6c4877b96fd5d48255eb6a5c4b675ee86e55efde
[WebKit-https.git] / JSTests / ChangeLog
1 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
4         https://bugs.webkit.org/show_bug.cgi?id=183310
5
6         Reviewed by Filip Pizlo.
7
8         * stress/ai-create-this-to-new-object-fire.js: Added.
9         (assert):
10         (test):
11         (func):
12         (check):
13         (test.body.A):
14         (test.body.B):
15         (test.body):
16         * stress/ai-create-this-to-new-object.js: Added.
17         (assert):
18         (test):
19         (func):
20         (check):
21         (test.body.A):
22         (test.body.B):
23         (test.body):
24
25 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
26
27         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
28         https://bugs.webkit.org/show_bug.cgi?id=181848
29
30         Reviewed by Sam Weinig.
31
32         * microbenchmarks/regexp-u-global-es5.js: Added.
33         (fn):
34         * microbenchmarks/regexp-u-global-es6.js: Added.
35         (fn):
36         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
37         (shouldBe):
38         (test):
39         (i.switch):
40         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
41         (shouldBe):
42         (test):
43
44 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
45
46         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
47         https://bugs.webkit.org/show_bug.cgi?id=183334
48
49         Reviewed by Žan Doberšek.
50
51         * stress/var-injection-cache-invalidation.js:
52
53 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
54
55         [ARM] Disable tests that run out of memory
56         https://bugs.webkit.org/show_bug.cgi?id=182699
57
58         Reviewed by Žan Doberšek.
59
60         Skip tests that run of of memory. Do not run
61         modules/module-jit-reachability.js without LLInt to prevent
62         running out of executable memory.
63
64         * modules.yaml:
65         * modules/module-jit-reachability.js:
66         * stress/has-own-property-name-cache-string-keys.js:
67         * stress/has-own-property-name-cache-symbol-keys.js:
68
69 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
70
71         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
72         https://bugs.webkit.org/show_bug.cgi?id=183173
73
74         Reviewed by Saam Barati.
75
76         * stress/async-arrow-function-in-class-heritage.js: Added.
77         (testSyntax):
78         (testSyntaxError):
79         (SyntaxError):
80
81 2018-03-01  Saam Barati  <sbarati@apple.com>
82
83         We need to clear cached structures when having a bad time
84         https://bugs.webkit.org/show_bug.cgi?id=183256
85         <rdar://problem/36245022>
86
87         Reviewed by Mark Lam.
88
89         * stress/having-a-bad-time-with-derived-arrays.js: Added.
90         (assert):
91         (defineSetter):
92         (iterate):
93         (doSlice):
94
95 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
96
97         JSC crash with `import("")`
98         https://bugs.webkit.org/show_bug.cgi?id=183175
99
100         Reviewed by Saam Barati.
101
102         * stress/import-with-empty-string.js: Added.
103
104 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
105
106         Unreviewed, skip FTL tests if FTL is disabled
107         https://bugs.webkit.org/show_bug.cgi?id=183071
108
109         * stress/has-indexed-property-array-storage-ftl.js:
110         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
111
112 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
113
114         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
115         https://bugs.webkit.org/show_bug.cgi?id=182965
116
117         Reviewed by Saam Barati.
118
119         * stress/put-by-val-array-storage.js: Added.
120         (shouldBe):
121         (testArrayStorageInBounds):
122         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
123         (shouldBe):
124         (testInt32.createBuiltin):
125         (set for):
126         * stress/put-by-val-slow-put-array-storage.js: Added.
127         (shouldBe):
128         (testArrayStorageInBounds):
129
130 2018-02-26  Saam Barati  <sbarati@apple.com>
131
132         validateStackAccess should not validate if the offset is within the stack bounds
133         https://bugs.webkit.org/show_bug.cgi?id=183067
134         <rdar://problem/37749988>
135
136         Reviewed by Mark Lam.
137
138         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
139         (assert):
140         (test.a):
141         (test.b):
142         (test):
143
144 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
145
146         Unreviewed, skip FTL tests if FTL is disabled
147         https://bugs.webkit.org/show_bug.cgi?id=183071
148
149         * stress/has-indexed-property-array-storage-ftl.js:
150         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
151
152 2018-02-23  Saam Barati  <sbarati@apple.com>
153
154         Make Number.isInteger an intrinsic
155         https://bugs.webkit.org/show_bug.cgi?id=183088
156
157         Reviewed by JF Bastien.
158
159         * stress/number-is-integer-intrinsic.js: Added.
160
161 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
162
163         WebAssembly: cache memory address / size on instance
164         https://bugs.webkit.org/show_bug.cgi?id=177305
165
166         Reviewed by JF Bastien.
167
168         * wasm/function-tests/memory-reuse.js: Added.
169         (createWasmInstance):
170         (doCheckTrap):
171         (doMemoryGrow):
172         (doCheck):
173         (checkWasmInstancesWithSharedMemory):
174
175 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
176
177         [JSC] Implement $vm.ftlTrue function for FTL testing
178         https://bugs.webkit.org/show_bug.cgi?id=183071
179
180         Reviewed by Mark Lam.
181
182         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
183         (foo):
184         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
185         (foo):
186         * stress/dead-fiat-value-to-int52.js:
187         (foo):
188         * stress/dead-osr-entry-value.js:
189         (foo):
190         * stress/fiat-value-to-int52-then-exit-not-double.js:
191         (foo):
192         * stress/fiat-value-to-int52-then-exit-not-int52.js:
193         (foo):
194         * stress/fiat-value-to-int52-then-fail-to-fold.js:
195         (foo):
196         * stress/fiat-value-to-int52-then-fold.js:
197         (foo):
198         * stress/fiat-value-to-int52.js:
199         (foo):
200         * stress/fold-based-on-int32-proof-mul-branch.js:
201         (foo):
202         * stress/fold-profiled-call-to-call.js:
203         (foo):
204         * stress/fold-to-double-constant-then-exit.js:
205         (foo):
206         * stress/fold-to-int52-constant-then-exit.js:
207         (foo):
208         * stress/fold-to-primitive-in-cfa.js:
209         (foo):
210         * stress/fold-to-primitive-to-identity-in-cfa.js:
211         (foo):
212         * stress/has-indexed-property-array-storage-ftl.js: Added.
213         (shouldBe):
214         (test1):
215         (test2):
216         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
217         (shouldBe):
218         (test1):
219         (test2):
220         * stress/int52-ai-add-then-filter-int32.js:
221         (foo):
222         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
223         (foo):
224         * stress/int52-ai-mul-then-filter-int32.js:
225         (foo):
226         * stress/int52-ai-neg-then-filter-int32.js:
227         (foo):
228         * stress/int52-ai-sub-then-filter-int32.js:
229         (foo):
230         * stress/licm-pre-header-cannot-exit-nested.js:
231         (foo):
232         * stress/licm-pre-header-cannot-exit.js:
233         (foo):
234         * stress/sparse-array-entry-update-144067.js:
235         (useMemoryToTriggerGCs):
236         * stress/test-spec-misc.js:
237         (foo):
238         * stress/tricky-array-bounds-checks.js:
239         (foo):
240
241 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
242
243         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
244         https://bugs.webkit.org/show_bug.cgi?id=182792
245
246         Reviewed by Mark Lam.
247
248         * stress/has-indexed-property-array-storage.js: Added.
249         (shouldBe):
250         (test1):
251         (test2):
252         * stress/has-indexed-property-slow-put-array-storage.js: Added.
253         (shouldBe):
254         (test1):
255         (test2):
256
257 2018-02-20  Saam Barati  <sbarati@apple.com>
258
259         DFG::VarargsForwardingPhase should eliminate getting argument length
260         https://bugs.webkit.org/show_bug.cgi?id=182959
261
262         Reviewed by Keith Miller.
263
264         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
265
266 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
267
268         [FTL] Support ArrayPush for ArrayStorage
269         https://bugs.webkit.org/show_bug.cgi?id=182782
270
271         Reviewed by Saam Barati.
272
273         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
274
275         * stress/array-push-array-storage-beyond-int32.js: Added.
276         (shouldBe):
277         (test):
278         * stress/array-push-array-storage.js: Added.
279         (shouldBe):
280         (test):
281         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
282         (shouldBe):
283         (test):
284         * stress/array-push-multiple-storage-continuous.js: Added.
285         (shouldBe):
286         (test):
287
288 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
289
290         [FTL] Support ArrayPop for ArrayStorage
291         https://bugs.webkit.org/show_bug.cgi?id=182783
292
293         Reviewed by Saam Barati.
294
295         * stress/array-pop-array-storage.js: Added.
296         (shouldBe):
297         (test):
298
299 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
300
301         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
302         https://bugs.webkit.org/show_bug.cgi?id=182731
303
304         Reviewed by Saam Barati.
305
306         * stress/arrayify-array-storage-array.js: Added.
307         (shouldBe):
308         (testArrayStorage):
309         * stress/arrayify-array-storage-non-array.js: Added.
310         (shouldBe):
311         (testArrayStorage):
312         * stress/arrayify-array-storage.js: Added.
