         (test.baz):
1356         (test.bar):
1357         (test.foo):
1358         (test):
1359         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1360         (assert):
1361         (baz):
1362         (bar):
1363         (effects):
1364         (foo):
1365
1366 2017-12-14  Saam Barati  <sbarati@apple.com>
1367
1368         The CleanUp after LICM is erroneously removing a Check
1369         https://bugs.webkit.org/show_bug.cgi?id=180852
1370         <rdar://problem/36063494>
1371
1372         Reviewed by Filip Pizlo.
1373
1374         * stress/dont-run-cleanup-after-licm.js: Added.
1375
1376 2017-12-14  Michael Saboff  <msaboff@apple.com>
1377
1378         REGRESSION (r225695): Repro crash on yahoo login page
1379         https://bugs.webkit.org/show_bug.cgi?id=180761
1380
1381         Reviewed by JF Bastien.
1382
1383         New regression test.
1384
1385         * stress/regress-180761.js: Added.
1386
1387 2017-12-13  Keith Miller  <keith_miller@apple.com>
1388
1389         JSObjects should have a mask for loading indexed properties
1390         https://bugs.webkit.org/show_bug.cgi?id=180768
1391
1392         Reviewed by Mark Lam.
1393
1394         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1395         (test):
1396
1397 2017-12-13  Saam Barati  <sbarati@apple.com>
1398
1399         Arrow functions need their own structure because they have different properties than sloppy functions
1400         https://bugs.webkit.org/show_bug.cgi?id=180779
1401         <rdar://problem/35814591>
1402
1403         Reviewed by Mark Lam.
1404
1405         * stress/arrow-function-needs-its-own-structure.js: Added.
1406         (assert):
1407         (readPrototype):
1408         (noInline.let.f1):
1409         (noInline):
1410
1411 2017-12-13  Saam Barati  <sbarati@apple.com>
1412
1413         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1414         https://bugs.webkit.org/show_bug.cgi?id=163579
1415         <rdar://problem/35455798>
1416
1417         Reviewed by Mark Lam.
1418
1419         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1420         (assert):
1421         (test1):
1422         (i.test1):
1423         (i.test1.C):
1424         (i.test1.async.foo):
1425         (i.test1.foo):
1426         (test2):
1427
1428 2017-12-13  Saam Barati  <sbarati@apple.com>
1429
1430         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1431         https://bugs.webkit.org/show_bug.cgi?id=180734
1432         <rdar://problem/35640547>
1433
1434         Reviewed by Yusuke Suzuki.
1435
1436         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1437         (__isPropertyOfType):
1438         (__getProperties):
1439         (__getObjects):
1440         (__getRandomObject):
1441         (theClass.):
1442         (theClass):
1443         (childClass):
1444         (counter.catch):
1445
1446 2017-12-12  Saam Barati  <sbarati@apple.com>
1447
1448         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1449         https://bugs.webkit.org/show_bug.cgi?id=180725
1450         <rdar://problem/35970511>
1451
1452         Reviewed by Michael Saboff.
1453
1454         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1455         (f1):
1456         (f2):
1457         (let.o2.valueOf):
1458
1459 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1460
1461         [JSC] Implement optimized WeakMap and WeakSet
1462         https://bugs.webkit.org/show_bug.cgi?id=179929
1463
1464         Reviewed by Saam Barati.
1465
1466         * microbenchmarks/weak-map-key.js:
1467         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1468         (assert):
1469         (objectKey):
1470         (let.start.Date.now):
1471         * stress/basic-weakmap.js: Added.
1472         (shouldBe):
1473         (test):
1474         * stress/basic-weakset.js: Added.
1475         (shouldBe):
1476         (test.set new):
1477         * stress/weakmap-cse-set-break.js: Added.
1478         (shouldBe):
1479         (test):
1480         * stress/weakmap-cse.js: Added.
1481         (shouldBe):
1482         (test):
1483         * stress/weakmap-gc.js: Added.
1484         (test):
1485         * stress/weakset-cse-add-break.js: Added.
1486         (shouldBe):
1487         (test.set new):
1488         * stress/weakset-cse.js: Added.
1489         (shouldBe):
1490         (test.set new):
1491         * stress/weakset-gc.js: Added.
1492         (test.set add):
1493         (test.set new):
1494         (test):
1495
1496 2017-12-12  Saam Barati  <sbarati@apple.com>
1497
1498         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1499         https://bugs.webkit.org/show_bug.cgi?id=180723
1500         <rdar://problem/35859726>
1501
1502         Reviewed by JF Bastien.
1503
1504         * stress/get-my-argument-by-val-constant-folding.js: Added.
1505         (test):
1506         (catch):
1507
1508 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1509
1510         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1511         https://bugs.webkit.org/show_bug.cgi?id=179000
1512
1513         Reviewed by Darin Adler and Yusuke Suzuki.
1514
1515         * bigIntTests.yaml: Added.
1516         * stress/big-int-literal-line-terminator.js: Added.
1517         * stress/big-int-literals.js: Added.
1518         * stress/big-int-operations-error.js: Added.
1519         * stress/big-int-type-of.js: Added.
1520         * stress/big-int-white-space-trailing-leading.js: Added.
1521         * stress/big-int-function-apply.js: Added.
1522
1523 2017-12-11  Saam Barati  <sbarati@apple.com>
1524
1525         We need to disableCaching() in ErrorInstance when we materialize properties
1526         https://bugs.webkit.org/show_bug.cgi?id=180343
1527         <rdar://problem/35833002>
1528
1529         Reviewed by Mark Lam.
1530
1531         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1532         (assert):
1533         (makeError):
1534         (storeToStack):
1535         (storeToStackAlreadyMaterialized):
1536
1537 2017-12-05  JF Bastien  <jfbastien@apple.com>
1538
1539         WebAssembly: don't eagerly checksum
1540         https://bugs.webkit.org/show_bug.cgi?id=180441
1541         <rdar://problem/35156628>
1542
1543         Reviewed by Saam Barati.
1544
1545         Checksum is now disabled, so tests only have <?> as the module
1546         name.
1547
1548         * wasm/function-tests/nameSection.js:
1549         * wasm/function-tests/stack-overflow.js:
1550         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1551         (assertOverflows.assertThrows):
1552         (assertOverflows):
1553         * wasm/function-tests/stack-trace.js:
1554
1555 2017-12-04  JF Bastien  <jfbastien@apple.com>
1556
1557         Proxy all functions, except the $ objects
1558         https://bugs.webkit.org/show_bug.cgi?id=180375
1559
1560         Reviewed by Saam Barati.
1561
1562         It looks like this test may have broken some executions because I
1563         call some internal objects. Explicitly ignore objects whose name
1564         starts with "$" because it's a bad idea anyways.
1565
1566         * stress/proxy-all-the-parameters.js:
1567         (generateObjects):
1568         (get throw):
1569
1570 2017-12-04  Saam Barati  <sbarati@apple.com>
1571
1572         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1573         https://bugs.webkit.org/show_bug.cgi?id=180366
1574         <rdar://problem/35685877>
1575
1576         Reviewed by Michael Saboff.
1577
1578         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1579         (theParent):
1580         (test1.base.getParentStaticValue):
1581         (test1.base):
1582         (test1.__v_24888.prototype.set prop):
1583         (test1.__v_24888):
1584         (test2.base.getParentStaticValue):
1585         (test2.base):
1586         (test2.__v_24888.prototype.set prop):
1587         (test2.__v_24888):
1588         (test2):
1589
1590 2017-12-01  JF Bastien  <jfbastien@apple.com>
1591
1592         Try proxying all function arguments
1593         https://bugs.webkit.org/show_bug.cgi?id=180306
1594
1595         Reviewed by Saam Barati.
1596
1597         * stress/proxy-all-the-parameters.js: Added.
1598         (isPropertyOfType):
1599         (getProperties):
1600         (generateObjects):
1601         (getObjects):
1602         (getFunctions):
1603         (get throw):
1604         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1605
1606 2017-12-01  JF Bastien  <jfbastien@apple.com>
1607
1608         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1609         https://bugs.webkit.org/show_bug.cgi?id=180297
1610         <rdar://problem/35745556>
1611
1612         Reviewed by Mark Lam.
1613
1614         * stress/math-exceptions.js: Added.
1615         (get try):
1616         (catch):
1617
1618 2017-12-01  JF Bastien  <jfbastien@apple.com>
1619
1620         JavaScriptCore: add test for weird class static getters
1621         https://bugs.webkit.org/show_bug.cgi?id=180281
1622         <rdar://problem/35592139>
1623
1624         Reviewed by Mark Lam.
1625
1626         I fixed a bug for it in r224927 and didn't add a test. Do so.
1627
1628         * stress/class-static-get-weird.js: Added.
1629         (c.prototype.get name):
1630         (c):
1631         (c.prototype.get arguments):
1632         (c.prototype.get caller):
1633         (c.prototype.get length):
1634
1635 2017-12-01  Saam Barati  <sbarati@apple.com>
1636
1637         Having a bad time needs to handle ArrayClass indexing type as well
1638         https://bugs.webkit.org/show_bug.cgi?id=180274
1639         <rdar://problem/35667869>
1640
1641         Reviewed by Keith Miller and Mark Lam.
1642
1643         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1644         (assert):
1645         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1646         (assert):
1647
1648 2017-12-01  JF Bastien  <jfbastien@apple.com>
1649
1650         WebAssembly: restore cached stack limit after out-call
1651         https://bugs.webkit.org/show_bug.cgi?id=179106
1652         <rdar://problem/35337525>
1653
1654         Reviewed by Saam Barati.
1655
1656         * wasm/function-tests/double-instance.js: Added.
