Unreviewed, skip FTL tests if FTL is disabled
1 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         Unreviewed, skip FTL tests if FTL is disabled
4         https://bugs.webkit.org/show_bug.cgi?id=183071
5
6         * stress/has-indexed-property-array-storage-ftl.js:
7         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
8
9 2018-02-23  Saam Barati  <sbarati@apple.com>
10
11         Make Number.isInteger an intrinsic
12         https://bugs.webkit.org/show_bug.cgi?id=183088
13
14         Reviewed by JF Bastien.
15
16         * stress/number-is-integer-intrinsic.js: Added.
17
18 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
19
20         WebAssembly: cache memory address / size on instance
21         https://bugs.webkit.org/show_bug.cgi?id=177305
22
23         Reviewed by JF Bastien.
24
25         * wasm/function-tests/memory-reuse.js: Added.
26         (createWasmInstance):
27         (doCheckTrap):
28         (doMemoryGrow):
29         (doCheck):
30         (checkWasmInstancesWithSharedMemory):
31
32 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
33
34         [JSC] Implement $vm.ftlTrue function for FTL testing
35         https://bugs.webkit.org/show_bug.cgi?id=183071
36
37         Reviewed by Mark Lam.
38
39         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
40         (foo):
41         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
42         (foo):
43         * stress/dead-fiat-value-to-int52.js:
44         (foo):
45         * stress/dead-osr-entry-value.js:
46         (foo):
47         * stress/fiat-value-to-int52-then-exit-not-double.js:
48         (foo):
49         * stress/fiat-value-to-int52-then-exit-not-int52.js:
50         (foo):
51         * stress/fiat-value-to-int52-then-fail-to-fold.js:
52         (foo):
53         * stress/fiat-value-to-int52-then-fold.js:
54         (foo):
55         * stress/fiat-value-to-int52.js:
56         (foo):
57         * stress/fold-based-on-int32-proof-mul-branch.js:
58         (foo):
59         * stress/fold-profiled-call-to-call.js:
60         (foo):
61         * stress/fold-to-double-constant-then-exit.js:
62         (foo):
63         * stress/fold-to-int52-constant-then-exit.js:
64         (foo):
65         * stress/fold-to-primitive-in-cfa.js:
66         (foo):
67         * stress/fold-to-primitive-to-identity-in-cfa.js:
68         (foo):
69         * stress/has-indexed-property-array-storage-ftl.js: Added.
70         (shouldBe):
71         (test1):
72         (test2):
73         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
74         (shouldBe):
75         (test1):
76         (test2):
77         * stress/int52-ai-add-then-filter-int32.js:
78         (foo):
79         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
80         (foo):
81         * stress/int52-ai-mul-then-filter-int32.js:
82         (foo):
83         * stress/int52-ai-neg-then-filter-int32.js:
84         (foo):
85         * stress/int52-ai-sub-then-filter-int32.js:
86         (foo):
87         * stress/licm-pre-header-cannot-exit-nested.js:
88         (foo):
89         * stress/licm-pre-header-cannot-exit.js:
90         (foo):
91         * stress/sparse-array-entry-update-144067.js:
92         (useMemoryToTriggerGCs):
93         * stress/test-spec-misc.js:
94         (foo):
95         * stress/tricky-array-bounds-checks.js:
96         (foo):
97
98 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
99
100         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
101         https://bugs.webkit.org/show_bug.cgi?id=182792
102
103         Reviewed by Mark Lam.
104
105         * stress/has-indexed-property-array-storage.js: Added.
106         (shouldBe):
107         (test1):
108         (test2):
109         * stress/has-indexed-property-slow-put-array-storage.js: Added.
110         (shouldBe):
111         (test1):
112         (test2):
113
114 2018-02-20  Saam Barati  <sbarati@apple.com>
115
116         DFG::VarargsForwardingPhase should eliminate getting argument length
117         https://bugs.webkit.org/show_bug.cgi?id=182959
118
119         Reviewed by Keith Miller.
120
121         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
122
123 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
124
125         [FTL] Support ArrayPush for ArrayStorage
126         https://bugs.webkit.org/show_bug.cgi?id=182782
127
128         Reviewed by Saam Barati.
129
130         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
131
132         * stress/array-push-array-storage-beyond-int32.js: Added.
133         (shouldBe):
134         (test):
135         * stress/array-push-array-storage.js: Added.
136         (shouldBe):
137         (test):
138         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
139         (shouldBe):
140         (test):
141         * stress/array-push-multiple-storage-continuous.js: Added.
142         (shouldBe):
143         (test):
144
145 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
146
147         [FTL] Support ArrayPop for ArrayStorage
148         https://bugs.webkit.org/show_bug.cgi?id=182783
149
150         Reviewed by Saam Barati.
151
152         * stress/array-pop-array-storage.js: Added.
153         (shouldBe):
154         (test):
155
156 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
157
158         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
159         https://bugs.webkit.org/show_bug.cgi?id=182731
160
161         Reviewed by Saam Barati.
162
163         * stress/arrayify-array-storage-array.js: Added.
164         (shouldBe):
165         (testArrayStorage):
166         * stress/arrayify-array-storage-non-array.js: Added.
167         (shouldBe):
168         (testArrayStorage):
169         * stress/arrayify-array-storage.js: Added.
170         (shouldBe):
171         (testArrayStorage):
172         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
173         (shouldBe):
174         (testArrayStorage):
175         * stress/arrayify-slow-put-array-storage.js: Added.
176         (shouldBe):
177         (testArrayStorage):
178
179 2018-02-19  Saam Barati  <sbarati@apple.com>
180
181         Don't use JSFunction's allocation profile when getting the prototype can be effectful
182         https://bugs.webkit.org/show_bug.cgi?id=182942
183         <rdar://problem/37584764>
184
185         Reviewed by Mark Lam.
186
187         * stress/get-prototype-create-this-effectful.js: Added.
188
189 2018-02-16  Saam Barati  <sbarati@apple.com>
190
191         Fix bugs from r228411
192         https://bugs.webkit.org/show_bug.cgi?id=182851
193         <rdar://problem/37577732>
194
195         Reviewed by JF Bastien.
196
197         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
198
199 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
200
201         Unreviewed, roll out r228366 since it did not progress anything.
202
203         * stress/gc-error-stack.js: Removed.
204         * stress/no-gc-error-stack.js: Removed.
205
206 2018-02-15  Tomas Popela  <tpopela@redhat.com>
207
208         Many stress tests fail with JIT disabled
209         https://bugs.webkit.org/show_bug.cgi?id=182730
210
211         Reviewed by Saam Barati.
212
213         These tests are broken by design if the JIT is disabled - they test
214         the return value of numberOfDFGCompiles(), which is always set to
215         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
216
217         * stress/arith-abs-on-various-types.js:
218         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
219         * stress/arith-acos-on-various-types.js:
220         * stress/arith-acosh-on-various-types.js:
221         * stress/arith-asin-on-various-types.js:
222         * stress/arith-asinh-on-various-types.js:
223         * stress/arith-atan-on-various-types.js:
224         * stress/arith-atanh-on-various-types.js:
225         * stress/arith-cbrt-on-various-types.js:
226         * stress/arith-ceil-on-various-types.js:
227         * stress/arith-clz32-on-various-types.js:
228         * stress/arith-cos-on-various-types.js:
229         * stress/arith-cosh-on-various-types.js:
230         * stress/arith-expm1-on-various-types.js:
231         * stress/arith-floor-on-various-types.js:
232         * stress/arith-fround-on-various-types.js:
233         * stress/arith-log-on-various-types.js:
234         * stress/arith-log10-on-various-types.js:
235         * stress/arith-log2-on-various-types.js:
236         * stress/arith-negate-on-various-types.js:
237         * stress/arith-round-on-various-types.js:
238         * stress/arith-sin-on-various-types.js:
239         * stress/arith-sinh-on-various-types.js:
240         * stress/arith-sqrt-on-various-types.js:
241         * stress/arith-tan-on-various-types.js:
242         * stress/arith-tanh-on-various-types.js:
243         * stress/arith-trunc-on-various-types.js:
244         * stress/compare-strict-eq-on-various-types.js:
245
246 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
247
248         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
249
250         Unreviewed test gardening.
251
252         * stress/new-largeish-contiguous-array-with-size.js:
253
254 2018-02-14  Saam Barati  <sbarati@apple.com>
255
256         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
257         https://bugs.webkit.org/show_bug.cgi?id=182801
258
259         Reviewed by Keith Miller.
260
261         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
262
263 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
264
265         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
266         https://bugs.webkit.org/show_bug.cgi?id=182526
267
268         Unreviewed test gardening.
269
270         * stress/activation-sink-default-value-tdz-error.js:
271
272 2018-02-13  Saam Barati  <sbarati@apple.com>
273
274         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
275         https://bugs.webkit.org/show_bug.cgi?id=182755
276         <rdar://problem/37080864>
277
278         Reviewed by Keith Miller.
279
280         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
281         (test1.o.get 10005):
282         (test1):
283         (test2.o.get 1000):
284         (test2):
285
286 2018-02-13  Caitlin Potter  <caitp@igalia.com>
287
288         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
289         https://bugs.webkit.org/show_bug.cgi?id=182717
290
291         Reviewed by Yusuke Suzuki.
292
293         https://github.com/tc39/ecma262/pull/890 imposes a change to template
294         literals, to allow template callsite arrays to be collected when the
295         code containing the tagged template call is collected. This spec change
296         has received consensus and been ratified.
297
298         This change eliminates the eternal map associating template contents
299         with arrays.
300
301         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
302         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
303         * stress/tagged-templates-identity.js:
304         * stress/template-string-tags-eval.js:
305         * test262.yaml:
306
307 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
308
309         Support GetArrayLength on ArrayStorage in the FTL
310         https://bugs.webkit.org/show_bug.cgi?id=182625
311
312         Reviewed by Saam Barati.
313
314         * stress/array-storage-length.js: Added.
315         (shouldBe):
316         (testInBound):
317         (testUncountable):
318         (testSlowPutInBound):
319         (testSlowPutUncountable):
320         * stress/undecided-length.js: Added.
321         (shouldBe):
322         (test2):
323
324 2018-02-12  Saam Barati  <sbarati@apple.com>
325
326         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
327         https://bugs.webkit.org/show_bug.cgi?id=182706
328         <rdar://problem/36833681>
329
330         Reviewed by Filip Pizlo.
331
332         * stress/get-array-length-phantom-new-array-buffer.js: Added.
333         (effects):
334         (foo):
335
336 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
337
338         Don't waste memory for error.stack
339         https://bugs.webkit.org/show_bug.cgi?id=182656
340
341         Reviewed by Saam Barati.
342         
343         Tests the policy.
344
345         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
346         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
347
348 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
349
350         [JSC] Update Test262 to Feb 9 version
351         https://bugs.webkit.org/show_bug.cgi?id=182468
352
353         Reviewed by Saam Barati.
354
355 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
356
357         Unreviewed, fix invalid line terminator in old test262 file part 2
358         https://bugs.webkit.org/show_bug.cgi?id=182468
359
360         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
361
362 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
363
364         Unreviewed, fix invalid line terminator in old test262 file
365         https://bugs.webkit.org/show_bug.cgi?id=182468
366
367         * test262/test/language/literals/regexp/7.8.5-1.js:
368
369 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
370
371         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
372         https://bugs.webkit.org/show_bug.cgi?id=182440
373
374         Reviewed by Darin Adler.
375
376         * stress/array-flatmap.js: Added.
377         (shouldBe):
378         (shouldBeArray):
379         (shouldThrow):
380         (var):
381         * stress/array-flatten.js: Added.
382         (shouldBe):
383         (shouldBeArray):
384         * test262.yaml:
385         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
386         (3.flatMap):
387         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
388
389 2018-02-06  Keith Miller  <keith_miller@apple.com>
390
391         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
392         https://bugs.webkit.org/show_bug.cgi?id=182549
393         <rdar://problem/36189995>
394
395         Reviewed by Saam Barati.
396
397         * stress/var-injection-cache-invalidation.js: Added.
398         (allocateLotsOfThings):
399         (test):
400
401 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
402
403         Unreviewed, follow up for test262 update
404         https://bugs.webkit.org/show_bug.cgi?id=182288
405
406         * test262.yaml:
407
408 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
409
410         Update test262 to Jan 30 version
411         https://bugs.webkit.org/show_bug.cgi?id=182288
412
413         Unreviewed test gardening.
414
415         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
416
417 2018-02-02  Saam Barati  <sbarati@apple.com>
418
419         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
420         https://bugs.webkit.org/show_bug.cgi?id=182368
421         <rdar://problem/36932466>
422
423         Reviewed by Mark Lam.
424
425         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
426         (runNearStackLimit.t):
427         (runNearStackLimit):
428         (try.runNearStackLimit):
429         (catch):
430
431 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
432
433         Update test262 to Jan 30 version
434         https://bugs.webkit.org/show_bug.cgi?id=182288
435
436         Rubber stamped by Saam Barati.
437
438         This patch updates test262 to the latest one, Jan 30 version.
439         Since added and changed files are too many, we cannot create ChangeLog.
440         The following files are changed.
441
442         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
443         including some special line terminators (like u2028, u2029).
444
445         * test262.yaml:
446         * test262/test262-Revision.txt:
447         * test262/*:
448
449 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
450
451         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
452         https://bugs.webkit.org/show_bug.cgi?id=182411
453
454         Reviewed by Carlos Alberto Lopez Perez.
455
456         This is skipped only on arm memory limited platforms. Until recently
457         it was not a problem on MIPS as the butterfly was not initialized. But
458         since r227435, the butterfly is initialized in that test and therefore
459         memory is allocated, and the test typically takes around 512M, which
460         means it generally gets OOM-killed on the MIPS buildbot.
461
462         * mozilla/mozilla-tests.yaml:
463
464 2018-02-01  Mark Lam  <mark.lam@apple.com>
465
466         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
467         https://bugs.webkit.org/show_bug.cgi?id=182419
468         <rdar://problem/37044945>
469
470         Reviewed by Saam Barati.
471
472         * stress/regress-182419.js: Added.