313         (shouldBe):
314         (testArrayStorage):
315         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
316         (shouldBe):
317         (testArrayStorage):
318         * stress/arrayify-slow-put-array-storage.js: Added.
319         (shouldBe):
320         (testArrayStorage):
321
322 2018-02-19  Saam Barati  <sbarati@apple.com>
323
324         Don't use JSFunction's allocation profile when getting the prototype can be effectful
325         https://bugs.webkit.org/show_bug.cgi?id=182942
326         <rdar://problem/37584764>
327
328         Reviewed by Mark Lam.
329
330         * stress/get-prototype-create-this-effectful.js: Added.
331
332 2018-02-16  Saam Barati  <sbarati@apple.com>
333
334         Fix bugs from r228411
335         https://bugs.webkit.org/show_bug.cgi?id=182851
336         <rdar://problem/37577732>
337
338         Reviewed by JF Bastien.
339
340         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
341
342 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
343
344         Unreviewed, roll out r228366 since it did not progress anything.
345
346         * stress/gc-error-stack.js: Removed.
347         * stress/no-gc-error-stack.js: Removed.
348
349 2018-02-15  Tomas Popela  <tpopela@redhat.com>
350
351         Many stress tests fail with JIT disabled
352         https://bugs.webkit.org/show_bug.cgi?id=182730
353
354         Reviewed by Saam Barati.
355
356         These tests are broken by design if the JIT is disabled - they test
357         the return value of numberOfDFGCompiles(), which is always set to
358         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
359
360         * stress/arith-abs-on-various-types.js:
361         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
362         * stress/arith-acos-on-various-types.js:
363         * stress/arith-acosh-on-various-types.js:
364         * stress/arith-asin-on-various-types.js:
365         * stress/arith-asinh-on-various-types.js:
366         * stress/arith-atan-on-various-types.js:
367         * stress/arith-atanh-on-various-types.js:
368         * stress/arith-cbrt-on-various-types.js:
369         * stress/arith-ceil-on-various-types.js:
370         * stress/arith-clz32-on-various-types.js:
371         * stress/arith-cos-on-various-types.js:
372         * stress/arith-cosh-on-various-types.js:
373         * stress/arith-expm1-on-various-types.js:
374         * stress/arith-floor-on-various-types.js:
375         * stress/arith-fround-on-various-types.js:
376         * stress/arith-log-on-various-types.js:
377         * stress/arith-log10-on-various-types.js:
378         * stress/arith-log2-on-various-types.js:
379         * stress/arith-negate-on-various-types.js:
380         * stress/arith-round-on-various-types.js:
381         * stress/arith-sin-on-various-types.js:
382         * stress/arith-sinh-on-various-types.js:
383         * stress/arith-sqrt-on-various-types.js:
384         * stress/arith-tan-on-various-types.js:
385         * stress/arith-tanh-on-various-types.js:
386         * stress/arith-trunc-on-various-types.js:
387         * stress/compare-strict-eq-on-various-types.js:
388
389 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
390
391         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
392
393         Unreviewed test gardening.
394
395         * stress/new-largeish-contiguous-array-with-size.js:
396
397 2018-02-14  Saam Barati  <sbarati@apple.com>
398
399         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
400         https://bugs.webkit.org/show_bug.cgi?id=182801
401
402         Reviewed by Keith Miller.
403
404         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
405
406 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
407
408         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
409         https://bugs.webkit.org/show_bug.cgi?id=182526
410
411         Unreviewed test gardening.
412
413         * stress/activation-sink-default-value-tdz-error.js:
414
415 2018-02-13  Saam Barati  <sbarati@apple.com>
416
417         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
418         https://bugs.webkit.org/show_bug.cgi?id=182755
419         <rdar://problem/37080864>
420
421         Reviewed by Keith Miller.
422
423         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
424         (test1.o.get 10005):
425         (test1):
426         (test2.o.get 1000):
427         (test2):
428
429 2018-02-13  Caitlin Potter  <caitp@igalia.com>
430
431         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
432         https://bugs.webkit.org/show_bug.cgi?id=182717
433
434         Reviewed by Yusuke Suzuki.
435
436         https://github.com/tc39/ecma262/pull/890 imposes a change to template
437         literals, to allow template callsite arrays to be collected when the
438         code containing the tagged template call is collected. This spec change
439         has received concensus and been ratified.
440
441         This change eliminates the eternal map associating template contents
442         with arrays.
443
444         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
445         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
446         * stress/tagged-templates-identity.js:
447         * stress/template-string-tags-eval.js:
448         * test262.yaml:
449
450 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
451
452         Support GetArrayLength on ArrayStorage in the FTL
453         https://bugs.webkit.org/show_bug.cgi?id=182625
454
455         Reviewed by Saam Barati.
456
457         * stress/array-storage-length.js: Added.
458         (shouldBe):
459         (testInBound):
460         (testUncountable):
461         (testSlowPutInBound):
462         (testSlowPutUncountable):
463         * stress/undecided-length.js: Added.
464         (shouldBe):
465         (test2):
466
467 2018-02-12  Saam Barati  <sbarati@apple.com>
468
469         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
470         https://bugs.webkit.org/show_bug.cgi?id=182706
471         <rdar://problem/36833681>
472
473         Reviewed by Filip Pizlo.
474
475         * stress/get-array-length-phantom-new-array-buffer.js: Added.
476         (effects):
477         (foo):
478
479 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
480
481         Don't waste memory for error.stack
482         https://bugs.webkit.org/show_bug.cgi?id=182656
483
484         Reviewed by Saam Barati.
485         
486         Tests the policy.
487
488         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
489         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
490
491 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
492
493         [JSC] Update Test262 to Feb 9 version
494         https://bugs.webkit.org/show_bug.cgi?id=182468
495
496         Reviewed by Saam Barati.
497
498 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
499
500         Unreviewed, fix invalid line terminator in old test262 file part 2
501         https://bugs.webkit.org/show_bug.cgi?id=182468
502
503         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
504
505 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
506
507         Unreviewed, fix invalid line terminator in old test262 file
508         https://bugs.webkit.org/show_bug.cgi?id=182468
509
510         * test262/test/language/literals/regexp/7.8.5-1.js:
511
512 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
513
514         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
515         https://bugs.webkit.org/show_bug.cgi?id=182440
516
517         Reviewed by Darin Adler.
518
519         * stress/array-flatmap.js: Added.
520         (shouldBe):
521         (shouldBeArray):
522         (shouldThrow):
523         (var):
524         * stress/array-flatten.js: Added.
525         (shouldBe):
526         (shouldBeArray):
527         * test262.yaml:
528         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
529         (3.flatMap):
530         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
531
532 2018-02-06  Keith Miller  <keith_miller@apple.com>
533
534         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
535         https://bugs.webkit.org/show_bug.cgi?id=182549
536         <rdar://problem/36189995>
537
538         Reviewed by Saam Barati.
539
540         * stress/var-injection-cache-invalidation.js: Added.
541         (allocateLotsOfThings):
542         (test):
543
544 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
545
546         Unreviewed, follow up for test262 update
547         https://bugs.webkit.org/show_bug.cgi?id=182288
548
549         * test262.yaml:
550
551 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
552
553         Update test262 to Jan 30 version
554         https://bugs.webkit.org/show_bug.cgi?id=182288
555
556         Unreviewed test gardening.
557
558         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
559
560 2018-02-02  Saam Barati  <sbarati@apple.com>
561
562         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
563         https://bugs.webkit.org/show_bug.cgi?id=182368
564         <rdar://problem/36932466>
565
566         Reviewed by Mark Lam.
567
568         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
569         (runNearStackLimit.t):
570         (runNearStackLimit):
571         (try.runNearStackLimit):
572         (catch):
573
574 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
575
576         Update test262 to Jan 30 version
577         https://bugs.webkit.org/show_bug.cgi?id=182288
578
579         Rubber stamped by Saam Barati.
580
581         This patch updates test262 to the latest one, Jan 30 version.
582         Since added and changed files are too many, we cannot create ChangeLog.
583         The following files are changed.
584
585         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
586         including some special line terminators (like u2028, u2029).
587
588         * test262.yaml:
589         * test262/test262-Revision.txt:
590         * test262/*:
591
592 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
593
594         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
595         https://bugs.webkit.org/show_bug.cgi?id=182411
596
597         Reviewed by Carlos Alberto Lopez Perez.
598
599         This is skipped only on arm memory limited platforms. Until recently
600         it was not a problem on MIPS as the butterfly was not initialized. But
601         since r227435, the butterfly is initialized in that test and therefore
602         memory is allocated, and the test typically takes around 512M, which
603         means it generally gets OOM-killed on the MIPS buildbot.
604
605         * mozilla/mozilla-tests.yaml:
606
607 2018-02-01  Mark Lam  <mark.lam@apple.com>
608
609         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
610         https://bugs.webkit.org/show_bug.cgi?id=182419
611         <rdar://problem/37044945>
612
613         Reviewed by Saam Barati.
614
615         * stress/regress-182419.js: Added.