1657         (const.imp.boom):
1658         (const.imp.get callAnother):
1659
1660 2017-11-30  JF Bastien  <jfbastien@apple.com>
1661
1662         WebAssembly: improve stack trace
1663         https://bugs.webkit.org/show_bug.cgi?id=179343
1664
1665         Reviewed by Saam Barati.
1666
1667         Update the tests to follow the new format. Notably, SHA1 module
1668         hash is now included in traces, and stubs are properly identified.
1669
1670         * wasm/assert.js: Add an assertion which matches regular expressions.
1671         * wasm/function-tests/nameSection.js:
1672         * wasm/function-tests/stack-overflow.js:
1673         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1674         (assertOverflows.assertThrows.wasm.1):
1675         (assertOverflows.assertThrows.wasm.0):
1676         (assertOverflows.assertThrows):
1677         (assertOverflows):
1678         * wasm/function-tests/stack-trace.js:
1679         (import.Builder.from.string_appeared_here.assert): Deleted.
1680         * wasm/function-tests/trap-after-cross-instance-call.js:
1681         (wasmFrameCountFromError):
1682         * wasm/function-tests/trap-load-2.js:
1683         (wasmFrameCountFromError):
1684         * wasm/function-tests/trap-load.js:
1685         (wasmFrameCountFromError):
1686
1687 2017-11-30  Mark Lam  <mark.lam@apple.com>
1688
1689         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1690         https://bugs.webkit.org/show_bug.cgi?id=180219
1691         <rdar://problem/35696536>
1692
1693         Reviewed by Filip Pizlo.
1694
1695         * stress/regress-180219.js: Added.
1696
1697 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1698
1699         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1700         https://bugs.webkit.org/show_bug.cgi?id=180190
1701
1702         Reviewed by Mark Lam.
1703
1704         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1705         (shouldBe):
1706         (test1):
1707         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1708         (shouldBe):
1709         (test1):
1710         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1711         (shouldBe):
1712         (test1):
1713         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1714         (shouldBe):
1715         (test1):
1716         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1717         (shouldBe):
1718         (test1):
1719         * stress/operation-in-may-have-negative-int32.js: Added.
1720         (shouldBe):
1721         (test2):
1722         * stress/operation-in-negative-int32-cast.js: Added.
1723         (shouldBe):
1724         (test1):
1725
1726 2017-11-28  JF Bastien  <jfbastien@apple.com>
1727
1728         Strict and sloppy functions shouldn't share structure
1729         https://bugs.webkit.org/show_bug.cgi?id=180103
1730         <rdar://problem/35667847>
1731
1732         Reviewed by Saam Barati.
1733
1734         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1735         because the IC was wrong.
1736         (foo):
1737         (bar):
1738         (baz):
1739         (catch):
1740         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1741         in this patch, but may as well test odd strict mode corner cases.
1742         (bar):
1743         (baz):
1744         (catch):
1745         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1746         (foo):
1747         (bar):
1748         (baz):
1749         (catch):
1750         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1751         next file, but with invalidation of the FunctionExecutable's
1752         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1753         slower path.
1754         (foo):
1755         (bar.const.x):
1756         (bar.const.y):
1757         (bar):
1758         (catch):
1759         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1760         strict nesting works correctly.
1761         (foo):
1762         (bar.baz):
1763         (bar):
1764         * stress/strict-function-structure.js: Added. The test used to
1765         assert in objectProtoFuncHasOwnProperty.
1766         (foo):
1767         (bar):
1768         (baz):
1769         * stress/strict-nested-function-structure.js: Added. Nesting.
1770         (foo):
1771         (bar):
1772         (baz.boo):
1773         (baz):
1774
1775 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1776
1777         The recursive tail call optimisation is wrong on closures
1778         https://bugs.webkit.org/show_bug.cgi?id=179835
1779
1780         Reviewed by Saam Barati.
1781
1782         * stress/closure-recursive-tail-call.js: Added.
1783         (makeClosure):
1784
1785 2017-11-27  JF Bastien  <jfbastien@apple.com>
1786
1787         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1788         https://bugs.webkit.org/show_bug.cgi?id=180051
1789         <rdar://problem/35614371>
1790
1791         Reviewed by Saam Barati.
1792
1793         * stress/rest-parameter-negative.js: Added.
1794         (__f_5484):
1795         (catch):
1796         (__f_5485):
1797         (__v_22598.catch):
1798
1799 2017-11-27  Saam Barati  <sbarati@apple.com>
1800
1801         Spread can escape when CreateRest does not
1802         https://bugs.webkit.org/show_bug.cgi?id=180057
1803         <rdar://problem/35676119>
1804
1805         Reviewed by JF Bastien.
1806
1807         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1808         (assert):
1809         (getProperties):
1810         (theFunc):
1811         (let.obj.valueOf):
1812
1813 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1814
1815         [DFG] Add NormalizeMapKey DFG IR
1816         https://bugs.webkit.org/show_bug.cgi?id=179912
1817
1818         Reviewed by Saam Barati.
1819
1820         * stress/map-untyped-normalize-cse.js: Added.
1821         (shouldBe):
1822         (test):
1823         * stress/map-untyped-normalize.js: Added.
1824         (shouldBe):
1825         (test):
1826         * stress/set-untyped-normalize-cse.js: Added.
1827         (shouldBe):
1828         (set return.set has.set has):
1829         * stress/set-untyped-normalize.js: Added.
1830         (shouldBe):
1831         (set return.set has):
1832
1833 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1834
1835         [FTL] Support DeleteById and DeleteByVal
1836         https://bugs.webkit.org/show_bug.cgi?id=180022
1837
1838         Reviewed by Saam Barati.
1839
1840         * stress/delete-by-id.js: Added.
1841         (shouldBe):
1842         (test1):
1843         (test2):
1844         * stress/delete-by-val-ftl.js: Added.
1845         (shouldBe):
1846         (test1):
1847         (test2):
1848
1849 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1850
1851         [DFG] Introduce {Set,Map,WeakMap}Fields
1852         https://bugs.webkit.org/show_bug.cgi?id=179925
1853
1854         Reviewed by Saam Barati.
1855
1856         * stress/map-set-clobber-map-get.js: Added.
1857         (shouldBe):
1858         (test):
1859         * stress/map-set-does-not-clobber-set-has.js: Added.
1860         (shouldBe):
1861         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1862         (shouldBe):
1863         (test):
1864         * stress/set-add-clobber-set-has.js: Added.
1865         (shouldBe):
1866         * stress/set-add-does-not-clobber-map-get.js: Added.
1867         (shouldBe):