473
474 2018-02-01  Keith Miller  <keith_miller@apple.com>
475
476         Fix crashes due to mishandling custom sections.
477         https://bugs.webkit.org/show_bug.cgi?id=182404
478         <rdar://problem/36935863>
479
480         Reviewed by Saam Barati.
481
482         * wasm/Builder.js:
483         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
484         * wasm/js-api/validate.js:
485         (assert.truthy):
486
487 2018-01-31  Saam Barati  <sbarati@apple.com>
488
489         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
490         https://bugs.webkit.org/show_bug.cgi?id=182074
491         <rdar://problem/36846261>
492
493         Reviewed by Mark Lam.
494
495         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
496         (assert):
497         (let.func):
498         (let.o.foo):
499         (varFunc):
500
501 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
502
503         Unreviewed, update test262 expects
504         https://bugs.webkit.org/show_bug.cgi?id=182232
505
506         * test262.yaml:
507
508 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
509
510         [JSC] Implement trimStart and trimEnd
511         https://bugs.webkit.org/show_bug.cgi?id=182233
512
513         Reviewed by Mark Lam.
514
515         * stress/trim.js: Added.
516         (shouldBe):
517         (startTest):
518         (endTest):
519         (trimTest):
520
521 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
522
523         [JSC] Relax line terminators in String to make JSON subset of JS
524         https://bugs.webkit.org/show_bug.cgi?id=182232
525
526         Reviewed by Keith Miller.
527
528         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
529         * stress/relaxed-line-terminators-in-string.js: Added.
530         (shouldBe):
531
532 2018-01-29  Michael Saboff  <msaboff@apple.com>
533
534         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
535         https://bugs.webkit.org/show_bug.cgi?id=182249
536
537         Reviewed by Keith Miller.
538
539         New regression test.
540
541         * stress/compare-clobber-untypeduse.js: Added.
542
543 2018-01-29  Matt Lewis  <jlewis3@apple.com>
544
545         Unreviewed, rolling out r227725.
546
547         This caused internal failures.
548
549         Reverted changeset:
550
551         "JSC Sampling Profiler: Detect tester and testee when sampling
552         in RegExp JIT"
553         https://bugs.webkit.org/show_bug.cgi?id=152729
554         https://trac.webkit.org/changeset/227725
555
556 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
557
558         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
559         https://bugs.webkit.org/show_bug.cgi?id=152729
560
561         Reviewed by Saam Barati.
562
563         * stress/sampling-profiler-regexp.js: Added.
564         (platformSupportsSamplingProfiler.test):
565         (platformSupportsSamplingProfiler.baz):
566         (platformSupportsSamplingProfiler):
567
568 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
569
570         [DFG][FTL] WeakMap#set should have DFG node
571         https://bugs.webkit.org/show_bug.cgi?id=180015
572
573         Reviewed by Saam Barati.
574
575         * stress/weakmap-set-change-get.js: Added.
576         (shouldBe):
577         (test):
578         * stress/weakmap-set-cse.js: Added.
579         (shouldBe):
580         (test):
581         * stress/weakset-add-change-get.js: Added.
582         (shouldBe):
583         * stress/weakset-add-cse.js: Added.
584         (shouldBe):
585
586 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
587
588         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
589         https://bugs.webkit.org/show_bug.cgi?id=182213
590
591         Reviewed by Mark Lam.
592
593         * stress/int32-min-to-string.js: Added.
594         (shouldBe):
595         (test2):
596         (test4):
597         (test8):
598         (test16):
599         (test32):
600         * stress/zero-to-string.js: Added.
601         (shouldBe):
602         (test2):
603         (test4):
604         (test8):
605         (test16):
606         (test32):
607
608 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
609
610         Add more module scope related tests with code evaluation by string
611         https://bugs.webkit.org/show_bug.cgi?id=181983
612
613         Reviewed by Sam Weinig.
614
615         Add more module scope related tests. When the original tests were landed,
616         we did not have browser integration. This patch adds more module scope tests
617         with dynamically created script evaluation. We add tests with Function
618         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
619
620         * modules/scopes-eval.js: Added.
621         (shouldBe):
622         * modules/scopes.js:
623         (shouldBe):
624
625 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
626
627         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
628
629         * microbenchmarks/array-push-3.js: Removed.
630         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
631         * microbenchmarks/double-to-int32.js: Removed.
632         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
633         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
634         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
635         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
636         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
637         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
638         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
639         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
640         * microbenchmarks/map-constant-key.js: Removed.
641         * microbenchmarks/nested-function-parsing.js: Removed.
642         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
643         * microbenchmarks/spread-large-array.js: Removed.
644         * microbenchmarks/string-add-constant-folding.js: Removed.
645         * microbenchmarks/to-lower-case.js: Removed.
646         * microbenchmarks/undefined-property-access.js: Removed.
647         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
648         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
649         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
650         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
651         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
652         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
653         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
654         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
655         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
656         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
657         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
658         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
659         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
660         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
661         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
662         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
663         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
664         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
665
666 2018-01-23  Robin Morisset  <rmorisset@apple.com>
667
668         Update the argument count in DFGByteCodeParser::handleRecursiveCall
669         https://bugs.webkit.org/show_bug.cgi?id=181739
670         <rdar://problem/36627662>
671
672         Reviewed by Saam Barati.
673
674         * stress/recursive-tail-call-with-different-argument-count.js: Added.
675         (foo):
676         (bar):
677
678 2018-01-22  Michael Saboff  <msaboff@apple.com>
679
680         DFG abstract interpreter needs to properly model effects of some Math ops
681         https://bugs.webkit.org/show_bug.cgi?id=181886
682
683         Reviewed by Saam Barati.
684
685         New regression test.
686
687         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
688         (test):
689
690 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
691
692         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
693         https://bugs.webkit.org/show_bug.cgi?id=181182
694
695         Reviewed by Darin Adler.
696
697         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
698         * stress/big-int-prototype-to-string-exception.js: Added.
699         * stress/big-int-prototype-to-string-wrong-values.js: Added.
700         * stress/number-prototype-to-string-cast-overflow.js: Added.
701         * stress/number-prototype-to-string-exception.js: Added.
702         * stress/number-prototype-to-string-wrong-values.js: Added.
703
704 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
705
706         Disable Atomics when SharedArrayBuffer isn’t enabled
707         https://bugs.webkit.org/show_bug.cgi?id=181572
708
709         Unreviewed test gardening.
710
711         * test262.yaml: Skip tests that fail after this change.
712
713 2018-01-19  Saam Barati  <sbarati@apple.com>
714
715         Kill ArithNegate's ArithProfile assert inside BytecodeParser
716         https://bugs.webkit.org/show_bug.cgi?id=181877
717         <rdar://problem/36630552>
718
719         Reviewed by Mark Lam.
720
721         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
722         (runNearStackLimit):
723         (f1):
724         (f2):
725         (f3):
726         (i.catch):
727         (i.try.runNearStackLimit):
728         (catch):
729
730 2018-01-19  Saam Barati  <sbarati@apple.com>
731
732         Spread's effects are modeled incorrectly both in AI and in Clobberize
733         https://bugs.webkit.org/show_bug.cgi?id=181867
734         <rdar://problem/36290415>
735
736         Reviewed by Michael Saboff.
737
738         * stress/ai-needs-to-model-spreads-effects.js: Added.
739         (try.p.Symbol.iterator):
740         (try.go):
741         (catch):
742         * stress/clobberize-needs-to-model-spread-effects.js: Added.
743         (assert):
744         (foo):
745         (a.Symbol.iterator):
746
747 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
748
749         Unreviewed, reduce count of iteration to fix timing out debug JSC test
750         https://bugs.webkit.org/show_bug.cgi?id=181535
751
752         * stress/inserted-recovery-with-set-last-index.js:
753
754 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
755
756         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
757         https://bugs.webkit.org/show_bug.cgi?id=181535
758
759         Reviewed by Saam Barati.
760
761         * stress/inserted-recovery-with-set-last-index.js: Added.
762         (shouldBe):
763         (foo):
764         * stress/materialize-regexp-at-osr-exit.js: Added.
765         (shouldBe):
766         (test):
767         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
768         (shouldBe):
769         (test):
770         * stress/materialize-regexp-cyclic-regexp.js: Added.
771         (shouldBe):
772         (test):
773         (i.switch):
774         * stress/materialize-regexp-cyclic.js: Added.
775         (shouldBe):
776         (test):
777         (i.switch):
778         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
779         (bar):
780         (foo):
781         (test):
782         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
783         (bar):
784         (foo):
785         (test):
786         * stress/materialize-regexp.js: Added.
787         (shouldBe):
788         (test):
789         * stress/phantom-regexp-regexp-exec.js: Added.
790         (shouldBe):
791         (test):
792         * stress/phantom-regexp-string-match.js: Added.
793         (shouldBe):
794         (test):
795         * stress/regexp-last-index-sinking.js: Added.
796         (shouldBe):
797         (test):
798
799 2018-01-17  Saam Barati  <sbarati@apple.com>
800
801         Disable Atomics when SharedArrayBuffer isn’t enabled
802         https://bugs.webkit.org/show_bug.cgi?id=181572
803         <rdar://problem/36553206>
804
805         Reviewed by Michael Saboff.
806
807         * stress/isLockFree.js:
808
809 2018-01-17  Saam Barati  <sbarati@apple.com>
810
811         DFG::Node::convertToConstant needs to clear the varargs flags
812         https://bugs.webkit.org/show_bug.cgi?id=181697
813         <rdar://problem/36497332>
814
815         Reviewed by Yusuke Suzuki.
816
817         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
818         (doIndexOf):
819         (bar):
820         (i.bar):
821
822 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
823
824         Unreviewed, rolling out r226937.
825
826         Tests added with this change are failing due to a missing
827         exception check.
828
829         Reverted changeset:
830
831         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
832         double to int32_t"
833         https://bugs.webkit.org/show_bug.cgi?id=181182
834         https://trac.webkit.org/changeset/226937
835
836 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
837
838         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
839         https://bugs.webkit.org/show_bug.cgi?id=181182
840
841         Reviewed by Darin Adler.
842
843         * bigIntTests.yaml:
844         * stress/big-int-constructor.js:
845         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
846         (assert):
847         (assertThrowRangeError):
848         * stress/number-prototype-to-string-cast-overflow.js: Added.
849         (assert):
850         (assertThrowRangeError):
851
852 2018-01-12  Saam Barati  <sbarati@apple.com>
853
854         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
855         https://bugs.webkit.org/show_bug.cgi?id=181177
856         <rdar://problem/36205704>
857
858         Reviewed by Yusuke Suzuki.
859
860         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
861         (runNearStackLimit.t):
862         (runNearStackLimit):
863         (test.f):
864         (test):
865
866 2018-01-12  Saam Barati  <sbarati@apple.com>
867
868         Each variant of a polymorphic inlined call should be exitOK at the top of the block
869         https://bugs.webkit.org/show_bug.cgi?id=181562
870         <rdar://problem/36445624>
871
872         Reviewed by Yusuke Suzuki.
873
874         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
875         (f):
876         (foo):
877
878 2018-01-11  Saam Barati  <sbarati@apple.com>
879
880         When inserting Unreachable in byte code parser we need to flush all the right things
881         https://bugs.webkit.org/show_bug.cgi?id=181509
882         <rdar://problem/36423110>
883
884         Reviewed by Mark Lam.
885
886         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
887
888 2018-01-11  Saam Barati  <sbarati@apple.com>
889
890         JITMathIC code in the FTL is wrong when code gets duplicated
891         https://bugs.webkit.org/show_bug.cgi?id=181525
892         <rdar://problem/36351993>
893
894         Reviewed by Michael Saboff and Keith Miller.
895
896         * stress/allow-math-ic-b3-code-duplication.js: Added.
897
898 2018-01-11  Saam Barati  <sbarati@apple.com>
899
900         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
901         https://bugs.webkit.org/show_bug.cgi?id=181508
902
903         Reviewed by Yusuke Suzuki.
904
905         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
906         (assert):
907         (test1.foo):
908         (test1):
909         (test2.foo):
910         (test2):
911
912 2018-01-09  Mark Lam  <mark.lam@apple.com>
913
914         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
915         https://bugs.webkit.org/show_bug.cgi?id=181388
916         <rdar://problem/36349351>
917
918         Reviewed by Saam Barati.
919
920         * stress/regress-181388.js: Added.
921
922 2018-01-08  JF Bastien  <jfbastien@apple.com>
923
924         WebAssembly: mask indexed accesses to Table
925         https://bugs.webkit.org/show_bug.cgi?id=181412
926         <rdar://problem/36363236>
927
928         Reviewed by Saam Barati.
929
930         Update error messages.
931
932         * wasm/js-api/table.js:
933         (assert.throws.WebAssembly.Table.prototype.grow):
934
935 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
936
937         Disable SharedArrayBuffer tests missed in r226386.
938         https://bugs.webkit.org/show_bug.cgi?id=181266
939
940         Unreviewed test gardening.
941
942         * test262.yaml:
943
944 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
945
946         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
947         https://bugs.webkit.org/show_bug.cgi?id=181321
948
949         Reviewed by Saam Barati.
950
951         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
952         (shouldBe):
953         (testFunction):
954         * test262.yaml:
955
956 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
957
958         Unreviewed, attempt to fix test262 after r226386.
959
960         * test262.yaml:
961
962 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
963
964         [DFG] Define defs for MapSet/SetAdd to participate in CSE
965         https://bugs.webkit.org/show_bug.cgi?id=179911
966
967         Reviewed by Saam Barati.
968
969         In addition to these tests, map-set-cse.js and set-add-cse.js work.
970
971         * stress/map-set-change-get.js: Added.
972         (shouldBe):
973         (test):
974         * stress/map-set-create-bucket.js: Added.
975         (shouldBe):
976         (test):
977         * stress/set-add-create-bucket.js: Added.