616
617 2018-02-01  Keith Miller  <keith_miller@apple.com>
618
619         Fix crashes due to mishandling custom sections.
620         https://bugs.webkit.org/show_bug.cgi?id=182404
621         <rdar://problem/36935863>
622
623         Reviewed by Saam Barati.
624
625         * wasm/Builder.js:
626         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
627         * wasm/js-api/validate.js:
628         (assert.truthy):
629
630 2018-01-31  Saam Barati  <sbarati@apple.com>
631
632         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
633         https://bugs.webkit.org/show_bug.cgi?id=182074
634         <rdar://problem/36846261>
635
636         Reviewed by Mark Lam.
637
638         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
639         (assert):
640         (let.func):
641         (let.o.foo):
642         (varFunc):
643
644 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
645
646         Unreviewed, update test262 expects
647         https://bugs.webkit.org/show_bug.cgi?id=182232
648
649         * test262.yaml:
650
651 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
652
653         [JSC] Implement trimStart and trimEnd
654         https://bugs.webkit.org/show_bug.cgi?id=182233
655
656         Reviewed by Mark Lam.
657
658         * stress/trim.js: Added.
659         (shouldBe):
660         (startTest):
661         (endTest):
662         (trimTest):
663
664 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
665
666         [JSC] Relax line terminators in String to make JSON subset of JS
667         https://bugs.webkit.org/show_bug.cgi?id=182232
668
669         Reviewed by Keith Miller.
670
671         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
672         * stress/relaxed-line-terminators-in-string.js: Added.
673         (shouldBe):
674
675 2018-01-29  Michael Saboff  <msaboff@apple.com>
676
677         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
678         https://bugs.webkit.org/show_bug.cgi?id=182249
679
680         Reviewed by Keith Miller.
681
682         New regression test.
683
684         * stress/compare-clobber-untypeduse.js: Added.
685
686 2018-01-29  Matt Lewis  <jlewis3@apple.com>
687
688         Unreviewed, rolling out r227725.
689
690         This caused internal failures.
691
692         Reverted changeset:
693
694         "JSC Sampling Profiler: Detect tester and testee when sampling
695         in RegExp JIT"
696         https://bugs.webkit.org/show_bug.cgi?id=152729
697         https://trac.webkit.org/changeset/227725
698
699 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
700
701         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
702         https://bugs.webkit.org/show_bug.cgi?id=152729
703
704         Reviewed by Saam Barati.
705
706         * stress/sampling-profiler-regexp.js: Added.
707         (platformSupportsSamplingProfiler.test):
708         (platformSupportsSamplingProfiler.baz):
709         (platformSupportsSamplingProfiler):
710
711 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
712
713         [DFG][FTL] WeakMap#set should have DFG node
714         https://bugs.webkit.org/show_bug.cgi?id=180015
715
716         Reviewed by Saam Barati.
717
718         * stress/weakmap-set-change-get.js: Added.
719         (shouldBe):
720         (test):
721         * stress/weakmap-set-cse.js: Added.
722         (shouldBe):
723         (test):
724         * stress/weakset-add-change-get.js: Added.
725         (shouldBe):
726         * stress/weakset-add-cse.js: Added.
727         (shouldBe):
728
729 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
730
731         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
732         https://bugs.webkit.org/show_bug.cgi?id=182213
733
734         Reviewed by Mark Lam.
735
736         * stress/int32-min-to-string.js: Added.
737         (shouldBe):
738         (test2):
739         (test4):
740         (test8):
741         (test16):
742         (test32):
743         * stress/zero-to-string.js: Added.
744         (shouldBe):
745         (test2):
746         (test4):
747         (test8):
748         (test16):
749         (test32):
750
751 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
752
753         Add more module scope related tests with code evaluation by string
754         https://bugs.webkit.org/show_bug.cgi?id=181983
755
756         Reviewed by Sam Weinig.
757
758         Add more module scope related tests. When the original tests are landed,
759         we do not have browser integration. This patch adds more module scope tests
760         with dynamically created script evaluation. We add tests with Function
761         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
762
763         * modules/scopes-eval.js: Added.
764         (shouldBe):
765         * modules/scopes.js:
766         (shouldBe):
767
768 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
769
770         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
771
772         * microbenchmarks/array-push-3.js: Removed.
773         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
774         * microbenchmarks/double-to-int32.js: Removed.
775         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
776         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
777         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
778         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
779         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
780         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
781         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
782         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
783         * microbenchmarks/map-constant-key.js: Removed.
784         * microbenchmarks/nested-function-parsing.js: Removed.
785         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
786         * microbenchmarks/spread-large-array.js: Removed.
787         * microbenchmarks/string-add-constant-folding.js: Removed.
788         * microbenchmarks/to-lower-case.js: Removed.
789         * microbenchmarks/undefined-property-access.js: Removed.
790         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
791         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
792         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
793         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
794         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
795         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
796         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
797         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
798         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
799         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
800         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
801         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
802         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
803         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
804         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
805         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
806         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
807         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
808
809 2018-01-23  Robin Morisset  <rmorisset@apple.com>
810
811         Update the argument count in DFGByteCodeParser::handleRecursiveCall
812         https://bugs.webkit.org/show_bug.cgi?id=181739
813         <rdar://problem/36627662>
814
815         Reviewed by Saam Barati.
816
817         * stress/recursive-tail-call-with-different-argument-count.js: Added.
818         (foo):
819         (bar):
820
821 2018-01-22  Michael Saboff  <msaboff@apple.com>
822
823         DFG abstract interpreter needs to properly model effects of some Math ops
824         https://bugs.webkit.org/show_bug.cgi?id=181886
825
826         Reviewed by Saam Barati.
827
828         New regression test.
829
830         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
831         (test):
832
833 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
834
835         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
836         https://bugs.webkit.org/show_bug.cgi?id=181182
837
838         Reviewed by Darin Adler.
839
840         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
841         * stress/big-int-prototype-to-string-exception.js: Added.
842         * stress/big-int-prototype-to-string-wrong-values.js: Added.
843         * stress/number-prototype-to-string-cast-overflow.js: Added.
844         * stress/number-prototype-to-string-exception.js: Added.
845         * stress/number-prototype-to-string-wrong-values.js: Added.
846
847 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
848
849         Disable Atomics when SharedArrayBuffer isn’t enabled
850         https://bugs.webkit.org/show_bug.cgi?id=181572
851
852         Unreviewed test gardening.
853
854         * test262.yaml: Skip tests that fail after this change.
855
856 2018-01-19  Saam Barati  <sbarati@apple.com>
857
858         Kill ArithNegate's ArithProfile assert inside BytecodeParser
859         https://bugs.webkit.org/show_bug.cgi?id=181877
860         <rdar://problem/36630552>
861
862         Reviewed by Mark Lam.
863
864         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
865         (runNearStackLimit):
866         (f1):
867         (f2):
868         (f3):
869         (i.catch):
870         (i.try.runNearStackLimit):
871         (catch):
872
873 2018-01-19  Saam Barati  <sbarati@apple.com>
874
875         Spread's effects are modeled incorrectly both in AI and in Clobberize
876         https://bugs.webkit.org/show_bug.cgi?id=181867
877         <rdar://problem/36290415>
878
879         Reviewed by Michael Saboff.
880
881         * stress/ai-needs-to-model-spreads-effects.js: Added.
882         (try.p.Symbol.iterator):
883         (try.go):
884         (catch):
885         * stress/clobberize-needs-to-model-spread-effects.js: Added.
886         (assert):
887         (foo):
888         (a.Symbol.iterator):
889
890 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
891
892         Unreviewed, reduce count of iteration to fix timing out debug JSC test
893         https://bugs.webkit.org/show_bug.cgi?id=181535
894
895         * stress/inserted-recovery-with-set-last-index.js:
896
897 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
898
899         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
900         https://bugs.webkit.org/show_bug.cgi?id=181535
901
902         Reviewed by Saam Barati.
903
904         * stress/inserted-recovery-with-set-last-index.js: Added.
905         (shouldBe):
906         (foo):
907         * stress/materialize-regexp-at-osr-exit.js: Added.
908         (shouldBe):
909         (test):
910         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
911         (shouldBe):
912         (test):
913         * stress/materialize-regexp-cyclic-regexp.js: Added.
914         (shouldBe):
915         (test):
916         (i.switch):
917         * stress/materialize-regexp-cyclic.js: Added.
918         (shouldBe):
919         (test):
920         (i.switch):
921         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
922         (bar):
923         (foo):
924         (test):
925         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
926         (bar):
927         (foo):
928         (test):
929         * stress/materialize-regexp.js: Added.
930         (shouldBe):
931         (test):
932         * stress/phantom-regexp-regexp-exec.js: Added.
933         (shouldBe):
934         (test):
935         * stress/phantom-regexp-string-match.js: Added.
936         (shouldBe):
937         (test):
938         * stress/regexp-last-index-sinking.js: Added.