1868
1869 2017-11-24  Mark Lam  <mark.lam@apple.com>
1870
1871         Move unsafe jsc shell test functions to the $vm object.
1872         https://bugs.webkit.org/show_bug.cgi?id=179980
1873
1874         Reviewed by Yusuke Suzuki.
1875
1876         * controlFlowProfiler/driver/driver.js:
1877         * controlFlowProfiler/execution-count.js:
1878         * controlFlowProfiler/if-statement.js:
1879         * controlFlowProfiler/loop-statements.js:
1880         * controlFlowProfiler/switch-statements.js:
1881         * controlFlowProfiler/test-jit.js:
1882         * exceptionFuzz/3d-cube.js:
1883         * exceptionFuzz/date-format-xparb.js:
1884         * exceptionFuzz/earley-boyer.js:
1885         * heapProfiler/basic-edges.js:
1886         * heapProfiler/property-edge-types.js:
1887         * microbenchmarks/try-get-by-id-basic.js:
1888         * microbenchmarks/try-get-by-id-polymorphic.js:
1889         * modules/namespace-object-try-get.js:
1890         * stress/argument-count-bytecode.js:
1891         * stress/argument-intrinsic-basic.js:
1892         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1893         * stress/argument-intrinsic-inlining-with-result-escape.js:
1894         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1895         * stress/argument-intrinsic-inlining-with-vararg.js:
1896         * stress/argument-intrinsic-nested-inlining.js:
1897         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1898         * stress/argument-intrinsic-with-stack-write.js:
1899         * stress/arity-mismatch-get-argument.js:
1900         * stress/array-message-passing.js:
1901         * stress/array-push-with-force-exit.js:
1902         * stress/check-dom-with-signature.js:
1903         * stress/check-sub-class.js:
1904         * stress/compare-eq-incomplete-profile.js:
1905         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1906         * stress/do-eval-virtual-call-correctly.js:
1907         * stress/dom-jit-with-poly-proto.js:
1908         * stress/domjit-exception-ic.js:
1909         * stress/domjit-exception.js:
1910         * stress/domjit-getter-complex-with-incorrect-object.js:
1911         * stress/domjit-getter-complex.js:
1912         * stress/domjit-getter-poly.js:
1913         * stress/domjit-getter-proto.js:
1914         * stress/domjit-getter-super-poly.js:
1915         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1916         * stress/domjit-getter-type-check.js:
1917         * stress/domjit-getter.js:
1918         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1919         * stress/for-in-proxy-target-changed-structure.js:
1920         * stress/for-in-proxy.js:
1921         * stress/generational-opaque-roots.js:
1922         * stress/global-const-redeclaration-setting-2.js:
1923         * stress/global-const-redeclaration-setting-3.js:
1924         * stress/global-const-redeclaration-setting-4.js:
1925         * stress/global-const-redeclaration-setting-5.js:
1926         * stress/global-const-redeclaration-setting.js:
1927         * stress/import-basic.js:
1928         * stress/import-from-eval.js:
1929         * stress/import-reject-with-exception.js:
1930         * stress/import-syntax.js:
1931         * stress/impure-get-own-property-slot-inline-cache.js:
1932         * stress/is-constructor.js:
1933         * stress/istypedarrayview-intrinsic.js:
1934         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1935         * stress/jsc-test-functions-should-be-more-robust.js:
1936         * stress/object-toString-with-proxy.js:
1937         * stress/poly-proto-custom-value-and-accessor.js:
1938         * stress/proxy-inline-cache.js:
1939         * stress/re-execute-error-module.js:
1940         * stress/regress-150532.js:
1941         * stress/regress-156992.js:
1942         * stress/regress-179619.js:
1943         * stress/resources/shadow-chicken-support.js:
1944         * stress/runtime-array.js:
1945         * stress/sampling-profiler-microtasks.js:
1946         * stress/shadow-chicken-enabled.js:
1947         * stress/spread-correct-global-object-on-exception.js:
1948         * stress/super-get-by-id.js:
1949         * stress/tailCallForwardArguments.js:
1950         * stress/to-object-intrinsic-boolean-edge.js:
1951         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1952         * stress/to-object-intrinsic-number-edge.js:
1953         * stress/to-object-intrinsic-object-edge.js:
1954         * stress/to-object-intrinsic-string-edge.js:
1955         * stress/to-object-intrinsic-symbol-edge.js:
1956         * stress/to-object-intrinsic.js:
1957         * stress/try-catch-custom-getter-as-get-by-id.js:
1958         * stress/try-get-by-id-poly-proto.js:
1959         * stress/try-get-by-id-should-spill-registers-dfg.js:
1960         * stress/try-get-by-id.js:
1961         * typeProfiler/arrow-functions.js:
1962         * typeProfiler/basic.js:
1963         * typeProfiler/captured.js:
1964         * typeProfiler/classes.js:
1965         * typeProfiler/dfg-jit-optimizations.js:
1966         * typeProfiler/dictionary-mode.js:
1967         * typeProfiler/es6-block-scoping.js:
1968         * typeProfiler/es6-classes.js:
1969         * typeProfiler/inheritance.js:
1970         * typeProfiler/int52-dfg.js:
1971         * typeProfiler/loop.js:
1972         * typeProfiler/optional-fields.js:
1973         * typeProfiler/overflow.js:
1974         * typeProfiler/return.js:
1975         * typeProfiler/symbol.js:
1976         * typeProfiler/weird-prototype-chain.js:
1977
1978 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1979
1980         [DFG][FTL] Support MapSet / SetAdd intrinsics
1981         https://bugs.webkit.org/show_bug.cgi?id=179858
1982
1983         Reviewed by Saam Barati.
1984
1985         * microbenchmarks/map-has-and-set.js: Added.
1986         (test):
1987         * stress/map-set-check-failure.js: Added.
1988         (shouldBe):
1989         (shouldThrow):
1990         (target):
1991         * stress/map-set-cse.js: Added.
1992         (shouldBe):
1993         (test):
1994         * stress/set-add-check-failure.js: Added.
1995         (shouldBe):
1996         (shouldThrow):
1997         (set shouldThrow):
1998         * stress/set-add-cse.js: Added.
1999         (shouldBe):
2000
2001 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2002
2003         [JSC] Allow poly proto for intrinsic getters
2004         https://bugs.webkit.org/show_bug.cgi?id=179550
2005
2006         Reviewed by Saam Barati.
2007
2008         This change is also tested by existing tests.
2009
2010             1. stress/intrinsic-getter-with-poly-proto.js
2011             2. stress/poly-proto-intrinsic-getter-correctness.js
2012
2013         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2014         (shouldBe):
2015         (makePolyProtoObject.foo.C):
2016         (makePolyProtoObject.foo):
2017         (makePolyProtoObject):
2018         (target):
2019         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2020         (shouldBe):
2021         (makePolyProtoObject.foo.C):
2022         (makePolyProtoObject.foo):
2023         (makePolyProtoObject):
2024         (target):
2025
2026 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2027
2028         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2029         https://bugs.webkit.org/show_bug.cgi?id=179744
2030
2031         Reviewed by Michael Catanzaro.
2032
2033         This test uses too much memory for our buildbots on these platforms
2034         and gets OOM-killed.
2035
2036         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2037         Skip if $memoryLimited and linux.
2038
2039 2017-11-17  JF Bastien  <jfbastien@apple.com>
2040
2041         WebAssembly JS API: throw when a promise can't be created
2042         https://bugs.webkit.org/show_bug.cgi?id=179826
2043         <rdar://problem/35455813>
2044
2045         Reviewed by Mark Lam.
2046
2047         Test WebAssembly.{compile,instantiate} where promise creation
2048         fails because of a stack overflow.
2049
2050         * wasm/js-api/promise-stack-overflow.js: Added.
2051         (const.runNearStackLimit.f.const.t):
2052         (async.testCompile):
2053         (async.testInstantiate):
2054
2055 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2056
2057         Unreviewed, mark regress-178385.js as memory exhausting
2058
2059         * stress/regress-178385.js:
2060
2061 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2062
2063         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2064
2065         Unreviewed test gardening.
2066
2067         * test262.yaml:
2068
2069 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2070
2071         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2072         https://bugs.webkit.org/show_bug.cgi?id=179763
2073         <rdar://problem/35550513>
2074
2075         Reviewed by Keith Miller.
2076
2077         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2078
2079         * stress/tdz-this-in-try-catch.js: Added.
2080         (__v_6388):
2081         (__v_6392):
2082
2083 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2084
2085         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2086         https://bugs.webkit.org/show_bug.cgi?id=179594
2087
2088         Reviewed by Saam Barati.
2089
2090         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2091         (shouldBe):
2092         (args):
2093         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2094         (shouldBe):
2095         (args):
2096
2097 2017-11-14  Saam Barati  <sbarati@apple.com>
2098
2099         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2100         https://bugs.webkit.org/show_bug.cgi?id=179639
2101         <rdar://problem/35513018>
2102
2103         Reviewed by JF Bastien.
2104
2105         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2106         (escape):
2107         (i.func):
2108
2109 2017-11-13  Mark Lam  <mark.lam@apple.com>
2110
2111         Add more overflow check book-keeping for MarkedArgumentBuffer.
2112         https://bugs.webkit.org/show_bug.cgi?id=179634
2113         <rdar://problem/35492517>
2114
2115         Reviewed by Saam Barati.
2116
2117         * stress/regress-179634.js: Added.
2118
2119 2017-11-13  Mark Lam  <mark.lam@apple.com>
2120
2121         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2122         https://bugs.webkit.org/show_bug.cgi?id=179619
2123         <rdar://problem/35492518>
2124
2125         Reviewed by Saam Barati.
2126
2127         * stress/regress-179619.js: Added.
2128
2129 2017-11-12  Mark Lam  <mark.lam@apple.com>
2130
2131         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2132         https://bugs.webkit.org/show_bug.cgi?id=179562
2133         <rdar://problem/35467022>
2134
2135         Reviewed by Saam Barati.
2136
2137         * regress-179562.js: Added.
2138
2139 2017-11-08  Saam Barati  <sbarati@apple.com>
2140
2141         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2142         https://bugs.webkit.org/show_bug.cgi?id=177792
2143
2144         Reviewed by Yusuke Suzuki.
2145
2146         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2147         (assert):
2148         (foo.Foo.prototype.ensureX):
2149         (foo.Foo):
2150         (foo):
2151         (access):
2152
2153 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2154
2155         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2156         https://bugs.webkit.org/show_bug.cgi?id=178592
2157
2158         Unreviewed test gardening.
2159
2160         * test262.yaml:
2161
2162 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2163
2164         Turn recursive tail calls into loops
2165         https://bugs.webkit.org/show_bug.cgi?id=176601
2166
2167         Reviewed by Saam Barati.
2168
2169         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2170
2171         Add some simple tests that compute factorial in several ways, and other trivial computations.
2172         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2173         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2174         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2175         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2176
2177         * stress/inline-call-to-recursive-tail-call.js: Added.
2178         (factorial.aux):
2179         (factorial):
2180         (factorial2.aux2):
2181         (factorial2.id):
2182         (factorial2):
2183         (factorial3.aux3):
2184         (factorial3):
2185         (aux4):
2186         (factorial4):
2187         (foo):
2188         (auxBar):
2189         (bar):
2190         (test):
2191
2192 2017-11-07  Mark Lam  <mark.lam@apple.com>
2193
2194         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2195         https://bugs.webkit.org/show_bug.cgi?id=179355
2196         <rdar://problem/35263053>
2197
2198         Reviewed by Saam Barati.
2199
2200         * stress/regress-179355.js: Added.