978         (shouldBe):
979
980 2018-01-03  Michael Saboff  <msaboff@apple.com>
981
982         Disable SharedArrayBuffers from Web API
983         https://bugs.webkit.org/show_bug.cgi?id=181266
984
985         Reviewed by Saam Barati.
986
987         Disabled SharedArrayBuffer tests.
988
989         * stress/SharedArrayBuffer-opt.js:
990         * stress/SharedArrayBuffer.js:
991         * stress/array-buffer-byte-length.js:
992         * stress/atomics-add-uint32.js:
993         * stress/atomics-known-int-use.js:
994         * stress/atomics-neg-zero.js:
995         * stress/atomics-store-return.js:
996         * stress/lars-sab-workers.js:
997         * stress/regress-159779-1.js:
998         * stress/regress-159779-2.js:
999         * stress/regress-170473.js:
1000         * test262.yaml:
1001
1002 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1003
1004         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1005         https://bugs.webkit.org/show_bug.cgi?id=181258
1006
1007         Reviewed by Antonio Gomes.
1008
1009         * stress/big-int-constructor-gc.js:
1010         * stress/big-int-constructor-oom.js:
1011
1012 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1013
1014         Inlining of a function that ends in op_unreachable crashes
1015         https://bugs.webkit.org/show_bug.cgi?id=181027
1016
1017         Reviewed by Filip Pizlo.
1018
1019         * stress/inlining-unreachable.js: Added.
1020         (bar):
1021         (baz):
1022         (i.catch):
1023
1024 2018-01-02  Saam Barati  <sbarati@apple.com>
1025
1026         Incorrect assertion inside AccessCase
1027         https://bugs.webkit.org/show_bug.cgi?id=181200
1028         <rdar://problem/35494754>
1029
1030         Reviewed by Yusuke Suzuki.
1031
1032         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1033         (ctor):
1034         (theFunc):
1035         (run):
1036
1037 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1038
1039         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1040         https://bugs.webkit.org/show_bug.cgi?id=175359
1041
1042         Reviewed by Yusuke Suzuki.
1043
1044         * bigIntTests.yaml:
1045         * stress/big-int-as-key.js: Added.
1046         * stress/big-int-constructor-gc.js: Added.
1047         * stress/big-int-constructor-oom.js: Added.
1048         * stress/big-int-constructor-properties.js: Added.
1049         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1050         * stress/big-int-constructor-prototype.js: Added.
1051         * stress/big-int-constructor.js: Added.
1052         * stress/big-int-function-apply.js:
1053         * stress/big-int-length.js: Added.
1054         * stress/big-int-prop-descriptor.js: Added.
1055         * stress/big-int-proto-constructor.js: Added.
1056         * stress/big-int-proto-name.js: Added.
1057         * stress/big-int-prototype-properties.js: Added.
1058         * stress/big-int-prototype-proto.js: Added.
1059         * stress/big-int-prototype-value-of.js: Added.
1060         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1061         * stress/big-int-prototype-to-string-apply.js: Added.
1062         * stress/big-int-to-object.js: Added.
1063         * stress/big-int-to-string.js: Added.
1064
1065 2017-12-28  Saam Barati  <sbarati@apple.com>
1066
1067         Assertion used to determine if something is an async generator is wrong
1068         https://bugs.webkit.org/show_bug.cgi?id=181168
1069         <rdar://problem/35640560>
1070
1071         Reviewed by Yusuke Suzuki.
1072
1073         * stress/async-generator-assertion.js: Added.
1074
1075 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1076
1077         Skip stress/splay-flash-access tests on memory limited platforms
1078         https://bugs.webkit.org/show_bug.cgi?id=181086
1079
1080         Reviewed by Carlos Alberto Lopez Perez.
1081
1082         These tests use about 185M of memory, and occasionally get OOM-killed
1083         on memory limited platforms.
1084
1085         * stress/splay-flash-access-1ms.js:
1086         * stress/splay-flash-access.js:
1087
1088 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1089
1090         Skip slow jsc tests on embedded platforms
1091         https://bugs.webkit.org/show_bug.cgi?id=180937
1092
1093         Reviewed by Carlos Alberto Lopez Perez.
1094
1095         The tests typeProfiler/deltablue-for-of.js and
1096         typeProfiler/getter-richards.js take a very long time in the
1097         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
1098         thus always time out. They should be skipped on these platforms.
1099
1100         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1101         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1102
1103 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1104
1105         [JSC] Do not check isValid() in op_new_regexp
1106         https://bugs.webkit.org/show_bug.cgi?id=180970
1107
1108         Reviewed by Saam Barati.
1109
1110         * stress/regexp-syntax-error-invalid-flags.js: Added.
1111         (shouldThrow):
1112
1113 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1114
1115         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1116         https://bugs.webkit.org/show_bug.cgi?id=180712
1117
1118         Reviewed by Michael Catanzaro.
1119
1120         stress/call-apply-exponential-bytecode-size.js crashes if the
1121         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1122         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1123         should skip the test on other platforms.
1124
1125         * stress/call-apply-exponential-bytecode-size.js:
1126
1127 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1128
1129         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1130         https://bugs.webkit.org/show_bug.cgi?id=179762
1131
1132         Reviewed by Saam Barati.
1133
1134         * stress/call-varargs-double-new-array-buffer.js: Added.
1135         (assert):
1136         (bar):
1137         (foo):
1138         * stress/call-varargs-spread-new-array-buffer.js: Added.
1139         (assert):
1140         (bar):
1141         (foo):
1142         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1143         (assert):
1144         (bar):
1145         (foo):
1146         * stress/forward-varargs-double-new-array-buffer.js: Added.
1147         (assert):
1148         (test.baz):
1149         (test.bar):
1150         (test.foo):
1151         (test):
1152         * stress/new-array-buffer-sinking-osrexit.js: Added.
1153         (target):
1154         (test):
1155         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1156         (shouldBe):
1157         (test):
1158         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1159         (shouldBe):
1160         (target):
1161         (test):
1162         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1163         (assert):
1164         (test1.bar):
1165         (test1.foo):
1166         (test1):
1167         (test2.bar):
1168         (test2.foo):
1169         (test3.baz):
1170         (test3.bar):
1171         (test3.foo):
1172         (test4.baz):
1173         (test4.bar):
1174         (test4.foo):
1175         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1176         (assert):
1177         (test.baz):
1178         (test.bar):
1179         (test.foo):
1180         (test):
1181         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1182         (assert):
1183         (baz):
1184         (bar):
1185         (effects):
1186         (foo):
1187
1188 2017-12-14  Saam Barati  <sbarati@apple.com>
1189
1190         The CleanUp after LICM is erroneously removing a Check
1191         https://bugs.webkit.org/show_bug.cgi?id=180852
1192         <rdar://problem/36063494>
1193
1194         Reviewed by Filip Pizlo.
1195
1196         * stress/dont-run-cleanup-after-licm.js: Added.
1197
1198 2017-12-14  Michael Saboff  <msaboff@apple.com>
1199
1200         REGRESSION (r225695): Repro crash on yahoo login page
1201         https://bugs.webkit.org/show_bug.cgi?id=180761
1202
1203         Reviewed by JF Bastien.
1204
1205         New regression test.
1206
1207         * stress/regress-180761.js: Added.
1208
1209 2017-12-13  Keith Miller  <keith_miller@apple.com>
1210
1211         JSObjects should have a mask for loading indexed properties
1212         https://bugs.webkit.org/show_bug.cgi?id=180768
1213
1214         Reviewed by Mark Lam.
1215
1216         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1217         (test):
1218
1219 2017-12-13  Saam Barati  <sbarati@apple.com>
1220
1221         Arrow functions need their own structure because they have different properties than sloppy functions
1222         https://bugs.webkit.org/show_bug.cgi?id=180779
1223         <rdar://problem/35814591>
1224
1225         Reviewed by Mark Lam.
1226
1227         * stress/arrow-function-needs-its-own-structure.js: Added.
1228         (assert):
1229         (readPrototype):
1230         (noInline.let.f1):
1231         (noInline):
1232
1233 2017-12-13  Saam Barati  <sbarati@apple.com>
1234
1235         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1236         https://bugs.webkit.org/show_bug.cgi?id=163579
1237         <rdar://problem/35455798>
1238
1239         Reviewed by Mark Lam.
1240
1241         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1242         (assert):
1243         (test1):
1244         (i.test1):
1245         (i.test1.C):
1246         (i.test1.async.foo):
1247         (i.test1.foo):
1248         (test2):
1249
1250 2017-12-13  Saam Barati  <sbarati@apple.com>
1251
1252         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1253         https://bugs.webkit.org/show_bug.cgi?id=180734
1254         <rdar://problem/35640547>
1255
1256         Reviewed by Yusuke Suzuki.
1257
1258         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1259         (__isPropertyOfType):
1260         (__getProperties):
1261         (__getObjects):
1262         (__getRandomObject):
1263         (theClass.):
1264         (theClass):
1265         (childClass):
1266         (counter.catch):
1267
1268 2017-12-12  Saam Barati  <sbarati@apple.com>
1269
1270         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1271         https://bugs.webkit.org/show_bug.cgi?id=180725
1272         <rdar://problem/35970511>
1273
1274         Reviewed by Michael Saboff.
1275
1276         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1277         (f1):
1278         (f2):
1279         (let.o2.valueOf):
1280
1281 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1282
1283         [JSC] Implement optimized WeakMap and WeakSet
1284         https://bugs.webkit.org/show_bug.cgi?id=179929
1285
1286         Reviewed by Saam Barati.
1287
1288         * microbenchmarks/weak-map-key.js:
1289         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1290         (assert):
1291         (objectKey):
1292         (let.start.Date.now):
1293         * stress/basic-weakmap.js: Added.
1294         (shouldBe):
1295         (test):
1296         * stress/basic-weakset.js: Added.
1297         (shouldBe):
1298         (test.set new):
1299         * stress/weakmap-cse-set-break.js: Added.
1300         (shouldBe):
1301         (test):
1302         * stress/weakmap-cse.js: Added.
1303         (shouldBe):
1304         (test):
1305         * stress/weakmap-gc.js: Added.
1306         (test):
1307         * stress/weakset-cse-add-break.js: Added.
1308         (shouldBe):
1309         (test.set new):
1310         * stress/weakset-cse.js: Added.
1311         (shouldBe):
1312         (test.set new):
1313         * stress/weakset-gc.js: Added.
1314         (test.set add):
1315         (test.set new):
1316         (test):
1317
1318 2017-12-12  Saam Barati  <sbarati@apple.com>
1319
1320         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1321         https://bugs.webkit.org/show_bug.cgi?id=180723
1322         <rdar://problem/35859726>
1323
1324         Reviewed by JF Bastien.
1325
1326         * stress/get-my-argument-by-val-constant-folding.js: Added.
1327         (test):
1328         (catch):
1329
1330 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1331
1332         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1333         https://bugs.webkit.org/show_bug.cgi?id=179000
1334
1335         Reviewed by Darin Adler and Yusuke Suzuki.
1336
1337         * bigIntTests.yaml: Added.
1338         * stress/big-int-literal-line-terminator.js: Added.
1339         * stress/big-int-literals.js: Added.
1340         * stress/big-int-operations-error.js: Added.
1341         * stress/big-int-type-of.js: Added.
1342         * stress/big-int-white-space-trailing-leading.js: Added.
1343         * stress/big-int-function-apply.js: Added.
1344
1345 2017-12-11  Saam Barati  <sbarati@apple.com>
1346
1347         We need to disableCaching() in ErrorInstance when we materialize properties
1348         https://bugs.webkit.org/show_bug.cgi?id=180343
1349         <rdar://problem/35833002>
1350
1351         Reviewed by Mark Lam.
1352
1353         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1354         (assert):
1355         (makeError):
1356         (storeToStack):
1357         (storeToStackAlreadyMaterialized):
1358
1359 2017-12-05  JF Bastien  <jfbastien@apple.com>
1360
1361         WebAssembly: don't eagerly checksum
1362         https://bugs.webkit.org/show_bug.cgi?id=180441
1363         <rdar://problem/35156628>
1364
1365         Reviewed by Saam Barati.
1366
1367         Checksum is now disabled, so tests only have <?> as the module
1368         name.
1369
1370         * wasm/function-tests/nameSection.js:
1371         * wasm/function-tests/stack-overflow.js:
1372         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1373         (assertOverflows.assertThrows):
1374         (assertOverflows):
1375         * wasm/function-tests/stack-trace.js:
1376
1377 2017-12-04  JF Bastien  <jfbastien@apple.com>
1378
1379         Proxy all functions, except the $ objects
1380         https://bugs.webkit.org/show_bug.cgi?id=180375
1381
1382         Reviewed by Saam Barati.
1383
1384         It looks like this test may have broken some executions because I
1385         call some internal objects. Explicitly ignore objects whose name
1386         starts with "$" because it's a bad idea anyways.
1387
1388         * stress/proxy-all-the-parameters.js:
1389         (generateObjects):
1390         (get throw):
1391
1392 2017-12-04  Saam Barati  <sbarati@apple.com>
1393
1394         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1395         https://bugs.webkit.org/show_bug.cgi?id=180366
1396         <rdar://problem/35685877>
1397
1398         Reviewed by Michael Saboff.
1399
1400         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1401         (theParent):
1402         (test1.base.getParentStaticValue):
1403         (test1.base):
1404         (test1.__v_24888.prototype.set prop):
1405         (test1.__v_24888):
1406         (test2.base.getParentStaticValue):
1407         (test2.base):
1408         (test2.__v_24888.prototype.set prop):
1409         (test2.__v_24888):
1410         (test2):
1411
1412 2017-12-01  JF Bastien  <jfbastien@apple.com>
1413
1414         Try proxying all function arguments
1415         https://bugs.webkit.org/show_bug.cgi?id=180306
1416
1417         Reviewed by Saam Barati.
1418
1419         * stress/proxy-all-the-parameters.js: Added.
1420         (isPropertyOfType):
1421         (getProperties):
1422         (generateObjects):
1423         (getObjects):
1424         (getFunctions):
1425         (get throw):
1426         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1427
1428 2017-12-01  JF Bastien  <jfbastien@apple.com>
1429
1430         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1431         https://bugs.webkit.org/show_bug.cgi?id=180297
1432         <rdar://problem/35745556>
1433
1434         Reviewed by Mark Lam.
1435
1436         * stress/math-exceptions.js: Added.
1437         (get try):
1438         (catch):
1439
1440 2017-12-01  JF Bastien  <jfbastien@apple.com>
1441
1442         JavaScriptCore: add test for weird class static getters
1443         https://bugs.webkit.org/show_bug.cgi?id=180281
1444         <rdar://problem/35592139>
1445
1446         Reviewed by Mark Lam.
1447
1448         I fixed a bug for it in r224927 and didn't add a test. Do so.
1449
1450         * stress/class-static-get-weird.js: Added.