939         (shouldBe):
940         (test):
941
942 2018-01-17  Saam Barati  <sbarati@apple.com>
943
944         Disable Atomics when SharedArrayBuffer isn’t enabled
945         https://bugs.webkit.org/show_bug.cgi?id=181572
946         <rdar://problem/36553206>
947
948         Reviewed by Michael Saboff.
949
950         * stress/isLockFree.js:
951
952 2018-01-17  Saam Barati  <sbarati@apple.com>
953
954         DFG::Node::convertToConstant needs to clear the varargs flags
955         https://bugs.webkit.org/show_bug.cgi?id=181697
956         <rdar://problem/36497332>
957
958         Reviewed by Yusuke Suzuki.
959
960         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
961         (doIndexOf):
962         (bar):
963         (i.bar):
964
965 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
966
967         Unreviewed, rolling out r226937.
968
969         Tests added with this change are failing due to a missing
970         exception check.
971
972         Reverted changeset:
973
974         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
975         double to int32_t"
976         https://bugs.webkit.org/show_bug.cgi?id=181182
977         https://trac.webkit.org/changeset/226937
978
979 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
980
981         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
982         https://bugs.webkit.org/show_bug.cgi?id=181182
983
984         Reviewed by Darin Adler.
985
986         * bigIntTests.yaml:
987         * stress/big-int-constructor.js:
988         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
989         (assert):
990         (assertThrowRangeError):
991         * stress/number-prototype-to-string-cast-overflow.js: Added.
992         (assert):
993         (assertThrowRangeError):
994
995 2018-01-12  Saam Barati  <sbarati@apple.com>
996
997         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
998         https://bugs.webkit.org/show_bug.cgi?id=181177
999         <rdar://problem/36205704>
1000
1001         Reviewed by Yusuke Suzuki.
1002
1003         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1004         (runNearStackLimit.t):
1005         (runNearStackLimit):
1006         (test.f):
1007         (test):
1008
1009 2018-01-12  Saam Barati  <sbarati@apple.com>
1010
1011         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1012         https://bugs.webkit.org/show_bug.cgi?id=181562
1013         <rdar://problem/36445624>
1014
1015         Reviewed by Yusuke Suzuki.
1016
1017         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1018         (f):
1019         (foo):
1020
1021 2018-01-11  Saam Barati  <sbarati@apple.com>
1022
1023         When inserting Unreachable in byte code parser we need to flush all the right things
1024         https://bugs.webkit.org/show_bug.cgi?id=181509
1025         <rdar://problem/36423110>
1026
1027         Reviewed by Mark Lam.
1028
1029         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1030
1031 2018-01-11  Saam Barati  <sbarati@apple.com>
1032
1033         JITMathIC code in the FTL is wrong when code gets duplicated
1034         https://bugs.webkit.org/show_bug.cgi?id=181525
1035         <rdar://problem/36351993>
1036
1037         Reviewed by Michael Saboff and Keith Miller.
1038
1039         * stress/allow-math-ic-b3-code-duplication.js: Added.
1040
1041 2018-01-11  Saam Barati  <sbarati@apple.com>
1042
1043         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1044         https://bugs.webkit.org/show_bug.cgi?id=181508
1045
1046         Reviewed by Yusuke Suzuki.
1047
1048         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1049         (assert):
1050         (test1.foo):
1051         (test1):
1052         (test2.foo):
1053         (test2):
1054
1055 2018-01-09  Mark Lam  <mark.lam@apple.com>
1056
1057         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1058         https://bugs.webkit.org/show_bug.cgi?id=181388
1059         <rdar://problem/36349351>
1060
1061         Reviewed by Saam Barati.
1062
1063         * stress/regress-181388.js: Added.
1064
1065 2018-01-08  JF Bastien  <jfbastien@apple.com>
1066
1067         WebAssembly: mask indexed accesses to Table
1068         https://bugs.webkit.org/show_bug.cgi?id=181412
1069         <rdar://problem/36363236>
1070
1071         Reviewed by Saam Barati.
1072
1073         Update error messages.
1074
1075         * wasm/js-api/table.js:
1076         (assert.throws.WebAssembly.Table.prototype.grow):
1077
1078 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1079
1080         Disable SharedArrayBuffer tests missed in r226386.
1081         https://bugs.webkit.org/show_bug.cgi?id=181266
1082
1083         Unreviewed test gardening.
1084
1085         * test262.yaml:
1086
1087 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1088
1089         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1090         https://bugs.webkit.org/show_bug.cgi?id=181321
1091
1092         Reviewed by Saam Barati.
1093
1094         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1095         (shouldBe):
1096         (testFunction):
1097         * test262.yaml:
1098
1099 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1100
1101         Unreviewed, attempt to fix test262 after r226386.
1102
1103         * test262.yaml:
1104
1105 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1106
1107         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1108         https://bugs.webkit.org/show_bug.cgi?id=179911
1109
1110         Reviewed by Saam Barati.
1111
1112         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1113
1114         * stress/map-set-change-get.js: Added.
1115         (shouldBe):
1116         (test):
1117         * stress/map-set-create-bucket.js: Added.
1118         (shouldBe):
1119         (test):
1120         * stress/set-add-create-bucket.js: Added.
1121         (shouldBe):
1122
1123 2018-01-03  Michael Saboff  <msaboff@apple.com>
1124
1125         Disable SharedArrayBuffers from Web API
1126         https://bugs.webkit.org/show_bug.cgi?id=181266
1127
1128         Reviewed by Saam Barati.
1129
1130         Disabled SharedArrayBuffer tests.
1131
1132         * stress/SharedArrayBuffer-opt.js:
1133         * stress/SharedArrayBuffer.js:
1134         * stress/array-buffer-byte-length.js:
1135         * stress/atomics-add-uint32.js:
1136         * stress/atomics-known-int-use.js:
1137         * stress/atomics-neg-zero.js:
1138         * stress/atomics-store-return.js:
1139         * stress/lars-sab-workers.js:
1140         * stress/regress-159779-1.js:
1141         * stress/regress-159779-2.js:
1142         * stress/regress-170473.js:
1143         * test262.yaml:
1144
1145 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1146
1147         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1148         https://bugs.webkit.org/show_bug.cgi?id=181258
1149
1150         Reviewed by Antonio Gomes.
1151
1152         * stress/big-int-constructor-gc.js:
1153         * stress/big-int-constructor-oom.js:
1154
1155 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1156
1157         Inlining of a function that ends in op_unreachable crashes
1158         https://bugs.webkit.org/show_bug.cgi?id=181027
1159
1160         Reviewed by Filip Pizlo.
1161
1162         * stress/inlining-unreachable.js: Added.
1163         (bar):
1164         (baz):
1165         (i.catch):
1166
1167 2018-01-02  Saam Barati  <sbarati@apple.com>
1168
1169         Incorrect assertion inside AccessCase
1170         https://bugs.webkit.org/show_bug.cgi?id=181200
1171         <rdar://problem/35494754>
1172
1173         Reviewed by Yusuke Suzuki.
1174
1175         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1176         (ctor):
1177         (theFunc):
1178         (run):
1179
1180 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1181
1182         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1183         https://bugs.webkit.org/show_bug.cgi?id=175359
1184
1185         Reviewed by Yusuke Suzuki.
1186
1187         * bigIntTests.yaml:
1188         * stress/big-int-as-key.js: Added.
1189         * stress/big-int-constructor-gc.js: Added.
1190         * stress/big-int-constructor-oom.js: Added.
1191         * stress/big-int-constructor-properties.js: Added.
1192         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1193         * stress/big-int-constructor-prototype.js: Added.
1194         * stress/big-int-constructor.js: Added.
1195         * stress/big-int-function-apply.js:
1196         * stress/big-int-length.js: Added.
1197         * stress/big-int-prop-descriptor.js: Added.
1198         * stress/big-int-proto-constructor.js: Added.
1199         * stress/big-int-proto-name.js: Added.
1200         * stress/big-int-prototype-properties.js: Added.
1201         * stress/big-int-prototype-proto.js: Added.
1202         * stress/big-int-prototype-value-of.js: Added.
1203         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1204         * stress/big-int-prototype-to-string-apply.js: Added.
1205         * stress/big-int-to-object.js: Added.
1206         * stress/big-int-to-string.js: Added.
1207
1208 2017-12-28  Saam Barati  <sbarati@apple.com>
1209
1210         Assertion used to determine if something is an async generator is wrong
1211         https://bugs.webkit.org/show_bug.cgi?id=181168
1212         <rdar://problem/35640560>
1213
1214         Reviewed by Yusuke Suzuki.
1215
1216         * stress/async-generator-assertion.js: Added.
1217
1218 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1219
1220         Skip stress/splay-flash-access tests on memory limited platforms
1221         https://bugs.webkit.org/show_bug.cgi?id=181086
1222
1223         Reviewed by Carlos Alberto Lopez Perez.
1224
1225         These tests use about 185M of memory, and occasionally get OOM-killed
1226         on memory limited platforms.
1227
1228         * stress/splay-flash-access-1ms.js:
1229         * stress/splay-flash-access.js:
1230
1231 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1232
1233         Skip slow jsc tests on embedded platforms
1234         https://bugs.webkit.org/show_bug.cgi?id=180937
1235
1236         Reviewed by Carlos Alberto Lopez Perez.
1237
1238         The tests typeProfiler/deltablue-for-of.js and
1239         typeProfiler/getter-richards.js take a very long time in the
1240         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1241         thus always timeout. They should be skipped on these platforms.
