[GTK] TERM environment variable is not passed to the test driver.
[WebKit-https.git] / JSTests / ChangeLog
1 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
4         https://bugs.webkit.org/show_bug.cgi?id=181535
5
6         Reviewed by Saam Barati.
7
8         * stress/inserted-recovery-with-set-last-index.js: Added.
9         (shouldBe):
10         (foo):
11         * stress/materialize-regexp-at-osr-exit.js: Added.
12         (shouldBe):
13         (test):
14         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
15         (shouldBe):
16         (test):
17         * stress/materialize-regexp-cyclic-regexp.js: Added.
18         (shouldBe):
19         (test):
20         (i.switch):
21         * stress/materialize-regexp-cyclic.js: Added.
22         (shouldBe):
23         (test):
24         (i.switch):
25         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
26         (bar):
27         (foo):
28         (test):
29         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
30         (bar):
31         (foo):
32         (test):
33         * stress/materialize-regexp.js: Added.
34         (shouldBe):
35         (test):
36         * stress/phantom-regexp-regexp-exec.js: Added.
37         (shouldBe):
38         (test):
39         * stress/phantom-regexp-string-match.js: Added.
40         (shouldBe):
41         (test):
42         * stress/regexp-last-index-sinking.js: Added.
43         (shouldBe):
44         (test):
45
46 2018-01-17  Saam Barati  <sbarati@apple.com>
47
48         Disable Atomics when SharedArrayBuffer isn’t enabled
49         https://bugs.webkit.org/show_bug.cgi?id=181572
50         <rdar://problem/36553206>
51
52         Reviewed by Michael Saboff.
53
54         * stress/isLockFree.js:
55
56 2018-01-17  Saam Barati  <sbarati@apple.com>
57
58         DFG::Node::convertToConstant needs to clear the varargs flags
59         https://bugs.webkit.org/show_bug.cgi?id=181697
60         <rdar://problem/36497332>
61
62         Reviewed by Yusuke Suzuki.
63
64         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
65         (doIndexOf):
66         (bar):
67         (i.bar):
68
69 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
70
71         Unreviewed, rolling out r226937.
72
73         Tests added with this change are failing due to a missing
74         exception check.
75
76         Reverted changeset:
77
78         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
79         double to int32_t"
80         https://bugs.webkit.org/show_bug.cgi?id=181182
81         https://trac.webkit.org/changeset/226937
82
83 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
84
85         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
86         https://bugs.webkit.org/show_bug.cgi?id=181182
87
88         Reviewed by Darin Adler.
89
90         * bigIntTests.yaml:
91         * stress/big-int-constructor.js:
92         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
93         (assert):
94         (assertThrowRangeError):
95         * stress/number-prototype-to-string-cast-overflow.js: Added.
96         (assert):
97         (assertThrowRangeError):
98
99 2018-01-12  Saam Barati  <sbarati@apple.com>
100
101         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
102         https://bugs.webkit.org/show_bug.cgi?id=181177
103         <rdar://problem/36205704>
104
105         Reviewed by Yusuke Suzuki.
106
107         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
108         (runNearStackLimit.t):
109         (runNearStackLimit):
110         (test.f):
111         (test):
112
113 2018-01-12  Saam Barati  <sbarati@apple.com>
114
115         Each variant of a polymorphic inlined call should be exitOK at the top of the block
116         https://bugs.webkit.org/show_bug.cgi?id=181562
117         <rdar://problem/36445624>
118
119         Reviewed by Yusuke Suzuki.
120
121         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
122         (f):
123         (foo):
124
125 2018-01-11  Saam Barati  <sbarati@apple.com>
126
127         When inserting Unreachable in byte code parser we need to flush all the right things
128         https://bugs.webkit.org/show_bug.cgi?id=181509
129         <rdar://problem/36423110>
130
131         Reviewed by Mark Lam.
132
133         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
134
135 2018-01-11  Saam Barati  <sbarati@apple.com>
136
137         JITMathIC code in the FTL is wrong when code gets duplicated
138         https://bugs.webkit.org/show_bug.cgi?id=181525
139         <rdar://problem/36351993>
140
141         Reviewed by Michael Saboff and Keith Miller.
142
143         * stress/allow-math-ic-b3-code-duplication.js: Added.
144
145 2018-01-11  Saam Barati  <sbarati@apple.com>
146
147         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
148         https://bugs.webkit.org/show_bug.cgi?id=181508
149
150         Reviewed by Yusuke Suzuki.
151
152         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
153         (assert):
154         (test1.foo):
155         (test1):
156         (test2.foo):
157         (test2):
158
159 2018-01-09  Mark Lam  <mark.lam@apple.com>
160
161         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
162         https://bugs.webkit.org/show_bug.cgi?id=181388
163         <rdar://problem/36349351>
164
165         Reviewed by Saam Barati.
166
167         * stress/regress-181388.js: Added.
168
169 2018-01-08  JF Bastien  <jfbastien@apple.com>
170
171         WebAssembly: mask indexed accesses to Table
172         https://bugs.webkit.org/show_bug.cgi?id=181412
173         <rdar://problem/36363236>
174
175         Reviewed by Saam Barati.
176
177         Update error messages.
178
179         * wasm/js-api/table.js:
180         (assert.throws.WebAssembly.Table.prototype.grow):
181
182 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
183
184         Disable SharedArrayBuffer tests missed in r226386.
185         https://bugs.webkit.org/show_bug.cgi?id=181266
186
187         Unreviewed test gardening.
188
189         * test262.yaml:
190
191 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
192
193         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
194         https://bugs.webkit.org/show_bug.cgi?id=181321
195
196         Reviewed by Saam Barati.
197
198         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
199         (shouldBe):
200         (testFunction):
201         * test262.yaml:
202
203 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
204
205         Unreviewed, attempt to fix test262 after r226386.
206
207         * test262.yaml:
208
209 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
210
211         [DFG] Define defs for MapSet/SetAdd to participate in CSE
212         https://bugs.webkit.org/show_bug.cgi?id=179911
213
214         Reviewed by Saam Barati.
215
216         In addition to these tests, map-set-cse.js and set-add-cse.js work.
217
218         * stress/map-set-change-get.js: Added.
219         (shouldBe):
220         (test):
221         * stress/map-set-create-bucket.js: Added.
222         (shouldBe):
223         (test):
224         * stress/set-add-create-bucket.js: Added.
225         (shouldBe):
226
227 2018-01-03  Michael Saboff  <msaboff@apple.com>
228
229         Disable SharedArrayBuffers from Web API
230         https://bugs.webkit.org/show_bug.cgi?id=181266
231
232         Reviewed by Saam Barati.
233
234         Disabled SharedArrayBuffer tests.
235
236         * stress/SharedArrayBuffer-opt.js:
237         * stress/SharedArrayBuffer.js:
238         * stress/array-buffer-byte-length.js:
239         * stress/atomics-add-uint32.js:
240         * stress/atomics-known-int-use.js:
241         * stress/atomics-neg-zero.js:
242         * stress/atomics-store-return.js:
243         * stress/lars-sab-workers.js:
244         * stress/regress-159779-1.js:
245         * stress/regress-159779-2.js:
246         * stress/regress-170473.js:
247         * test262.yaml:
248
249 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
250
251         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
252         https://bugs.webkit.org/show_bug.cgi?id=181258
253
254         Reviewed by Antonio Gomes.
255
256         * stress/big-int-constructor-gc.js:
257         * stress/big-int-constructor-oom.js:
258
259 2018-01-03  Robin Morisset  <rmorisset@apple.com>
260
261         Inlining of a function that ends in op_unreachable crashes
262         https://bugs.webkit.org/show_bug.cgi?id=181027
263
264         Reviewed by Filip Pizlo.
265
266         * stress/inlining-unreachable.js: Added.
267         (bar):
268         (baz):
269         (i.catch):
270
271 2018-01-02  Saam Barati  <sbarati@apple.com>
272
273         Incorrect assertion inside AccessCase
274         https://bugs.webkit.org/show_bug.cgi?id=181200
275         <rdar://problem/35494754>
276
277         Reviewed by Yusuke Suzuki.
278
279         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
280         (ctor):
281         (theFunc):
282         (run):
283
284 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
285
286         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
287         https://bugs.webkit.org/show_bug.cgi?id=175359
288
289         Reviewed by Yusuke Suzuki.
290
291         * bigIntTests.yaml:
292         * stress/big-int-as-key.js: Added.
293         * stress/big-int-constructor-gc.js: Added.
294         * stress/big-int-constructor-oom.js: Added.
295         * stress/big-int-constructor-properties.js: Added.
296         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
297         * stress/big-int-constructor-prototype.js: Added.
298         * stress/big-int-constructor.js: Added.
299         * stress/big-int-function-apply.js:
300         * stress/big-int-length.js: Added.
301         * stress/big-int-prop-descriptor.js: Added.
302         * stress/big-int-proto-constructor.js: Added.
303         * stress/big-int-proto-name.js: Added.
304         * stress/big-int-prototype-properties.js: Added.
305         * stress/big-int-prototype-proto.js: Added.
306         * stress/big-int-prototype-value-of.js: Added.
307         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
308         * stress/big-int-prototype-to-string-apply.js: Added.
309         * stress/big-int-to-object.js: Added.
310         * stress/big-int-to-string.js: Added.
311
312 2017-12-28  Saam Barati  <sbarati@apple.com>
313
314         Assertion used to determine if something is an async generator is wrong
315         https://bugs.webkit.org/show_bug.cgi?id=181168
316         <rdar://problem/35640560>
317
318         Reviewed by Yusuke Suzuki.
319
320         * stress/async-generator-assertion.js: Added.
321
322 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
323
324         Skip stress/splay-flash-access tests on memory limited platforms
325         https://bugs.webkit.org/show_bug.cgi?id=181086
326
327         Reviewed by Carlos Alberto Lopez Perez.
328
329         These tests use about 185M of memory, and occasionally get OOM-killed
330         on memory limited platforms.
331
332         * stress/splay-flash-access-1ms.js:
333         * stress/splay-flash-access.js:
334
335 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
336
337         Skip slow jsc tests on embedded platforms
338         https://bugs.webkit.org/show_bug.cgi?id=180937
339
340         Reviewed by Carlos Alberto Lopez Perez.
341
342         The tests typeProfiler/deltablue-for-of.js and
343         typeProfiler/getter-richards.js take a very long time in the
344         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
345         thus always timeout. They should be skipped on these platforms.
346
347         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
348         * typeProfiler/getter-richards.js: Skip on arm*/mips.
349
350 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
351
352         [JSC] Do not check isValid() in op_new_regexp
353         https://bugs.webkit.org/show_bug.cgi?id=180970
354
355         Reviewed by Saam Barati.
356
357         * stress/regexp-syntax-error-invalid-flags.js: Added.
358         (shouldThrow):
359
360 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
361
362         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
363         https://bugs.webkit.org/show_bug.cgi?id=180712
364
365         Reviewed by Michael Catanzaro.
366
367         stress/call-apply-exponential-bytecode-size.js crashes if the
368         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
369         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
370         should skip the test on other platforms.
371
372         * stress/call-apply-exponential-bytecode-size.js:
373
374 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
375
376         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
377         https://bugs.webkit.org/show_bug.cgi?id=179762
378
379         Reviewed by Saam Barati.
380
381         * stress/call-varargs-double-new-array-buffer.js: Added.
382         (assert):
383         (bar):
384         (foo):
385         * stress/call-varargs-spread-new-array-buffer.js: Added.
386         (assert):
387         (bar):
388         (foo):
389         * stress/call-varargs-spread-new-array-buffer2.js: Added.
390         (assert):
391         (bar):
392         (foo):
393         * stress/forward-varargs-double-new-array-buffer.js: Added.
394         (assert):
395         (test.baz):
396         (test.bar):
397         (test.foo):
398         (test):
399         * stress/new-array-buffer-sinking-osrexit.js: Added.
400         (target):
401         (test):
402         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
403         (shouldBe):
404         (test):
405         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
406         (shouldBe):
407         (target):
408         (test):
409         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
410         (assert):
411         (test1.bar):
412         (test1.foo):
413         (test1):
414         (test2.bar):
415         (test2.foo):
416         (test3.baz):
417         (test3.bar):
418         (test3.foo):
419         (test4.baz):
420         (test4.bar):
421         (test4.foo):
422         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
423         (assert):
424         (test.baz):
425         (test.bar):
426         (test.foo):
427         (test):
428         * stress/phantom-new-array-buffer-osr-exit.js: Added.
429         (assert):
430         (baz):
431         (bar):
432         (effects):
433         (foo):
434
435 2017-12-14  Saam Barati  <sbarati@apple.com>
436
437         The CleanUp after LICM is erroneously removing a Check
438         https://bugs.webkit.org/show_bug.cgi?id=180852
439         <rdar://problem/36063494>
440
441         Reviewed by Filip Pizlo.
442
443         * stress/dont-run-cleanup-after-licm.js: Added.
444
445 2017-12-14  Michael Saboff  <msaboff@apple.com>
446
447         REGRESSION (r225695): Repro crash on yahoo login page
448         https://bugs.webkit.org/show_bug.cgi?id=180761
449
450         Reviewed by JF Bastien.
451
452         New regression test.
453
454         * stress/regress-180761.js: Added.
455
456 2017-12-13  Keith Miller  <keith_miller@apple.com>
457
458         JSObjects should have a mask for loading indexed properties
459         https://bugs.webkit.org/show_bug.cgi?id=180768
460
461         Reviewed by Mark Lam.
462
463         * stress/int16-put-by-val-in-and-out-of-bounds.js:
464         (test):
465
466 2017-12-13  Saam Barati  <sbarati@apple.com>
467
468         Arrow functions need their own structure because they have different properties than sloppy functions
469         https://bugs.webkit.org/show_bug.cgi?id=180779
470         <rdar://problem/35814591>
471
472         Reviewed by Mark Lam.
473
474         * stress/arrow-function-needs-its-own-structure.js: Added.