2201
2202 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2203
2204         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2205         https://bugs.webkit.org/show_bug.cgi?id=144458
2206
2207         Reviewed by Saam Barati.
2208
2209         * microbenchmarks/dfg-internal-function-call.js: Added.
2210         (target):
2211         * microbenchmarks/dfg-internal-function-construct.js: Added.
2212         (target):
2213         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2214         (target):
2215         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2216         (target):
2217         * stress/dfg-internal-function-call.js: Added.
2218         (shouldBe):
2219         (target):
2220         * stress/dfg-internal-function-construct.js: Added.
2221         (shouldBe):
2222         (target):
2223         * stress/internal-function-call.js: Added.
2224         (shouldBe):
2225         * stress/internal-function-construct.js: Added.
2226         (shouldBe):
2227
2228 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2229
2230         [Win] Skip stress/regress-178385.js.
2231         https://bugs.webkit.org/show_bug.cgi?id=179298
2232
2233         Unreviewed test gardening.
2234
2235         * stress/regress-178385.js:
2236
2237 2017-11-03  Keith Miller  <keith_miller@apple.com>
2238
2239         Add test for ic with side effects
2240         https://bugs.webkit.org/show_bug.cgi?id=179268
2241
2242         Reviewed by Saam Barati.
2243
2244         * stress/put-inline-cache-side-effects.js: Added.
2245         (let.i.of.objs.keys):
2246         (f):
2247
2248 2017-11-03  Mark Lam  <mark.lam@apple.com>
2249
2250         CachedCall (and its clients) needs overflow checks.
2251         https://bugs.webkit.org/show_bug.cgi?id=179185
2252
2253         Reviewed by JF Bastien.
2254
2255         * stress/regress-179185.js: Added.
2256
2257 2017-11-02  Michael Saboff  <msaboff@apple.com>
2258
2259         DFG needs to handle code motion of code in for..in loop bodies
2260         https://bugs.webkit.org/show_bug.cgi?id=179212
2261
2262         Reviewed by Keith Miller.
2263
2264         New regression test.
2265
2266         * stress/for-in-side-effects.js: Added.
2267         (getPrototypeOf):
2268         (reset):
2269         (testWithoutFTL.f):
2270         (testWithoutFTL):
2271         (testWithFTL.f):
2272         (testWithFTL):
2273
2274 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2275
2276         AI does not correctly model the clobber case of ArithClz32
2277         https://bugs.webkit.org/show_bug.cgi?id=179188
2278
2279         Reviewed by Michael Saboff.
2280
2281         * stress/arith-clz32-effects.js: Added.
2282         (foo):
2283         (valueOf):
2284
2285 2017-11-01  Michael Saboff  <msaboff@apple.com>
2286
2287         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2288         https://bugs.webkit.org/show_bug.cgi?id=179140
2289
2290         Reviewed by Saam Barati.
2291
2292         New regression test.
2293
2294         * stress/regress-179140.js: Added.
2295         (testWithoutFTL):
2296         (testWithFTL):
2297
2298 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2299
2300         [JSC] Introduce @toObject
2301         https://bugs.webkit.org/show_bug.cgi?id=178726
2302
2303         Reviewed by Saam Barati.
2304
2305         * stress/array-copywithin.js:
2306         (shouldThrow):
2307         * stress/object-constructor-boolean-edge.js: Added.
2308         (shouldBe):
2309         (test):
2310         * stress/object-constructor-global.js: Added.
2311         (shouldBe):
2312         * stress/object-constructor-null-edge.js: Added.
2313         (shouldBe):
2314         (test):
2315         * stress/object-constructor-number-edge.js: Added.
2316         (shouldBe):
2317         (test):
2318         * stress/object-constructor-object-edge.js: Added.
2319         (shouldBe):
2320         (test):
2321         (i.arg):
2322         * stress/object-constructor-string-edge.js: Added.
2323         (shouldBe):
2324         (test):
2325         * stress/object-constructor-symbol-edge.js: Added.
2326         (shouldBe):
2327         (test):
2328         * stress/object-constructor-undefined-edge.js: Added.
2329         (shouldBe):
2330         (test):
2331         * stress/symbol-array-from.js: Added.
2332         (shouldBe):
2333         * stress/to-object-intrinsic-boolean-edge.js: Added.
2334         (shouldBe):
2335         (builtin.createBuiltin):
2336         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2337         (shouldThrow):
2338         * stress/to-object-intrinsic-number-edge.js: Added.
2339         (shouldBe):
2340         (builtin.createBuiltin):
2341         * stress/to-object-intrinsic-object-edge.js: Added.
2342         (shouldBe):
2343         (builtin.createBuiltin):
2344         (i.arg):
2345         * stress/to-object-intrinsic-string-edge.js: Added.
2346         (shouldBe):
2347         (builtin.createBuiltin):
2348         * stress/to-object-intrinsic-symbol-edge.js: Added.
2349         (shouldBe):
2350         (builtin.createBuiltin):
2351         * stress/to-object-intrinsic.js: Added.
2352         (shouldBe):
2353         (shouldThrow):
2354         (builtin.createBuiltin):
2355
2356 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2357
2358         [DFG][FTL] Introduce StringSlice
2359         https://bugs.webkit.org/show_bug.cgi?id=178934
2360
2361         Reviewed by Saam Barati.
2362
2363         * microbenchmarks/string-slice-empty.js: Added.
2364         (slice):
2365         * microbenchmarks/string-slice-one-char.js: Added.
2366         (slice):
2367         * microbenchmarks/string-slice.js: Added.
2368         (slice):
2369
2370 2017-10-26  Michael Saboff  <msaboff@apple.com>
2371
2372         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2373         https://bugs.webkit.org/show_bug.cgi?id=178890
2374
2375         Reviewed by Keith Miller.
2376
2377         New regression test.
2378
2379         * stress/regress-178890.js: Added.
2380
2381 2017-10-26  Mark Lam  <mark.lam@apple.com>
2382
2383         JSRopeString::RopeBuilder::append() should check for overflows.
2384         https://bugs.webkit.org/show_bug.cgi?id=178385
2385         <rdar://problem/35027468>
2386
2387         Reviewed by Saam Barati.
2388
2389         * stress/regress-178385.js: Added.
2390
2391 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2392
2393         Unreviewed, rolling out r223961.
2394
2395         The change that required this has been rolled out.
2396
2397         Reverted changeset:
2398
2399         "Mark test262.yaml/test262/test/language/statements/try/tco-
2400         catch.js as passing."
2401         https://bugs.webkit.org/show_bug.cgi?id=178592
2402         https://trac.webkit.org/changeset/223961
2403
2404 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2405
2406         Unreviewed, rolling out r223691 and r223729.
2407         https://bugs.webkit.org/show_bug.cgi?id=178834
2408
2409         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2410         by rniwa on #webkit).
2411
2412         Reverted changesets:
2413
2414         "Turn recursive tail calls into loops"
2415         https://bugs.webkit.org/show_bug.cgi?id=176601
2416         https://trac.webkit.org/changeset/223691
2417
2418         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2419         comparison is always false due to limited range of data type
2420         [-Wtype-limits]"
2421         https://bugs.webkit.org/show_bug.cgi?id=178543
2422         https://trac.webkit.org/changeset/223729
2423
2424 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2425
2426         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2427         https://bugs.webkit.org/show_bug.cgi?id=178592
2428
2429         Unreviewed test gardening.
2430
2431         * test262.yaml:
2432
2433 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2434
2435         [FTL] Support NewStringObject
2436         https://bugs.webkit.org/show_bug.cgi?id=178737
2437
2438         Reviewed by Saam Barati.
2439
2440         * stress/new-string-object.js: Added.
2441         (shouldBe):
2442         (test):
2443
2444 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2445
2446         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2447         https://bugs.webkit.org/show_bug.cgi?id=178308
2448
2449         Reviewed by Mark Lam.
2450
2451         * test262.yaml:
2452
2453 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2454
2455         [JSC] Use fastJoin in Array#toString
2456         https://bugs.webkit.org/show_bug.cgi?id=178062
2457
2458         Reviewed by Darin Adler.
2459
2460         * microbenchmarks/contiguous-array-to-string.js: Added.
2461         (target):
2462         * microbenchmarks/double-array-to-string.js: Added.
2463         (target):
2464         * microbenchmarks/int32-array-to-string.js: Added.
2465         (target):
2466
2467 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2468
2469         stress/check-string-ident.js is improperly skipped
2470         https://bugs.webkit.org/show_bug.cgi?id=178642
2471
2472         Reviewed by Saam Barati.
2473
2474         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2475         since it enforces the run-jsc-stress-tests script to still set up the
2476         test to run, despite the skip directive that's used before.
2477
2478 2017-10-20  Mark Lam  <mark.lam@apple.com>
2479
2480         Add a test case for r214334.
2481         https://bugs.webkit.org/show_bug.cgi?id=169941
2482         <rdar://problem/31221258>
2483
2484         Reviewed by JF Bastien.
2485
2486         * stress/regress-169941.js: Added.
2487
2488 2017-10-19  JF Bastien  <jfbastien@apple.com>
2489
2490         WebAssembly: no VM / JS version of everything but Instance
2491         https://bugs.webkit.org/show_bug.cgi?id=177473
2492
2493         Reviewed by Filip Pizlo, Saam Barati.
2494
2495         - Exceeding max on memory growth now returns a range error as per
2496         spec. This is a (very minor) breaking change: it used to throw OOM
2497         error. Update the corresponding test.