1242
1243         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1244         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1245
1246 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1247
1248         [JSC] Do not check isValid() in op_new_regexp
1249         https://bugs.webkit.org/show_bug.cgi?id=180970
1250
1251         Reviewed by Saam Barati.
1252
1253         * stress/regexp-syntax-error-invalid-flags.js: Added.
1254         (shouldThrow):
1255
1256 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1257
1258         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1259         https://bugs.webkit.org/show_bug.cgi?id=180712
1260
1261         Reviewed by Michael Catanzaro.
1262
1263         stress/call-apply-exponential-bytecode-size.js crashes if the
1264         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1265         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1266         should skip the test on other platforms.
1267
1268         * stress/call-apply-exponential-bytecode-size.js:
1269
1270 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1271
1272         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1273         https://bugs.webkit.org/show_bug.cgi?id=179762
1274
1275         Reviewed by Saam Barati.
1276
1277         * stress/call-varargs-double-new-array-buffer.js: Added.
1278         (assert):
1279         (bar):
1280         (foo):
1281         * stress/call-varargs-spread-new-array-buffer.js: Added.
1282         (assert):
1283         (bar):
1284         (foo):
1285         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1286         (assert):
1287         (bar):
1288         (foo):
1289         * stress/forward-varargs-double-new-array-buffer.js: Added.
1290         (assert):
1291         (test.baz):
1292         (test.bar):
1293         (test.foo):
1294         (test):
1295         * stress/new-array-buffer-sinking-osrexit.js: Added.
1296         (target):
1297         (test):
1298         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1299         (shouldBe):
1300         (test):
1301         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1302         (shouldBe):
1303         (target):
1304         (test):
1305         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1306         (assert):
1307         (test1.bar):
1308         (test1.foo):
1309         (test1):
1310         (test2.bar):
1311         (test2.foo):
1312         (test3.baz):
1313         (test3.bar):
1314         (test3.foo):
1315         (test4.baz):
1316         (test4.bar):
1317         (test4.foo):
1318         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1319         (assert):
1320         (test.baz):
1321         (test.bar):
1322         (test.foo):
1323         (test):
1324         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1325         (assert):
1326         (baz):
1327         (bar):
1328         (effects):
1329         (foo):
1330
1331 2017-12-14  Saam Barati  <sbarati@apple.com>
1332
1333         The CleanUp after LICM is erroneously removing a Check
1334         https://bugs.webkit.org/show_bug.cgi?id=180852
1335         <rdar://problem/36063494>
1336
1337         Reviewed by Filip Pizlo.
1338
1339         * stress/dont-run-cleanup-after-licm.js: Added.
1340
1341 2017-12-14  Michael Saboff  <msaboff@apple.com>
1342
1343         REGRESSION (r225695): Repro crash on yahoo login page
1344         https://bugs.webkit.org/show_bug.cgi?id=180761
1345
1346         Reviewed by JF Bastien.
1347
1348         New regression test.
1349
1350         * stress/regress-180761.js: Added.
1351
1352 2017-12-13  Keith Miller  <keith_miller@apple.com>
1353
1354         JSObjects should have a mask for loading indexed properties
1355         https://bugs.webkit.org/show_bug.cgi?id=180768
1356
1357         Reviewed by Mark Lam.
1358
1359         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1360         (test):
1361
1362 2017-12-13  Saam Barati  <sbarati@apple.com>
1363
1364         Arrow functions need their own structure because they have different properties than sloppy functions
1365         https://bugs.webkit.org/show_bug.cgi?id=180779
1366         <rdar://problem/35814591>
1367
1368         Reviewed by Mark Lam.
1369
1370         * stress/arrow-function-needs-its-own-structure.js: Added.
1371         (assert):
1372         (readPrototype):
1373         (noInline.let.f1):
1374         (noInline):
1375
1376 2017-12-13  Saam Barati  <sbarati@apple.com>
1377
1378         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1379         https://bugs.webkit.org/show_bug.cgi?id=163579
1380         <rdar://problem/35455798>
1381
1382         Reviewed by Mark Lam.
1383
1384         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1385         (assert):
1386         (test1):
1387         (i.test1):
1388         (i.test1.C):
1389         (i.test1.async.foo):
1390         (i.test1.foo):
1391         (test2):
1392
1393 2017-12-13  Saam Barati  <sbarati@apple.com>
1394
1395         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1396         https://bugs.webkit.org/show_bug.cgi?id=180734
1397         <rdar://problem/35640547>
1398
1399         Reviewed by Yusuke Suzuki.
1400
1401         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1402         (__isPropertyOfType):
1403         (__getProperties):
1404         (__getObjects):
1405         (__getRandomObject):
1406         (theClass.):
1407         (theClass):
1408         (childClass):
1409         (counter.catch):
1410
1411 2017-12-12  Saam Barati  <sbarati@apple.com>
1412
1413         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1414         https://bugs.webkit.org/show_bug.cgi?id=180725
1415         <rdar://problem/35970511>
1416
1417         Reviewed by Michael Saboff.
1418
1419         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1420         (f1):
1421         (f2):
1422         (let.o2.valueOf):
1423
1424 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1425
1426         [JSC] Implement optimized WeakMap and WeakSet
1427         https://bugs.webkit.org/show_bug.cgi?id=179929
1428
1429         Reviewed by Saam Barati.
1430
1431         * microbenchmarks/weak-map-key.js:
1432         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1433         (assert):
1434         (objectKey):
1435         (let.start.Date.now):
1436         * stress/basic-weakmap.js: Added.
1437         (shouldBe):
1438         (test):
1439         * stress/basic-weakset.js: Added.
1440         (shouldBe):
1441         (test.set new):
1442         * stress/weakmap-cse-set-break.js: Added.
1443         (shouldBe):
1444         (test):
1445         * stress/weakmap-cse.js: Added.
1446         (shouldBe):
1447         (test):
1448         * stress/weakmap-gc.js: Added.
1449         (test):
1450         * stress/weakset-cse-add-break.js: Added.
1451         (shouldBe):
1452         (test.set new):
1453         * stress/weakset-cse.js: Added.
1454         (shouldBe):
1455         (test.set new):
1456         * stress/weakset-gc.js: Added.
1457         (test.set add):
1458         (test.set new):
1459         (test):
1460
1461 2017-12-12  Saam Barati  <sbarati@apple.com>
1462
1463         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1464         https://bugs.webkit.org/show_bug.cgi?id=180723
1465         <rdar://problem/35859726>
1466
1467         Reviewed by JF Bastien.
1468
1469         * stress/get-my-argument-by-val-constant-folding.js: Added.
1470         (test):
1471         (catch):
1472
1473 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1474
1475         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1476         https://bugs.webkit.org/show_bug.cgi?id=179000
1477
1478         Reviewed by Darin Adler and Yusuke Suzuki.
1479
1480         * bigIntTests.yaml: Added.
1481         * stress/big-int-literal-line-terminator.js: Added.
1482         * stress/big-int-literals.js: Added.
1483         * stress/big-int-operations-error.js: Added.
1484         * stress/big-int-type-of.js: Added.
1485         * stress/big-int-white-space-trailing-leading.js: Added.
1486         * stress/big-int-function-apply.js: Added.
1487
1488 2017-12-11  Saam Barati  <sbarati@apple.com>
1489
1490         We need to disableCaching() in ErrorInstance when we materialize properties
1491         https://bugs.webkit.org/show_bug.cgi?id=180343
1492         <rdar://problem/35833002>
1493
1494         Reviewed by Mark Lam.
1495
1496         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1497         (assert):
1498         (makeError):
1499         (storeToStack):
1500         (storeToStackAlreadyMaterialized):
1501
1502 2017-12-05  JF Bastien  <jfbastien@apple.com>
1503
1504         WebAssembly: don't eagerly checksum
1505         https://bugs.webkit.org/show_bug.cgi?id=180441
1506         <rdar://problem/35156628>
1507
1508         Reviewed by Saam Barati.
1509
1510         Checksum is now disabled, so tests only have <?> as the module
1511         name.
1512
1513         * wasm/function-tests/nameSection.js:
1514         * wasm/function-tests/stack-overflow.js:
1515         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1516         (assertOverflows.assertThrows):
1517         (assertOverflows):
1518         * wasm/function-tests/stack-trace.js:
1519
1520 2017-12-04  JF Bastien  <jfbastien@apple.com>
1521
1522         Proxy all functions, except the $ objects
1523         https://bugs.webkit.org/show_bug.cgi?id=180375
1524
1525         Reviewed by Saam Barati.
1526
1527         It looks like this test may have broken some executions because I
1528         call some internal objects. Explicitly ignore objects whose name
1529         starts with "$" because it's a bad idea anyways.