1451         (c.prototype.get name):
1452         (c):
1453         (c.prototype.get arguments):
1454         (c.prototype.get caller):
1455         (c.prototype.get length):
1456
1457 2017-12-01  Saam Barati  <sbarati@apple.com>
1458
1459         Having a bad time needs to handle ArrayClass indexing type as well
1460         https://bugs.webkit.org/show_bug.cgi?id=180274
1461         <rdar://problem/35667869>
1462
1463         Reviewed by Keith Miller and Mark Lam.
1464
1465         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1466         (assert):
1467         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1468         (assert):
1469
1470 2017-12-01  JF Bastien  <jfbastien@apple.com>
1471
1472         WebAssembly: restore cached stack limit after out-call
1473         https://bugs.webkit.org/show_bug.cgi?id=179106
1474         <rdar://problem/35337525>
1475
1476         Reviewed by Saam Barati.
1477
1478         * wasm/function-tests/double-instance.js: Added.
1479         (const.imp.boom):
1480         (const.imp.get callAnother):
1481
1482 2017-11-30  JF Bastien  <jfbastien@apple.com>
1483
1484         WebAssembly: improve stack trace
1485         https://bugs.webkit.org/show_bug.cgi?id=179343
1486
1487         Reviewed by Saam Barati.
1488
1489         Update the tests to follow the new format. Notably, SHA1 module
1490         hash is now included in traces, and stubs are properly identified.
1491
1492         * wasm/assert.js: Add an assertion which matches regular expressions.
1493         * wasm/function-tests/nameSection.js:
1494         * wasm/function-tests/stack-overflow.js:
1495         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1496         (assertOverflows.assertThrows.wasm.1):
1497         (assertOverflows.assertThrows.wasm.0):
1498         (assertOverflows.assertThrows):
1499         (assertOverflows):
1500         * wasm/function-tests/stack-trace.js:
1501         (import.Builder.from.string_appeared_here.assert): Deleted.
1502         * wasm/function-tests/trap-after-cross-instance-call.js:
1503         (wasmFrameCountFromError):
1504         * wasm/function-tests/trap-load-2.js:
1505         (wasmFrameCountFromError):
1506         * wasm/function-tests/trap-load.js:
1507         (wasmFrameCountFromError):
1508
1509 2017-11-30  Mark Lam  <mark.lam@apple.com>
1510
1511         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1512         https://bugs.webkit.org/show_bug.cgi?id=180219
1513         <rdar://problem/35696536>
1514
1515         Reviewed by Filip Pizlo.
1516
1517         * stress/regress-180219.js: Added.
1518
1519 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1520
1521         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1522         https://bugs.webkit.org/show_bug.cgi?id=180190
1523
1524         Reviewed by Mark Lam.
1525
1526         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1527         (shouldBe):
1528         (test1):
1529         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1530         (shouldBe):
1531         (test1):
1532         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1533         (shouldBe):
1534         (test1):
1535         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1536         (shouldBe):
1537         (test1):
1538         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1539         (shouldBe):
1540         (test1):
1541         * stress/operation-in-may-have-negative-int32.js: Added.
1542         (shouldBe):
1543         (test2):
1544         * stress/operation-in-negative-int32-cast.js: Added.
1545         (shouldBe):
1546         (test1):
1547
1548 2017-11-28  JF Bastien  <jfbastien@apple.com>
1549
1550         Strict and sloppy functions shouldn't share structure
1551         https://bugs.webkit.org/show_bug.cgi?id=180103
1552         <rdar://problem/35667847>
1553
1554         Reviewed by Saam Barati.
1555
1556         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1557         because the IC was wrong.
1558         (foo):
1559         (bar):
1560         (baz):
1561         (catch):
1562         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1563         in this patch, but may as well test odd strict mode corner cases.
1564         (bar):
1565         (baz):
1566         (catch):
1567         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1568         (foo):
1569         (bar):
1570         (baz):
1571         (catch):
1572         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1573         next file, but with invalidation of the FunctionExecutable's
1574         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1575         slower path.
1576         (foo):
1577         (bar.const.x):
1578         (bar.const.y):
1579         (bar):
1580         (catch):
1581         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1582         strict nesting works correctly.
1583         (foo):
1584         (bar.baz):
1585         (bar):
1586         * stress/strict-function-structure.js: Added. The test used to
1587         assert in objectProtoFuncHasOwnProperty.
1588         (foo):
1589         (bar):
1590         (baz):
1591         * stress/strict-nested-function-structure.js: Added. Nesting.
1592         (foo):
1593         (bar):
1594         (baz.boo):
1595         (baz):
1596
1597 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1598
1599         The recursive tail call optimisation is wrong on closures
1600         https://bugs.webkit.org/show_bug.cgi?id=179835
1601
1602         Reviewed by Saam Barati.
1603
1604         * stress/closure-recursive-tail-call.js: Added.
1605         (makeClosure):
1606
1607 2017-11-27  JF Bastien  <jfbastien@apple.com>
1608
1609         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1610         https://bugs.webkit.org/show_bug.cgi?id=180051
1611         <rdar://problem/35614371>
1612
1613         Reviewed by Saam Barati.
1614
1615         * stress/rest-parameter-negative.js: Added.
1616         (__f_5484):
1617         (catch):
1618         (__f_5485):
1619         (__v_22598.catch):
1620
1621 2017-11-27  Saam Barati  <sbarati@apple.com>
1622
1623         Spread can escape when CreateRest does not
1624         https://bugs.webkit.org/show_bug.cgi?id=180057
1625         <rdar://problem/35676119>
1626
1627         Reviewed by JF Bastien.
1628
1629         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1630         (assert):
1631         (getProperties):
1632         (theFunc):
1633         (let.obj.valueOf):
1634
1635 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1636
1637         [DFG] Add NormalizeMapKey DFG IR
1638         https://bugs.webkit.org/show_bug.cgi?id=179912
1639
1640         Reviewed by Saam Barati.
1641
1642         * stress/map-untyped-normalize-cse.js: Added.
1643         (shouldBe):
1644         (test):
1645         * stress/map-untyped-normalize.js: Added.
1646         (shouldBe):
1647         (test):
1648         * stress/set-untyped-normalize-cse.js: Added.
1649         (shouldBe):
1650         (set return.set has.set has):
1651         * stress/set-untyped-normalize.js: Added.
1652         (shouldBe):
1653         (set return.set has):
1654
1655 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1656
1657         [FTL] Support DeleteById and DeleteByVal
1658         https://bugs.webkit.org/show_bug.cgi?id=180022
1659
1660         Reviewed by Saam Barati.
1661
1662         * stress/delete-by-id.js: Added.
1663         (shouldBe):
1664         (test1):
1665         (test2):
1666         * stress/delete-by-val-ftl.js: Added.
1667         (shouldBe):
1668         (test1):
1669         (test2):
1670
1671 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1672
1673         [DFG] Introduce {Set,Map,WeakMap}Fields
1674         https://bugs.webkit.org/show_bug.cgi?id=179925
1675
1676         Reviewed by Saam Barati.
1677
1678         * stress/map-set-clobber-map-get.js: Added.
1679         (shouldBe):
1680         (test):
1681         * stress/map-set-does-not-clobber-set-has.js: Added.
1682         (shouldBe):
1683         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1684         (shouldBe):
1685         (test):
1686         * stress/set-add-clobber-set-has.js: Added.
1687         (shouldBe):
1688         * stress/set-add-does-not-clobber-map-get.js: Added.
1689         (shouldBe):
1690
1691 2017-11-24  Mark Lam  <mark.lam@apple.com>
1692
1693         Move unsafe jsc shell test functions to the $vm object.
1694         https://bugs.webkit.org/show_bug.cgi?id=179980
1695
1696         Reviewed by Yusuke Suzuki.
1697
1698         * controlFlowProfiler/driver/driver.js:
1699         * controlFlowProfiler/execution-count.js:
1700         * controlFlowProfiler/if-statement.js:
1701         * controlFlowProfiler/loop-statements.js:
1702         * controlFlowProfiler/switch-statements.js:
1703         * controlFlowProfiler/test-jit.js:
1704         * exceptionFuzz/3d-cube.js:
1705         * exceptionFuzz/date-format-xparb.js:
1706         * exceptionFuzz/earley-boyer.js:
1707         * heapProfiler/basic-edges.js:
1708         * heapProfiler/property-edge-types.js:
1709         * microbenchmarks/try-get-by-id-basic.js:
1710         * microbenchmarks/try-get-by-id-polymorphic.js:
1711         * modules/namespace-object-try-get.js:
1712         * stress/argument-count-bytecode.js:
1713         * stress/argument-intrinsic-basic.js:
1714         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1715         * stress/argument-intrinsic-inlining-with-result-escape.js:
1716         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1717         * stress/argument-intrinsic-inlining-with-vararg.js:
1718         * stress/argument-intrinsic-nested-inlining.js:
1719         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1720         * stress/argument-intrinsic-with-stack-write.js:
1721         * stress/arity-mismatch-get-argument.js:
1722         * stress/array-message-passing.js:
1723         * stress/array-push-with-force-exit.js:
1724         * stress/check-dom-with-signature.js:
1725         * stress/check-sub-class.js:
1726         * stress/compare-eq-incomplete-profile.js:
1727         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1728         * stress/do-eval-virtual-call-correctly.js:
1729         * stress/dom-jit-with-poly-proto.js:
1730         * stress/domjit-exception-ic.js:
1731         * stress/domjit-exception.js:
1732         * stress/domjit-getter-complex-with-incorrect-object.js:
1733         * stress/domjit-getter-complex.js:
1734         * stress/domjit-getter-poly.js:
1735         * stress/domjit-getter-proto.js:
1736         * stress/domjit-getter-super-poly.js:
1737         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1738         * stress/domjit-getter-type-check.js:
1739         * stress/domjit-getter.js:
1740         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1741         * stress/for-in-proxy-target-changed-structure.js:
1742         * stress/for-in-proxy.js:
1743         * stress/generational-opaque-roots.js:
1744         * stress/global-const-redeclaration-setting-2.js:
1745         * stress/global-const-redeclaration-setting-3.js:
1746         * stress/global-const-redeclaration-setting-4.js:
1747         * stress/global-const-redeclaration-setting-5.js:
1748         * stress/global-const-redeclaration-setting.js:
1749         * stress/import-basic.js:
1750         * stress/import-from-eval.js:
1751         * stress/import-reject-with-exception.js:
1752         * stress/import-syntax.js:
1753         * stress/impure-get-own-property-slot-inline-cache.js:
1754         * stress/is-constructor.js:
1755         * stress/istypedarrayview-intrinsic.js:
1756         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1757         * stress/jsc-test-functions-should-be-more-robust.js:
1758         * stress/object-toString-with-proxy.js:
1759         * stress/poly-proto-custom-value-and-accessor.js:
1760         * stress/proxy-inline-cache.js:
1761         * stress/re-execute-error-module.js:
1762         * stress/regress-150532.js:
1763         * stress/regress-156992.js:
1764         * stress/regress-179619.js:
1765         * stress/resources/shadow-chicken-support.js:
1766         * stress/runtime-array.js:
1767         * stress/sampling-profiler-microtasks.js:
1768         * stress/shadow-chicken-enabled.js:
1769         * stress/spread-correct-global-object-on-exception.js:
1770         * stress/super-get-by-id.js:
1771         * stress/tailCallForwardArguments.js:
1772         * stress/to-object-intrinsic-boolean-edge.js:
1773         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1774         * stress/to-object-intrinsic-number-edge.js:
1775         * stress/to-object-intrinsic-object-edge.js:
1776         * stress/to-object-intrinsic-string-edge.js:
1777         * stress/to-object-intrinsic-symbol-edge.js:
1778         * stress/to-object-intrinsic.js:
1779         * stress/try-catch-custom-getter-as-get-by-id.js:
1780         * stress/try-get-by-id-poly-proto.js:
1781         * stress/try-get-by-id-should-spill-registers-dfg.js:
1782         * stress/try-get-by-id.js:
1783         * typeProfiler/arrow-functions.js:
1784         * typeProfiler/basic.js:
1785         * typeProfiler/captured.js:
1786         * typeProfiler/classes.js:
1787         * typeProfiler/dfg-jit-optimizations.js:
1788         * typeProfiler/dictionary-mode.js:
1789         * typeProfiler/es6-block-scoping.js:
1790         * typeProfiler/es6-classes.js:
1791         * typeProfiler/inheritance.js:
1792         * typeProfiler/int52-dfg.js:
1793         * typeProfiler/loop.js:
1794         * typeProfiler/optional-fields.js:
1795         * typeProfiler/overflow.js:
1796         * typeProfiler/return.js:
1797         * typeProfiler/symbol.js:
1798         * typeProfiler/weird-prototype-chain.js:
1799
1800 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1801
1802         [DFG][FTL] Support MapSet / SetAdd intrinsics
1803         https://bugs.webkit.org/show_bug.cgi?id=179858
1804
1805         Reviewed by Saam Barati.
1806
1807         * microbenchmarks/map-has-and-set.js: Added.
1808         (test):
1809         * stress/map-set-check-failure.js: Added.
1810         (shouldBe):
1811         (shouldThrow):
1812         (target):
1813         * stress/map-set-cse.js: Added.
1814         (shouldBe):
1815         (test):
1816         * stress/set-add-check-failure.js: Added.
1817         (shouldBe):
1818         (shouldThrow):
1819         (set shouldThrow):
1820         * stress/set-add-cse.js: Added.
1821         (shouldBe):
1822
1823 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1824
1825         [JSC] Allow poly proto for intrinsic getters
1826         https://bugs.webkit.org/show_bug.cgi?id=179550
1827
1828         Reviewed by Saam Barati.
1829
1830         This change is also tested by existing tests.
1831
1832             1. stress/intrinsic-getter-with-poly-proto.js
1833             2. stress/poly-proto-intrinsic-getter-correctness.js
1834
1835         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1836         (shouldBe):
1837         (makePolyProtoObject.foo.C):
1838         (makePolyProtoObject.foo):
1839         (makePolyProtoObject):
1840         (target):
1841         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1842         (shouldBe):
1843         (makePolyProtoObject.foo.C):
1844         (makePolyProtoObject.foo):
1845         (makePolyProtoObject):
1846         (target):
1847
1848 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1849
1850         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1851         https://bugs.webkit.org/show_bug.cgi?id=179744
1852
1853         Reviewed by Michael Catanzaro.
1854
1855         This test uses too much memory for our buildbots on these platforms
1856         and gets OOM-killed.