475         (assert):
476         (readPrototype):
477         (noInline.let.f1):
478         (noInline):
479
480 2017-12-13  Saam Barati  <sbarati@apple.com>
481
482         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
483         https://bugs.webkit.org/show_bug.cgi?id=163579
484         <rdar://problem/35455798>
485
486         Reviewed by Mark Lam.
487
488         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
489         (assert):
490         (test1):
491         (i.test1):
492         (i.test1.C):
493         (i.test1.async.foo):
494         (i.test1.foo):
495         (test2):
496
497 2017-12-13  Saam Barati  <sbarati@apple.com>
498
499         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
500         https://bugs.webkit.org/show_bug.cgi?id=180734
501         <rdar://problem/35640547>
502
503         Reviewed by Yusuke Suzuki.
504
505         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
506         (__isPropertyOfType):
507         (__getProperties):
508         (__getObjects):
509         (__getRandomObject):
510         (theClass.):
511         (theClass):
512         (childClass):
513         (counter.catch):
514
515 2017-12-12  Saam Barati  <sbarati@apple.com>
516
517         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
518         https://bugs.webkit.org/show_bug.cgi?id=180725
519         <rdar://problem/35970511>
520
521         Reviewed by Michael Saboff.
522
523         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
524         (f1):
525         (f2):
526         (let.o2.valueOf):
527
528 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
529
530         [JSC] Implement optimized WeakMap and WeakSet
531         https://bugs.webkit.org/show_bug.cgi?id=179929
532
533         Reviewed by Saam Barati.
534
535         * microbenchmarks/weak-map-key.js:
536         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
537         (assert):
538         (objectKey):
539         (let.start.Date.now):
540         * stress/basic-weakmap.js: Added.
541         (shouldBe):
542         (test):
543         * stress/basic-weakset.js: Added.
544         (shouldBe):
545         (test.set new):
546         * stress/weakmap-cse-set-break.js: Added.
547         (shouldBe):
548         (test):
549         * stress/weakmap-cse.js: Added.
550         (shouldBe):
551         (test):
552         * stress/weakmap-gc.js: Added.
553         (test):
554         * stress/weakset-cse-add-break.js: Added.
555         (shouldBe):
556         (test.set new):
557         * stress/weakset-cse.js: Added.
558         (shouldBe):
559         (test.set new):
560         * stress/weakset-gc.js: Added.
561         (test.set add):
562         (test.set new):
563         (test):
564
565 2017-12-12  Saam Barati  <sbarati@apple.com>
566
567         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
568         https://bugs.webkit.org/show_bug.cgi?id=180723
569         <rdar://problem/35859726>
570
571         Reviewed by JF Bastien.
572
573         * stress/get-my-argument-by-val-constant-folding.js: Added.
574         (test):
575         (catch):
576
577 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
578
579         [ESNext][BigInt] Implement BigInt literals and JSBigInt
580         https://bugs.webkit.org/show_bug.cgi?id=179000
581
582         Reviewed by Darin Adler and Yusuke Suzuki.
583
584         * bigIntTests.yaml: Added.
585         * stress/big-int-literal-line-terminator.js: Added.
586         * stress/big-int-literals.js: Added.
587         * stress/big-int-operations-error.js: Added.
588         * stress/big-int-type-of.js: Added.
589         * stress/big-int-white-space-trailing-leading.js: Added.
590         * stress/big-int-function-apply.js: Added.
591
592 2017-12-11  Saam Barati  <sbarati@apple.com>
593
594         We need to disableCaching() in ErrorInstance when we materialize properties
595         https://bugs.webkit.org/show_bug.cgi?id=180343
596         <rdar://problem/35833002>
597
598         Reviewed by Mark Lam.
599
600         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
601         (assert):
602         (makeError):
603         (storeToStack):
604         (storeToStackAlreadyMaterialized):
605
606 2017-12-05  JF Bastien  <jfbastien@apple.com>
607
608         WebAssembly: don't eagerly checksum
609         https://bugs.webkit.org/show_bug.cgi?id=180441
610         <rdar://problem/35156628>
611
612         Reviewed by Saam Barati.
613
614         Checksum is now disabled, so tests only have <?> as the module
615         name.
616
617         * wasm/function-tests/nameSection.js:
618         * wasm/function-tests/stack-overflow.js:
619         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
620         (assertOverflows.assertThrows):
621         (assertOverflows):
622         * wasm/function-tests/stack-trace.js:
623
624 2017-12-04  JF Bastien  <jfbastien@apple.com>
625
626         Proxy all functions, except the $ objects
627         https://bugs.webkit.org/show_bug.cgi?id=180375
628
629         Reviewed by Saam Barati.
630
631         It looks like this test may have broken some executions because I
632         call some internal objects. Explicitly ignore objects whose name
633         starts with "$" because it's a bad idea anyways.
634
635         * stress/proxy-all-the-parameters.js:
636         (generateObjects):
637         (get throw):
638
639 2017-12-04  Saam Barati  <sbarati@apple.com>
640
641         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
642         https://bugs.webkit.org/show_bug.cgi?id=180366
643         <rdar://problem/35685877>
644
645         Reviewed by Michael Saboff.
646
647         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
648         (theParent):
649         (test1.base.getParentStaticValue):
650         (test1.base):
651         (test1.__v_24888.prototype.set prop):
652         (test1.__v_24888):
653         (test2.base.getParentStaticValue):
654         (test2.base):
655         (test2.__v_24888.prototype.set prop):
656         (test2.__v_24888):
657         (test2):
658
659 2017-12-01  JF Bastien  <jfbastien@apple.com>
660
661         Try proxying all function arguments
662         https://bugs.webkit.org/show_bug.cgi?id=180306
663
664         Reviewed by Saam Barati.
665
666         * stress/proxy-all-the-parameters.js: Added.
667         (isPropertyOfType):
668         (getProperties):
669         (generateObjects):
670         (getObjects):
671         (getFunctions):
672         (get throw):
673         (let.o.of.getObjects.let.f.of.getFunctions.catch):
674
675 2017-12-01  JF Bastien  <jfbastien@apple.com>
676
677         JavaScriptCore: missing exception checks in Math functions that take more than one argument
678         https://bugs.webkit.org/show_bug.cgi?id=180297
679         <rdar://problem/35745556>
680
681         Reviewed by Mark Lam.
682
683         * stress/math-exceptions.js: Added.
684         (get try):
685         (catch):
686
687 2017-12-01  JF Bastien  <jfbastien@apple.com>
688
689         JavaScriptCore: add test for weird class static getters
690         https://bugs.webkit.org/show_bug.cgi?id=180281
691         <rdar://problem/35592139>
692
693         Reviewed by Mark Lam.
694
695         I fixed a bug for it in r224927 and didn't add a test. Do so.
696
697         * stress/class-static-get-weird.js: Added.
698         (c.prototype.get name):
699         (c):
700         (c.prototype.get arguments):
701         (c.prototype.get caller):
702         (c.prototype.get length):
703
704 2017-12-01  Saam Barati  <sbarati@apple.com>
705
706         Having a bad time needs to handle ArrayClass indexing type as well
707         https://bugs.webkit.org/show_bug.cgi?id=180274
708         <rdar://problem/35667869>
709
710         Reviewed by Keith Miller and Mark Lam.
711
712         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
713         (assert):
714         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
715         (assert):
716
717 2017-12-01  JF Bastien  <jfbastien@apple.com>
718
719         WebAssembly: restore cached stack limit after out-call
720         https://bugs.webkit.org/show_bug.cgi?id=179106
721         <rdar://problem/35337525>
722
723         Reviewed by Saam Barati.
724
725         * wasm/function-tests/double-instance.js: Added.
726         (const.imp.boom):
727         (const.imp.get callAnother):
728
729 2017-11-30  JF Bastien  <jfbastien@apple.com>
730
731         WebAssembly: improve stack trace
732         https://bugs.webkit.org/show_bug.cgi?id=179343
733
734         Reviewed by Saam Barati.
735
736         Update the tests to follow the new format. Notably, SHA1 module
737         hash is now included in traces, and stubs are properly identified.
738
739         * wasm/assert.js: Add an assertion which matches regular expressions.
740         * wasm/function-tests/nameSection.js:
741         * wasm/function-tests/stack-overflow.js:
742         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
743         (assertOverflows.assertThrows.wasm.1):
744         (assertOverflows.assertThrows.wasm.0):
745         (assertOverflows.assertThrows):
746         (assertOverflows):
747         * wasm/function-tests/stack-trace.js:
748         (import.Builder.from.string_appeared_here.assert): Deleted.
749         * wasm/function-tests/trap-after-cross-instance-call.js:
750         (wasmFrameCountFromError):
751         * wasm/function-tests/trap-load-2.js:
752         (wasmFrameCountFromError):
753         * wasm/function-tests/trap-load.js:
754         (wasmFrameCountFromError):
755
756 2017-11-30  Mark Lam  <mark.lam@apple.com>
757
758         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
759         https://bugs.webkit.org/show_bug.cgi?id=180219
760         <rdar://problem/35696536>
761
762         Reviewed by Filip Pizlo.
763
764         * stress/regress-180219.js: Added.
765
766 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
767
768         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
769         https://bugs.webkit.org/show_bug.cgi?id=180190
770
771         Reviewed by Mark Lam.
772
773         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
774         (shouldBe):
775         (test1):
776         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
777         (shouldBe):
778         (test1):
779         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
780         (shouldBe):
781         (test1):
782         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
783         (shouldBe):
784         (test1):
785         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
786         (shouldBe):
787         (test1):
788         * stress/operation-in-may-have-negative-int32.js: Added.
789         (shouldBe):
790         (test2):
791         * stress/operation-in-negative-int32-cast.js: Added.
792         (shouldBe):
793         (test1):
794
795 2017-11-28  JF Bastien  <jfbastien@apple.com>
796
797         Strict and sloppy functions shouldn't share structure
798         https://bugs.webkit.org/show_bug.cgi?id=180103
799         <rdar://problem/35667847>
800
801         Reviewed by Saam Barati.
802
803         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
804         because the IC was wrong.
805         (foo):
806         (bar):
807         (baz):
808         (catch):
809         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
810         in this patch, but may as well test odd strict mode corner cases.
811         (bar):
812         (baz):
813         (catch):
814         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
815         (foo):
816         (bar):
817         (baz):
818         (catch):
819         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
820         next file, but with invalidation of the FunctionExecutable's
821         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
822         slower path.
823         (foo):
824         (bar.const.x):
825         (bar.const.y):
826         (bar):
827         (catch):
828         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
829         strict nesting works correctly.
830         (foo):
831         (bar.baz):
832         (bar):
833         * stress/strict-function-structure.js: Added. The test used to
834         assert in objectProtoFuncHasOwnProperty.
835         (foo):
836         (bar):
837         (baz):
838         * stress/strict-nested-function-structure.js: Added. Nesting.
839         (foo):
840         (bar):
841         (baz.boo):
842         (baz):
843
844 2017-11-29  Robin Morisset  <rmorisset@apple.com>
845
846         The recursive tail call optimisation is wrong on closures
847         https://bugs.webkit.org/show_bug.cgi?id=179835
848
849         Reviewed by Saam Barati.
850
851         * stress/closure-recursive-tail-call.js: Added.
852         (makeClosure):
853
854 2017-11-27  JF Bastien  <jfbastien@apple.com>
855
856         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
857         https://bugs.webkit.org/show_bug.cgi?id=180051
858         <rdar://problem/35614371>
859
860         Reviewed by Saam Barati.
861
862         * stress/rest-parameter-negative.js: Added.
863         (__f_5484):
864         (catch):
865         (__f_5485):
866         (__v_22598.catch):
867
868 2017-11-27  Saam Barati  <sbarati@apple.com>
869
870         Spread can escape when CreateRest does not
871         https://bugs.webkit.org/show_bug.cgi?id=180057
872         <rdar://problem/35676119>
873
874         Reviewed by JF Bastien.
875
876         * stress/spread-escapes-but-create-rest-does-not.js: Added.
877         (assert):
878         (getProperties):
879         (theFunc):
880         (let.obj.valueOf):
881
882 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
883
884         [DFG] Add NormalizeMapKey DFG IR
885         https://bugs.webkit.org/show_bug.cgi?id=179912
886
887         Reviewed by Saam Barati.
888
889         * stress/map-untyped-normalize-cse.js: Added.
890         (shouldBe):
891         (test):
892         * stress/map-untyped-normalize.js: Added.
893         (shouldBe):
894         (test):
895         * stress/set-untyped-normalize-cse.js: Added.
896         (shouldBe):
897         (set return.set has.set has):
898         * stress/set-untyped-normalize.js: Added.
899         (shouldBe):
900         (set return.set has):
901
902 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
903
904         [FTL] Support DeleteById and DeleteByVal
905         https://bugs.webkit.org/show_bug.cgi?id=180022
906
907         Reviewed by Saam Barati.
908
909         * stress/delete-by-id.js: Added.
910         (shouldBe):
911         (test1):
912         (test2):
913         * stress/delete-by-val-ftl.js: Added.
914         (shouldBe):
915         (test1):
916         (test2):
917
918 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
919
920         [DFG] Introduce {Set,Map,WeakMap}Fields
921         https://bugs.webkit.org/show_bug.cgi?id=179925
922
923         Reviewed by Saam Barati.
924
925         * stress/map-set-clobber-map-get.js: Added.
926         (shouldBe):
927         (test):
928         * stress/map-set-does-not-clobber-set-has.js: Added.
929         (shouldBe):
930         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
931         (shouldBe):
932         (test):
933         * stress/set-add-clobber-set-has.js: Added.
934         (shouldBe):
935         * stress/set-add-does-not-clobber-map-get.js: Added.