2498
2499         * wasm/js-api/memory-grow.js:
2500         (assertEq):
2501         * wasm/js-api/table.js:
2502         (assert.throws):
2503
2504 2017-10-19  Mark Lam  <mark.lam@apple.com>
2505
2506         Stringifier::appendStringifiedValue() is missing an exception check.
2507         https://bugs.webkit.org/show_bug.cgi?id=178386
2508         <rdar://problem/35027610>
2509
2510         Reviewed by Saam Barati.
2511
2512         * stress/regress-178386.js: Added.
2513
2514 2017-10-19  Michael Saboff  <msaboff@apple.com>
2515
2516         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2517         https://bugs.webkit.org/show_bug.cgi?id=178521
2518
2519         Reviewed by JF Bastien.
2520
2521         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2522         now passes with the current version (5.0) of the Emoji spec.
2523
2524 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2525
2526         Turn recursive tail calls into loops
2527         https://bugs.webkit.org/show_bug.cgi?id=176601
2528
2529         Reviewed by Saam Barati.
2530
2531         Add some simple tests that compute factorial in several ways, and other trivial computations.
2532         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2533         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2534         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2535         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2536
2537         * stress/inline-call-to-recursive-tail-call.js: Added.
2538         (factorial.aux):
2539         (factorial):
2540         (factorial2.aux):
2541         (factorial2.id):
2542         (factorial2):
2543         (factorial3.aux):
2544         (factorial3):
2545         (aux):
2546         (factorial4):
2547         (test):
2548
2549 2017-10-18  Mark Lam  <mark.lam@apple.com>
2550
2551         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2552         https://bugs.webkit.org/show_bug.cgi?id=177600
2553         <rdar://problem/34710985>
2554
2555         Reviewed by Saam Barati.
2556
2557         * stress/regress-177600.js: Added.
2558
2559 2017-10-18  Mark Lam  <mark.lam@apple.com>
2560
2561         The compiler should always register a structure when it adds its transitionWatchPointSet.
2562         https://bugs.webkit.org/show_bug.cgi?id=178420
2563         <rdar://problem/34814024>
2564
2565         Reviewed by Saam Barati and Filip Pizlo.
2566
2567         * stress/regress-178420.js: Added.
2568         (new.Array.10000.map):
2569
2570 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2571
2572         [JSC] __proto__ getter should be fast
2573         https://bugs.webkit.org/show_bug.cgi?id=178067
2574
2575         Reviewed by Saam Barati.
2576
2577         * stress/dfg-object-proto-accessor.js: Added.
2578         (shouldBe):
2579         (shouldThrow):
2580         (target):
2581         * stress/dfg-object-proto-getter.js: Added.
2582         (shouldBe):
2583         (shouldThrow):
2584         (target):
2585         * stress/dfg-object-prototype-of.js: Added.
2586         (shouldBe):
2587         (shouldThrow):
2588         (target):
2589         * stress/dfg-reflect-get-prototype-of.js: Added.
2590         (shouldBe):
2591         (shouldThrow):
2592         (target):
2593         * stress/intrinsic-getter-with-poly-proto.js: Added.
2594         (shouldBe):
2595         (makePolyProtoObject.foo.C):
2596         (makePolyProtoObject.foo):
2597         (makePolyProtoObject):
2598         (target):
2599         * stress/object-get-prototype-of-filtered.js: Added.
2600         (shouldBe):
2601         (shouldThrow):
2602         (target):
2603         (i.Cocoa):
2604         * stress/object-get-prototype-of-mono-proto.js: Added.
2605         (shouldBe):
2606         (makePolyProtoObject.foo.C):
2607         (makePolyProtoObject.foo):
2608         (makePolyProtoObject):
2609         (target):
2610         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2611         (shouldBe):
2612         (makePolyProtoObject.foo.C):
2613         (makePolyProtoObject.foo):
2614         (makePolyProtoObject):
2615         (target):
2616         * stress/object-get-prototype-of-poly-proto.js: Added.
2617         (shouldBe):
2618         (makePolyProtoObject.foo.C):
2619         (makePolyProtoObject.foo):
2620         (makePolyProtoObject):
2621         (target):
2622         * stress/object-proto-getter-filtered.js: Added.
2623         (shouldBe):
2624         (shouldThrow):
2625         (target):
2626         (i.Cocoa):
2627         * stress/object-proto-getter-poly-mono-proto.js: Added.
2628         (shouldBe):
2629         (makePolyProtoObject.foo.C):
2630         (makePolyProtoObject.foo):
2631         (makePolyProtoObject):
2632         (target):
2633         * stress/object-proto-getter-poly-proto.js: Added.
2634         (shouldBe):
2635         (makePolyProtoObject.foo.C):
2636         (makePolyProtoObject.foo):
2637         (makePolyProtoObject):
2638         (target):
2639         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2640         * stress/string-proto.js: Added.
2641         (shouldBe):
2642         (target):
2643
2644 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2645
2646         Unreviewed, rolling out r223523.
2647
2648         A test for this change is failing on debug JSC bots.
2649
2650         Reverted changeset:
2651
2652         "[JSC] __proto__ getter should be fast"
2653         https://bugs.webkit.org/show_bug.cgi?id=178067
2654         https://trac.webkit.org/changeset/223523
2655
2656 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2657
2658         [JSC] __proto__ getter should be fast
2659         https://bugs.webkit.org/show_bug.cgi?id=178067
2660
2661         Reviewed by Saam Barati.
2662
2663         * stress/dfg-object-proto-accessor.js: Added.
2664         (shouldBe):
2665         (shouldThrow):
2666         (target):
2667         * stress/dfg-object-proto-getter.js: Added.
2668         (shouldBe):
2669         (shouldThrow):
2670         (target):
2671         * stress/dfg-object-prototype-of.js: Added.
2672         (shouldBe):
2673         (shouldThrow):
2674         (target):
2675         * stress/dfg-reflect-get-prototype-of.js: Added.
2676         (shouldBe):
2677         (shouldThrow):
2678         (target):
2679         * stress/object-get-prototype-of-filtered.js: Added.
2680         (shouldBe):
2681         (shouldThrow):
2682         (target):
2683         (i.Cocoa):
2684         * stress/object-get-prototype-of-mono-proto.js: Added.
2685         (shouldBe):
2686         (makePolyProtoObject.foo.C):
2687         (makePolyProtoObject.foo):
2688         (makePolyProtoObject):
2689         (target):
2690         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2691         (shouldBe):
2692         (makePolyProtoObject.foo.C):
2693         (makePolyProtoObject.foo):
2694         (makePolyProtoObject):
2695         (target):
2696         * stress/object-get-prototype-of-poly-proto.js: Added.
2697         (shouldBe):
2698         (makePolyProtoObject.foo.C):
2699         (makePolyProtoObject.foo):
2700         (makePolyProtoObject):
2701         (target):
2702         * stress/object-proto-getter-filtered.js: Added.
2703         (shouldBe):
2704         (shouldThrow):
2705         (target):
2706         (i.Cocoa):
2707         * stress/object-proto-getter-poly-mono-proto.js: Added.
2708         (shouldBe):
2709         (makePolyProtoObject.foo.C):
2710         (makePolyProtoObject.foo):
2711         (makePolyProtoObject):
2712         (target):
2713         * stress/object-proto-getter-poly-proto.js: Added.
2714         (shouldBe):
2715         (makePolyProtoObject.foo.C):
2716         (makePolyProtoObject.foo):
2717         (makePolyProtoObject):
2718         (target):
2719         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2720         * stress/string-proto.js: Added.
2721         (shouldBe):
2722         (target):
2723
2724 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2725
2726         Reland "Add Above/Below comparisons for UInt32 patterns"
2727         https://bugs.webkit.org/show_bug.cgi?id=177281
2728
2729         Reviewed by Saam Barati.
2730
2731         * stress/uint32-comparison-jump.js: Added.
2732         (shouldBe):
2733         (above):
2734         (aboveOrEqual):
2735         (below):
2736         (belowOrEqual):
2737         (notAbove):
2738         (notAboveOrEqual):
2739         (notBelow):
2740         (notBelowOrEqual):
2741         * stress/uint32-comparison.js: Added.
2742         (shouldBe):
2743         (above):
2744         (aboveOrEqual):
2745         (below):
2746         (belowOrEqual):
2747         (aboveTest):
2748         (aboveOrEqualTest):
2749         (belowTest):
2750         (belowOrEqualTest):
2751
2752 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2753
2754         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2755         https://bugs.webkit.org/show_bug.cgi?id=178210
2756
2757         Reviewed by Saam Barati.
2758
2759         * wasm/function-tests/trap-from-start-async.js:
2760         (async.StartTrapsAsync):
2761         * wasm/function-tests/trap-from-start.js:
2762         (StartTraps):
2763         * wasm/js-api/web-assembly-function.js:
2764         (assert.eq.Object.getPrototypeOf):
2765         * wasm/js-api/wrapper-function.js:
2766         (return.new.WebAssembly.Module):
2767         (assert.throws.makeInstance): Deleted.
2768         (assert.throws.Bar): Deleted.
2769         (assert.throws): Deleted.