1530
1531         * stress/proxy-all-the-parameters.js:
1532         (generateObjects):
1533         (get throw):
1534
1535 2017-12-04  Saam Barati  <sbarati@apple.com>
1536
1537         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1538         https://bugs.webkit.org/show_bug.cgi?id=180366
1539         <rdar://problem/35685877>
1540
1541         Reviewed by Michael Saboff.
1542
1543         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1544         (theParent):
1545         (test1.base.getParentStaticValue):
1546         (test1.base):
1547         (test1.__v_24888.prototype.set prop):
1548         (test1.__v_24888):
1549         (test2.base.getParentStaticValue):
1550         (test2.base):
1551         (test2.__v_24888.prototype.set prop):
1552         (test2.__v_24888):
1553         (test2):
1554
1555 2017-12-01  JF Bastien  <jfbastien@apple.com>
1556
1557         Try proxying all function arguments
1558         https://bugs.webkit.org/show_bug.cgi?id=180306
1559
1560         Reviewed by Saam Barati.
1561
1562         * stress/proxy-all-the-parameters.js: Added.
1563         (isPropertyOfType):
1564         (getProperties):
1565         (generateObjects):
1566         (getObjects):
1567         (getFunctions):
1568         (get throw):
1569         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1570
1571 2017-12-01  JF Bastien  <jfbastien@apple.com>
1572
1573         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1574         https://bugs.webkit.org/show_bug.cgi?id=180297
1575         <rdar://problem/35745556>
1576
1577         Reviewed by Mark Lam.
1578
1579         * stress/math-exceptions.js: Added.
1580         (get try):
1581         (catch):
1582
1583 2017-12-01  JF Bastien  <jfbastien@apple.com>
1584
1585         JavaScriptCore: add test for weird class static getters
1586         https://bugs.webkit.org/show_bug.cgi?id=180281
1587         <rdar://problem/35592139>
1588
1589         Reviewed by Mark Lam.
1590
1591         I fixed a bug for it in r224927 and didn't add a test. Do so.
1592
1593         * stress/class-static-get-weird.js: Added.
1594         (c.prototype.get name):
1595         (c):
1596         (c.prototype.get arguments):
1597         (c.prototype.get caller):
1598         (c.prototype.get length):
1599
1600 2017-12-01  Saam Barati  <sbarati@apple.com>
1601
1602         Having a bad time needs to handle ArrayClass indexing type as well
1603         https://bugs.webkit.org/show_bug.cgi?id=180274
1604         <rdar://problem/35667869>
1605
1606         Reviewed by Keith Miller and Mark Lam.
1607
1608         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1609         (assert):
1610         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1611         (assert):
1612
1613 2017-12-01  JF Bastien  <jfbastien@apple.com>
1614
1615         WebAssembly: restore cached stack limit after out-call
1616         https://bugs.webkit.org/show_bug.cgi?id=179106
1617         <rdar://problem/35337525>
1618
1619         Reviewed by Saam Barati.
1620
1621         * wasm/function-tests/double-instance.js: Added.
1622         (const.imp.boom):
1623         (const.imp.get callAnother):
1624
1625 2017-11-30  JF Bastien  <jfbastien@apple.com>
1626
1627         WebAssembly: improve stack trace
1628         https://bugs.webkit.org/show_bug.cgi?id=179343
1629
1630         Reviewed by Saam Barati.
1631
1632         Update the tests to follow the new format. Notably, SHA1 module
1633         hash is now included in traces, and stubs are properly identified.
1634
1635         * wasm/assert.js: Add an assertion which matches regular expressions.
1636         * wasm/function-tests/nameSection.js:
1637         * wasm/function-tests/stack-overflow.js:
1638         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1639         (assertOverflows.assertThrows.wasm.1):
1640         (assertOverflows.assertThrows.wasm.0):
1641         (assertOverflows.assertThrows):
1642         (assertOverflows):
1643         * wasm/function-tests/stack-trace.js:
1644         (import.Builder.from.string_appeared_here.assert): Deleted.
1645         * wasm/function-tests/trap-after-cross-instance-call.js:
1646         (wasmFrameCountFromError):
1647         * wasm/function-tests/trap-load-2.js:
1648         (wasmFrameCountFromError):
1649         * wasm/function-tests/trap-load.js:
1650         (wasmFrameCountFromError):
1651
1652 2017-11-30  Mark Lam  <mark.lam@apple.com>
1653
1654         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1655         https://bugs.webkit.org/show_bug.cgi?id=180219
1656         <rdar://problem/35696536>
1657
1658         Reviewed by Filip Pizlo.
1659
1660         * stress/regress-180219.js: Added.
1661
1662 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1663
1664         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1665         https://bugs.webkit.org/show_bug.cgi?id=180190
1666
1667         Reviewed by Mark Lam.
1668
1669         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1670         (shouldBe):
1671         (test1):
1672         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1673         (shouldBe):
1674         (test1):
1675         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1676         (shouldBe):
1677         (test1):
1678         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1679         (shouldBe):
1680         (test1):
1681         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1682         (shouldBe):
1683         (test1):
1684         * stress/operation-in-may-have-negative-int32.js: Added.
1685         (shouldBe):
1686         (test2):
1687         * stress/operation-in-negative-int32-cast.js: Added.
1688         (shouldBe):
1689         (test1):
1690
1691 2017-11-28  JF Bastien  <jfbastien@apple.com>
1692
1693         Strict and sloppy functions shouldn't share structure
1694         https://bugs.webkit.org/show_bug.cgi?id=180103
1695         <rdar://problem/35667847>
1696
1697         Reviewed by Saam Barati.
1698
1699         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1700         because the IC was wrong.
1701         (foo):
1702         (bar):
1703         (baz):
1704         (catch):
1705         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1706         in this patch, but may as well test odd strict mode corner cases.
1707         (bar):
1708         (baz):
1709         (catch):
1710         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1711         (foo):
1712         (bar):
1713         (baz):
1714         (catch):
1715         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1716         next file, but with invalidation of the FunctionExecutable's
1717         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1718         slower path.
1719         (foo):
1720         (bar.const.x):
1721         (bar.const.y):
1722         (bar):
1723         (catch):
1724         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1725         strict nesting works correctly.
1726         (foo):
1727         (bar.baz):
1728         (bar):
1729         * stress/strict-function-structure.js: Added. The test used to
1730         assert in objectProtoFuncHasOwnProperty.
1731         (foo):
1732         (bar):
1733         (baz):
1734         * stress/strict-nested-function-structure.js: Added. Nesting.
1735         (foo):
1736         (bar):
1737         (baz.boo):
1738         (baz):
1739
1740 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1741
1742         The recursive tail call optimisation is wrong on closures
1743         https://bugs.webkit.org/show_bug.cgi?id=179835
1744
1745         Reviewed by Saam Barati.
1746
1747         * stress/closure-recursive-tail-call.js: Added.
1748         (makeClosure):
1749
1750 2017-11-27  JF Bastien  <jfbastien@apple.com>
1751
1752         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1753         https://bugs.webkit.org/show_bug.cgi?id=180051
1754         <rdar://problem/35614371>
1755
1756         Reviewed by Saam Barati.
1757
1758         * stress/rest-parameter-negative.js: Added.
1759         (__f_5484):
1760         (catch):
1761         (__f_5485):
1762         (__v_22598.catch):
1763
1764 2017-11-27  Saam Barati  <sbarati@apple.com>
1765
1766         Spread can escape when CreateRest does not
1767         https://bugs.webkit.org/show_bug.cgi?id=180057
1768         <rdar://problem/35676119>
1769
1770         Reviewed by JF Bastien.
1771
1772         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1773         (assert):
1774         (getProperties):
1775         (theFunc):
1776         (let.obj.valueOf):
1777
1778 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1779
1780         [DFG] Add NormalizeMapKey DFG IR
1781         https://bugs.webkit.org/show_bug.cgi?id=179912
1782
1783         Reviewed by Saam Barati.
1784
1785         * stress/map-untyped-normalize-cse.js: Added.
1786         (shouldBe):
1787         (test):
1788         * stress/map-untyped-normalize.js: Added.
1789         (shouldBe):
1790         (test):
1791         * stress/set-untyped-normalize-cse.js: Added.
1792         (shouldBe):
1793         (set return.set has.set has):
1794         * stress/set-untyped-normalize.js: Added.
1795         (shouldBe):
1796         (set return.set has):
1797
1798 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1799
1800         [FTL] Support DeleteById and DeleteByVal
1801         https://bugs.webkit.org/show_bug.cgi?id=180022
1802
1803         Reviewed by Saam Barati.
1804
1805         * stress/delete-by-id.js: Added.
1806         (shouldBe):
1807         (test1):
1808         (test2):
1809         * stress/delete-by-val-ftl.js: Added.
1810         (shouldBe):
1811         (test1):
1812         (test2):
1813
1814 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1815
1816         [DFG] Introduce {Set,Map,WeakMap}Fields
1817         https://bugs.webkit.org/show_bug.cgi?id=179925
1818
1819         Reviewed by Saam Barati.
1820
1821         * stress/map-set-clobber-map-get.js: Added.
1822         (shouldBe):
1823         (test):
1824         * stress/map-set-does-not-clobber-set-has.js: Added.
1825         (shouldBe):
1826         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1827         (shouldBe):
1828         (test):
1829         * stress/set-add-clobber-set-has.js: Added.
1830         (shouldBe):
1831         * stress/set-add-does-not-clobber-map-get.js: Added.