936         (shouldBe):
937
938 2017-11-24  Mark Lam  <mark.lam@apple.com>
939
940         Move unsafe jsc shell test functions to the $vm object.
941         https://bugs.webkit.org/show_bug.cgi?id=179980
942
943         Reviewed by Yusuke Suzuki.
944
945         * controlFlowProfiler/driver/driver.js:
946         * controlFlowProfiler/execution-count.js:
947         * controlFlowProfiler/if-statement.js:
948         * controlFlowProfiler/loop-statements.js:
949         * controlFlowProfiler/switch-statements.js:
950         * controlFlowProfiler/test-jit.js:
951         * exceptionFuzz/3d-cube.js:
952         * exceptionFuzz/date-format-xparb.js:
953         * exceptionFuzz/earley-boyer.js:
954         * heapProfiler/basic-edges.js:
955         * heapProfiler/property-edge-types.js:
956         * microbenchmarks/try-get-by-id-basic.js:
957         * microbenchmarks/try-get-by-id-polymorphic.js:
958         * modules/namespace-object-try-get.js:
959         * stress/argument-count-bytecode.js:
960         * stress/argument-intrinsic-basic.js:
961         * stress/argument-intrinsic-inlining-use-caller-arg.js:
962         * stress/argument-intrinsic-inlining-with-result-escape.js:
963         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
964         * stress/argument-intrinsic-inlining-with-vararg.js:
965         * stress/argument-intrinsic-nested-inlining.js:
966         * stress/argument-intrinsic-not-convert-to-get-argument.js:
967         * stress/argument-intrinsic-with-stack-write.js:
968         * stress/arity-mismatch-get-argument.js:
969         * stress/array-message-passing.js:
970         * stress/array-push-with-force-exit.js:
971         * stress/check-dom-with-signature.js:
972         * stress/check-sub-class.js:
973         * stress/compare-eq-incomplete-profile.js:
974         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
975         * stress/do-eval-virtual-call-correctly.js:
976         * stress/dom-jit-with-poly-proto.js:
977         * stress/domjit-exception-ic.js:
978         * stress/domjit-exception.js:
979         * stress/domjit-getter-complex-with-incorrect-object.js:
980         * stress/domjit-getter-complex.js:
981         * stress/domjit-getter-poly.js:
982         * stress/domjit-getter-proto.js:
983         * stress/domjit-getter-super-poly.js:
984         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
985         * stress/domjit-getter-type-check.js:
986         * stress/domjit-getter.js:
987         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
988         * stress/for-in-proxy-target-changed-structure.js:
989         * stress/for-in-proxy.js:
990         * stress/generational-opaque-roots.js:
991         * stress/global-const-redeclaration-setting-2.js:
992         * stress/global-const-redeclaration-setting-3.js:
993         * stress/global-const-redeclaration-setting-4.js:
994         * stress/global-const-redeclaration-setting-5.js:
995         * stress/global-const-redeclaration-setting.js:
996         * stress/import-basic.js:
997         * stress/import-from-eval.js:
998         * stress/import-reject-with-exception.js:
999         * stress/import-syntax.js:
1000         * stress/impure-get-own-property-slot-inline-cache.js:
1001         * stress/is-constructor.js:
1002         * stress/istypedarrayview-intrinsic.js:
1003         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1004         * stress/jsc-test-functions-should-be-more-robust.js:
1005         * stress/object-toString-with-proxy.js:
1006         * stress/poly-proto-custom-value-and-accessor.js:
1007         * stress/proxy-inline-cache.js:
1008         * stress/re-execute-error-module.js:
1009         * stress/regress-150532.js:
1010         * stress/regress-156992.js:
1011         * stress/regress-179619.js:
1012         * stress/resources/shadow-chicken-support.js:
1013         * stress/runtime-array.js:
1014         * stress/sampling-profiler-microtasks.js:
1015         * stress/shadow-chicken-enabled.js:
1016         * stress/spread-correct-global-object-on-exception.js:
1017         * stress/super-get-by-id.js:
1018         * stress/tailCallForwardArguments.js:
1019         * stress/to-object-intrinsic-boolean-edge.js:
1020         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1021         * stress/to-object-intrinsic-number-edge.js:
1022         * stress/to-object-intrinsic-object-edge.js:
1023         * stress/to-object-intrinsic-string-edge.js:
1024         * stress/to-object-intrinsic-symbol-edge.js:
1025         * stress/to-object-intrinsic.js:
1026         * stress/try-catch-custom-getter-as-get-by-id.js:
1027         * stress/try-get-by-id-poly-proto.js:
1028         * stress/try-get-by-id-should-spill-registers-dfg.js:
1029         * stress/try-get-by-id.js:
1030         * typeProfiler/arrow-functions.js:
1031         * typeProfiler/basic.js:
1032         * typeProfiler/captured.js:
1033         * typeProfiler/classes.js:
1034         * typeProfiler/dfg-jit-optimizations.js:
1035         * typeProfiler/dictionary-mode.js:
1036         * typeProfiler/es6-block-scoping.js:
1037         * typeProfiler/es6-classes.js:
1038         * typeProfiler/inheritance.js:
1039         * typeProfiler/int52-dfg.js:
1040         * typeProfiler/loop.js:
1041         * typeProfiler/optional-fields.js:
1042         * typeProfiler/overflow.js:
1043         * typeProfiler/return.js:
1044         * typeProfiler/symbol.js:
1045         * typeProfiler/weird-prototype-chain.js:
1046
1047 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1048
1049         [DFG][FTL] Support MapSet / SetAdd intrinsics
1050         https://bugs.webkit.org/show_bug.cgi?id=179858
1051
1052         Reviewed by Saam Barati.
1053
1054         * microbenchmarks/map-has-and-set.js: Added.
1055         (test):
1056         * stress/map-set-check-failure.js: Added.
1057         (shouldBe):
1058         (shouldThrow):
1059         (target):
1060         * stress/map-set-cse.js: Added.
1061         (shouldBe):
1062         (test):
1063         * stress/set-add-check-failure.js: Added.
1064         (shouldBe):
1065         (shouldThrow):
1066         (set shouldThrow):
1067         * stress/set-add-cse.js: Added.
1068         (shouldBe):
1069
1070 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1071
1072         [JSC] Allow poly proto for intrinsic getters
1073         https://bugs.webkit.org/show_bug.cgi?id=179550
1074
1075         Reviewed by Saam Barati.
1076
1077         This change is also tested by existing tests.
1078
1079             1. stress/intrinsic-getter-with-poly-proto.js
1080             2. stress/poly-proto-intrinsic-getter-correctness.js
1081
1082         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1083         (shouldBe):
1084         (makePolyProtoObject.foo.C):
1085         (makePolyProtoObject.foo):
1086         (makePolyProtoObject):
1087         (target):
1088         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1089         (shouldBe):
1090         (makePolyProtoObject.foo.C):
1091         (makePolyProtoObject.foo):
1092         (makePolyProtoObject):
1093         (target):
1094
1095 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1096
1097         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1098         https://bugs.webkit.org/show_bug.cgi?id=179744
1099
1100         Reviewed by Michael Catanzaro.
1101
1102         This test uses too much memory for our buildbots on these platforms
1103         and gets OOM-killed.
1104
1105         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1106         Skip if $memoryLimited and linux.
1107
1108 2017-11-17  JF Bastien  <jfbastien@apple.com>
1109
1110         WebAssembly JS API: throw when a promise can't be created
1111         https://bugs.webkit.org/show_bug.cgi?id=179826
1112         <rdar://problem/35455813>
1113
1114         Reviewed by Mark Lam.
1115
1116         Test WebAssembly.{compile,instantiate} where promise creation
1117         fails because of a stack overflow.
1118
1119         * wasm/js-api/promise-stack-overflow.js: Added.
1120         (const.runNearStackLimit.f.const.t):
1121         (async.testCompile):
1122         (async.testInstantiate):
1123
1124 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1125
1126         Unreviewed, mark regress-178385.js as memory exhausting
1127
1128         * stress/regress-178385.js:
1129
1130 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1131
1132         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1133
1134         Unreviewed test gardening.
1135
1136         * test262.yaml:
1137
1138 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1139
1140         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1141         https://bugs.webkit.org/show_bug.cgi?id=179763
1142         <rdar://problem/35550513>
1143
1144         Reviewed by Keith Miller.
1145
1146         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1147
1148         * stress/tdz-this-in-try-catch.js: Added.
1149         (__v_6388):
1150         (__v_6392):
1151
1152 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1153
1154         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1155         https://bugs.webkit.org/show_bug.cgi?id=179594
1156
1157         Reviewed by Saam Barati.
1158
1159         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1160         (shouldBe):
1161         (args):
1162         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1163         (shouldBe):
1164         (args):
1165
1166 2017-11-14  Saam Barati  <sbarati@apple.com>
1167
1168         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1169         https://bugs.webkit.org/show_bug.cgi?id=179639
1170         <rdar://problem/35513018>
1171
1172         Reviewed by JF Bastien.
1173
1174         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1175         (escape):
1176         (i.func):
1177
1178 2017-11-13  Mark Lam  <mark.lam@apple.com>
1179
1180         Add more overflow check book-keeping for MarkedArgumentBuffer.
1181         https://bugs.webkit.org/show_bug.cgi?id=179634
1182         <rdar://problem/35492517>
1183
1184         Reviewed by Saam Barati.
1185
1186         * stress/regress-179634.js: Added.
1187
1188 2017-11-13  Mark Lam  <mark.lam@apple.com>
1189
1190         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1191         https://bugs.webkit.org/show_bug.cgi?id=179619
1192         <rdar://problem/35492518>
1193
1194         Reviewed by Saam Barati.
1195
1196         * stress/regress-179619.js: Added.
1197
1198 2017-11-12  Mark Lam  <mark.lam@apple.com>
1199
1200         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1201         https://bugs.webkit.org/show_bug.cgi?id=179562
1202         <rdar://problem/35467022>
1203
1204         Reviewed by Saam Barati.
1205
1206         * regress-179562.js: Added.
1207
1208 2017-11-08  Saam Barati  <sbarati@apple.com>
1209
1210         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1211         https://bugs.webkit.org/show_bug.cgi?id=177792
1212
1213         Reviewed by Yusuke Suzuki.
1214
1215         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1216         (assert):
1217         (foo.Foo.prototype.ensureX):
1218         (foo.Foo):
1219         (foo):
1220         (access):
1221
1222 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1223
1224         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1225         https://bugs.webkit.org/show_bug.cgi?id=178592
1226
1227         Unreviewed test gardening.
1228
1229         * test262.yaml:
1230
1231 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1232
1233         Turn recursive tail calls into loops
1234         https://bugs.webkit.org/show_bug.cgi?id=176601
1235
1236         Reviewed by Saam Barati.
1237
1238         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1239
1240         Add some simple test that computes factorial in several ways, and other trivial computations.
1241         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1242         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1243         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1244         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1245
1246         * stress/inline-call-to-recursive-tail-call.js: Added.
1247         (factorial.aux):
1248         (factorial):
1249         (factorial2.aux2):
1250         (factorial2.id):
1251         (factorial2):
1252         (factorial3.aux3):
1253         (factorial3):
1254         (aux4):
1255         (factorial4):
1256         (foo):
1257         (auxBar):
1258         (bar):
1259         (test):
1260
1261 2017-11-07  Mark Lam  <mark.lam@apple.com>
1262
1263         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1264         https://bugs.webkit.org/show_bug.cgi?id=179355
1265         <rdar://problem/35263053>
1266
1267         Reviewed by Saam Barati.
1268
1269         * stress/regress-179355.js: Added.
1270
1271 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1272
1273         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1274         https://bugs.webkit.org/show_bug.cgi?id=144458
1275
1276         Reviewed by Saam Barati.
1277
1278         * microbenchmarks/dfg-internal-function-call.js: Added.
1279         (target):
1280         * microbenchmarks/dfg-internal-function-construct.js: Added.
1281         (target):
1282         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
1283         (target):
1284         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
1285         (target):
1286         * stress/dfg-internal-function-call.js: Added.
1287         (shouldBe):
1288         (target):
1289         * stress/dfg-internal-function-construct.js: Added.
1290         (shouldBe):
1291         (target):
1292         * stress/internal-function-call.js: Added.
1293         (shouldBe):
1294         * stress/internal-function-construct.js: Added.
1295         (shouldBe):
1296
1297 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
1298
1299         [Win] Skip stress/regress-178385.js.
1300         https://bugs.webkit.org/show_bug.cgi?id=179298
1301
1302         Unreviewed test gardening.
1303
1304         * stress/regress-178385.js:
1305
1306 2017-11-03  Keith Miller  <keith_miller@apple.com>
1307
1308         Add test for ic with side effects
1309         https://bugs.webkit.org/show_bug.cgi?id=179268
1310
1311         Reviewed by Saam Barati.
1312
1313         * stress/put-inline-cache-side-effects.js: Added.
1314         (let.i.of.objs.keys):
1315         (f):
1316
1317 2017-11-03  Mark Lam  <mark.lam@apple.com>
1318
1319         CachedCall (and its clients) needs overflow checks.
1320         https://bugs.webkit.org/show_bug.cgi?id=179185
1321
1322         Reviewed by JF Bastien.
1323
1324         * stress/regress-179185.js: Added.
1325
1326 2017-11-02  Michael Saboff  <msaboff@apple.com>
1327
1328         DFG needs to handle code motion of code in for..in loop bodies
1329         https://bugs.webkit.org/show_bug.cgi?id=179212
1330
1331         Reviewed by Keith Miller.
1332
1333         New regression test.
1334
1335         * stress/for-in-side-effects.js: Added.
1336         (getPrototypeOf):
1337         (reset):
1338         (testWithoutFTL.f):
1339         (testWithoutFTL):
1340         (testWithFTL.f):
1341         (testWithFTL):
1342
1343 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1344
1345         AI does not correctly model the clobber case of ArithClz32
1346         https://bugs.webkit.org/show_bug.cgi?id=179188
1347
1348         Reviewed by Michael Saboff.
1349
1350         * stress/arith-clz32-effects.js: Added.
1351         (foo):
1352         (valueOf):
1353
1354 2017-11-01  Michael Saboff  <msaboff@apple.com>
1355
1356         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1357         https://bugs.webkit.org/show_bug.cgi?id=179140
1358
1359         Reviewed by Saam Barati.
1360
1361         New regression test.
1362
1363         * stress/regress-179140.js: Added.
1364         (testWithoutFTL):
1365         (testWithFTL):
1366
1367 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1368
1369         [JSC] Introduce @toObject
1370         https://bugs.webkit.org/show_bug.cgi?id=178726
1371
1372         Reviewed by Saam Barati.
1373
1374         * stress/array-copywithin.js:
1375         (shouldThrow):
1376         * stress/object-constructor-boolean-edge.js: Added.
1377         (shouldBe):
1378         (test):
1379         * stress/object-constructor-global.js: Added.
1380         (shouldBe):
1381         * stress/object-constructor-null-edge.js: Added.
1382         (shouldBe):
1383         (test):
1384         * stress/object-constructor-number-edge.js: Added.
1385         (shouldBe):
1386         (test):
1387         * stress/object-constructor-object-edge.js: Added.
1388         (shouldBe):
1389         (test):
1390         (i.arg):
1391         * stress/object-constructor-string-edge.js: Added.
1392         (shouldBe):
1393         (test):
1394         * stress/object-constructor-symbol-edge.js: Added.
1395         (shouldBe):
1396         (test):
1397         * stress/object-constructor-undefined-edge.js: Added.
1398         (shouldBe):
1399         (test):
1400         * stress/symbol-array-from.js: Added.
1401         (shouldBe):
1402         * stress/to-object-intrinsic-boolean-edge.js: Added.
1403         (shouldBe):
1404         (builtin.createBuiltin):
1405         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
1406         (shouldThrow):
1407         * stress/to-object-intrinsic-number-edge.js: Added.
1408         (shouldBe):
1409         (builtin.createBuiltin):
1410         * stress/to-object-intrinsic-object-edge.js: Added.
1411         (shouldBe):
1412         (builtin.createBuiltin):
1413         (i.arg):
1414         * stress/to-object-intrinsic-string-edge.js: Added.
1415         (shouldBe):
1416         (builtin.createBuiltin):
1417         * stress/to-object-intrinsic-symbol-edge.js: Added.
1418         (shouldBe):
1419         (builtin.createBuiltin):
1420         * stress/to-object-intrinsic.js: Added.