2770
2771 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2772
2773         Enable gigacage on iOS
2774         https://bugs.webkit.org/show_bug.cgi?id=177586
2775
2776         Reviewed by JF Bastien.
2777         
2778         Add tests for when Gigacage gets runtime disabled.
2779
2780         * stress/disable-gigacage-arrays.js: Added.
2781         (foo):
2782         * stress/disable-gigacage-strings.js: Added.
2783         (foo):
2784         * stress/disable-gigacage-typed-arrays.js: Added.
2785         (foo):
2786
2787 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2788
2789         import.meta should not be assignable
2790         https://bugs.webkit.org/show_bug.cgi?id=178202
2791
2792         Reviewed by Saam Barati.
2793
2794         * modules/import-meta-assignment.js: Added.
2795         (shouldThrow):
2796         (SyntaxError.import.meta.can.shouldThrow):
2797
2798 2017-10-11  Saam Barati  <sbarati@apple.com>
2799
2800         Unreviewed. Actually skip certain type profiler tests in debug.
2801
2802         * typeProfiler.yaml:
2803         * typeProfiler/deltablue-for-of.js:
2804         * typeProfiler/getter-richards.js:
2805
2806 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2807
2808         Unreviewed, rolling out r223113 and r223121.
2809         https://bugs.webkit.org/show_bug.cgi?id=178182
2810
2811         Reintroduced 20% regression on Kraken (Requested by rniwa on
2812         #webkit).
2813
2814         Reverted changesets:
2815
2816         "Enable gigacage on iOS"
2817         https://bugs.webkit.org/show_bug.cgi?id=177586
2818         https://trac.webkit.org/changeset/223113
2819
2820         "Use one virtual allocation for all gigacages and their
2821         runways"
2822         https://bugs.webkit.org/show_bug.cgi?id=178050
2823         https://trac.webkit.org/changeset/223121
2824
2825 2017-10-11  Michael Saboff  <msaboff@apple.com>
2826
2827         Disable test262 named capture group tests with direct unicode names and with references before definitions
2828         https://bugs.webkit.org/show_bug.cgi?id=178177
2829
2830         Reviewed by Keith Miller.
2831
2832         Bugs to track fixing these tests are:
2833         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2834             "Add support in named capture group identifiers for direct surrogate pairs"
2835         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2836             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2837
2838         * test262.yaml:
2839
2840 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2841
2842         Object properties are undefined in super.call() but not in this.call()
2843         https://bugs.webkit.org/show_bug.cgi?id=177230
2844
2845         Reviewed by Saam Barati.
2846
2847         * stress/super-call-function-subclass.js: Added.
2848         (assert):
2849         (A.prototype.t):
2850         (A):
2851         * stress/super-dot-call-and-apply.js: Added.
2852         (assert):
2853         (A):
2854         (A.prototype.call):
2855         (A.prototype.apply):
2856         (B.prototype.testSuper):
2857         (B):
2858         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2859         (D.prototype.testSuper):
2860         (D):
2861
2862 2017-10-10  Saam Barati  <sbarati@apple.com>
2863
2864         The prototype cache should be aware of the Executable it generates a Structure for
2865         https://bugs.webkit.org/show_bug.cgi?id=177907
2866
2867         Reviewed by Filip Pizlo.
2868
2869         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2870         (assert):
2871         (foo.C):
2872         (foo):
2873         (bar.C):
2874         (bar):
2875         (access):
2876         (makeLongChain):
2877         (accessY):
2878
2879 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2880
2881         `async` should be able to be used as an imported binding name
2882         https://bugs.webkit.org/show_bug.cgi?id=176573
2883
2884         Reviewed by Saam Barati.
2885
2886         * modules/import-default-async.js: Added.
2887         * modules/import-named-async-as.js: Added.
2888         * modules/import-named-async.js: Added.
2889         * modules/import-named-async/target.js: Added.
2890         * modules/import-namespace-async.js: Added.
2891         * test262.yaml:
2892
2893 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2894
2895         Enable gigacage on iOS
2896         https://bugs.webkit.org/show_bug.cgi?id=177586
2897
2898         Reviewed by JF Bastien.
2899         
2900         Add tests for when Gigacage gets runtime disabled.
2901
2902         * stress/disable-gigacage-arrays.js: Added.
2903         (foo):
2904         * stress/disable-gigacage-strings.js: Added.
2905         (foo):
2906         * stress/disable-gigacage-typed-arrays.js: Added.
2907         (foo):
2908
2909 2017-10-09  Michael Saboff  <msaboff@apple.com>
2910
2911         Implement RegExp Unicode property escapes
2912         https://bugs.webkit.org/show_bug.cgi?id=172069
2913
2914         Reviewed by JF Bastien.
2915
2916         Enabled Unicode Property tests.
2917
2918         * test262.yaml:
2919
2920 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2921
2922         Unreviewed, rolling out r223015 and r223025.
2923         https://bugs.webkit.org/show_bug.cgi?id=178093
2924
2925         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2926         #webkit).
2927
2928         Reverted changesets:
2929
2930         "Enable gigacage on iOS"
2931         https://bugs.webkit.org/show_bug.cgi?id=177586
2932         http://trac.webkit.org/changeset/223015
2933
2934         "Unreviewed, disable Gigacage on ARM64 Linux"
2935         https://bugs.webkit.org/show_bug.cgi?id=177586
2936         http://trac.webkit.org/changeset/223025
2937
2938 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2939
2940         Update expectations for test262 tests that pass after r223043.
2941         https://bugs.webkit.org/show_bug.cgi?id=176685
2942
2943         Unreviewed test gardening.
2944
2945         * test262.yaml:
2946
2947 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2948
2949         Unreviewed, rolling out r223022.
2950
2951         This change introduced 18 test262 failures.
2952
2953         Reverted changeset:
2954
2955         "`async` should be able to be used as an imported binding
2956         name"
2957         https://bugs.webkit.org/show_bug.cgi?id=176573
2958         http://trac.webkit.org/changeset/223022
2959
2960 2017-10-09  Saam Barati  <sbarati@apple.com>
2961
2962         3 poly-proto JSC tests timing out on debug after r222827
2963         https://bugs.webkit.org/show_bug.cgi?id=177880
2964         <rdar://problem/34817122>
2965
2966         Unreviewed.
2967
2968         I'm skipping these type profiler tests on debug since they are long running.
2969
2970         * typeProfiler/deltablue-for-of.js:
2971         * typeProfiler/getter-richards.js:
2972
2973 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2974
2975         Safari 10 /11 problem with if (!await get(something)).
2976         https://bugs.webkit.org/show_bug.cgi?id=176685
2977
2978         Reviewed by Saam Barati.
2979
2980         * stress/async-await-basic.js:
2981         (awaitEpression.async):
2982         * stress/async-await-syntax.js:
2983         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2984         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2985
2986 2017-10-08  Saam Barati  <sbarati@apple.com>
2987
2988         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2989
2990         * typeProfiler/deltablue-for-of.js:
2991         * typeProfiler/getter-richards.js:
2992
2993 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2994
2995         `async` should be able to be used as an imported binding name
2996         https://bugs.webkit.org/show_bug.cgi?id=176573
2997
2998         Reviewed by Darin Adler.
2999
3000         * modules/import-default-async.js: Added.
3001         * modules/import-named-async-as.js: Added.
3002         * modules/import-named-async.js: Added.
3003         * modules/import-named-async/target.js: Added.
3004         * modules/import-namespace-async.js: Added.
3005
3006 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3007
3008         Enable gigacage on iOS
3009         https://bugs.webkit.org/show_bug.cgi?id=177586
3010
3011         Reviewed by JF Bastien.
3012         
3013         Add tests for when Gigacage gets runtime disabled.
3014
3015         * stress/disable-gigacage-arrays.js: Added.
3016         (foo):
3017         * stress/disable-gigacage-strings.js: Added.
3018         (foo):
3019         * stress/disable-gigacage-typed-arrays.js: Added.
3020         (foo):
3021
3022 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3023
3024         Unreviewed, rolling out r222791 and r222873.
3025         https://bugs.webkit.org/show_bug.cgi?id=178031
3026
3027         Caused crashes with workers/wasm LayoutTests (Requested by
3028         ryanhaddad on #webkit).
3029
3030         Reverted changesets:
3031
3032         "WebAssembly: no VM / JS version of everything but Instance"
3033         https://bugs.webkit.org/show_bug.cgi?id=177473
3034         http://trac.webkit.org/changeset/222791
3035
3036         "WebAssembly: address no VM / JS follow-ups"
3037         https://bugs.webkit.org/show_bug.cgi?id=177887
3038         http://trac.webkit.org/changeset/222873
3039
3040 2017-10-05  Saam Barati  <sbarati@apple.com>
3041
3042         Make sure all prototypes under poly proto get added into the VM's prototype map
3043         https://bugs.webkit.org/show_bug.cgi?id=177909
3044
3045         Reviewed by Keith Miller.
3046
3047         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3048         (assert):
3049         (foo.C):
3050         (foo):
3051         (set x):
3052
3053 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3054
3055         [JSC] Introduce import.meta
3056         https://bugs.webkit.org/show_bug.cgi?id=177703
3057
3058         Reviewed by Filip Pizlo.
3059
3060         * modules/import-meta-syntax.js: Added.
3061         (shouldThrow):
3062         (shouldNotThrow):
3063         * modules/import-meta.js: Added.
3064         * modules/import-meta/cocoa.js: Added.