1832         (shouldBe):
1833
1834 2017-11-24  Mark Lam  <mark.lam@apple.com>
1835
1836         Move unsafe jsc shell test functions to the $vm object.
1837         https://bugs.webkit.org/show_bug.cgi?id=179980
1838
1839         Reviewed by Yusuke Suzuki.
1840
1841         * controlFlowProfiler/driver/driver.js:
1842         * controlFlowProfiler/execution-count.js:
1843         * controlFlowProfiler/if-statement.js:
1844         * controlFlowProfiler/loop-statements.js:
1845         * controlFlowProfiler/switch-statements.js:
1846         * controlFlowProfiler/test-jit.js:
1847         * exceptionFuzz/3d-cube.js:
1848         * exceptionFuzz/date-format-xparb.js:
1849         * exceptionFuzz/earley-boyer.js:
1850         * heapProfiler/basic-edges.js:
1851         * heapProfiler/property-edge-types.js:
1852         * microbenchmarks/try-get-by-id-basic.js:
1853         * microbenchmarks/try-get-by-id-polymorphic.js:
1854         * modules/namespace-object-try-get.js:
1855         * stress/argument-count-bytecode.js:
1856         * stress/argument-intrinsic-basic.js:
1857         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1858         * stress/argument-intrinsic-inlining-with-result-escape.js:
1859         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1860         * stress/argument-intrinsic-inlining-with-vararg.js:
1861         * stress/argument-intrinsic-nested-inlining.js:
1862         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1863         * stress/argument-intrinsic-with-stack-write.js:
1864         * stress/arity-mismatch-get-argument.js:
1865         * stress/array-message-passing.js:
1866         * stress/array-push-with-force-exit.js:
1867         * stress/check-dom-with-signature.js:
1868         * stress/check-sub-class.js:
1869         * stress/compare-eq-incomplete-profile.js:
1870         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1871         * stress/do-eval-virtual-call-correctly.js:
1872         * stress/dom-jit-with-poly-proto.js:
1873         * stress/domjit-exception-ic.js:
1874         * stress/domjit-exception.js:
1875         * stress/domjit-getter-complex-with-incorrect-object.js:
1876         * stress/domjit-getter-complex.js:
1877         * stress/domjit-getter-poly.js:
1878         * stress/domjit-getter-proto.js:
1879         * stress/domjit-getter-super-poly.js:
1880         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1881         * stress/domjit-getter-type-check.js:
1882         * stress/domjit-getter.js:
1883         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1884         * stress/for-in-proxy-target-changed-structure.js:
1885         * stress/for-in-proxy.js:
1886         * stress/generational-opaque-roots.js:
1887         * stress/global-const-redeclaration-setting-2.js:
1888         * stress/global-const-redeclaration-setting-3.js:
1889         * stress/global-const-redeclaration-setting-4.js:
1890         * stress/global-const-redeclaration-setting-5.js:
1891         * stress/global-const-redeclaration-setting.js:
1892         * stress/import-basic.js:
1893         * stress/import-from-eval.js:
1894         * stress/import-reject-with-exception.js:
1895         * stress/import-syntax.js:
1896         * stress/impure-get-own-property-slot-inline-cache.js:
1897         * stress/is-constructor.js:
1898         * stress/istypedarrayview-intrinsic.js:
1899         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1900         * stress/jsc-test-functions-should-be-more-robust.js:
1901         * stress/object-toString-with-proxy.js:
1902         * stress/poly-proto-custom-value-and-accessor.js:
1903         * stress/proxy-inline-cache.js:
1904         * stress/re-execute-error-module.js:
1905         * stress/regress-150532.js:
1906         * stress/regress-156992.js:
1907         * stress/regress-179619.js:
1908         * stress/resources/shadow-chicken-support.js:
1909         * stress/runtime-array.js:
1910         * stress/sampling-profiler-microtasks.js:
1911         * stress/shadow-chicken-enabled.js:
1912         * stress/spread-correct-global-object-on-exception.js:
1913         * stress/super-get-by-id.js:
1914         * stress/tailCallForwardArguments.js:
1915         * stress/to-object-intrinsic-boolean-edge.js:
1916         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1917         * stress/to-object-intrinsic-number-edge.js:
1918         * stress/to-object-intrinsic-object-edge.js:
1919         * stress/to-object-intrinsic-string-edge.js:
1920         * stress/to-object-intrinsic-symbol-edge.js:
1921         * stress/to-object-intrinsic.js:
1922         * stress/try-catch-custom-getter-as-get-by-id.js:
1923         * stress/try-get-by-id-poly-proto.js:
1924         * stress/try-get-by-id-should-spill-registers-dfg.js:
1925         * stress/try-get-by-id.js:
1926         * typeProfiler/arrow-functions.js:
1927         * typeProfiler/basic.js:
1928         * typeProfiler/captured.js:
1929         * typeProfiler/classes.js:
1930         * typeProfiler/dfg-jit-optimizations.js:
1931         * typeProfiler/dictionary-mode.js:
1932         * typeProfiler/es6-block-scoping.js:
1933         * typeProfiler/es6-classes.js:
1934         * typeProfiler/inheritance.js:
1935         * typeProfiler/int52-dfg.js:
1936         * typeProfiler/loop.js:
1937         * typeProfiler/optional-fields.js:
1938         * typeProfiler/overflow.js:
1939         * typeProfiler/return.js:
1940         * typeProfiler/symbol.js:
1941         * typeProfiler/weird-prototype-chain.js:
1942
1943 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1944
1945         [DFG][FTL] Support MapSet / SetAdd intrinsics
1946         https://bugs.webkit.org/show_bug.cgi?id=179858
1947
1948         Reviewed by Saam Barati.
1949
1950         * microbenchmarks/map-has-and-set.js: Added.
1951         (test):
1952         * stress/map-set-check-failure.js: Added.
1953         (shouldBe):
1954         (shouldThrow):
1955         (target):
1956         * stress/map-set-cse.js: Added.
1957         (shouldBe):
1958         (test):
1959         * stress/set-add-check-failure.js: Added.
1960         (shouldBe):
1961         (shouldThrow):
1962         (set shouldThrow):
1963         * stress/set-add-cse.js: Added.
1964         (shouldBe):
1965
1966 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1967
1968         [JSC] Allow poly proto for intrinsic getters
1969         https://bugs.webkit.org/show_bug.cgi?id=179550
1970
1971         Reviewed by Saam Barati.
1972
1973         This change is also tested by existing tests.
1974
1975             1. stress/intrinsic-getter-with-poly-proto.js
1976             2. stress/poly-proto-intrinsic-getter-correctness.js
1977
1978         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1979         (shouldBe):
1980         (makePolyProtoObject.foo.C):
1981         (makePolyProtoObject.foo):
1982         (makePolyProtoObject):
1983         (target):
1984         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1985         (shouldBe):
1986         (makePolyProtoObject.foo.C):
1987         (makePolyProtoObject.foo):
1988         (makePolyProtoObject):
1989         (target):
1990
1991 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1992
1993         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1994         https://bugs.webkit.org/show_bug.cgi?id=179744
1995
1996         Reviewed by Michael Catanzaro.
1997
1998         This test uses too much memory for our buildbots on these platforms
1999         and gets OOM-killed.
2000
2001         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2002         Skip if $memoryLimited and linux.
2003
2004 2017-11-17  JF Bastien  <jfbastien@apple.com>
2005
2006         WebAssembly JS API: throw when a promise can't be created
2007         https://bugs.webkit.org/show_bug.cgi?id=179826
2008         <rdar://problem/35455813>
2009
2010         Reviewed by Mark Lam.
2011
2012         Test WebAssembly.{compile,instantiate} where promise creation
2013         fails because of a stack overflow.
2014
2015         * wasm/js-api/promise-stack-overflow.js: Added.
2016         (const.runNearStackLimit.f.const.t):
2017         (async.testCompile):
2018         (async.testInstantiate):
2019
2020 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2021
2022         Unreviewed, mark regress-178385.js as memory exhausting
2023
2024         * stress/regress-178385.js:
2025
2026 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2027
2028         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2029
2030         Unreviewed test gardening.
2031
2032         * test262.yaml:
2033
2034 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2035
2036         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2037         https://bugs.webkit.org/show_bug.cgi?id=179763
2038         <rdar://problem/35550513>
2039
2040         Reviewed by Keith Miller.
2041
2042         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2043
2044         * stress/tdz-this-in-try-catch.js: Added.
2045         (__v_6388):
2046         (__v_6392):
2047
2048 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2049
2050         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2051         https://bugs.webkit.org/show_bug.cgi?id=179594
2052
2053         Reviewed by Saam Barati.
2054
2055         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2056         (shouldBe):
2057         (args):
2058         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2059         (shouldBe):
2060         (args):
2061
2062 2017-11-14  Saam Barati  <sbarati@apple.com>
2063
2064         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2065         https://bugs.webkit.org/show_bug.cgi?id=179639
2066         <rdar://problem/35513018>
2067
2068         Reviewed by JF Bastien.
2069
2070         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2071         (escape):
2072         (i.func):
2073
2074 2017-11-13  Mark Lam  <mark.lam@apple.com>
2075
2076         Add more overflow check book-keeping for MarkedArgumentBuffer.
2077         https://bugs.webkit.org/show_bug.cgi?id=179634
2078         <rdar://problem/35492517>
2079
2080         Reviewed by Saam Barati.
2081
2082         * stress/regress-179634.js: Added.