1421         (shouldBe):
1422         (shouldThrow):
1423         (builtin.createBuiltin):
1424
1425 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1426
1427         [DFG][FTL] Introduce StringSlice
1428         https://bugs.webkit.org/show_bug.cgi?id=178934
1429
1430         Reviewed by Saam Barati.
1431
1432         * microbenchmarks/string-slice-empty.js: Added.
1433         (slice):
1434         * microbenchmarks/string-slice-one-char.js: Added.
1435         (slice):
1436         * microbenchmarks/string-slice.js: Added.
1437         (slice):
1438
1439 2017-10-26  Michael Saboff  <msaboff@apple.com>
1440
1441         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1442         https://bugs.webkit.org/show_bug.cgi?id=178890
1443
1444         Reviewed by Keith Miller.
1445
1446         New regression test.
1447
1448         * stress/regress-178890.js: Added.
1449
1450 2017-10-26  Mark Lam  <mark.lam@apple.com>
1451
1452         JSRopeString::RopeBuilder::append() should check for overflows.
1453         https://bugs.webkit.org/show_bug.cgi?id=178385
1454         <rdar://problem/35027468>
1455
1456         Reviewed by Saam Barati.
1457
1458         * stress/regress-178385.js: Added.
1459
1460 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
1461
1462         Unreviewed, rolling out r223961.
1463
1464         The change that required this has been rolled out.
1465
1466         Reverted changeset:
1467
1468         "Mark test262.yaml/test262/test/language/statements/try/tco-
1469         catch.js as passing."
1470         https://bugs.webkit.org/show_bug.cgi?id=178592
1471         https://trac.webkit.org/changeset/223961
1472
1473 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1474
1475         Unreviewed, rolling out r223691 and r223729.
1476         https://bugs.webkit.org/show_bug.cgi?id=178834
1477
1478         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1479         by rniwa on #webkit).
1480
1481         Reverted changesets:
1482
1483         "Turn recursive tail calls into loops"
1484         https://bugs.webkit.org/show_bug.cgi?id=176601
1485         https://trac.webkit.org/changeset/223691
1486
1487         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1488         comparison is always false due to limited range of data type
1489         [-Wtype-limits]"
1490         https://bugs.webkit.org/show_bug.cgi?id=178543
1491         https://trac.webkit.org/changeset/223729
1492
1493 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
1494
1495         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1496         https://bugs.webkit.org/show_bug.cgi?id=178592
1497
1498         Unreviewed test gardening.
1499
1500         * test262.yaml:
1501
1502 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1503
1504         [FTL] Support NewStringObject
1505         https://bugs.webkit.org/show_bug.cgi?id=178737
1506
1507         Reviewed by Saam Barati.
1508
1509         * stress/new-string-object.js: Added.
1510         (shouldBe):
1511         (test):
1512
1513 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1514
1515         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
1516         https://bugs.webkit.org/show_bug.cgi?id=178308
1517
1518         Reviewed by Mark Lam.
1519
1520         * test262.yaml:
1521
1522 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1523
1524         [JSC] Use fastJoin in Array#toString
1525         https://bugs.webkit.org/show_bug.cgi?id=178062
1526
1527         Reviewed by Darin Adler.
1528
1529         * microbenchmarks/contiguous-array-to-string.js: Added.
1530         (target):
1531         * microbenchmarks/double-array-to-string.js: Added.
1532         (target):
1533         * microbenchmarks/int32-array-to-string.js: Added.
1534         (target):
1535
1536 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
1537
1538         stress/check-string-ident.js is improperly skipped
1539         https://bugs.webkit.org/show_bug.cgi?id=178642
1540
1541         Reviewed by Saam Barati.
1542
1543         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
1544         since it enforces the run-jsc-stress-tests script to still set up the
1545         test to run, despite the skip directive that's used before.
1546
1547 2017-10-20  Mark Lam  <mark.lam@apple.com>
1548
1549         Add a test case for r214334.
1550         https://bugs.webkit.org/show_bug.cgi?id=169941
1551         <rdar://problem/31221258>
1552
1553         Reviewed by JF Bastien.
1554
1555         * stress/regress-169941.js: Added.
1556
1557 2017-10-19  JF Bastien  <jfbastien@apple.com>
1558
1559         WebAssembly: no VM / JS version of everything but Instance
1560         https://bugs.webkit.org/show_bug.cgi?id=177473
1561
1562         Reviewed by Filip Pizlo, Saam Barati.
1563
1564         - Exceeding max on memory growth now returns a range error as per
1565         spec. This is a (very minor) breaking change: it used to throw OOM
1566         error. Update the corresponding test.
1567
1568         * wasm/js-api/memory-grow.js:
1569         (assertEq):
1570         * wasm/js-api/table.js:
1571         (assert.throws):
1572
1573 2017-10-19  Mark Lam  <mark.lam@apple.com>
1574
1575         Stringifier::appendStringifiedValue() is missing an exception check.
1576         https://bugs.webkit.org/show_bug.cgi?id=178386
1577         <rdar://problem/35027610>
1578
1579         Reviewed by Saam Barati.
1580
1581         * stress/regress-178386.js: Added.
1582
1583 2017-10-19  Michael Saboff  <msaboff@apple.com>
1584
1585         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
1586         https://bugs.webkit.org/show_bug.cgi?id=178521
1587
1588         Reviewed by JF Bastien.
1589
1590         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
1591         now passes with the current version (5.0) of the Emoji spec.
1592
1593 2017-10-19  Robin Morisset  <rmorisset@apple.com>
1594
1595         Turn recursive tail calls into loops
1596         https://bugs.webkit.org/show_bug.cgi?id=176601
1597
1598         Reviewed by Saam Barati.
1599
1600         Add some simple test that computes factorial in several ways, and other trivial computations.
1601         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1602         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1603         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1604         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1605
1606         * stress/inline-call-to-recursive-tail-call.js: Added.
1607         (factorial.aux):
1608         (factorial):
1609         (factorial2.aux):
1610         (factorial2.id):
1611         (factorial2):
1612         (factorial3.aux):
1613         (factorial3):
1614         (aux):
1615         (factorial4):
1616         (test):
1617
1618 2017-10-18  Mark Lam  <mark.lam@apple.com>
1619
1620         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
1621         https://bugs.webkit.org/show_bug.cgi?id=177600
1622         <rdar://problem/34710985>
1623
1624         Reviewed by Saam Barati.
1625
1626         * stress/regress-177600.js: Added.
1627
1628 2017-10-18  Mark Lam  <mark.lam@apple.com>
1629
1630         The compiler should always register a structure when it adds its transitionWatchPointSet.
1631         https://bugs.webkit.org/show_bug.cgi?id=178420
1632         <rdar://problem/34814024>
1633
1634         Reviewed by Saam Barati and Filip Pizlo.
1635
1636         * stress/regress-178420.js: Added.
1637         (new.Array.10000.map):
1638
1639 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1640
1641         [JSC] __proto__ getter should be fast
1642         https://bugs.webkit.org/show_bug.cgi?id=178067
1643
1644         Reviewed by Saam Barati.
1645
1646         * stress/dfg-object-proto-accessor.js: Added.
1647         (shouldBe):
1648         (shouldThrow):
1649         (target):
1650         * stress/dfg-object-proto-getter.js: Added.
1651         (shouldBe):
1652         (shouldThrow):
1653         (target):
1654         * stress/dfg-object-prototype-of.js: Added.
1655         (shouldBe):
1656         (shouldThrow):
1657         (target):
1658         * stress/dfg-reflect-get-prototype-of.js: Added.
1659         (shouldBe):
1660         (shouldThrow):
1661         (target):
1662         * stress/intrinsic-getter-with-poly-proto.js: Added.
1663         (shouldBe):
1664         (makePolyProtoObject.foo.C):
1665         (makePolyProtoObject.foo):
1666         (makePolyProtoObject):
1667         (target):
1668         * stress/object-get-prototype-of-filtered.js: Added.
1669         (shouldBe):
1670         (shouldThrow):
1671         (target):
1672         (i.Cocoa):
1673         * stress/object-get-prototype-of-mono-proto.js: Added.
1674         (shouldBe):
1675         (makePolyProtoObject.foo.C):
1676         (makePolyProtoObject.foo):
1677         (makePolyProtoObject):
1678         (target):
1679         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
1680         (shouldBe):
1681         (makePolyProtoObject.foo.C):
1682         (makePolyProtoObject.foo):
1683         (makePolyProtoObject):
1684         (target):
1685         * stress/object-get-prototype-of-poly-proto.js: Added.
1686         (shouldBe):
1687         (makePolyProtoObject.foo.C):
1688         (makePolyProtoObject.foo):
1689         (makePolyProtoObject):
1690         (target):
1691         * stress/object-proto-getter-filtered.js: Added.
1692         (shouldBe):
1693         (shouldThrow):
1694         (target):
1695         (i.Cocoa):
1696         * stress/object-proto-getter-poly-mono-proto.js: Added.
1697         (shouldBe):
1698         (makePolyProtoObject.foo.C):
1699         (makePolyProtoObject.foo):
1700         (makePolyProtoObject):
1701         (target):
1702         * stress/object-proto-getter-poly-proto.js: Added.
1703         (shouldBe):
1704         (makePolyProtoObject.foo.C):
1705         (makePolyProtoObject.foo):
1706         (makePolyProtoObject):
1707         (target):
1708         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
1709         * stress/string-proto.js: Added.
1710         (shouldBe):
1711         (target):
1712
1713 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
1714
1715         Unreviewed, rolling out r223523.
1716
1717         A test for this change is failing on debug JSC bots.
1718
1719         Reverted changeset:
1720
1721         "[JSC] __proto__ getter should be fast"
1722         https://bugs.webkit.org/show_bug.cgi?id=178067
1723         https://trac.webkit.org/changeset/223523
1724
1725 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1726
1727         [JSC] __proto__ getter should be fast
1728         https://bugs.webkit.org/show_bug.cgi?id=178067
1729
1730         Reviewed by Saam Barati.
1731
1732         * stress/dfg-object-proto-accessor.js: Added.
1733         (shouldBe):
1734         (shouldThrow):
1735         (target):
1736         * stress/dfg-object-proto-getter.js: Added.
1737         (shouldBe):
1738         (shouldThrow):
1739         (target):
1740         * stress/dfg-object-prototype-of.js: Added.
1741         (shouldBe):
1742         (shouldThrow):
1743         (target):
1744         * stress/dfg-reflect-get-prototype-of.js: Added.
1745         (shouldBe):
1746         (shouldThrow):
1747         (target):
1748         * stress/object-get-prototype-of-filtered.js: Added.
1749         (shouldBe):
1750         (shouldThrow):
1751         (target):
1752         (i.Cocoa):
1753         * stress/object-get-prototype-of-mono-proto.js: Added.
1754         (shouldBe):
1755         (makePolyProtoObject.foo.C):
1756         (makePolyProtoObject.foo):
1757         (makePolyProtoObject):
1758         (target):
1759         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
1760         (shouldBe):
1761         (makePolyProtoObject.foo.C):
1762         (makePolyProtoObject.foo):
1763         (makePolyProtoObject):
1764         (target):
1765         * stress/object-get-prototype-of-poly-proto.js: Added.
1766         (shouldBe):
1767         (makePolyProtoObject.foo.C):
1768         (makePolyProtoObject.foo):
1769         (makePolyProtoObject):
1770         (target):
1771         * stress/object-proto-getter-filtered.js: Added.
1772         (shouldBe):
1773         (shouldThrow):
1774         (target):
1775         (i.Cocoa):
1776         * stress/object-proto-getter-poly-mono-proto.js: Added.
1777         (shouldBe):
1778         (makePolyProtoObject.foo.C):
1779         (makePolyProtoObject.foo):
1780         (makePolyProtoObject):
1781         (target):
1782         * stress/object-proto-getter-poly-proto.js: Added.
1783         (shouldBe):
1784         (makePolyProtoObject.foo.C):
1785         (makePolyProtoObject.foo):
1786         (makePolyProtoObject):
1787         (target):
1788         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
1789         * stress/string-proto.js: Added.
1790         (shouldBe):
1791         (target):
1792
1793 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1794
1795         Reland "Add Above/Below comparisons for UInt32 patterns"
1796         https://bugs.webkit.org/show_bug.cgi?id=177281
1797
1798         Reviewed by Saam Barati.
1799
1800         * stress/uint32-comparison-jump.js: Added.
1801         (shouldBe):
1802         (above):
1803         (aboveOrEqual):
1804         (below):
1805         (belowOrEqual):
1806         (notAbove):
1807         (notAboveOrEqual):
1808         (notBelow):
1809         (notBelowOrEqual):
1810         * stress/uint32-comparison.js: Added.
1811         (shouldBe):
1812         (above):
1813         (aboveOrEqual):
1814         (below):
1815         (belowOrEqual):
1816         (aboveTest):
1817         (aboveOrEqualTest):
1818         (belowTest):
1819         (belowOrEqualTest):
1820
1821 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1822
1823         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
1824         https://bugs.webkit.org/show_bug.cgi?id=178210
1825
1826         Reviewed by Saam Barati.
1827
1828         * wasm/function-tests/trap-from-start-async.js:
1829         (async.StartTrapsAsync):
1830         * wasm/function-tests/trap-from-start.js:
1831         (StartTraps):
1832         * wasm/js-api/web-assembly-function.js:
1833         (assert.eq.Object.getPrototypeOf):
1834         * wasm/js-api/wrapper-function.js:
1835         (return.new.WebAssembly.Module):
1836         (assert.throws.makeInstance): Deleted.
1837         (assert.throws.Bar): Deleted.
1838         (assert.throws): Deleted.
1839
1840 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
1841
1842         Enable gigacage on iOS
1843         https://bugs.webkit.org/show_bug.cgi?id=177586
1844
1845         Reviewed by JF Bastien.
1846         
1847         Add tests for when Gigacage gets runtime disabled.
1848
1849         * stress/disable-gigacage-arrays.js: Added.
1850         (foo):
1851         * stress/disable-gigacage-strings.js: Added.
1852         (foo):
1853         * stress/disable-gigacage-typed-arrays.js: Added.
1854         (foo):
1855
1856 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1857
1858         import.meta should not be assignable
1859         https://bugs.webkit.org/show_bug.cgi?id=178202
1860
1861         Reviewed by Saam Barati.
1862
1863         * modules/import-meta-assignment.js: Added.
1864         (shouldThrow):
1865         (SyntaxError.import.meta.can.shouldThrow):
1866
1867 2017-10-11  Saam Barati  <sbarati@apple.com>
1868
1869         Unreviewed. Actually skip certain type profiler tests in debug.
1870
1871         * typeProfiler.yaml:
1872         * typeProfiler/deltablue-for-of.js:
1873         * typeProfiler/getter-richards.js:
1874
1875 2017-10-11  Commit Queue  <commit-queue@webkit.org>
1876
1877         Unreviewed, rolling out r223113 and r223121.
1878         https://bugs.webkit.org/show_bug.cgi?id=178182
1879
1880         Reintroduced 20% regression on Kraken (Requested by rniwa on
1881         #webkit).