1857
1858         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1859         Skip if $memoryLimited and linux.
1860
1861 2017-11-17  JF Bastien  <jfbastien@apple.com>
1862
1863         WebAssembly JS API: throw when a promise can't be created
1864         https://bugs.webkit.org/show_bug.cgi?id=179826
1865         <rdar://problem/35455813>
1866
1867         Reviewed by Mark Lam.
1868
1869         Test WebAssembly.{compile,instantiate} where promise creation
1870         fails because of a stack overflow.
1871
1872         * wasm/js-api/promise-stack-overflow.js: Added.
1873         (const.runNearStackLimit.f.const.t):
1874         (async.testCompile):
1875         (async.testInstantiate):
1876
1877 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1878
1879         Unreviewed, mark regress-178385.js as memory exhausting
1880
1881         * stress/regress-178385.js:
1882
1883 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1884
1885         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1886
1887         Unreviewed test gardening.
1888
1889         * test262.yaml:
1890
1891 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1892
1893         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1894         https://bugs.webkit.org/show_bug.cgi?id=179763
1895         <rdar://problem/35550513>
1896
1897         Reviewed by Keith Miller.
1898
1899         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1900
1901         * stress/tdz-this-in-try-catch.js: Added.
1902         (__v_6388):
1903         (__v_6392):
1904
1905 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1906
1907         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1908         https://bugs.webkit.org/show_bug.cgi?id=179594
1909
1910         Reviewed by Saam Barati.
1911
1912         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1913         (shouldBe):
1914         (args):
1915         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1916         (shouldBe):
1917         (args):
1918
1919 2017-11-14  Saam Barati  <sbarati@apple.com>
1920
1921         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1922         https://bugs.webkit.org/show_bug.cgi?id=179639
1923         <rdar://problem/35513018>
1924
1925         Reviewed by JF Bastien.
1926
1927         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1928         (escape):
1929         (i.func):
1930
1931 2017-11-13  Mark Lam  <mark.lam@apple.com>
1932
1933         Add more overflow check book-keeping for MarkedArgumentBuffer.
1934         https://bugs.webkit.org/show_bug.cgi?id=179634
1935         <rdar://problem/35492517>
1936
1937         Reviewed by Saam Barati.
1938
1939         * stress/regress-179634.js: Added.
1940
1941 2017-11-13  Mark Lam  <mark.lam@apple.com>
1942
1943         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1944         https://bugs.webkit.org/show_bug.cgi?id=179619
1945         <rdar://problem/35492518>
1946
1947         Reviewed by Saam Barati.
1948
1949         * stress/regress-179619.js: Added.
1950
1951 2017-11-12  Mark Lam  <mark.lam@apple.com>
1952
1953         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1954         https://bugs.webkit.org/show_bug.cgi?id=179562
1955         <rdar://problem/35467022>
1956
1957         Reviewed by Saam Barati.
1958
1959         * regress-179562.js: Added.
1960
1961 2017-11-08  Saam Barati  <sbarati@apple.com>
1962
1963         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1964         https://bugs.webkit.org/show_bug.cgi?id=177792
1965
1966         Reviewed by Yusuke Suzuki.
1967
1968         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1969         (assert):
1970         (foo.Foo.prototype.ensureX):
1971         (foo.Foo):
1972         (foo):
1973         (access):
1974
1975 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1976
1977         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1978         https://bugs.webkit.org/show_bug.cgi?id=178592
1979
1980         Unreviewed test gardening.
1981
1982         * test262.yaml:
1983
1984 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1985
1986         Turn recursive tail calls into loops
1987         https://bugs.webkit.org/show_bug.cgi?id=176601
1988
1989         Reviewed by Saam Barati.
1990
1991         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1992
1993         Add some simple tests that compute factorial in several ways, and other trivial computations.
1994         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
1995         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1996         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1997         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1998
1999         * stress/inline-call-to-recursive-tail-call.js: Added.
2000         (factorial.aux):
2001         (factorial):
2002         (factorial2.aux2):
2003         (factorial2.id):
2004         (factorial2):
2005         (factorial3.aux3):
2006         (factorial3):
2007         (aux4):
2008         (factorial4):
2009         (foo):
2010         (auxBar):
2011         (bar):
2012         (test):
2013
2014 2017-11-07  Mark Lam  <mark.lam@apple.com>
2015
2016         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2017         https://bugs.webkit.org/show_bug.cgi?id=179355
2018         <rdar://problem/35263053>
2019
2020         Reviewed by Saam Barati.
2021
2022         * stress/regress-179355.js: Added.
2023
2024 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2025
2026         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2027         https://bugs.webkit.org/show_bug.cgi?id=144458
2028
2029         Reviewed by Saam Barati.
2030
2031         * microbenchmarks/dfg-internal-function-call.js: Added.
2032         (target):
2033         * microbenchmarks/dfg-internal-function-construct.js: Added.
2034         (target):
2035         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2036         (target):
2037         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2038         (target):
2039         * stress/dfg-internal-function-call.js: Added.
2040         (shouldBe):
2041         (target):
2042         * stress/dfg-internal-function-construct.js: Added.
2043         (shouldBe):
2044         (target):
2045         * stress/internal-function-call.js: Added.
2046         (shouldBe):
2047         * stress/internal-function-construct.js: Added.
2048         (shouldBe):
2049
2050 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2051
2052         [Win] Skip stress/regress-178385.js.
2053         https://bugs.webkit.org/show_bug.cgi?id=179298
2054
2055         Unreviewed test gardening.
2056
2057         * stress/regress-178385.js:
2058
2059 2017-11-03  Keith Miller  <keith_miller@apple.com>
2060
2061         Add test for ic with side effects
2062         https://bugs.webkit.org/show_bug.cgi?id=179268
2063
2064         Reviewed by Saam Barati.
2065
2066         * stress/put-inline-cache-side-effects.js: Added.
2067         (let.i.of.objs.keys):
2068         (f):
2069
2070 2017-11-03  Mark Lam  <mark.lam@apple.com>
2071
2072         CachedCall (and its clients) needs overflow checks.
2073         https://bugs.webkit.org/show_bug.cgi?id=179185
2074
2075         Reviewed by JF Bastien.
2076
2077         * stress/regress-179185.js: Added.
2078
2079 2017-11-02  Michael Saboff  <msaboff@apple.com>
2080
2081         DFG needs to handle code motion of code in for..in loop bodies
2082         https://bugs.webkit.org/show_bug.cgi?id=179212
2083
2084         Reviewed by Keith Miller.
2085
2086         New regression test.
2087
2088         * stress/for-in-side-effects.js: Added.
2089         (getPrototypeOf):
2090         (reset):
2091         (testWithoutFTL.f):
2092         (testWithoutFTL):
2093         (testWithFTL.f):
2094         (testWithFTL):
2095
2096 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2097
2098         AI does not correctly model the clobber case of ArithClz32
2099         https://bugs.webkit.org/show_bug.cgi?id=179188
2100
2101         Reviewed by Michael Saboff.
2102
2103         * stress/arith-clz32-effects.js: Added.
2104         (foo):
2105         (valueOf):
2106
2107 2017-11-01  Michael Saboff  <msaboff@apple.com>
2108
2109         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2110         https://bugs.webkit.org/show_bug.cgi?id=179140
2111
2112         Reviewed by Saam Barati.
2113
2114         New regression test.
2115
2116         * stress/regress-179140.js: Added.
2117         (testWithoutFTL):
2118         (testWithFTL):
2119
2120 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2121
2122         [JSC] Introduce @toObject
2123         https://bugs.webkit.org/show_bug.cgi?id=178726
2124
2125         Reviewed by Saam Barati.
2126
2127         * stress/array-copywithin.js:
2128         (shouldThrow):
2129         * stress/object-constructor-boolean-edge.js: Added.
2130         (shouldBe):
2131         (test):
2132         * stress/object-constructor-global.js: Added.
2133         (shouldBe):
2134         * stress/object-constructor-null-edge.js: Added.
2135         (shouldBe):
2136         (test):
2137         * stress/object-constructor-number-edge.js: Added.
2138         (shouldBe):
2139         (test):
2140         * stress/object-constructor-object-edge.js: Added.
2141         (shouldBe):
2142         (test):
2143         (i.arg):
2144         * stress/object-constructor-string-edge.js: Added.
2145         (shouldBe):
2146         (test):
2147         * stress/object-constructor-symbol-edge.js: Added.
2148         (shouldBe):
2149         (test):
2150         * stress/object-constructor-undefined-edge.js: Added.
2151         (shouldBe):
2152         (test):
2153         * stress/symbol-array-from.js: Added.
2154         (shouldBe):
2155         * stress/to-object-intrinsic-boolean-edge.js: Added.
2156         (shouldBe):
2157         (builtin.createBuiltin):
2158         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2159         (shouldThrow):
2160         * stress/to-object-intrinsic-number-edge.js: Added.
2161         (shouldBe):
2162         (builtin.createBuiltin):
2163         * stress/to-object-intrinsic-object-edge.js: Added.
2164         (shouldBe):
2165         (builtin.createBuiltin):
2166         (i.arg):
2167         * stress/to-object-intrinsic-string-edge.js: Added.
2168         (shouldBe):
2169         (builtin.createBuiltin):
2170         * stress/to-object-intrinsic-symbol-edge.js: Added.
2171         (shouldBe):
2172         (builtin.createBuiltin):
2173         * stress/to-object-intrinsic.js: Added.
2174         (shouldBe):
2175         (shouldThrow):
2176         (builtin.createBuiltin):
2177
2178 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2179
2180         [DFG][FTL] Introduce StringSlice
2181         https://bugs.webkit.org/show_bug.cgi?id=178934
2182
2183         Reviewed by Saam Barati.
2184
2185         * microbenchmarks/string-slice-empty.js: Added.
2186         (slice):
2187         * microbenchmarks/string-slice-one-char.js: Added.
2188         (slice):
2189         * microbenchmarks/string-slice.js: Added.
2190         (slice):
2191
2192 2017-10-26  Michael Saboff  <msaboff@apple.com>
2193
2194         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2195         https://bugs.webkit.org/show_bug.cgi?id=178890
2196
2197         Reviewed by Keith Miller.
2198
2199         New regression test.
2200
2201         * stress/regress-178890.js: Added.
2202
2203 2017-10-26  Mark Lam  <mark.lam@apple.com>
2204
2205         JSRopeString::RopeBuilder::append() should check for overflows.
2206         https://bugs.webkit.org/show_bug.cgi?id=178385
2207         <rdar://problem/35027468>
2208
2209         Reviewed by Saam Barati.
2210
2211         * stress/regress-178385.js: Added.
2212
2213 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2214
2215         Unreviewed, rolling out r223961.
2216
2217         The change that required this has been rolled out.
2218
2219         Reverted changeset:
2220
2221         "Mark test262.yaml/test262/test/language/statements/try/tco-
2222         catch.js as passing."
2223         https://bugs.webkit.org/show_bug.cgi?id=178592
2224         https://trac.webkit.org/changeset/223961
2225
2226 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2227
2228         Unreviewed, rolling out r223691 and r223729.
2229         https://bugs.webkit.org/show_bug.cgi?id=178834
2230
2231         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2232         by rniwa on #webkit).
2233
2234         Reverted changesets:
2235
2236         "Turn recursive tail calls into loops"
2237         https://bugs.webkit.org/show_bug.cgi?id=176601
2238         https://trac.webkit.org/changeset/223691
2239
2240         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2241         comparison is always false due to limited range of data type
2242         [-Wtype-limits]"
2243         https://bugs.webkit.org/show_bug.cgi?id=178543
2244         https://trac.webkit.org/changeset/223729
2245
2246 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2247
2248         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2249         https://bugs.webkit.org/show_bug.cgi?id=178592
2250
2251         Unreviewed test gardening.
2252
2253         * test262.yaml:
2254
2255 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2256
2257         [FTL] Support NewStringObject
2258         https://bugs.webkit.org/show_bug.cgi?id=178737
2259
2260         Reviewed by Saam Barati.
2261
2262         * stress/new-string-object.js: Added.
2263         (shouldBe):
2264         (test):
2265
2266 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2267
2268         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2269         https://bugs.webkit.org/show_bug.cgi?id=178308
2270
2271         Reviewed by Mark Lam.
2272
2273         * test262.yaml:
2274
2275 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2276
2277         [JSC] Use fastJoin in Array#toString
2278         https://bugs.webkit.org/show_bug.cgi?id=178062
2279
2280         Reviewed by Darin Adler.
2281
2282         * microbenchmarks/contiguous-array-to-string.js: Added.
2283         (target):
2284         * microbenchmarks/double-array-to-string.js: Added.
2285         (target):
2286         * microbenchmarks/int32-array-to-string.js: Added.
2287         (target):
2288
2289 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2290
2291         stress/check-string-ident.js is improperly skipped
2292         https://bugs.webkit.org/show_bug.cgi?id=178642
2293
2294         Reviewed by Saam Barati.
2295
2296         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2297         since it enforces the run-jsc-stress-tests script to still set up the
2298         test to run, despite the skip directive that's used before.
2299
2300 2017-10-20  Mark Lam  <mark.lam@apple.com>
2301
2302         Add a test case for r214334.
2303         https://bugs.webkit.org/show_bug.cgi?id=169941
2304         <rdar://problem/31221258>
2305
2306         Reviewed by JF Bastien.
2307
2308         * stress/regress-169941.js: Added.
2309
2310 2017-10-19  JF Bastien  <jfbastien@apple.com>
2311
2312         WebAssembly: no VM / JS version of everything but Instance
2313         https://bugs.webkit.org/show_bug.cgi?id=177473
2314
2315         Reviewed by Filip Pizlo, Saam Barati.
2316
2317         - Exceeding max on memory growth now returns a range error as per
2318         spec. This is a (very minor) breaking change: it used to throw OOM
2319         error. Update the corresponding test.