3065         * modules/resources/assert.js:
3066         (export.shouldNotThrow):
3067         * stress/import-syntax.js:
3068
3069 2017-10-04  Saam Barati  <sbarati@apple.com>
3070
3071         Make pertinent AccessCases watch the poly proto watchpoint
3072         https://bugs.webkit.org/show_bug.cgi?id=177765
3073
3074         Reviewed by Keith Miller.
3075
3076         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3077         (assert):
3078         (foo.C):
3079         (foo):
3080         (validate):
3081         * stress/poly-proto-clear-stub.js: Added.
3082         (assert):
3083         (foo.C):
3084         (foo):
3085
3086 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3087
3088         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3089
3090         Unreviewed test gardening.
3091
3092         * test262.yaml:
3093
3094 2017-10-04  Saam Barati  <sbarati@apple.com>
3095
3096         3 poly-proto JSC tests timing out on debug after r222827
3097         https://bugs.webkit.org/show_bug.cgi?id=177880
3098
3099         Rubber stamped by Mark Lam.
3100
3101         * microbenchmarks/poly-proto-access.js:
3102         * typeProfiler/deltablue-for-of.js:
3103         * typeProfiler/getter-richards.js:
3104
3105 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3106
3107         Unreviewed, marking tco-catch.js as a failure after test262 update
3108         https://bugs.webkit.org/show_bug.cgi?id=177859
3109
3110         * test262.yaml:
3111
3112 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3113
3114         Unreviewed, marking one async iterator test262 test failed
3115         https://bugs.webkit.org/show_bug.cgi?id=177859
3116
3117         * test262.yaml:
3118
3119 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3120
3121         [Test262] Update Test262 to Oct 4 version
3122         https://bugs.webkit.org/show_bug.cgi?id=177859
3123
3124         Reviewed by Sam Weinig.
3125
3126         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3127         we no longer need to mark it skip/fail. Also this update includes a bunch of BigInt tests.
3128
3129         * test262.yaml:
3130         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3131         (checkSequence):
3132         * test262/harness/typeCoercion.js:
3133         (testCoercibleToIndexZero):
3134         (testCoercibleToIndexOne):
3135         (testCoercibleToIndexFromIndex):
3136         (testNotCoercibleToIndex.testPrimitiveValue):
3137         (testNotCoercibleToInteger):
3138         (testCoercibleToBigIntZero.testPrimitiveValue):
3139         (testCoercibleToBigIntZero):
3140         (testCoercibleToBigIntOne.testPrimitiveValue):
3141         (testCoercibleToBigIntOne):
3142         (testPrimitiveValue):
3143         (testCoercibleToBigIntFromBigInt):
3144         (testNotCoercibleToBigInt.testPrimitiveValue):
3145         (testNotCoercibleToBigInt.testStringValue):
3146         (testNotCoercibleToBigInt):
3147         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3148         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3149         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3150         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3151         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3152         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3153         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3154         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3155         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3156         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3157         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3158         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3159         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3160         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3161         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3162         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3163         (testCoercibleToBigIntZero):
3164         (testCoercibleToBigIntOne):
3165         (testNotCoercibleToBigInt):
3166         (MyError): Deleted.
3167         (valueOf): Deleted.
3168         (toString): Deleted.
3169         (Symbol.toPrimitive): Deleted.
3170         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3171         (testCoercibleToIndexZero):
3172         (testCoercibleToIndexOne):
3173         (testNotCoercibleToIndex):
3174         (MyError): Deleted.
3175         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3176         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3177         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3178         (BigInt.asIntN.valueOf): Deleted.
3179         (BigInt.asIntN.toString): Deleted.
3180         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3181         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3182         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3183         (testCoercibleToBigIntZero):
3184         (testCoercibleToBigIntOne):
3185         (testNotCoercibleToBigInt):
3186         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3187         (testCoercibleToIndexZero):
3188         (testCoercibleToIndexOne):
3189         (testNotCoercibleToIndex):
3190         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3191         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3192         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3193         (bits.valueOf):
3194         (bigint.valueOf):
3195         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3196         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3197         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3198         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3199         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3200         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3201         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3202         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3203         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3204         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3205         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3206         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3207         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3208         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3209         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3210         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3211         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3212         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3213         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3214         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3215         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3216         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3217         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3218         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3219         (replacer):
3220         (BigInt.prototype.toJSON):
3221         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3222         (replacer):
3223         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3224         (BigInt.prototype.toJSON):
3225         * test262/test/built-ins/JSON/stringify/bigint.js:
3226         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3227         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3228         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3229         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3230         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3231         * test262/test/built-ins/Object/proto-from-ctor.js:
3232         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3233         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3234         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3235         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3236         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3237         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3238         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3239         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3240         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3241         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3242         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3243         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3244         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3245         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3246         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3247         * test262/test/built-ins/Proxy/get-fn-realm.js:
3248         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3249         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3250         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3251         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3252         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3253         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3254         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3255         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3256         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3257         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3258         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3259         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3260         (i6.replace):
3261         (i6b.replace):
3262         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3263         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3264         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3265         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3266         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3267         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3268         * test262/test/built-ins/RegExp/u180e.js: Added.
3269         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3270         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3271         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3272         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3273         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3274         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3275         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3276         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3277         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3278         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3279         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3280         * test262/test/built-ins/String/prototype/endsWith/length.js:
3281         * test262/test/built-ins/String/prototype/endsWith/name.js:
3282         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3283         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3284         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3285         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3286         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3287         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3288         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3289         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3290         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3291         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3292         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3293         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3294         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3295         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3296         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3297         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3298         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3299         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3300         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3301         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3302         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3303         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3304         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3305         * test262/test/built-ins/String/prototype/includes/includes.js:
3306         * test262/test/built-ins/String/prototype/includes/length.js:
3307         * test262/test/built-ins/String/prototype/includes/name.js:
3308         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3309         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3310         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3311         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3312         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3313         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3314         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3315         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3316         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3317         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3318         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3319         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3320         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3321         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3322         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3323         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3324         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3325         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3326         * test262/test/built-ins/String/prototype/trim/u180e.js:
3327         * test262/test/built-ins/Symbol/for/cross-realm.js:
3328         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3329         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3330         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3331         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3332         * test262/test/built-ins/Symbol/match/cross-realm.js:
3333         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3334         * test262/test/built-ins/Symbol/search/cross-realm.js:
3335         * test262/test/built-ins/Symbol/species/cross-realm.js:
3336         * test262/test/built-ins/Symbol/split/cross-realm.js:
3337         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3338         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3339         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3340         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3341         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3342         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3343         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3344         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3345         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3346         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3347         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3348         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3349         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3350         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3351         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3352         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3353         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3354         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3355         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3356         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3357         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3358         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3359         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3360         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3361         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3362         * test262/test/language/eval-code/indirect/realm.js:
3363         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3364         (o.get z):
3365         (o.get a):
3366         * test262/test/language/expressions/call/eval-realm-indirect.js:
3367         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3368         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3369         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3370         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3371         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3372         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3373         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3374         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3375         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3376         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3377         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3378         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3379         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3380         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3381         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3382         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3383         * test262/test/language/expressions/less-than/bigint-and-number.js:
3384         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3385         * test262/test/language/expressions/super/realm.js:
3386         * test262/test/language/expressions/tagged-template/cache-realm.js:
3387         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3388         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3389         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3390         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3391         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3392         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3393         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3394         (o.get z):
3395         (o.get a):
3396         * test262/test/language/statements/for-of/iterator-next-reference.js:
3397         (next):
3398         (iterator.next): Deleted.
3399         (x.of.iterable.): Deleted.
3400         (x.of.iterable.get return): Deleted.
3401         (x.of.iterable.iterator.next): Deleted.
3402         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3403         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3404         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3405         * test262/test/language/white-space/mongolian-vowel-separator.js:
3406         * test262/test262-Revision.txt:
3407
3408 2017-10-03  Saam Barati  <sbarati@apple.com>
3409
3410         Implement polymorphic prototypes
3411         https://bugs.webkit.org/show_bug.cgi?id=176391
3412
3413         Reviewed by Filip Pizlo.
3414
3415         * microbenchmarks/poly-proto-access.js: Added.
3416         (assert):
3417         (foo.C):
3418         (foo.C.prototype.get bar):
3419         (foo):
3420         (bar):
3421         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3422         (assert):
3423         (makePolyProtoObject.foo.C):
3424         (makePolyProtoObject.foo):
3425         (makePolyProtoObject):
3426         (performSet):
3427         * microbenchmarks/poly-proto-setter-speed.js: Added.
3428         (assert):
3429         (makePolyProtoObject.foo.C):
3430         (makePolyProtoObject.foo.C.prototype.set p):
3431         (makePolyProtoObject.foo):
3432         (makePolyProtoObject):
3433         (performSet):
3434         * stress/constructor-with-return.js:
3435         (i.tests.forEach.Constructor):
3436         (i.tests.forEach):
3437         (tests.forEach.Constructor): Deleted.
3438         (tests.forEach): Deleted.
3439         * stress/dom-jit-with-poly-proto.js: Added.
3440         (assert):
3441         (makePolyProtoObject.foo.C):
3442         (makePolyProtoObject.foo):
3443         (makePolyProtoObject):
3444         (validate):
3445         * stress/poly-proto-custom-value-and-accessor.js: Added.