1882
1883         Reverted changesets:
1884
1885         "Enable gigacage on iOS"
1886         https://bugs.webkit.org/show_bug.cgi?id=177586
1887         https://trac.webkit.org/changeset/223113
1888
1889         "Use one virtual allocation for all gigacages and their
1890         runways"
1891         https://bugs.webkit.org/show_bug.cgi?id=178050
1892         https://trac.webkit.org/changeset/223121
1893
1894 2017-10-11  Michael Saboff  <msaboff@apple.com>
1895
1896         Disable test262 named capture group tests with direct unicode names and with references before definitions
1897         https://bugs.webkit.org/show_bug.cgi?id=178177
1898
1899         Reviewed by Keith Miller.
1900
1901         Bugs to track fixing these test are:
1902         https://bugs.webkit.org/show_bug.cgi?id=178174 -
1903             "Add support in named capture group identifiers for direct surrogate pairs"
1904         https://bugs.webkit.org/show_bug.cgi?id=178175 -
1905             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
1906
1907         * test262.yaml:
1908
1909 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
1910
1911         Object properties are undefined in super.call() but not in this.call()
1912         https://bugs.webkit.org/show_bug.cgi?id=177230
1913
1914         Reviewed by Saam Barati.
1915
1916         * stress/super-call-function-subclass.js: Added.
1917         (assert):
1918         (A.prototype.t):
1919         (A):
1920         * stress/super-dot-call-and-apply.js: Added.
1921         (assert):
1922         (A):
1923         (A.prototype.call):
1924         (A.prototype.apply):
1925         (B.prototype.testSuper):
1926         (B):
1927         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
1928         (D.prototype.testSuper):
1929         (D):
1930
1931 2017-10-10  Saam Barati  <sbarati@apple.com>
1932
1933         The prototype cache should be aware of the Executable it generates a Structure for
1934         https://bugs.webkit.org/show_bug.cgi?id=177907
1935
1936         Reviewed by Filip Pizlo.
1937
1938         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
1939         (assert):
1940         (foo.C):
1941         (foo):
1942         (bar.C):
1943         (bar):
1944         (access):
1945         (makeLongChain):
1946         (accessY):
1947
1948 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1949
1950         `async` should be able to be used as an imported binding name
1951         https://bugs.webkit.org/show_bug.cgi?id=176573
1952
1953         Reviewed by Saam Barati.
1954
1955         * modules/import-default-async.js: Added.
1956         * modules/import-named-async-as.js: Added.
1957         * modules/import-named-async.js: Added.
1958         * modules/import-named-async/target.js: Added.
1959         * modules/import-namespace-async.js: Added.
1960         * test262.yaml:
1961
1962 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
1963
1964         Enable gigacage on iOS
1965         https://bugs.webkit.org/show_bug.cgi?id=177586
1966
1967         Reviewed by JF Bastien.
1968         
1969         Add tests for when Gigacage gets runtime disabled.
1970
1971         * stress/disable-gigacage-arrays.js: Added.
1972         (foo):
1973         * stress/disable-gigacage-strings.js: Added.
1974         (foo):
1975         * stress/disable-gigacage-typed-arrays.js: Added.
1976         (foo):
1977
1978 2017-10-09  Michael Saboff  <msaboff@apple.com>
1979
1980         Implement RegExp Unicode property escapes
1981         https://bugs.webkit.org/show_bug.cgi?id=172069
1982
1983         Reviewed by JF Bastien.
1984
1985         Enabled Unicode Property tests.
1986
1987         * test262.yaml:
1988
1989 2017-10-09  Commit Queue  <commit-queue@webkit.org>
1990
1991         Unreviewed, rolling out r223015 and r223025.
1992         https://bugs.webkit.org/show_bug.cgi?id=178093
1993
1994         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
1995         #webkit).
1996
1997         Reverted changesets:
1998
1999         "Enable gigacage on iOS"
2000         https://bugs.webkit.org/show_bug.cgi?id=177586
2001         http://trac.webkit.org/changeset/223015
2002
2003         "Unreviewed, disable Gigacage on ARM64 Linux"
2004         https://bugs.webkit.org/show_bug.cgi?id=177586
2005         http://trac.webkit.org/changeset/223025
2006
2007 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2008
2009         Update expectations for test262 tests that pass after r223043.
2010         https://bugs.webkit.org/show_bug.cgi?id=176685
2011
2012         Unreviewed test gardening.
2013
2014         * test262.yaml:
2015
2016 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2017
2018         Unreviewed, rolling out r223022.
2019
2020         This change introduced 18 test262 failures.
2021
2022         Reverted changeset:
2023
2024         "`async` should be able to be used as an imported binding
2025         name"
2026         https://bugs.webkit.org/show_bug.cgi?id=176573
2027         http://trac.webkit.org/changeset/223022
2028
2029 2017-10-09  Saam Barati  <sbarati@apple.com>
2030
2031         3 poly-proto JSC tests timing out on debug after r222827
2032         https://bugs.webkit.org/show_bug.cgi?id=177880
2033         <rdar://problem/34817122>
2034
2035         Unreviewed.
2036
2037         I'm skipping these type profiler tests on debug since they are long running.
2038
2039         * typeProfiler/deltablue-for-of.js:
2040         * typeProfiler/getter-richards.js:
2041
2042 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2043
2044         Safari 10 /11 problem with if (!await get(something)).
2045         https://bugs.webkit.org/show_bug.cgi?id=176685
2046
2047         Reviewed by Saam Barati.
2048
2049         * stress/async-await-basic.js:
2050         (awaitEpression.async):
2051         * stress/async-await-syntax.js:
2052         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2053         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2054
2055 2017-10-08  Saam Barati  <sbarati@apple.com>
2056
2057         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2058
2059         * typeProfiler/deltablue-for-of.js:
2060         * typeProfiler/getter-richards.js:
2061
2062 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2063
2064         `async` should be able to be used as an imported binding name
2065         https://bugs.webkit.org/show_bug.cgi?id=176573
2066
2067         Reviewed by Darin Adler.
2068
2069         * modules/import-default-async.js: Added.
2070         * modules/import-named-async-as.js: Added.
2071         * modules/import-named-async.js: Added.
2072         * modules/import-named-async/target.js: Added.
2073         * modules/import-namespace-async.js: Added.
2074
2075 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2076
2077         Enable gigacage on iOS
2078         https://bugs.webkit.org/show_bug.cgi?id=177586
2079
2080         Reviewed by JF Bastien.
2081         
2082         Add tests for when Gigacage gets runtime disabled.
2083
2084         * stress/disable-gigacage-arrays.js: Added.
2085         (foo):
2086         * stress/disable-gigacage-strings.js: Added.
2087         (foo):
2088         * stress/disable-gigacage-typed-arrays.js: Added.
2089         (foo):
2090
2091 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2092
2093         Unreviewed, rolling out r222791 and r222873.
2094         https://bugs.webkit.org/show_bug.cgi?id=178031
2095
2096         Caused crashes with workers/wasm LayoutTests (Requested by
2097         ryanhaddad on #webkit).
2098
2099         Reverted changesets:
2100
2101         "WebAssembly: no VM / JS version of everything but Instance"
2102         https://bugs.webkit.org/show_bug.cgi?id=177473
2103         http://trac.webkit.org/changeset/222791
2104
2105         "WebAssembly: address no VM / JS follow-ups"
2106         https://bugs.webkit.org/show_bug.cgi?id=177887
2107         http://trac.webkit.org/changeset/222873
2108
2109 2017-10-05  Saam Barati  <sbarati@apple.com>
2110
2111         Make sure all prototypes under poly proto get added into the VM's prototype map
2112         https://bugs.webkit.org/show_bug.cgi?id=177909
2113
2114         Reviewed by Keith Miller.
2115
2116         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2117         (assert):
2118         (foo.C):
2119         (foo):
2120         (set x):
2121
2122 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2123
2124         [JSC] Introduce import.meta
2125         https://bugs.webkit.org/show_bug.cgi?id=177703
2126
2127         Reviewed by Filip Pizlo.
2128
2129         * modules/import-meta-syntax.js: Added.
2130         (shouldThrow):
2131         (shouldNotThrow):
2132         * modules/import-meta.js: Added.
2133         * modules/import-meta/cocoa.js: Added.
2134         * modules/resources/assert.js:
2135         (export.shouldNotThrow):
2136         * stress/import-syntax.js:
2137
2138 2017-10-04  Saam Barati  <sbarati@apple.com>
2139
2140         Make pertinent AccessCases watch the poly proto watchpoint
2141         https://bugs.webkit.org/show_bug.cgi?id=177765
2142
2143         Reviewed by Keith Miller.
2144
2145         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2146         (assert):
2147         (foo.C):
2148         (foo):
2149         (validate):
2150         * stress/poly-proto-clear-stub.js: Added.
2151         (assert):
2152         (foo.C):
2153         (foo):
2154
2155 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2156
2157         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2158
2159         Unreviewed test gardening.
2160
2161         * test262.yaml:
2162
2163 2017-10-04  Saam Barati  <sbarati@apple.com>
2164
2165         3 poly-proto JSC tests timing out on debug after r222827
2166         https://bugs.webkit.org/show_bug.cgi?id=177880
2167
2168         Rubber stamped by Mark Lam.
2169
2170         * microbenchmarks/poly-proto-access.js:
2171         * typeProfiler/deltablue-for-of.js:
2172         * typeProfiler/getter-richards.js:
2173
2174 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2175
2176         Unreviewed, marking tco-catch.js as a failure after test262 update
2177         https://bugs.webkit.org/show_bug.cgi?id=177859
2178
2179         * test262.yaml:
2180
2181 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2182
2183         Unreviewed, marking one async iterator test262 test failed
2184         https://bugs.webkit.org/show_bug.cgi?id=177859
2185
2186         * test262.yaml:
2187
2188 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2189
2190         [Test262] Update Test262 to Oct 4 version
2191         https://bugs.webkit.org/show_bug.cgi?id=177859
2192
2193         Reviewed by Sam Weinig.
2194
2195         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2196         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
2197
2198         * test262.yaml:
2199         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2200         (checkSequence):
2201         * test262/harness/typeCoercion.js:
2202         (testCoercibleToIndexZero):
2203         (testCoercibleToIndexOne):
2204         (testCoercibleToIndexFromIndex):
2205         (testNotCoercibleToIndex.testPrimitiveValue):
2206         (testNotCoercibleToInteger):
2207         (testCoercibleToBigIntZero.testPrimitiveValue):
2208         (testCoercibleToBigIntZero):
2209         (testCoercibleToBigIntOne.testPrimitiveValue):
2210         (testCoercibleToBigIntOne):
2211         (testPrimitiveValue):
2212         (testCoercibleToBigIntFromBigInt):
2213         (testNotCoercibleToBigInt.testPrimitiveValue):
2214         (testNotCoercibleToBigInt.testStringValue):
2215         (testNotCoercibleToBigInt):
2216         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2217         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2218         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2219         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2220         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2221         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2222         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2223         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2224         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2225         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2226         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2227         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2228         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2229         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2230         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2231         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2232         (testCoercibleToBigIntZero):
2233         (testCoercibleToBigIntOne):
2234         (testNotCoercibleToBigInt):
2235         (MyError): Deleted.
2236         (valueOf): Deleted.
2237         (toString): Deleted.
2238         (Symbol.toPrimitive): Deleted.
2239         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2240         (testCoercibleToIndexZero):
2241         (testCoercibleToIndexOne):
2242         (testNotCoercibleToIndex):
2243         (MyError): Deleted.
2244         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2245         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2246         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
2247         (BigInt.asIntN.valueOf): Deleted.
2248         (BigInt.asIntN.toString): Deleted.
2249         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
2250         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
2251         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
2252         (testCoercibleToBigIntZero):
2253         (testCoercibleToBigIntOne):
2254         (testNotCoercibleToBigInt):
2255         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
2256         (testCoercibleToIndexZero):
2257         (testCoercibleToIndexOne):
2258         (testNotCoercibleToIndex):
2259         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
2260         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
2261         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
2262         (bits.valueOf):
2263         (bigint.valueOf):
2264         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
2265         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
2266         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
2267         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
2268         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
2269         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
2270         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
2271         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
2272         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
2273         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
2274         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
2275         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
2276         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
2277         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
2278         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
2279         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
2280         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
2281         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
2282         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
2283         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
2284         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
2285         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
2286         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
2287         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
2288         (replacer):
2289         (BigInt.prototype.toJSON):
2290         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
2291         (replacer):
2292         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
2293         (BigInt.prototype.toJSON):
2294         * test262/test/built-ins/JSON/stringify/bigint.js:
2295         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
2296         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
2297         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
2298         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
2299         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
2300         * test262/test/built-ins/Object/proto-from-ctor.js:
2301         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
2302         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
2303         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
2304         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
2305         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
2306         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
2307         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
2308         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
2309         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
2310         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
2311         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
2312         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
2313         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
2314         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
2315         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
2316         * test262/test/built-ins/Proxy/get-fn-realm.js:
2317         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
2318         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
2319         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
2320         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
2321         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
2322         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
2323         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
2324         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
2325         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
2326         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
2327         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
2328         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
2329         (i6.replace):
2330         (i6b.replace):
2331         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
2332         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
2333         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
2334         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
2335         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
2336         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
2337         * test262/test/built-ins/RegExp/u180e.js: Added.