2320
2321         * wasm/js-api/memory-grow.js:
2322         (assertEq):
2323         * wasm/js-api/table.js:
2324         (assert.throws):
2325
2326 2017-10-19  Mark Lam  <mark.lam@apple.com>
2327
2328         Stringifier::appendStringifiedValue() is missing an exception check.
2329         https://bugs.webkit.org/show_bug.cgi?id=178386
2330         <rdar://problem/35027610>
2331
2332         Reviewed by Saam Barati.
2333
2334         * stress/regress-178386.js: Added.
2335
2336 2017-10-19  Michael Saboff  <msaboff@apple.com>
2337
2338         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2339         https://bugs.webkit.org/show_bug.cgi?id=178521
2340
2341         Reviewed by JF Bastien.
2342
2343         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2344         now passes with the current version (5.0) of the Emoji spec.
2345
2346 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2347
2348         Turn recursive tail calls into loops
2349         https://bugs.webkit.org/show_bug.cgi?id=176601
2350
2351         Reviewed by Saam Barati.
2352
2353         Add some simple tests that compute factorial in several ways, and other trivial computations.
2354         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2355         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2356         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2357         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2358
2359         * stress/inline-call-to-recursive-tail-call.js: Added.
2360         (factorial.aux):
2361         (factorial):
2362         (factorial2.aux):
2363         (factorial2.id):
2364         (factorial2):
2365         (factorial3.aux):
2366         (factorial3):
2367         (aux):
2368         (factorial4):
2369         (test):
2370
2371 2017-10-18  Mark Lam  <mark.lam@apple.com>
2372
2373         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2374         https://bugs.webkit.org/show_bug.cgi?id=177600
2375         <rdar://problem/34710985>
2376
2377         Reviewed by Saam Barati.
2378
2379         * stress/regress-177600.js: Added.
2380
2381 2017-10-18  Mark Lam  <mark.lam@apple.com>
2382
2383         The compiler should always register a structure when it adds its transitionWatchPointSet.
2384         https://bugs.webkit.org/show_bug.cgi?id=178420
2385         <rdar://problem/34814024>
2386
2387         Reviewed by Saam Barati and Filip Pizlo.
2388
2389         * stress/regress-178420.js: Added.
2390         (new.Array.10000.map):
2391
2392 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2393
2394         [JSC] __proto__ getter should be fast
2395         https://bugs.webkit.org/show_bug.cgi?id=178067
2396
2397         Reviewed by Saam Barati.
2398
2399         * stress/dfg-object-proto-accessor.js: Added.
2400         (shouldBe):
2401         (shouldThrow):
2402         (target):
2403         * stress/dfg-object-proto-getter.js: Added.
2404         (shouldBe):
2405         (shouldThrow):
2406         (target):
2407         * stress/dfg-object-prototype-of.js: Added.
2408         (shouldBe):
2409         (shouldThrow):
2410         (target):
2411         * stress/dfg-reflect-get-prototype-of.js: Added.
2412         (shouldBe):
2413         (shouldThrow):
2414         (target):
2415         * stress/intrinsic-getter-with-poly-proto.js: Added.
2416         (shouldBe):
2417         (makePolyProtoObject.foo.C):
2418         (makePolyProtoObject.foo):
2419         (makePolyProtoObject):
2420         (target):
2421         * stress/object-get-prototype-of-filtered.js: Added.
2422         (shouldBe):
2423         (shouldThrow):
2424         (target):
2425         (i.Cocoa):
2426         * stress/object-get-prototype-of-mono-proto.js: Added.
2427         (shouldBe):
2428         (makePolyProtoObject.foo.C):
2429         (makePolyProtoObject.foo):
2430         (makePolyProtoObject):
2431         (target):
2432         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2433         (shouldBe):
2434         (makePolyProtoObject.foo.C):
2435         (makePolyProtoObject.foo):
2436         (makePolyProtoObject):
2437         (target):
2438         * stress/object-get-prototype-of-poly-proto.js: Added.
2439         (shouldBe):
2440         (makePolyProtoObject.foo.C):
2441         (makePolyProtoObject.foo):
2442         (makePolyProtoObject):
2443         (target):
2444         * stress/object-proto-getter-filtered.js: Added.
2445         (shouldBe):
2446         (shouldThrow):
2447         (target):
2448         (i.Cocoa):
2449         * stress/object-proto-getter-poly-mono-proto.js: Added.
2450         (shouldBe):
2451         (makePolyProtoObject.foo.C):
2452         (makePolyProtoObject.foo):
2453         (makePolyProtoObject):
2454         (target):
2455         * stress/object-proto-getter-poly-proto.js: Added.
2456         (shouldBe):
2457         (makePolyProtoObject.foo.C):
2458         (makePolyProtoObject.foo):
2459         (makePolyProtoObject):
2460         (target):
2461         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2462         * stress/string-proto.js: Added.
2463         (shouldBe):
2464         (target):
2465
2466 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2467
2468         Unreviewed, rolling out r223523.
2469
2470         A test for this change is failing on debug JSC bots.
2471
2472         Reverted changeset:
2473
2474         "[JSC] __proto__ getter should be fast"
2475         https://bugs.webkit.org/show_bug.cgi?id=178067
2476         https://trac.webkit.org/changeset/223523
2477
2478 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2479
2480         [JSC] __proto__ getter should be fast
2481         https://bugs.webkit.org/show_bug.cgi?id=178067
2482
2483         Reviewed by Saam Barati.
2484
2485         * stress/dfg-object-proto-accessor.js: Added.
2486         (shouldBe):
2487         (shouldThrow):
2488         (target):
2489         * stress/dfg-object-proto-getter.js: Added.
2490         (shouldBe):
2491         (shouldThrow):
2492         (target):
2493         * stress/dfg-object-prototype-of.js: Added.
2494         (shouldBe):
2495         (shouldThrow):
2496         (target):
2497         * stress/dfg-reflect-get-prototype-of.js: Added.
2498         (shouldBe):
2499         (shouldThrow):
2500         (target):
2501         * stress/object-get-prototype-of-filtered.js: Added.
2502         (shouldBe):
2503         (shouldThrow):
2504         (target):
2505         (i.Cocoa):
2506         * stress/object-get-prototype-of-mono-proto.js: Added.
2507         (shouldBe):
2508         (makePolyProtoObject.foo.C):
2509         (makePolyProtoObject.foo):
2510         (makePolyProtoObject):
2511         (target):
2512         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2513         (shouldBe):
2514         (makePolyProtoObject.foo.C):
2515         (makePolyProtoObject.foo):
2516         (makePolyProtoObject):
2517         (target):
2518         * stress/object-get-prototype-of-poly-proto.js: Added.
2519         (shouldBe):
2520         (makePolyProtoObject.foo.C):
2521         (makePolyProtoObject.foo):
2522         (makePolyProtoObject):
2523         (target):
2524         * stress/object-proto-getter-filtered.js: Added.
2525         (shouldBe):
2526         (shouldThrow):
2527         (target):
2528         (i.Cocoa):
2529         * stress/object-proto-getter-poly-mono-proto.js: Added.
2530         (shouldBe):
2531         (makePolyProtoObject.foo.C):
2532         (makePolyProtoObject.foo):
2533         (makePolyProtoObject):
2534         (target):
2535         * stress/object-proto-getter-poly-proto.js: Added.
2536         (shouldBe):
2537         (makePolyProtoObject.foo.C):
2538         (makePolyProtoObject.foo):
2539         (makePolyProtoObject):
2540         (target):
2541         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2542         * stress/string-proto.js: Added.
2543         (shouldBe):
2544         (target):
2545
2546 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2547
2548         Reland "Add Above/Below comparisons for UInt32 patterns"
2549         https://bugs.webkit.org/show_bug.cgi?id=177281
2550
2551         Reviewed by Saam Barati.
2552
2553         * stress/uint32-comparison-jump.js: Added.
2554         (shouldBe):
2555         (above):
2556         (aboveOrEqual):
2557         (below):
2558         (belowOrEqual):
2559         (notAbove):
2560         (notAboveOrEqual):
2561         (notBelow):
2562         (notBelowOrEqual):
2563         * stress/uint32-comparison.js: Added.
2564         (shouldBe):
2565         (above):
2566         (aboveOrEqual):
2567         (below):
2568         (belowOrEqual):
2569         (aboveTest):
2570         (aboveOrEqualTest):
2571         (belowTest):
2572         (belowOrEqualTest):
2573
2574 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2575
2576         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2577         https://bugs.webkit.org/show_bug.cgi?id=178210
2578
2579         Reviewed by Saam Barati.
2580
2581         * wasm/function-tests/trap-from-start-async.js:
2582         (async.StartTrapsAsync):
2583         * wasm/function-tests/trap-from-start.js:
2584         (StartTraps):
2585         * wasm/js-api/web-assembly-function.js:
2586         (assert.eq.Object.getPrototypeOf):
2587         * wasm/js-api/wrapper-function.js:
2588         (return.new.WebAssembly.Module):
2589         (assert.throws.makeInstance): Deleted.
2590         (assert.throws.Bar): Deleted.
2591         (assert.throws): Deleted.
2592
2593 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2594
2595         Enable gigacage on iOS
2596         https://bugs.webkit.org/show_bug.cgi?id=177586
2597
2598         Reviewed by JF Bastien.
2599         
2600         Add tests for when Gigacage gets runtime disabled.
2601
2602         * stress/disable-gigacage-arrays.js: Added.
2603         (foo):
2604         * stress/disable-gigacage-strings.js: Added.
2605         (foo):
2606         * stress/disable-gigacage-typed-arrays.js: Added.
2607         (foo):
2608
2609 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2610
2611         import.meta should not be assignable
2612         https://bugs.webkit.org/show_bug.cgi?id=178202
2613
2614         Reviewed by Saam Barati.
2615
2616         * modules/import-meta-assignment.js: Added.
2617         (shouldThrow):
2618         (SyntaxError.import.meta.can.shouldThrow):
2619
2620 2017-10-11  Saam Barati  <sbarati@apple.com>
2621
2622         Unreviewed. Actually skip certain type profiler tests in debug.
2623
2624         * typeProfiler.yaml:
2625         * typeProfiler/deltablue-for-of.js:
2626         * typeProfiler/getter-richards.js:
2627
2628 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2629
2630         Unreviewed, rolling out r223113 and r223121.
2631         https://bugs.webkit.org/show_bug.cgi?id=178182
2632
2633         Reintroduced 20% regression on Kraken (Requested by rniwa on
2634         #webkit).
2635
2636         Reverted changesets:
2637
2638         "Enable gigacage on iOS"
2639         https://bugs.webkit.org/show_bug.cgi?id=177586
2640         https://trac.webkit.org/changeset/223113
2641
2642         "Use one virtual allocation for all gigacages and their
2643         runways"
2644         https://bugs.webkit.org/show_bug.cgi?id=178050
2645         https://trac.webkit.org/changeset/223121
2646
2647 2017-10-11  Michael Saboff  <msaboff@apple.com>
2648
2649         Disable test262 named capture group tests with direct unicode names and with references before definitions
2650         https://bugs.webkit.org/show_bug.cgi?id=178177
2651
2652         Reviewed by Keith Miller.
2653
2654         Bugs to track fixing these tests are:
2655         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2656             "Add support in named capture group identifiers for direct surrogate pairs"
2657         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2658             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2659
2660         * test262.yaml:
2661
2662 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2663
2664         Object properties are undefined in super.call() but not in this.call()
2665         https://bugs.webkit.org/show_bug.cgi?id=177230
2666
2667         Reviewed by Saam Barati.
2668
2669         * stress/super-call-function-subclass.js: Added.
2670         (assert):
2671         (A.prototype.t):
2672         (A):
2673         * stress/super-dot-call-and-apply.js: Added.
2674         (assert):
2675         (A):
2676         (A.prototype.call):
2677         (A.prototype.apply):
2678         (B.prototype.testSuper):
2679         (B):
2680         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2681         (D.prototype.testSuper):
2682         (D):
2683
2684 2017-10-10  Saam Barati  <sbarati@apple.com>
2685
2686         The prototype cache should be aware of the Executable it generates a Structure for
2687         https://bugs.webkit.org/show_bug.cgi?id=177907
2688
2689         Reviewed by Filip Pizlo.
2690
2691         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2692         (assert):
2693         (foo.C):
2694         (foo):
2695         (bar.C):
2696         (bar):
2697         (access):
2698         (makeLongChain):
2699         (accessY):
2700
2701 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2702
2703         `async` should be able to be used as an imported binding name
2704         https://bugs.webkit.org/show_bug.cgi?id=176573
2705
2706         Reviewed by Saam Barati.
2707
2708         * modules/import-default-async.js: Added.
2709         * modules/import-named-async-as.js: Added.
2710         * modules/import-named-async.js: Added.
2711         * modules/import-named-async/target.js: Added.
2712         * modules/import-namespace-async.js: Added.
2713         * test262.yaml:
2714
2715 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2716
2717         Enable gigacage on iOS
2718         https://bugs.webkit.org/show_bug.cgi?id=177586
2719
2720         Reviewed by JF Bastien.
2721         
2722         Add tests for when Gigacage gets runtime disabled.
2723
2724         * stress/disable-gigacage-arrays.js: Added.
2725         (foo):
2726         * stress/disable-gigacage-strings.js: Added.
2727         (foo):
2728         * stress/disable-gigacage-typed-arrays.js: Added.
2729         (foo):
2730
2731 2017-10-09  Michael Saboff  <msaboff@apple.com>
2732
2733         Implement RegExp Unicode property escapes
2734         https://bugs.webkit.org/show_bug.cgi?id=172069
2735
2736         Reviewed by JF Bastien.
2737
2738         Enabled Unicode Property tests.
2739
2740         * test262.yaml:
2741
2742 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2743
2744         Unreviewed, rolling out r223015 and r223025.
2745         https://bugs.webkit.org/show_bug.cgi?id=178093
2746
2747         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2748         #webkit).