3446         (assert):
3447         (makePolyProtoObject.foo.C):
3448         (makePolyProtoObject.foo):
3449         (makePolyProtoObject):
3450         (items.forEach):
3451         (set get for):
3452         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3453         (assert):
3454         (makePolyProtoObject.foo.C):
3455         (makePolyProtoObject.foo):
3456         (makePolyProtoObject):
3457         (foo):
3458         * stress/poly-proto-miss.js: Added.
3459         (makePolyProtoInstanceWithNullPrototype.foo.C):
3460         (makePolyProtoInstanceWithNullPrototype.foo):
3461         (makePolyProtoInstanceWithNullPrototype):
3462         (assert):
3463         (validate):
3464         * stress/poly-proto-op-in-caching.js: Added.
3465         (assert):
3466         (makePolyProtoObject.foo.C):
3467         (makePolyProtoObject.foo):
3468         (makePolyProtoObject):
3469         (validate):
3470         (validate2):
3471         * stress/poly-proto-put-transition.js: Added.
3472         (assert):
3473         (makePolyProtoObject.foo.C):
3474         (makePolyProtoObject.foo):
3475         (makePolyProtoObject):
3476         (performSet):
3477         (i.obj.__proto__.set p):
3478         * stress/poly-proto-set-prototype.js: Added.
3479         (assert):
3480         (let.alternateProto.get x):
3481         (let.alternateProto2.get y):
3482         (let.alternateProto2.get x):
3483         (foo.C):
3484         (foo):
3485         (validate):
3486         * stress/poly-proto-setter.js: Added.
3487         (assert):
3488         (makePolyProtoObject.foo.C):
3489         (makePolyProtoObject.foo.C.prototype.set p):
3490         (makePolyProtoObject.foo.C.prototype.get p):
3491         (makePolyProtoObject.foo):
3492         (makePolyProtoObject):
3493         (performSet):
3494         * stress/poly-proto-using-inheritance.js: Added.
3495         (assert):
3496         (foo.C):
3497         (foo.C.prototype.get baz):
3498         (foo):
3499         (bar.C):
3500         (bar):
3501         (validate):
3502         * stress/primitive-poly-proto.js: Added.
3503         (makePolyProtoInstance.foo.C):
3504         (makePolyProtoInstance.foo):
3505         (makePolyProtoInstance):
3506         (assert):
3507         (validate):
3508         * stress/prototype-is-not-js-object.js: Added.
3509         (foo.bar):
3510         (foo):
3511         (assert):
3512         (validate):
3513         * stress/try-get-by-id-poly-proto.js: Added.
3514         (assert):
3515         (makePolyProtoObject.foo.C):
3516         (makePolyProtoObject.foo):
3517         (makePolyProtoObject):
3518         (tryGetByIdText):
3519         (x.__proto__.get bar):
3520         (validate):
3521         * typeProfiler/overflow.js:
3522
3523 2017-10-03  JF Bastien  <jfbastien@apple.com>
3524
3525         WebAssembly: no VM / JS version of everything but Instance
3526         https://bugs.webkit.org/show_bug.cgi?id=177473
3527
3528         Reviewed by Filip Pizlo.
3529
3530         - Exceeding max on memory growth now returns a range error as per
3531         spec. This is a (very minor) breaking change: it used to throw OOM
3532         error. Update the corresponding test.
3533
3534         * wasm/js-api/memory-grow.js:
3535         (assertEq):
3536         * wasm/js-api/table.js:
3537         (assert.throws):
3538
3539 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3540
3541         Skip JSC test stress/regress-159779-2.js on debug.
3542         https://bugs.webkit.org/show_bug.cgi?id=177204
3543
3544         Unreviewed test gardening.
3545
3546         * stress/regress-159779-2.js:
3547
3548 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3549
3550         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3551         https://bugs.webkit.org/show_bug.cgi?id=175642
3552
3553         Reviewed by Darin Adler.
3554
3555         * ChakraCore/test/Function/apply3.baseline-jsc:
3556
3557 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3558
3559         Unreviewed, rolling out r222564.
3560         https://bugs.webkit.org/show_bug.cgi?id=177720
3561
3562         "It regressed JetStream by 2% on iOS caused by a 50%
3563         regression on the bigfib subtest" (Requested by saamyjoon on
3564         #webkit).
3565
3566         Reverted changeset:
3567
3568         "Add Above/Below comparisons for UInt32 patterns"
3569         https://bugs.webkit.org/show_bug.cgi?id=177281
3570         http://trac.webkit.org/changeset/222564
3571
3572 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3573
3574         [DFG] Support ArrayPush with multiple args
3575         https://bugs.webkit.org/show_bug.cgi?id=175823
3576
3577         Reviewed by Saam Barati.
3578
3579         * microbenchmarks/array-push-0.js: Added.
3580         (arrayPush0):
3581         * microbenchmarks/array-push-1.js: Added.
3582         (arrayPush1):
3583         * microbenchmarks/array-push-2.js: Added.
3584         (arrayPush2):
3585         * microbenchmarks/array-push-3.js: Added.
3586         (arrayPush3):
3587         * stress/array-push-multiple-contiguous.js: Added.
3588         (shouldBe):
3589         (test):
3590         * stress/array-push-multiple-double-nan.js: Added.
3591         (shouldBe):
3592         (test):
3593         * stress/array-push-multiple-double.js: Added.
3594         (shouldBe):
3595         (test):
3596         * stress/array-push-multiple-int32.js: Added.
3597         (shouldBe):
3598         (test):
3599         * stress/array-push-multiple-many-contiguous.js: Added.
3600         (shouldBe):
3601         (test):
3602         * stress/array-push-multiple-many-double.js: Added.
3603         (shouldBe):
3604         (test):
3605         * stress/array-push-multiple-many-int32.js: Added.
3606         (shouldBe):
3607         (test):
3608         * stress/array-push-multiple-many-storage.js: Added.
3609         (shouldBe):
3610         (test):
3611         * stress/array-push-multiple-storage.js: Added.
3612         (shouldBe):
3613         (test):
3614         * stress/array-push-with-force-exit.js: Added.
3615         (target.createBuiltin):
3616
3617 2017-09-29  Saam Barati  <sbarati@apple.com>
3618
3619         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3620         https://bugs.webkit.org/show_bug.cgi?id=177639
3621
3622         Reviewed by Geoffrey Garen.
3623
3624         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3625         (assert):
3626         (Class):
3627         (items.forEach):
3628         (set get for):
3629
3630 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3631
3632         Unreviewed, rolling out r222563, r222565, and r222581.
3633         https://bugs.webkit.org/show_bug.cgi?id=177675
3634
3635         "It causes a crash when playing youtube videos" (Requested by
3636         saamyjoon on #webkit).
3637
3638         Reverted changesets:
3639
3640         "[DFG] Support ArrayPush with multiple args"
3641         https://bugs.webkit.org/show_bug.cgi?id=175823
3642         http://trac.webkit.org/changeset/222563
3643
3644         "Unreviewed, build fix after r222563"
3645         https://bugs.webkit.org/show_bug.cgi?id=175823
3646         http://trac.webkit.org/changeset/222565
3647
3648         "Unreviewed, fix x86 breaking due to exhausted registers"
3649         https://bugs.webkit.org/show_bug.cgi?id=175823
3650         http://trac.webkit.org/changeset/222581
3651
3652 2017-09-28  Mark Lam  <mark.lam@apple.com>
3653
3654         test262: Unexpected passes after r222617 and r222618.
3655         https://bugs.webkit.org/show_bug.cgi?id=177622
3656         <rdar://problem/34725960>
3657
3658         Reviewed by Saam Barati.
3659
3660         Update test262.yaml for tests that are now passing.
3661
3662         * test262.yaml:
3663
3664 2017-09-27  Michael Saboff  <msaboff@apple.com>
3665
3666         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3667         https://bugs.webkit.org/show_bug.cgi?id=177570
3668
3669         Reviewed by Filip Pizlo.
3670
3671         New regression test.
3672
3673         * stress/regress-177570.js: Added.
3674
3675 2017-09-28  Michael Saboff  <msaboff@apple.com>
3676
3677         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3678         https://bugs.webkit.org/show_bug.cgi?id=177423
3679
3680         Reviewed by Mark Lam.
3681
3682         Updated regression test.
3683
3684         * stress/regress-177423.js:
3685         (catch):
3686
3687 2017-09-27  Mark Lam  <mark.lam@apple.com>
3688
3689         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3690         https://bugs.webkit.org/show_bug.cgi?id=177584
3691         <rdar://problem/34463903>
3692
3693         Reviewed by Saam Barati.
3694
3695         * stress/regress-177584.js: Added.
3696         (assertEqual):
3697         (Array.prototype.Symbol.species):
3698
3699 2017-09-27  Saam Barati  <sbarati@apple.com>
3700
3701         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3702         https://bugs.webkit.org/show_bug.cgi?id=177523
3703
3704         Reviewed by Mark Lam.
3705
3706         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3707         (assert):
3708         (Test):
3709         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3710         (addMethods):
3711         (i.Test.prototype.propName):
3712
3713 2017-09-27  Mark Lam  <mark.lam@apple.com>
3714
3715         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3716         https://bugs.webkit.org/show_bug.cgi?id=177423
3717         <rdar://problem/34621320>
3718
3719         Reviewed by Keith Miller.
3720