2338         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
2339         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
2340         * test262/test/built-ins/String/proto-from-ctor-realm.js:
2341         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
2342         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
2343         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
2344         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
2345         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
2346         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
2347         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
2348         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
2349         * test262/test/built-ins/String/prototype/endsWith/length.js:
2350         * test262/test/built-ins/String/prototype/endsWith/name.js:
2351         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
2352         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
2353         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
2354         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
2355         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
2356         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
2357         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
2358         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
2359         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
2360         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
2361         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
2362         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
2363         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
2364         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
2365         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
2366         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
2367         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
2368         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
2369         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
2370         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
2371         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
2372         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
2373         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
2374         * test262/test/built-ins/String/prototype/includes/includes.js:
2375         * test262/test/built-ins/String/prototype/includes/length.js:
2376         * test262/test/built-ins/String/prototype/includes/name.js:
2377         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
2378         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
2379         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
2380         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
2381         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
2382         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
2383         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
2384         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
2385         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
2386         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
2387         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
2388         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
2389         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
2390         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
2391         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
2392         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
2393         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
2394         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
2395         * test262/test/built-ins/String/prototype/trim/u180e.js:
2396         * test262/test/built-ins/Symbol/for/cross-realm.js:
2397         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
2398         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
2399         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
2400         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
2401         * test262/test/built-ins/Symbol/match/cross-realm.js:
2402         * test262/test/built-ins/Symbol/replace/cross-realm.js:
2403         * test262/test/built-ins/Symbol/search/cross-realm.js:
2404         * test262/test/built-ins/Symbol/species/cross-realm.js:
2405         * test262/test/built-ins/Symbol/split/cross-realm.js:
2406         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
2407         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
2408         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
2409         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
2410         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
2411         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
2412         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
2413         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
2414         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
2415         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
2416         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
2417         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
2418         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
2419         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
2420         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
2421         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
2422         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
2423         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
2424         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
2425         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
2426         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
2427         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
2428         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
2429         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
2430         * test262/test/language/comments/mongolian-vowel-separator-single.js:
2431         * test262/test/language/eval-code/indirect/realm.js:
2432         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
2433         (o.get z):
2434         (o.get a):
2435         * test262/test/language/expressions/call/eval-realm-indirect.js:
2436         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
2437         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
2438         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
2439         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
2440         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
2441         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
2442         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
2443         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
2444         * test262/test/language/expressions/greater-than/bigint-and-number.js:
2445         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
2446         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
2447         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
2448         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
2449         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
2450         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
2451         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
2452         * test262/test/language/expressions/less-than/bigint-and-number.js:
2453         * test262/test/language/expressions/new/non-ctor-err-realm.js:
2454         * test262/test/language/expressions/super/realm.js:
2455         * test262/test/language/expressions/tagged-template/cache-realm.js:
2456         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
2457         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
2458         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
2459         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
2460         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
2461         * test262/test/language/literals/string/mongolian-vowel-separator.js:
2462         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
2463         (o.get z):
2464         (o.get a):
2465         * test262/test/language/statements/for-of/iterator-next-reference.js:
2466         (next):
2467         (iterator.next): Deleted.
2468         (x.of.iterable.): Deleted.
2469         (x.of.iterable.get return): Deleted.
2470         (x.of.iterable.iterator.next): Deleted.
2471         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
2472         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
2473         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
2474         * test262/test/language/white-space/mongolian-vowel-separator.js:
2475         * test262/test262-Revision.txt:
2476
2477 2017-10-03  Saam Barati  <sbarati@apple.com>
2478
2479         Implement polymorphic prototypes
2480         https://bugs.webkit.org/show_bug.cgi?id=176391
2481
2482         Reviewed by Filip Pizlo.
2483
2484         * microbenchmarks/poly-proto-access.js: Added.
2485         (assert):
2486         (foo.C):
2487         (foo.C.prototype.get bar):
2488         (foo):
2489         (bar):
2490         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
2491         (assert):
2492         (makePolyProtoObject.foo.C):
2493         (makePolyProtoObject.foo):
2494         (makePolyProtoObject):
2495         (performSet):
2496         * microbenchmarks/poly-proto-setter-speed.js: Added.
2497         (assert):
2498         (makePolyProtoObject.foo.C):
2499         (makePolyProtoObject.foo.C.prototype.set p):
2500         (makePolyProtoObject.foo):
2501         (makePolyProtoObject):
2502         (performSet):
2503         * stress/constructor-with-return.js:
2504         (i.tests.forEach.Constructor):
2505         (i.tests.forEach):
2506         (tests.forEach.Constructor): Deleted.
2507         (tests.forEach): Deleted.
2508         * stress/dom-jit-with-poly-proto.js: Added.
2509         (assert):
2510         (makePolyProtoObject.foo.C):
2511         (makePolyProtoObject.foo):
2512         (makePolyProtoObject):
2513         (validate):
2514         * stress/poly-proto-custom-value-and-accessor.js: Added.
2515         (assert):
2516         (makePolyProtoObject.foo.C):
2517         (makePolyProtoObject.foo):
2518         (makePolyProtoObject):
2519         (items.forEach):
2520         (set get for):
2521         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
2522         (assert):
2523         (makePolyProtoObject.foo.C):
2524         (makePolyProtoObject.foo):
2525         (makePolyProtoObject):
2526         (foo):
2527         * stress/poly-proto-miss.js: Added.
2528         (makePolyProtoInstanceWithNullPrototype.foo.C):
2529         (makePolyProtoInstanceWithNullPrototype.foo):
2530         (makePolyProtoInstanceWithNullPrototype):
2531         (assert):
2532         (validate):
2533         * stress/poly-proto-op-in-caching.js: Added.
2534         (assert):
2535         (makePolyProtoObject.foo.C):
2536         (makePolyProtoObject.foo):
2537         (makePolyProtoObject):
2538         (validate):
2539         (validate2):
2540         * stress/poly-proto-put-transition.js: Added.
2541         (assert):
2542         (makePolyProtoObject.foo.C):
2543         (makePolyProtoObject.foo):
2544         (makePolyProtoObject):
2545         (performSet):
2546         (i.obj.__proto__.set p):
2547         * stress/poly-proto-set-prototype.js: Added.
2548         (assert):
2549         (let.alternateProto.get x):
2550         (let.alternateProto2.get y):
2551         (let.alternateProto2.get x):
2552         (foo.C):
2553         (foo):
2554         (validate):
2555         * stress/poly-proto-setter.js: Added.
2556         (assert):
2557         (makePolyProtoObject.foo.C):
2558         (makePolyProtoObject.foo.C.prototype.set p):
2559         (makePolyProtoObject.foo.C.prototype.get p):
2560         (makePolyProtoObject.foo):
2561         (makePolyProtoObject):
2562         (performSet):
2563         * stress/poly-proto-using-inheritance.js: Added.
2564         (assert):
2565         (foo.C):
2566         (foo.C.prototype.get baz):
2567         (foo):
2568         (bar.C):
2569         (bar):
2570         (validate):
2571         * stress/primitive-poly-proto.js: Added.
2572         (makePolyProtoInstance.foo.C):
2573         (makePolyProtoInstance.foo):
2574         (makePolyProtoInstance):
2575         (assert):
2576         (validate):
2577         * stress/prototype-is-not-js-object.js: Added.
2578         (foo.bar):
2579         (foo):
2580         (assert):
2581         (validate):
2582         * stress/try-get-by-id-poly-proto.js: Added.
2583         (assert):
2584         (makePolyProtoObject.foo.C):
2585         (makePolyProtoObject.foo):
2586         (makePolyProtoObject):
2587         (tryGetByIdText):
2588         (x.__proto__.get bar):
2589         (validate):
2590         * typeProfiler/overflow.js:
2591
2592 2017-10-03  JF Bastien  <jfbastien@apple.com>
2593
2594         WebAssembly: no VM / JS version of everything but Instance
2595         https://bugs.webkit.org/show_bug.cgi?id=177473
2596
2597         Reviewed by Filip Pizlo.
2598
2599         - Exceeding max on memory growth now returns a range error as per
2600         spec. This is a (very minor) breaking change: it used to throw OOM
2601         error. Update the corresponding test.
2602
2603         * wasm/js-api/memory-grow.js:
2604         (assertEq):
2605         * wasm/js-api/table.js:
2606         (assert.throws):
2607
2608 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
2609
2610         Skip JSC test stress/regress-159779-2.js on debug.
2611         https://bugs.webkit.org/show_bug.cgi?id=177204
2612
2613         Unreviewed test gardening.
2614
2615         * stress/regress-159779-2.js:
2616
2617 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
2618
2619         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
2620         https://bugs.webkit.org/show_bug.cgi?id=175642
2621
2622         Reviewed by Darin Adler.
2623
2624         * ChakraCore/test/Function/apply3.baseline-jsc:
2625
2626 2017-10-01  Commit Queue  <commit-queue@webkit.org>
2627
2628         Unreviewed, rolling out r222564.
2629         https://bugs.webkit.org/show_bug.cgi?id=177720
2630
2631         "It regressed JetStream by 2% on iOS caused by a 50%
2632         regression on the bigfib subtest" (Requested by saamyjoon on
2633         #webkit).
2634
2635         Reverted changeset:
2636
2637         "Add Above/Below comparisons for UInt32 patterns"
2638         https://bugs.webkit.org/show_bug.cgi?id=177281
2639         http://trac.webkit.org/changeset/222564
2640
2641 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2642
2643         [DFG] Support ArrayPush with multiple args
2644         https://bugs.webkit.org/show_bug.cgi?id=175823
2645
2646         Reviewed by Saam Barati.
2647
2648         * microbenchmarks/array-push-0.js: Added.
2649         (arrayPush0):
2650         * microbenchmarks/array-push-1.js: Added.
2651         (arrayPush1):
2652         * microbenchmarks/array-push-2.js: Added.
2653         (arrayPush2):
2654         * microbenchmarks/array-push-3.js: Added.
2655         (arrayPush3):
2656         * stress/array-push-multiple-contiguous.js: Added.
2657         (shouldBe):
2658         (test):
2659         * stress/array-push-multiple-double-nan.js: Added.
2660         (shouldBe):
2661         (test):
2662         * stress/array-push-multiple-double.js: Added.
2663         (shouldBe):
2664         (test):
2665         * stress/array-push-multiple-int32.js: Added.
2666         (shouldBe):
2667         (test):
2668         * stress/array-push-multiple-many-contiguous.js: Added.
2669         (shouldBe):
2670         (test):
2671         * stress/array-push-multiple-many-double.js: Added.
2672         (shouldBe):
2673         (test):
2674         * stress/array-push-multiple-many-int32.js: Added.
2675         (shouldBe):
2676         (test):
2677         * stress/array-push-multiple-many-storage.js: Added.
2678         (shouldBe):
2679         (test):
2680         * stress/array-push-multiple-storage.js: Added.
2681         (shouldBe):
2682         (test):
2683         * stress/array-push-with-force-exit.js: Added.
2684         (target.createBuiltin):
2685
2686 2017-09-29  Saam Barati  <sbarati@apple.com>
2687
2688         Custom GetterSetterAccessCase does not use the correct slotBase when making call
2689         https://bugs.webkit.org/show_bug.cgi?id=177639
2690
2691         Reviewed by Geoffrey Garen.
2692
2693         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
2694         (assert):
2695         (Class):
2696         (items.forEach):
2697         (set get for):
2698
2699 2017-09-29  Commit Queue  <commit-queue@webkit.org>
2700
2701         Unreviewed, rolling out r222563, r222565, and r222581.
2702         https://bugs.webkit.org/show_bug.cgi?id=177675
2703
2704         "It causes a crash when playing youtube videos" (Requested by
2705         saamyjoon on #webkit).
2706
2707         Reverted changesets:
2708
2709         "[DFG] Support ArrayPush with multiple args"
2710         https://bugs.webkit.org/show_bug.cgi?id=175823
2711         http://trac.webkit.org/changeset/222563
2712
2713         "Unreviewed, build fix after r222563"
2714         https://bugs.webkit.org/show_bug.cgi?id=175823
2715         http://trac.webkit.org/changeset/222565
2716
2717         "Unreviewed, fix x86 breaking due to exhausted registers"
2718         https://bugs.webkit.org/show_bug.cgi?id=175823
2719         http://trac.webkit.org/changeset/222581
2720
2721 2017-09-28  Mark Lam  <mark.lam@apple.com>
2722
2723         test262: Unexpected passes after r222617 and r222618.
2724         https://bugs.webkit.org/show_bug.cgi?id=177622
2725         <rdar://problem/34725960>
2726
2727         Reviewed by Saam Barati.
2728
2729         Update test262.yaml for tests that are now passing.
2730
2731         * test262.yaml:
2732
2733 2017-09-27  Michael Saboff  <msaboff@apple.com>
2734
2735         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
2736         https://bugs.webkit.org/show_bug.cgi?id=177570
2737
2738         Reviewed by Filip Pizlo.
2739
2740         New regression test.
2741
2742         * stress/regress-177570.js: Added.
2743
2744 2017-09-28  Michael Saboff  <msaboff@apple.com>
2745
2746         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
2747         https://bugs.webkit.org/show_bug.cgi?id=177423
2748
2749         Reviewed by Mark Lam.
2750
2751         Updated regression test.
2752
2753         * stress/regress-177423.js:
2754         (catch):
2755
2756 2017-09-27  Mark Lam  <mark.lam@apple.com>
2757
2758         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
2759         https://bugs.webkit.org/show_bug.cgi?id=177584
2760         <rdar://problem/34463903>
2761
2762         Reviewed by Saam Barati.
2763
2764         * stress/regress-177584.js: Added.
2765         (assertEqual):
2766         (Array.prototype.Symbol.species):
2767
2768 2017-09-27  Saam Barati  <sbarati@apple.com>
2769
2770         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
2771         https://bugs.webkit.org/show_bug.cgi?id=177523
2772
2773         Reviewed by Mark Lam.
2774
2775         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
2776         (assert):
2777         (Test):
2778         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
2779         (addMethods):
2780         (i.Test.prototype.propName):
2781
2782 2017-09-27  Mark Lam  <mark.lam@apple.com>
2783
2784         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
2785         https://bugs.webkit.org/show_bug.cgi?id=177423
2786         <rdar://problem/34621320>
2787
2788         Reviewed by Keith Miller.
2789
2790         * stress/regress-177423.js: Added.
2791
2792 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2793
2794         Add Above/Below comparisons for UInt32 patterns
2795         https://bugs.webkit.org/show_bug.cgi?id=177281
2796
2797         Reviewed by Saam Barati.
2798
2799         * stress/uint32-comparison-jump.js: Added.
2800         (shouldBe):
2801         (above):
2802         (aboveOrEqual):
2803         (below):
2804         (belowOrEqual):
2805         (notAbove):
2806         (notAboveOrEqual):
2807         (notBelow):
2808         (notBelowOrEqual):
2809         * stress/uint32-comparison.js: Added.
2810         (shouldBe):
2811         (above):
2812         (aboveOrEqual):
2813         (below):
2814         (belowOrEqual):
2815         (aboveTest):
2816         (aboveOrEqualTest):
2817         (belowTest):
2818         (belowOrEqualTest):
2819
2820 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2821
2822         [DFG] Support ArrayPush with multiple args
2823         https://bugs.webkit.org/show_bug.cgi?id=175823
2824
2825         Reviewed by Saam Barati.
2826
2827         * microbenchmarks/array-push-0.js: Added.
2828         (arrayPush0):
2829         * microbenchmarks/array-push-1.js: Added.
2830         (arrayPush1):
2831         * microbenchmarks/array-push-2.js: Added.
2832         (arrayPush2):
2833         * microbenchmarks/array-push-3.js: Added.
2834         (arrayPush3):
2835         * stress/array-push-multiple-contiguous.js: Added.
2836         (shouldBe):
2837         (test):
2838         * stress/array-push-multiple-double-nan.js: Added.