2749
2750         Reverted changesets:
2751
2752         "Enable gigacage on iOS"
2753         https://bugs.webkit.org/show_bug.cgi?id=177586
2754         http://trac.webkit.org/changeset/223015
2755
2756         "Unreviewed, disable Gigacage on ARM64 Linux"
2757         https://bugs.webkit.org/show_bug.cgi?id=177586
2758         http://trac.webkit.org/changeset/223025
2759
2760 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2761
2762         Update expectations for test262 tests that pass after r223043.
2763         https://bugs.webkit.org/show_bug.cgi?id=176685
2764
2765         Unreviewed test gardening.
2766
2767         * test262.yaml:
2768
2769 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2770
2771         Unreviewed, rolling out r223022.
2772
2773         This change introduced 18 test262 failures.
2774
2775         Reverted changeset:
2776
2777         "`async` should be able to be used as an imported binding
2778         name"
2779         https://bugs.webkit.org/show_bug.cgi?id=176573
2780         http://trac.webkit.org/changeset/223022
2781
2782 2017-10-09  Saam Barati  <sbarati@apple.com>
2783
2784         3 poly-proto JSC tests timing out on debug after r222827
2785         https://bugs.webkit.org/show_bug.cgi?id=177880
2786         <rdar://problem/34817122>
2787
2788         Unreviewed.
2789
2790         I'm skipping these type profiler tests on debug since they are long running.
2791
2792         * typeProfiler/deltablue-for-of.js:
2793         * typeProfiler/getter-richards.js:
2794
2795 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2796
2797         Safari 10 /11 problem with if (!await get(something)).
2798         https://bugs.webkit.org/show_bug.cgi?id=176685
2799
2800         Reviewed by Saam Barati.
2801
2802         * stress/async-await-basic.js:
2803         (awaitEpression.async):
2804         * stress/async-await-syntax.js:
2805         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2806         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2807
2808 2017-10-08  Saam Barati  <sbarati@apple.com>
2809
2810         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2811
2812         * typeProfiler/deltablue-for-of.js:
2813         * typeProfiler/getter-richards.js:
2814
2815 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2816
2817         `async` should be able to be used as an imported binding name
2818         https://bugs.webkit.org/show_bug.cgi?id=176573
2819
2820         Reviewed by Darin Adler.
2821
2822         * modules/import-default-async.js: Added.
2823         * modules/import-named-async-as.js: Added.
2824         * modules/import-named-async.js: Added.
2825         * modules/import-named-async/target.js: Added.
2826         * modules/import-namespace-async.js: Added.
2827
2828 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2829
2830         Enable gigacage on iOS
2831         https://bugs.webkit.org/show_bug.cgi?id=177586
2832
2833         Reviewed by JF Bastien.
2834         
2835         Add tests for when Gigacage gets runtime disabled.
2836
2837         * stress/disable-gigacage-arrays.js: Added.
2838         (foo):
2839         * stress/disable-gigacage-strings.js: Added.
2840         (foo):
2841         * stress/disable-gigacage-typed-arrays.js: Added.
2842         (foo):
2843
2844 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2845
2846         Unreviewed, rolling out r222791 and r222873.
2847         https://bugs.webkit.org/show_bug.cgi?id=178031
2848
2849         Caused crashes with workers/wasm LayoutTests (Requested by
2850         ryanhaddad on #webkit).
2851
2852         Reverted changesets:
2853
2854         "WebAssembly: no VM / JS version of everything but Instance"
2855         https://bugs.webkit.org/show_bug.cgi?id=177473
2856         http://trac.webkit.org/changeset/222791
2857
2858         "WebAssembly: address no VM / JS follow-ups"
2859         https://bugs.webkit.org/show_bug.cgi?id=177887
2860         http://trac.webkit.org/changeset/222873
2861
2862 2017-10-05  Saam Barati  <sbarati@apple.com>
2863
2864         Make sure all prototypes under poly proto get added into the VM's prototype map
2865         https://bugs.webkit.org/show_bug.cgi?id=177909
2866
2867         Reviewed by Keith Miller.
2868
2869         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2870         (assert):
2871         (foo.C):
2872         (foo):
2873         (set x):
2874
2875 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2876
2877         [JSC] Introduce import.meta
2878         https://bugs.webkit.org/show_bug.cgi?id=177703
2879
2880         Reviewed by Filip Pizlo.
2881
2882         * modules/import-meta-syntax.js: Added.
2883         (shouldThrow):
2884         (shouldNotThrow):
2885         * modules/import-meta.js: Added.
2886         * modules/import-meta/cocoa.js: Added.
2887         * modules/resources/assert.js:
2888         (export.shouldNotThrow):
2889         * stress/import-syntax.js:
2890
2891 2017-10-04  Saam Barati  <sbarati@apple.com>
2892
2893         Make pertinent AccessCases watch the poly proto watchpoint
2894         https://bugs.webkit.org/show_bug.cgi?id=177765
2895
2896         Reviewed by Keith Miller.
2897
2898         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2899         (assert):
2900         (foo.C):
2901         (foo):
2902         (validate):
2903         * stress/poly-proto-clear-stub.js: Added.
2904         (assert):
2905         (foo.C):
2906         (foo):
2907
2908 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2909
2910         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2911
2912         Unreviewed test gardening.
2913
2914         * test262.yaml:
2915
2916 2017-10-04  Saam Barati  <sbarati@apple.com>
2917
2918         3 poly-proto JSC tests timing out on debug after r222827
2919         https://bugs.webkit.org/show_bug.cgi?id=177880
2920
2921         Rubber stamped by Mark Lam.
2922
2923         * microbenchmarks/poly-proto-access.js:
2924         * typeProfiler/deltablue-for-of.js:
2925         * typeProfiler/getter-richards.js:
2926
2927 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2928
2929         Unreviewed, marking tco-catch.js as a failure after test262 update
2930         https://bugs.webkit.org/show_bug.cgi?id=177859
2931
2932         * test262.yaml:
2933
2934 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2935
2936         Unreviewed, marking one async iterator test262 test failed
2937         https://bugs.webkit.org/show_bug.cgi?id=177859
2938
2939         * test262.yaml:
2940
2941 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2942
2943         [Test262] Update Test262 to Oct 4 version
2944         https://bugs.webkit.org/show_bug.cgi?id=177859
2945
2946         Reviewed by Sam Weinig.
2947
2948         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2949         we no longer need to mark it skip/fail. Also, this update includes a bunch of BigInt tests.
2950
2951         * test262.yaml:
2952         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2953         (checkSequence):
2954         * test262/harness/typeCoercion.js:
2955         (testCoercibleToIndexZero):
2956         (testCoercibleToIndexOne):
2957         (testCoercibleToIndexFromIndex):
2958         (testNotCoercibleToIndex.testPrimitiveValue):
2959         (testNotCoercibleToInteger):
2960         (testCoercibleToBigIntZero.testPrimitiveValue):
2961         (testCoercibleToBigIntZero):
2962         (testCoercibleToBigIntOne.testPrimitiveValue):
2963         (testCoercibleToBigIntOne):
2964         (testPrimitiveValue):
2965         (testCoercibleToBigIntFromBigInt):
2966         (testNotCoercibleToBigInt.testPrimitiveValue):
2967         (testNotCoercibleToBigInt.testStringValue):
2968         (testNotCoercibleToBigInt):
2969         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2970         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2971         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2972         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2973         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2974         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2975         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2976         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2977         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2978         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2979         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2980         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2981         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2982         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2983         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2984         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2985         (testCoercibleToBigIntZero):
2986         (testCoercibleToBigIntOne):
2987         (testNotCoercibleToBigInt):
2988         (MyError): Deleted.
2989         (valueOf): Deleted.
2990         (toString): Deleted.
2991         (Symbol.toPrimitive): Deleted.
2992         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2993         (testCoercibleToIndexZero):
2994         (testCoercibleToIndexOne):
2995         (testNotCoercibleToIndex):
2996         (MyError): Deleted.
2997         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2998         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2999         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3000         (BigInt.asIntN.valueOf): Deleted.
3001         (BigInt.asIntN.toString): Deleted.
3002         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3003         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3004         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3005         (testCoercibleToBigIntZero):
3006         (testCoercibleToBigIntOne):
3007         (testNotCoercibleToBigInt):
3008         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3009         (testCoercibleToIndexZero):
3010         (testCoercibleToIndexOne):
3011         (testNotCoercibleToIndex):
3012         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3013         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3014         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3015         (bits.valueOf):
3016         (bigint.valueOf):
3017         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3018         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3019         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3020         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3021         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3022         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3023         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3024         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3025         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3026         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3027         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3028         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3029         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3030         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3031         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3032         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3033         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3034         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3035         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3036         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3037         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3038         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3039         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3040         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3041         (replacer):
3042         (BigInt.prototype.toJSON):
3043         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3044         (replacer):
3045         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3046         (BigInt.prototype.toJSON):
3047         * test262/test/built-ins/JSON/stringify/bigint.js:
3048         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3049         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3050         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3051         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3052         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3053         * test262/test/built-ins/Object/proto-from-ctor.js:
3054         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3055         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3056         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3057         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3058         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3059         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3060         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3061         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3062         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3063         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3064         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3065         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3066         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3067         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3068         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3069         * test262/test/built-ins/Proxy/get-fn-realm.js:
3070         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3071         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3072         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3073         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3074         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3075         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3076         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3077         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3078         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3079         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3080         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3081         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3082         (i6.replace):
3083         (i6b.replace):
3084         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3085         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3086         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3087         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3088         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3089         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3090         * test262/test/built-ins/RegExp/u180e.js: Added.
3091         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3092         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3093         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3094         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3095         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3096         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3097         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3098         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3099         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3100         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3101         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3102         * test262/test/built-ins/String/prototype/endsWith/length.js:
3103         * test262/test/built-ins/String/prototype/endsWith/name.js:
3104         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3105         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3106         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3107         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3108         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3109         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3110         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3111         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3112         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3113         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3114         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3115         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3116         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3117         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3118         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3119         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3120         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3121         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3122         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3123         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3124         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3125         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3126         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3127         * test262/test/built-ins/String/prototype/includes/includes.js:
3128         * test262/test/built-ins/String/prototype/includes/length.js:
3129         * test262/test/built-ins/String/prototype/includes/name.js:
3130         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3131         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3132         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3133         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3134         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3135         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3136         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3137         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3138         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3139         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3140         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3141         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3142         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3143         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3144         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3145         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3146         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3147         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3148         * test262/test/built-ins/String/prototype/trim/u180e.js:
3149         * test262/test/built-ins/Symbol/for/cross-realm.js:
3150         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3151         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3152         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3153         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3154         * test262/test/built-ins/Symbol/match/cross-realm.js:
3155         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3156         * test262/test/built-ins/Symbol/search/cross-realm.js:
3157         * test262/test/built-ins/Symbol/species/cross-realm.js:
3158         * test262/test/built-ins/Symbol/split/cross-realm.js:
3159         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3160         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3161         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3162         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3163         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3164         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3165         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3166         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3167         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3168         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3169         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3170         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3171         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3172         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3173         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3174         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3175         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3176         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3177         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3178         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3179         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3180         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3181         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3182         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3183         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3184         * test262/test/language/eval-code/indirect/realm.js:
3185         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3186         (o.get z):
3187         (o.get a):
3188         * test262/test/language/expressions/call/eval-realm-indirect.js:
3189         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3190         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3191         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3192         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3193         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3194         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3195         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3196         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3197         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3198         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3199         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3200         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3201         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3202         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3203         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3204         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3205         * test262/test/language/expressions/less-than/bigint-and-number.js:
3206         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3207         * test262/test/language/expressions/super/realm.js:
3208         * test262/test/language/expressions/tagged-template/cache-realm.js:
3209         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3210         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3211         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3212         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3213         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3214         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3215         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3216         (o.get z):
3217         (o.get a):
3218         * test262/test/language/statements/for-of/iterator-next-reference.js:
3219         (next):
3220         (iterator.next): Deleted.
3221         (x.of.iterable.): Deleted.
3222         (x.of.iterable.get return): Deleted.
3223         (x.of.iterable.iterator.next): Deleted.
3224         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3225         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3226         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3227         * test262/test/language/white-space/mongolian-vowel-separator.js:
3228         * test262/test262-Revision.txt:
3229
3230 2017-10-03  Saam Barati  <sbarati@apple.com>
3231
3232         Implement polymorphic prototypes
3233         https://bugs.webkit.org/show_bug.cgi?id=176391
3234
3235         Reviewed by Filip Pizlo.
3236
3237         * microbenchmarks/poly-proto-access.js: Added.
3238         (assert):
3239         (foo.C):
3240         (foo.C.prototype.get bar):
3241         (foo):
3242         (bar):
3243         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3244         (assert):
3245         (makePolyProtoObject.foo.C):
3246         (makePolyProtoObject.foo):
3247         (makePolyProtoObject):
3248         (performSet):
3249         * microbenchmarks/poly-proto-setter-speed.js: Added.
3250         (assert):
3251         (makePolyProtoObject.foo.C):
3252         (makePolyProtoObject.foo.C.prototype.set p):
3253         (makePolyProtoObject.foo):
3254         (makePolyProtoObject):
3255         (performSet):
3256         * stress/constructor-with-return.js:
3257         (i.tests.forEach.Constructor):
3258         (i.tests.forEach):
3259         (tests.forEach.Constructor): Deleted.
3260         (tests.forEach): Deleted.
3261         * stress/dom-jit-with-poly-proto.js: Added.
3262         (assert):
3263         (makePolyProtoObject.foo.C):
3264         (makePolyProtoObject.foo):
3265         (makePolyProtoObject):
3266         (validate):
3267         * stress/poly-proto-custom-value-and-accessor.js: Added.
3268         (assert):
3269         (makePolyProtoObject.foo.C):
3270         (makePolyProtoObject.foo):
3271         (makePolyProtoObject):
3272         (items.forEach):
3273         (set get for):
3274         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3275         (assert):
3276         (makePolyProtoObject.foo.C):
3277         (makePolyProtoObject.foo):
3278         (makePolyProtoObject):
3279         (foo):
3280         * stress/poly-proto-miss.js: Added.
3281         (makePolyProtoInstanceWithNullPrototype.foo.C):
3282         (makePolyProtoInstanceWithNullPrototype.foo):
3283         (makePolyProtoInstanceWithNullPrototype):
3284         (assert):
3285         (validate):
3286         * stress/poly-proto-op-in-caching.js: Added.