2839         (shouldBe):
2840         (test):
2841         * stress/array-push-multiple-double.js: Added.
2842         (shouldBe):
2843         (test):
2844         * stress/array-push-multiple-int32.js: Added.
2845         (shouldBe):
2846         (test):
2847         * stress/array-push-multiple-many-contiguous.js: Added.
2848         (shouldBe):
2849         (test):
2850         * stress/array-push-multiple-many-double.js: Added.
2851         (shouldBe):
2852         (test):
2853         * stress/array-push-multiple-many-int32.js: Added.
2854         (shouldBe):
2855         (test):
2856         * stress/array-push-multiple-many-storage.js: Added.
2857         (shouldBe):
2858         (test):
2859         * stress/array-push-multiple-storage.js: Added.
2860         (shouldBe):
2861         (test):
2862
2863 2017-09-26  Commit Queue  <commit-queue@webkit.org>
2864
2865         Unreviewed, rolling out r222518.
2866         https://bugs.webkit.org/show_bug.cgi?id=177507
2867
2868         Break the High Sierra build (Requested by yusukesuzuki on
2869         #webkit).
2870
2871         Reverted changeset:
2872
2873         "Add Above/Below comparisons for UInt32 patterns"
2874         https://bugs.webkit.org/show_bug.cgi?id=177281
2875         http://trac.webkit.org/changeset/222518
2876
2877 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2878
2879         Add Above/Below comparisons for UInt32 patterns
2880         https://bugs.webkit.org/show_bug.cgi?id=177281
2881
2882         Reviewed by Saam Barati.
2883
2884         * stress/uint32-comparison-jump.js: Added.
2885         (shouldBe):
2886         (above):
2887         (aboveOrEqual):
2888         (below):
2889         (belowOrEqual):
2890         (notAbove):
2891         (notAboveOrEqual):
2892         (notBelow):
2893         (notBelowOrEqual):
2894         * stress/uint32-comparison.js: Added.
2895         (shouldBe):
2896         (above):
2897         (aboveOrEqual):
2898         (below):
2899         (belowOrEqual):
2900         (aboveTest):
2901         (aboveOrEqualTest):
2902         (belowTest):
2903         (belowOrEqualTest):
2904
2905 2017-09-23  Keith Miller  <keith_miller@apple.com>
2906
2907         Fix infinite looping test262 test
2908         https://bugs.webkit.org/show_bug.cgi?id=177412
2909
2910         Reviewed by Yusuke Suzuki.
2911
2912         This test was poorly designed since failing it would cause the vm
2913         to inifinite loop. I've fixed it locally and will fix it on github pending
2914         the results of next weeks tc39 meeting.
2915
2916         * test262.yaml:
2917         * test262/test/language/statements/for-of/iterator-next-reference.js:
2918
2919 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
2920
2921         test262: $.agent became $262.agent in test262 update
2922         https://bugs.webkit.org/show_bug.cgi?id=177407
2923
2924         Reviewed by Yusuke Suzuki.
2925
2926         * test262.yaml:
2927         ~320 tests pass now that we correctly make $262 available.
2928
2929 2017-09-22  Keith Miller  <keith_miller@apple.com>
2930
2931         Speculatively change iteration protocall to use the same next function
2932         https://bugs.webkit.org/show_bug.cgi?id=175653
2933
2934         Reviewed by Saam Barati.
2935
2936         Change test to match the new iteration behavior.
2937
2938         * stress/spread-optimized-properly.js:
2939
2940 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2941
2942         [DFG][FTL] Profile array vector length for array allocation
2943         https://bugs.webkit.org/show_bug.cgi?id=177051
2944
2945         Reviewed by Saam Barati.
2946
2947         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
2948         (target):
2949
2950 2017-09-22  Commit Queue  <commit-queue@webkit.org>
2951
2952         Unreviewed, rolling out r222380.
2953         https://bugs.webkit.org/show_bug.cgi?id=177352
2954
2955         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
2956         #webkit).
2957
2958         Reverted changeset:
2959
2960         "[DFG][FTL] Profile array vector length for array allocation"
2961         https://bugs.webkit.org/show_bug.cgi?id=177051
2962         http://trac.webkit.org/changeset/222380
2963
2964 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2965
2966         [DFG][FTL] Profile array vector length for array allocation
2967         https://bugs.webkit.org/show_bug.cgi?id=177051
2968
2969         Reviewed by Saam Barati.
2970
2971         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
2972         (target):
2973
2974 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
2975
2976         Skip new hanging test262 tests.
2977         https://bugs.webkit.org/show_bug.cgi?id=177326
2978
2979         Unreviewed test gardening.
2980
2981         * test262.yaml:
2982
2983 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2984
2985         Mark 6 test262 tests as passing.
2986         https://bugs.webkit.org/show_bug.cgi?id=177307
2987
2988         Unreviewed test gardening.
2989
2990         * test262.yaml:
2991
2992 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
2993
2994         Unreviewed follow-up to r222311.
2995
2996         * test262/harness/sta.js:
2997         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
2998         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
2999         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3000         * test262/test/built-ins/Array/from/elements-added-after.js:
3001         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3002         * test262/test/built-ins/Array/from/elements-updated-after.js:
3003         * test262/test/built-ins/Array/from/from-array.js:
3004         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3005         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3006         * test262/test/built-ins/Array/from/source-array-boundary.js:
3007         * test262/test/built-ins/Array/from/source-object-constructor.js:
3008         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3009         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3010         * test262/test/built-ins/Array/from/source-object-length.js:
3011         * test262/test/built-ins/Array/from/source-object-missing.js:
3012         * test262/test/built-ins/Array/from/source-object-without.js:
3013         * test262/test/built-ins/Array/from/this-null.js:
3014         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3015         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3016         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3017         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3018         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3019         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3020         * test262/test/language/literals/string/7.8.4-1gs.js:
3021         Fix some files that I failed to update when I applied my patch.
3022
3023 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3024
3025         Update test262 tests
3026         https://bugs.webkit.org/show_bug.cgi?id=177220
3027
3028         Reviewed by Saam Barati and Yusuke Suzuki.
3029
3030         * test262.yaml:
3031         * test262/test262-Revision.txt:
3032         New rebaselined expectations for all tests.
3033
3034         * test262/*:
3035         Updated.
3036
3037 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3038
3039         [DFG] Remove ToThis more aggressively
3040         https://bugs.webkit.org/show_bug.cgi?id=177056
3041
3042         Reviewed by Saam Barati.
3043
3044         * stress/generator-with-this-strict.js: Added.
3045         (shouldBe):
3046         (generator):
3047         (target):
3048         * stress/generator-with-this.js: Added.
3049         (shouldBe):
3050         (generator):
3051         (target):
3052
3053 2017-09-17  Michael Saboff  <msaboff@apple.com>
3054
3055         https://bugs.webkit.org/show_bug.cgi?id=177038
3056         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3057
3058         Reviewed by JF Bastien.
3059
3060         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3061         as it dies using too much memory.
3062
3063 2017-09-15  Saam Barati  <sbarati@apple.com>
3064
3065         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3066         https://bugs.webkit.org/show_bug.cgi?id=176981
3067
3068         Reviewed by Yusuke Suzuki.
3069
3070         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3071         (assert):
3072         (verify):
3073         (func):
3074         (const.bar.createBuiltin):
3075
3076 2017-09-14  Saam Barati  <sbarati@apple.com>
3077
3078         It should be valid to exit before each set when doing arity fixup when inlining
3079         https://bugs.webkit.org/show_bug.cgi?id=176948
3080
3081         Reviewed by Keith Miller.
3082
3083         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3084         (baz):
3085         (bar):
3086         (foo):
3087
3088 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3089
3090         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3091         https://bugs.webkit.org/show_bug.cgi?id=176867
3092
3093         Reviewed by Sam Weinig.
3094
3095         * microbenchmarks/object-get-own-property-symbols.js: Added.
3096         (test):
3097
3098 2017-09-13  Mark Lam  <mark.lam@apple.com>
3099
3100         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3101         https://bugs.webkit.org/show_bug.cgi?id=176888
3102         <rdar://problem/34381832>
3103
3104         Not reviewed.
3105
3106         * stress/op_mod-ConstVar.js:
3107         * stress/op_mod-VarConst.js:
3108         * stress/op_mod-VarVar.js:
3109
3110 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3111
3112         Skip 3 op_mod tests on Debug JSC bots.
3113         https://bugs.webkit.org/show_bug.cgi?id=176630
3114
3115         Unreviewed test gardening.
3116
3117         * stress/op_mod-ConstVar.js:
3118         * stress/op_mod-VarConst.js:
3119         * stress/op_mod-VarVar.js:
3120
3121 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3122
3123         [JSC] Fix Array allocation in Object.keys
3124         https://bugs.webkit.org/show_bug.cgi?id=176826
3125
3126         Reviewed by Saam Barati.
3127
3128         * stress/object-own-property-keys.js: Added.
3129         (shouldBe):
3130
3131 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3132
3133         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3134         https://bugs.webkit.org/show_bug.cgi?id=176010
3135
3136         Reviewed by Filip Pizlo.
3137
3138         * microbenchmarks/weak-map-key.js: Added.
3139         (assert):
3140         (objectKey):
3141         (let.start.Date.now):
3142
3143 2017-09-12  Mark Lam  <mark.lam@apple.com>
3144
3145         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3146         https://bugs.webkit.org/show_bug.cgi?id=176630
3147
3148         Reviewed by JF Bastien.
3149
3150         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3151         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3152         a speculative fix for the bots that are seeing these fail.
3153
3154         I also undid the skipping of the op_mod tests for debug builds.
3155
3156         * stress/op_div-ConstVar.js:
3157         * stress/op_div-VarConst.js:
3158         * stress/op_div-VarVar.js:
3159         * stress/op_mod-ConstVar.js:
3160         * stress/op_mod-VarConst.js:
3161         * stress/op_mod-VarVar.js:
3162
3163 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3164
3165         Skip stress/value-to-boolean.js on Debug bots.
3166         https://bugs.webkit.org/show_bug.cgi?id=176787
3167
3168         Unreviewed test gardening.
3169
3170         * stress/value-to-boolean.js:
3171
3172 2017-09-11  Mark Lam  <mark.lam@apple.com>
3173
3174         Change test expectation for test262/test/language/statements/try/tco-catch.js
3175         https://bugs.webkit.org/show_bug.cgi?id=176749
3176
3177         Rubber stamped by Keith Miller.
3178
3179         It's been failing since at least r221821.  I'm changing the test expectation to
3180         fail to green the bots while I investigate some more.
3181
3182         * test262.yaml:
3183
3184 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3185
3186         Unreviewed, rolling out r221854.
3187
3188         The test added with this change fails on 32-bit JSC bots.
3189
3190         Reverted changeset:
3191
3192         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3193         https://bugs.webkit.org/show_bug.cgi?id=176010
3194         http://trac.webkit.org/changeset/221854
3195
3196 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3197
3198         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3199         https://bugs.webkit.org/show_bug.cgi?id=176010
3200
3201         Reviewed by Filip Pizlo.
3202
3203         * microbenchmarks/weak-map-key.js: Added.
3204         (assert):
3205         (objectKey):
3206         (let.start.Date.now):
3207
3208 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3209
3210         [JSC] Optimize Object.keys by using careful array allocation
3211         https://bugs.webkit.org/show_bug.cgi?id=176654
3212
3213         Reviewed by Darin Adler.
3214
3215         * microbenchmarks/object-keys.js: Added.
3216         (test):
3217
3218 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
3219
3220         Error should compute .stack and friends lazily
3221         https://bugs.webkit.org/show_bug.cgi?id=176645
3222
3223         Reviewed by Saam Barati.
3224
3225         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
3226         * microbenchmarks/new-error.js: Added.
3227         * microbenchmarks/throw.js: Added.
3228
3229 2017-09-09  Mark Lam  <mark.lam@apple.com>
3230
3231         [Re-landing] Use JIT probes for DFG OSR exit.
3232         https://bugs.webkit.org/show_bug.cgi?id=175144
3233         <rdar://problem/33437050>
3234
3235         Not reviewed.  Original patch reviewed by Saam Barati.
3236
3237         Disable these tests for debug builds because they run too slow with the new OSR exit.
3238
3239         * stress/op_mod-ConstVar.js:
3240         * stress/op_mod-VarConst.js:
3241         * stress/op_mod-VarVar.js:
3242
3243 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3244
3245         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3246         https://bugs.webkit.org/show_bug.cgi?id=176300
3247
3248         Reviewed by Saam Barati.
3249
3250         * stress/new-array-with-size-div.js: Added.
3251         (shouldBe):
3252         (test):
3253         (i.i):
3254
3255 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3256
3257         [DFG] PutByVal with Array::Generic is too generic
3258         https://bugs.webkit.org/show_bug.cgi?id=176345
3259
3260         Reviewed by Filip Pizlo.
3261
3262         * stress/object-assign-symbols.js: Added.
3263         (shouldBe):
3264         (test):
3265         * stress/object-assign.js: Added.
3266         (shouldBe):
3267         (test):
3268         (i.shouldBe.JSON.stringify.test):
3269
3270 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3271
3272         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
3273         https://bugs.webkit.org/show_bug.cgi?id=176590
3274
3275         Reviewed by Saam Barati.
3276
3277         * microbenchmarks/object-iterate-symbols.js: Added.
3278         (test):
3279         * microbenchmarks/object-iterate.js: Added.
3280         (test):
3281         * stress/object-iterate-symbols.js: Added.
3282         (shouldBe):
3283         (test):
3284         * stress/object-iterate.js: Added.
3285         (shouldBe):
3286         (test):
3287
3288 2017-09-07  Per Arne Vollan  <pvollan@apple.com>
3289
3290         [Win32] 10 JSC stress tests are failing.
3291         https://bugs.webkit.org/show_bug.cgi?id=176538
3292
3293         Reviewed by Mark Lam.
3294
3295         Skip tests on Windows to make the bots green.
3296
3297         * ChakraCore.yaml:
3298         * stress/date-relaxed.js:
3299
3300 2017-09-06  Mark Lam  <mark.lam@apple.com>
3301
3302         constructGenericTypedArrayViewWithArguments() is missing an exception check.
3303         https://bugs.webkit.org/show_bug.cgi?id=176485
3304         <rdar://problem/33898874>
3305
3306         Reviewed by Keith Miller.
3307
3308         * stress/regress-176485.js: Added.
3309
3310 2017-09-05  Saam Barati  <sbarati@apple.com>
3311
3312         isNotCellSpeculation is wrong with respect to SpecEmpty
3313         https://bugs.webkit.org/show_bug.cgi?id=176429
3314
3315         Reviewed by Michael Saboff.
3316
3317         * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
3318         (Foo):
3319
3320 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3321
3322         test262: Completion values for control flow do not match the spec
3323         https://bugs.webkit.org/show_bug.cgi?id=171265
3324
3325         Reviewed by Saam Barati.
3326
3327         * stress/completion-value.js:
3328         Condensed test for completion values in top level statements.
3329
3330         * stress/super-get-by-id.js:
3331         ClassDeclaration when evaled no longer produce values. Convert
3332         these to ClassExpressions so they produce the class value.
3333         
3334         * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
3335         This is a progression for currect spec behavior.
3336
3337         * mozilla/mozilla-tests.yaml:
3338         This test is now outdated, so mark it as failing for that reason.
3339
3340         * test262.yaml:
3341         Passing all "cptn" completion value tests.
3342
3343 2017-09-04  Saam Barati  <sbarati@apple.com>
3344
3345         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
3346         https://bugs.webkit.org/show_bug.cgi?id=176317
3347
3348         Reviewed by Keith Miller.
3349
3350         * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
3351         (Foo):
3352
3353 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3354
3355         [DFG][FTL] Efficiently execute number#toString()
3356         https://bugs.webkit.org/show_bug.cgi?id=170007
3357
3358         Reviewed by Keith Miller.
3359
3360         * microbenchmarks/number-to-string-strength-reduction.js: Added.
3361         (test):
3362         * microbenchmarks/number-to-string-with-radix-10.js: Added.
3363         (test):
3364         * microbenchmarks/number-to-string-with-radix-cse.js: Added.
3365         (test):
3366         * microbenchmarks/number-to-string-with-radix.js: Added.
3367         (test):
3368         * stress/number-to-string-strength-reduction.js: Added.
3369         (shouldBe):
3370         (test):
3371         * stress/number-to-string-with-radix-10.js: Added.
3372         (shouldBe):
3373         (test):
3374         * stress/number-to-string-with-radix-cse.js: Added.
3375         (shouldBe):
3376         (test):
3377         * stress/number-to-string-with-radix-invalid.js: Added.
3378         (shouldThrow):
3379         * stress/number-to-string-with-radix-watchpoint.js: Added.
3380         (shouldBe):
3381         (test):
3382         (i.i.1e3.Number.prototype.toString):
3383         * stress/number-to-string-with-radix.js: Added.
3384         (shouldBe):
3385         (test):
3386
3387 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3388
3389         [DFG] Relax arity requirement
3390         https://bugs.webkit.org/show_bug.cgi?id=175523
3391
3392         Reviewed by Saam Barati.
3393
3394         * stress/arity-mismatch-arguments-length.js: Added.
3395         (shouldBe):
3396         (test1):
3397         (test):
3398         * stress/arity-mismatch-get-argument.js: Added.
3399         (shouldBe):
3400         (builtin.createBuiltin):
3401         (test):
3402         * stress/arity-mismatch-inlining-extra-slots.js: Added.
3403         (shouldBe):
3404         (inlineTarget):
3405         (test):
3406         * stress/arity-mismatch-inlining.js: Added.
3407         (shouldBe):
3408         (inlineTarget):
3409         (test):
3410         * stress/arity-mismatch-rest.js: Added.
3411         (shouldBe):
3412         (test2):
3413         (test1):
3414         (test):
3415
3416 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3417
3418         [JSC] Fix "name" and "length" of Proxy revoke function
3419         https://bugs.webkit.org/show_bug.cgi?id=176155
3420
3421         Reviewed by Mark Lam.
3422
3423         * test262.yaml:
3424
3425 2017-08-31  Saam Barati  <sbarati@apple.com>
3426
3427         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
3428         https://bugs.webkit.org/show_bug.cgi?id=176206
3429
3430         Reviewed by Keith Miller.
3431
3432         * stress/compare-semantic-origin-op-negate-method-of-getting-a-value-profile.js: Added.
3433         (a):
3434         (b):
3435         (foo):
3436
3437 2017-08-31  Ryan Haddad  <ryanhaddad@apple.com>
3438
3439         Skip two slow JSC tests after r221422.
3440
3441         Unreviewed test gardening.
3442
3443         * stress/regexp-prototype-match-on-too-long-rope.js:
3444         * stress/regexp-prototype-test-on-too-long-rope.js:
3445
3446 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
3447
3448         Unreviewed, skipping slow tests.
3449         
3450         These tests are now timing out. They would have always been slow. The timeouts are probably because OOMs
3451         work differently now.
3452
3453         * stress/regexp-prototype-exec-on-too-long-rope.js:
3454         * stress/string-prototype-charCodeAt-on-too-long-rope.js:
3455
3456 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3457
3458         [JSC] Use reifying system for "name" property of builtin JSFunction
3459         https://bugs.webkit.org/show_bug.cgi?id=175260
3460
3461         Reviewed by Saam Barati.
3462
3463         * stress/accessors-get-set-prefix.js:
3464         * stress/builtin-function-name.js: Added.
3465         (shouldBe):
3466         (shouldThrow):
3467         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
3468         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
3469         * stress/private-name-as-anonymous-builtin.js: Added.
3470         (shouldBe):
3471         (NotPromise):
3472
3473 2017-08-30  Saam Barati  <sbarati@apple.com>
3474
3475         Unreviewed. Make test stop printing.
3476
3477         * microbenchmarks/fake-iterators-that-throw-when-finished.js:
3478
3479 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
3480
3481         Unreviewed, rolling out r221327.
3482
3483         This change caused test262 failures.
3484
3485         Reverted changeset:
3486
3487         "[JSC] Use reifying system for "name" property of builtin
3488         JSFunction"
3489         https://bugs.webkit.org/show_bug.cgi?id=175260
3490         http://trac.webkit.org/changeset/221327
3491
3492 2017-08-30  Saam Barati  <sbarati@apple.com>
3493
3494         semicolon is being interpreted as an = in the LiteralParser
3495         https://bugs.webkit.org/show_bug.cgi?id=176114
3496
3497         Reviewed by Oliver Hunt.
3498
3499         * stress/jsonp-literal-parser-semicolon-is-not-assignment.js: Added.
3500         * stress/resources/literal-parser-test-case.js: Added.
3501
3502 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3503
3504         [ESNext] Async iteration - Implement async iteration statement: for-await-of
3505         https://bugs.webkit.org/show_bug.cgi?id=166698
3506
3507         Reviewed by Yusuke Suzuki.
3508
3509         * stress/async-iteration-for-await-of-syntax.js: Added.
3510         (assert):
3511         (checkSyntax):
3512         (checkSyntaxError):
3513         (checkSimpleAsyncGeneratorSloppyMode):
3514         (checkSimpleAsyncGeneratorStrictMode):
3515         (checkNestedAsyncGenerators):
3516         (checkSimpleAsyncGeneratorSyntaxErrorInStrictMode):
3517         * stress/async-iteration-for-await-of.js: Added.
3518         (assert):
3519         (async.foo):
3520         (async.boo):
3521         (const.boo.async):
3522
3523 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3524
3525         [JSC] Use reifying system for "name" property of builtin JSFunction
3526         https://bugs.webkit.org/show_bug.cgi?id=175260
3527
3528         Reviewed by Saam Barati.
3529
3530         * stress/accessors-get-set-prefix.js:
3531         * stress/builtin-function-name.js: Added.
3532         (shouldBe):
3533         (shouldThrow):
3534         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
3535         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
3536
3537 2017-08-25  Saam Barati  <sbarati@apple.com>
3538
3539         Support compiling catch in the DFG
3540         https://bugs.webkit.org/show_bug.cgi?id=174590
3541         <rdar://problem/34047845>
3542
3543         Reviewed by Filip Pizlo.
3544
3545         * microbenchmarks/delta-blue-try-catch.js: Added.
3546         (exception):
3547         (value):
3548         (OrderedCollection):
3549         (OrderedCollection.prototype.add):
3550         (OrderedCollection.prototype.at):
3551         (OrderedCollection.prototype.size):
3552         (OrderedCollection.prototype.removeFirst):
3553         (OrderedCollection.prototype.remove):
3554         (Strength):
3555         (Strength.stronger):
3556         (Strength.weaker):
3557         (Strength.weakestOf):
3558         (Strength.strongest):
3559         (Strength.prototype.nextWeaker):
3560         (Constraint):
3561         (Constraint.prototype.addConstraint):
3562         (Constraint.prototype.satisfy):
3563         (Constraint.prototype.destroyConstraint):
3564         (Constraint.prototype.isInput):
3565         (UnaryConstraint):
3566         (UnaryConstraint.prototype.addToGraph):
3567         (UnaryConstraint.prototype.chooseMethod):
3568         (UnaryConstraint.prototype.isSatisfied):
3569         (UnaryConstraint.prototype.markInputs):
3570         (UnaryConstraint.prototype.output):
3571         (UnaryConstraint.prototype.recalculate):
3572         (UnaryConstraint.prototype.markUnsatisfied):
3573         (UnaryConstraint.prototype.inputsKnown):
3574         (UnaryConstraint.prototype.removeFromGraph):
3575         (StayConstraint):
3576         (StayConstraint.prototype.execute):
3577         (EditConstraint.prototype.isInput):
3578         (EditConstraint.prototype.execute):
3579         (BinaryConstraint):
3580         (BinaryConstraint.prototype.chooseMethod):
3581         (BinaryConstraint.prototype.addToGraph):
3582         (BinaryConstraint.prototype.isSatisfied):
3583         (BinaryConstraint.prototype.markInputs):
3584         (BinaryConstraint.prototype.input):
3585         (BinaryConstraint.prototype.output):
3586         (BinaryConstraint.prototype.recalculate):
3587         (BinaryConstraint.prototype.markUnsatisfied):
3588         (BinaryConstraint.prototype.inputsKnown):
3589         (BinaryConstraint.prototype.removeFromGraph):
3590         (ScaleConstraint):
3591         (ScaleConstraint.prototype.addToGraph):
3592         (ScaleConstraint.prototype.removeFromGraph):
3593         (ScaleConstraint.prototype.markInputs):
3594         (ScaleConstraint.prototype.execute):
3595         (ScaleConstraint.prototype.recalculate):
3596         (EqualityConstraint):
3597         (EqualityConstraint.prototype.execute):
3598         (Variable):
3599         (Variable.prototype.addConstraint):
3600         (Variable.prototype.removeConstraint):
3601         (Planner):
3602         (Planner.prototype.incrementalAdd):
3603         (Planner.prototype.incrementalRemove):
3604         (Planner.prototype.newMark):
3605         (Planner.prototype.makePlan):
3606         (Planner.prototype.extractPlanFromConstraints):
3607         (Planner.prototype.addPropagate):
3608         (Planner.prototype.removePropagateFrom):
3609         (Planner.prototype.addConstraintsConsumingTo):
3610         (Plan):
3611         (Plan.prototype.addConstraint):
3612         (Plan.prototype.size):
3613         (Plan.prototype.constraintAt):
3614         (Plan.prototype.execute):
3615         (chainTest):
3616         (projectionTest):
3617         (change):
3618         (deltaBlue):
3619         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Added.
3620         (assert):
3621         (Numbers):
3622         (Numbers.prototype.next):
3623         (return.Transpose):
3624         (return.Transpose.prototype.next):
3625         (transpose):
3626         (verifyEven):
3627         (verifyString):
3628         (foo):
3629         (runIterators):
3630         * microbenchmarks/try-catch-word-count.js: Added.
3631         (let.assert):
3632         (EOF):
3633         (let.texts):
3634         (let.o.apply):
3635         (foo):
3636         (bar):
3637         (f):
3638         (run):
3639         (test1):
3640         (test2):
3641         (test3):
3642         (fn):
3643         (A):
3644         (B):
3645         (A.prototype.getValue):
3646         (B.prototype.getParentValue):
3647         (strlen):
3648         (sum.0):
3649         (test):
3650         (result.test.o):
3651         (set add.set add):
3652         (set forEach):
3653         (stringHash):
3654         (set if):
3655         (testFunction):
3656         (set delete.set has.set add):
3657         * stress/catch-set-argument-speculation-failure.js: Added.
3658         (o):
3659         (e):
3660         (e2):
3661         (escape):
3662         (baz):
3663         (noInline.run):
3664         (noInline):
3665         * stress/osr-enter-to-catch-with-set-local-type-check-failure.js: Added.
3666         (foo):
3667         (e):
3668         (baz):
3669         (bar):
3670
3671 2017-08-24  Commit Queue  <commit-queue@webkit.org>
3672
3673         Unreviewed, rolling out r221119, r221124, and r221143.
3674         https://bugs.webkit.org/show_bug.cgi?id=175973
3675
3676         "I think it regressed JSBench by 20%" (Requested by saamyjoon
3677         on #webkit).
3678
3679         Reverted changesets:
3680
3681         "Support compiling catch in the DFG"
3682         https://bugs.webkit.org/show_bug.cgi?id=174590
3683         http://trac.webkit.org/changeset/221119
3684
3685         "Unreviewed, build fix in GTK port"
3686         https://bugs.webkit.org/show_bug.cgi?id=174590
3687         http://trac.webkit.org/changeset/221124
3688
3689         "DFG::JITCode::osrEntry should get sorted since we perform a
3690         binary search on it"
3691         https://bugs.webkit.org/show_bug.cgi?id=175893
3692         http://trac.webkit.org/changeset/221143
3693
3694 2017-08-24  Michael Saboff  <msaboff@apple.com>
3695
3696         Add support for RegExp "dotAll" flag
3697         https://bugs.webkit.org/show_bug.cgi?id=175924
3698
3699         Reviewed by Keith Miller.
3700
3701         Updated tests for new dotAll ('s' flag) changes.
3702
3703         * es6/Proxy_internal_get_calls_RegExp.prototype.flags.js:
3704         * stress/static-getter-in-names.js:
3705
3706 2017-08-24  Mark Lam  <mark.lam@apple.com>
3707
3708         Land regression test for https://bugs.webkit.org/show_bug.cgi?id=164081.
3709         https://bugs.webkit.org/show_bug.cgi?id=175940
3710         <rdar://problem/29003921>
3711
3712         Reviewed by Saam Barati.
3713
3714         * stress/regress-164081.js: Added.
3715         (shouldEqual):
3716         (testcase):
3717
3718 2017-08-24  Ryan Haddad  <ryanhaddad@apple.com>
3719
3720         Skip flaky JSC test stress/test-finally.js.
3721         https://bugs.webkit.org/show_bug.cgi?id=160283
3722
3723         Unreviewed test gardening.
3724
3725         * stress/test-finally.js:
3726
3727 2017-08-23  Saam Barati  <sbarati@apple.com>
3728
3729         Support compiling catch in the DFG
3730         https://bugs.webkit.org/show_bug.cgi?id=174590
3731
3732         Reviewed by Filip Pizlo.
3733