3287         (assert):
3288         (makePolyProtoObject.foo.C):
3289         (makePolyProtoObject.foo):
3290         (makePolyProtoObject):
3291         (validate):
3292         (validate2):
3293         * stress/poly-proto-put-transition.js: Added.
3294         (assert):
3295         (makePolyProtoObject.foo.C):
3296         (makePolyProtoObject.foo):
3297         (makePolyProtoObject):
3298         (performSet):
3299         (i.obj.__proto__.set p):
3300         * stress/poly-proto-set-prototype.js: Added.
3301         (assert):
3302         (let.alternateProto.get x):
3303         (let.alternateProto2.get y):
3304         (let.alternateProto2.get x):
3305         (foo.C):
3306         (foo):
3307         (validate):
3308         * stress/poly-proto-setter.js: Added.
3309         (assert):
3310         (makePolyProtoObject.foo.C):
3311         (makePolyProtoObject.foo.C.prototype.set p):
3312         (makePolyProtoObject.foo.C.prototype.get p):
3313         (makePolyProtoObject.foo):
3314         (makePolyProtoObject):
3315         (performSet):
3316         * stress/poly-proto-using-inheritance.js: Added.
3317         (assert):
3318         (foo.C):
3319         (foo.C.prototype.get baz):
3320         (foo):
3321         (bar.C):
3322         (bar):
3323         (validate):
3324         * stress/primitive-poly-proto.js: Added.
3325         (makePolyProtoInstance.foo.C):
3326         (makePolyProtoInstance.foo):
3327         (makePolyProtoInstance):
3328         (assert):
3329         (validate):
3330         * stress/prototype-is-not-js-object.js: Added.
3331         (foo.bar):
3332         (foo):
3333         (assert):
3334         (validate):
3335         * stress/try-get-by-id-poly-proto.js: Added.
3336         (assert):
3337         (makePolyProtoObject.foo.C):
3338         (makePolyProtoObject.foo):
3339         (makePolyProtoObject):
3340         (tryGetByIdText):
3341         (x.__proto__.get bar):
3342         (validate):
3343         * typeProfiler/overflow.js:
3344
3345 2017-10-03  JF Bastien  <jfbastien@apple.com>
3346
3347         WebAssembly: no VM / JS version of everything but Instance
3348         https://bugs.webkit.org/show_bug.cgi?id=177473
3349
3350         Reviewed by Filip Pizlo.
3351
3352         - Exceeding max on memory growth now returns a range error as per
3353         spec. This is a (very minor) breaking change: it used to throw OOM
3354         error. Update the corresponding test.
3355
3356         * wasm/js-api/memory-grow.js:
3357         (assertEq):
3358         * wasm/js-api/table.js:
3359         (assert.throws):
3360
3361 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3362
3363         Skip JSC test stress/regress-159779-2.js on debug.
3364         https://bugs.webkit.org/show_bug.cgi?id=177204
3365
3366         Unreviewed test gardening.
3367
3368         * stress/regress-159779-2.js:
3369
3370 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3371
3372         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3373         https://bugs.webkit.org/show_bug.cgi?id=175642
3374
3375         Reviewed by Darin Adler.
3376
3377         * ChakraCore/test/Function/apply3.baseline-jsc:
3378
3379 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3380
3381         Unreviewed, rolling out r222564.
3382         https://bugs.webkit.org/show_bug.cgi?id=177720
3383
3384         "It regressed JetStream by 2% on iOS caused by a 50%
3385         regression on the bigfib subtest" (Requested by saamyjoon on
3386         #webkit).
3387
3388         Reverted changeset:
3389
3390         "Add Above/Below comparisons for UInt32 patterns"
3391         https://bugs.webkit.org/show_bug.cgi?id=177281
3392         http://trac.webkit.org/changeset/222564
3393
3394 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3395
3396         [DFG] Support ArrayPush with multiple args
3397         https://bugs.webkit.org/show_bug.cgi?id=175823
3398
3399         Reviewed by Saam Barati.
3400
3401         * microbenchmarks/array-push-0.js: Added.
3402         (arrayPush0):
3403         * microbenchmarks/array-push-1.js: Added.
3404         (arrayPush1):
3405         * microbenchmarks/array-push-2.js: Added.
3406         (arrayPush2):
3407         * microbenchmarks/array-push-3.js: Added.
3408         (arrayPush3):
3409         * stress/array-push-multiple-contiguous.js: Added.
3410         (shouldBe):
3411         (test):
3412         * stress/array-push-multiple-double-nan.js: Added.
3413         (shouldBe):
3414         (test):
3415         * stress/array-push-multiple-double.js: Added.
3416         (shouldBe):
3417         (test):
3418         * stress/array-push-multiple-int32.js: Added.
3419         (shouldBe):
3420         (test):
3421         * stress/array-push-multiple-many-contiguous.js: Added.
3422         (shouldBe):
3423         (test):
3424         * stress/array-push-multiple-many-double.js: Added.
3425         (shouldBe):
3426         (test):
3427         * stress/array-push-multiple-many-int32.js: Added.
3428         (shouldBe):
3429         (test):
3430         * stress/array-push-multiple-many-storage.js: Added.
3431         (shouldBe):
3432         (test):
3433         * stress/array-push-multiple-storage.js: Added.
3434         (shouldBe):
3435         (test):
3436         * stress/array-push-with-force-exit.js: Added.
3437         (target.createBuiltin):
3438
3439 2017-09-29  Saam Barati  <sbarati@apple.com>
3440
3441         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3442         https://bugs.webkit.org/show_bug.cgi?id=177639
3443
3444         Reviewed by Geoffrey Garen.
3445
3446         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3447         (assert):
3448         (Class):
3449         (items.forEach):
3450         (set get for):
3451
3452 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3453
3454         Unreviewed, rolling out r222563, r222565, and r222581.
3455         https://bugs.webkit.org/show_bug.cgi?id=177675
3456
3457         "It causes a crash when playing youtube videos" (Requested by
3458         saamyjoon on #webkit).
3459
3460         Reverted changesets:
3461
3462         "[DFG] Support ArrayPush with multiple args"
3463         https://bugs.webkit.org/show_bug.cgi?id=175823
3464         http://trac.webkit.org/changeset/222563
3465
3466         "Unreviewed, build fix after r222563"
3467         https://bugs.webkit.org/show_bug.cgi?id=175823
3468         http://trac.webkit.org/changeset/222565
3469
3470         "Unreviewed, fix x86 breaking due to exhausted registers"
3471         https://bugs.webkit.org/show_bug.cgi?id=175823
3472         http://trac.webkit.org/changeset/222581
3473
3474 2017-09-28  Mark Lam  <mark.lam@apple.com>
3475
3476         test262: Unexpected passes after r222617 and r222618.
3477         https://bugs.webkit.org/show_bug.cgi?id=177622
3478         <rdar://problem/34725960>
3479
3480         Reviewed by Saam Barati.
3481
3482         Update test262.yaml for tests that are now passing.
3483
3484         * test262.yaml:
3485
3486 2017-09-27  Michael Saboff  <msaboff@apple.com>
3487
3488         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3489         https://bugs.webkit.org/show_bug.cgi?id=177570
3490
3491         Reviewed by Filip Pizlo.
3492
3493         New regression test.
3494
3495         * stress/regress-177570.js: Added.
3496
3497 2017-09-28  Michael Saboff  <msaboff@apple.com>
3498
3499         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3500         https://bugs.webkit.org/show_bug.cgi?id=177423
3501
3502         Reviewed by Mark Lam.
3503
3504         Updated regression test.
3505
3506         * stress/regress-177423.js:
3507         (catch):
3508
3509 2017-09-27  Mark Lam  <mark.lam@apple.com>
3510
3511         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3512         https://bugs.webkit.org/show_bug.cgi?id=177584
3513         <rdar://problem/34463903>
3514
3515         Reviewed by Saam Barati.
3516
3517         * stress/regress-177584.js: Added.
3518         (assertEqual):
3519         (Array.prototype.Symbol.species):
3520
3521 2017-09-27  Saam Barati  <sbarati@apple.com>
3522
3523         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3524         https://bugs.webkit.org/show_bug.cgi?id=177523
3525
3526         Reviewed by Mark Lam.
3527
3528         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3529         (assert):
3530         (Test):
3531         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3532         (addMethods):
3533         (i.Test.prototype.propName):
3534
3535 2017-09-27  Mark Lam  <mark.lam@apple.com>
3536
3537         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3538         https://bugs.webkit.org/show_bug.cgi?id=177423
3539         <rdar://problem/34621320>
3540
3541         Reviewed by Keith Miller.
3542
3543         * stress/regress-177423.js: Added.
3544
3545 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3546
3547         Add Above/Below comparisons for UInt32 patterns
3548         https://bugs.webkit.org/show_bug.cgi?id=177281
3549
3550         Reviewed by Saam Barati.
3551
3552         * stress/uint32-comparison-jump.js: Added.
3553         (shouldBe):
3554         (above):
3555         (aboveOrEqual):
3556         (below):
3557         (belowOrEqual):
3558         (notAbove):
3559         (notAboveOrEqual):
3560         (notBelow):
3561         (notBelowOrEqual):
3562         * stress/uint32-comparison.js: Added.
3563         (shouldBe):
3564         (above):
3565         (aboveOrEqual):
3566         (below):
3567         (belowOrEqual):
3568         (aboveTest):
3569         (aboveOrEqualTest):
3570         (belowTest):
3571         (belowOrEqualTest):
3572
3573 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3574
3575         [DFG] Support ArrayPush with multiple args
3576         https://bugs.webkit.org/show_bug.cgi?id=175823
3577
3578         Reviewed by Saam Barati.
3579
3580         * microbenchmarks/array-push-0.js: Added.
3581         (arrayPush0):
3582         * microbenchmarks/array-push-1.js: Added.
3583         (arrayPush1):
3584         * microbenchmarks/array-push-2.js: Added.
3585         (arrayPush2):
3586         * microbenchmarks/array-push-3.js: Added.
3587         (arrayPush3):
3588         * stress/array-push-multiple-contiguous.js: Added.
3589         (shouldBe):
3590         (test):
3591         * stress/array-push-multiple-double-nan.js: Added.
3592         (shouldBe):
3593         (test):
3594         * stress/array-push-multiple-double.js: Added.
3595         (shouldBe):
3596         (test):
3597         * stress/array-push-multiple-int32.js: Added.
3598         (shouldBe):
3599         (test):
3600         * stress/array-push-multiple-many-contiguous.js: Added.
3601         (shouldBe):
3602         (test):
3603         * stress/array-push-multiple-many-double.js: Added.
3604         (shouldBe):
3605         (test):
3606         * stress/array-push-multiple-many-int32.js: Added.
3607         (shouldBe):
3608         (test):
3609         * stress/array-push-multiple-many-storage.js: Added.
3610         (shouldBe):
3611         (test):
3612         * stress/array-push-multiple-storage.js: Added.
3613         (shouldBe):
3614         (test):
3615
3616 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3617
3618         Unreviewed, rolling out r222518.
3619         https://bugs.webkit.org/show_bug.cgi?id=177507
3620
3621         Break the High Sierra build (Requested by yusukesuzuki on
3622         #webkit).
3623
3624         Reverted changeset:
3625
3626         "Add Above/Below comparisons for UInt32 patterns"
3627         https://bugs.webkit.org/show_bug.cgi?id=177281
3628         http://trac.webkit.org/changeset/222518
3629
3630 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3631
3632         Add Above/Below comparisons for UInt32 patterns
3633         https://bugs.webkit.org/show_bug.cgi?id=177281
3634
3635         Reviewed by Saam Barati.
3636
3637         * stress/uint32-comparison-jump.js: Added.
3638         (shouldBe):
3639         (above):
3640         (aboveOrEqual):
3641         (below):
3642         (belowOrEqual):
3643         (notAbove):
3644         (notAboveOrEqual):
3645         (notBelow):
3646         (notBelowOrEqual):
3647         * stress/uint32-comparison.js: Added.
3648         (shouldBe):
3649         (above):
3650         (aboveOrEqual):
3651         (below):
3652         (belowOrEqual):
3653         (aboveTest):
3654         (aboveOrEqualTest):
3655         (belowTest):
3656         (belowOrEqualTest):
3657
3658 2017-09-23  Keith Miller  <keith_miller@apple.com>
3659
3660         Fix infinite looping test262 test
3661         https://bugs.webkit.org/show_bug.cgi?id=177412
3662
3663         Reviewed by Yusuke Suzuki.
3664
3665         This test was poorly designed since failing it would cause the vm
3666         to infinite loop. I've fixed it locally and will fix it on github pending
3667         the results of next week's tc39 meeting.
3668
3669         * test262.yaml:
3670         * test262/test/language/statements/for-of/iterator-next-reference.js:
3671
3672 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3673
3674         test262: $.agent became $262.agent in test262 update
3675         https://bugs.webkit.org/show_bug.cgi?id=177407
3676
3677         Reviewed by Yusuke Suzuki.
3678
3679         * test262.yaml:
3680         ~320 tests pass now that we correctly make $262 available.
3681
3682 2017-09-22  Keith Miller  <keith_miller@apple.com>
3683
3684         Speculatively change iteration protocol to use the same next function
3685         https://bugs.webkit.org/show_bug.cgi?id=175653
3686
3687         Reviewed by Saam Barati.
3688
3689         Change test to match the new iteration behavior.
3690
3691         * stress/spread-optimized-properly.js:
3692
3693 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3694
3695         [DFG][FTL] Profile array vector length for array allocation
3696         https://bugs.webkit.org/show_bug.cgi?id=177051
3697
3698         Reviewed by Saam Barati.
3699
3700         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3701         (target):
3702
3703 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3704
3705         Unreviewed, rolling out r222380.
3706         https://bugs.webkit.org/show_bug.cgi?id=177352
3707
3708         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3709         #webkit).
3710
3711         Reverted changeset:
3712
3713         "[DFG][FTL] Profile array vector length for array allocation"
3714         https://bugs.webkit.org/show_bug.cgi?id=177051
3715         http://trac.webkit.org/changeset/222380
3716
3717 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3718
3719         [DFG][FTL] Profile array vector length for array allocation
3720         https://bugs.webkit.org/show_bug.cgi?id=177051