2083
2084 2017-11-13  Mark Lam  <mark.lam@apple.com>
2085
2086         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2087         https://bugs.webkit.org/show_bug.cgi?id=179619
2088         <rdar://problem/35492518>
2089
2090         Reviewed by Saam Barati.
2091
2092         * stress/regress-179619.js: Added.
2093
2094 2017-11-12  Mark Lam  <mark.lam@apple.com>
2095
2096         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2097         https://bugs.webkit.org/show_bug.cgi?id=179562
2098         <rdar://problem/35467022>
2099
2100         Reviewed by Saam Barati.
2101
2102         * regress-179562.js: Added.
2103
2104 2017-11-08  Saam Barati  <sbarati@apple.com>
2105
2106         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2107         https://bugs.webkit.org/show_bug.cgi?id=177792
2108
2109         Reviewed by Yusuke Suzuki.
2110
2111         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2112         (assert):
2113         (foo.Foo.prototype.ensureX):
2114         (foo.Foo):
2115         (foo):
2116         (access):
2117
2118 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2119
2120         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2121         https://bugs.webkit.org/show_bug.cgi?id=178592
2122
2123         Unreviewed test gardening.
2124
2125         * test262.yaml:
2126
2127 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2128
2129         Turn recursive tail calls into loops
2130         https://bugs.webkit.org/show_bug.cgi?id=176601
2131
2132         Reviewed by Saam Barati.
2133
2134         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2135
2136         Add some simple test that computes factorial in several ways, and other trivial computations.
2137         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2138         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2139         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2140         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2141
2142         * stress/inline-call-to-recursive-tail-call.js: Added.
2143         (factorial.aux):
2144         (factorial):
2145         (factorial2.aux2):
2146         (factorial2.id):
2147         (factorial2):
2148         (factorial3.aux3):
2149         (factorial3):
2150         (aux4):
2151         (factorial4):
2152         (foo):
2153         (auxBar):
2154         (bar):
2155         (test):
2156
2157 2017-11-07  Mark Lam  <mark.lam@apple.com>
2158
2159         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2160         https://bugs.webkit.org/show_bug.cgi?id=179355
2161         <rdar://problem/35263053>
2162
2163         Reviewed by Saam Barati.
2164
2165         * stress/regress-179355.js: Added.
2166
2167 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2168
2169         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2170         https://bugs.webkit.org/show_bug.cgi?id=144458
2171
2172         Reviewed by Saam Barati.
2173
2174         * microbenchmarks/dfg-internal-function-call.js: Added.
2175         (target):
2176         * microbenchmarks/dfg-internal-function-construct.js: Added.
2177         (target):
2178         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2179         (target):
2180         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2181         (target):
2182         * stress/dfg-internal-function-call.js: Added.
2183         (shouldBe):
2184         (target):
2185         * stress/dfg-internal-function-construct.js: Added.
2186         (shouldBe):
2187         (target):
2188         * stress/internal-function-call.js: Added.
2189         (shouldBe):
2190         * stress/internal-function-construct.js: Added.
2191         (shouldBe):
2192
2193 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2194
2195         [Win] Skip stress/regress-178385.js.
2196         https://bugs.webkit.org/show_bug.cgi?id=179298
2197
2198         Unreviewed test gardening.
2199
2200         * stress/regress-178385.js:
2201
2202 2017-11-03  Keith Miller  <keith_miller@apple.com>
2203
2204         Add test for ic with side effects
2205         https://bugs.webkit.org/show_bug.cgi?id=179268
2206
2207         Reviewed by Saam Barati.
2208
2209         * stress/put-inline-cache-side-effects.js: Added.
2210         (let.i.of.objs.keys):
2211         (f):
2212
2213 2017-11-03  Mark Lam  <mark.lam@apple.com>
2214
2215         CachedCall (and its clients) needs overflow checks.
2216         https://bugs.webkit.org/show_bug.cgi?id=179185
2217
2218         Reviewed by JF Bastien.
2219
2220         * stress/regress-179185.js: Added.
2221
2222 2017-11-02  Michael Saboff  <msaboff@apple.com>
2223
2224         DFG needs to handle code motion of code in for..in loop bodies
2225         https://bugs.webkit.org/show_bug.cgi?id=179212
2226
2227         Reviewed by Keith Miller.
2228
2229         New regression test.
2230
2231         * stress/for-in-side-effects.js: Added.
2232         (getPrototypeOf):
2233         (reset):
2234         (testWithoutFTL.f):
2235         (testWithoutFTL):
2236         (testWithFTL.f):
2237         (testWithFTL):
2238
2239 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2240
2241         AI does not correctly model the clobber case of ArithClz32
2242         https://bugs.webkit.org/show_bug.cgi?id=179188
2243
2244         Reviewed by Michael Saboff.
2245
2246         * stress/arith-clz32-effects.js: Added.
2247         (foo):
2248         (valueOf):
2249
2250 2017-11-01  Michael Saboff  <msaboff@apple.com>
2251
2252         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2253         https://bugs.webkit.org/show_bug.cgi?id=179140
2254
2255         Reviewed by Saam Barati.
2256
2257         New regression test.
2258
2259         * stress/regress-179140.js: Added.
2260         (testWithoutFTL):
2261         (testWithFTL):
2262
2263 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2264
2265         [JSC] Introduce @toObject
2266         https://bugs.webkit.org/show_bug.cgi?id=178726
2267
2268         Reviewed by Saam Barati.
2269
2270         * stress/array-copywithin.js:
2271         (shouldThrow):
2272         * stress/object-constructor-boolean-edge.js: Added.
2273         (shouldBe):
2274         (test):
2275         * stress/object-constructor-global.js: Added.
2276         (shouldBe):
2277         * stress/object-constructor-null-edge.js: Added.
2278         (shouldBe):
2279         (test):
2280         * stress/object-constructor-number-edge.js: Added.
2281         (shouldBe):
2282         (test):
2283         * stress/object-constructor-object-edge.js: Added.
2284         (shouldBe):
2285         (test):
2286         (i.arg):
2287         * stress/object-constructor-string-edge.js: Added.
2288         (shouldBe):
2289         (test):
2290         * stress/object-constructor-symbol-edge.js: Added.
2291         (shouldBe):
2292         (test):
2293         * stress/object-constructor-undefined-edge.js: Added.
2294         (shouldBe):
2295         (test):
2296         * stress/symbol-array-from.js: Added.
2297         (shouldBe):
2298         * stress/to-object-intrinsic-boolean-edge.js: Added.
2299         (shouldBe):
2300         (builtin.createBuiltin):
2301         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2302         (shouldThrow):
2303         * stress/to-object-intrinsic-number-edge.js: Added.
2304         (shouldBe):
2305         (builtin.createBuiltin):
2306         * stress/to-object-intrinsic-object-edge.js: Added.
2307         (shouldBe):
2308         (builtin.createBuiltin):
2309         (i.arg):
2310         * stress/to-object-intrinsic-string-edge.js: Added.
2311         (shouldBe):
2312         (builtin.createBuiltin):
2313         * stress/to-object-intrinsic-symbol-edge.js: Added.
2314         (shouldBe):
2315         (builtin.createBuiltin):
2316         * stress/to-object-intrinsic.js: Added.
2317         (shouldBe):
2318         (shouldThrow):
2319         (builtin.createBuiltin):
2320
2321 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2322
2323         [DFG][FTL] Introduce StringSlice
2324         https://bugs.webkit.org/show_bug.cgi?id=178934
2325
2326         Reviewed by Saam Barati.
2327
2328         * microbenchmarks/string-slice-empty.js: Added.
2329         (slice):
2330         * microbenchmarks/string-slice-one-char.js: Added.
2331         (slice):
2332         * microbenchmarks/string-slice.js: Added.
2333         (slice):
2334
2335 2017-10-26  Michael Saboff  <msaboff@apple.com>
2336
2337         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2338         https://bugs.webkit.org/show_bug.cgi?id=178890
2339
2340         Reviewed by Keith Miller.
2341
2342         New regression test.
2343
2344         * stress/regress-178890.js: Added.
2345
2346 2017-10-26  Mark Lam  <mark.lam@apple.com>
2347
2348         JSRopeString::RopeBuilder::append() should check for overflows.
2349         https://bugs.webkit.org/show_bug.cgi?id=178385
2350         <rdar://problem/35027468>
2351
2352         Reviewed by Saam Barati.
2353
2354         * stress/regress-178385.js: Added.
2355
2356 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2357
2358         Unreviewed, rolling out r223961.
2359
2360         The change that required this has been rolled out.
2361
2362         Reverted changeset:
2363
2364         "Mark test262.yaml/test262/test/language/statements/try/tco-
2365         catch.js as passing."
2366         https://bugs.webkit.org/show_bug.cgi?id=178592
2367         https://trac.webkit.org/changeset/223961
2368
2369 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2370
2371         Unreviewed, rolling out r223691 and r223729.
2372         https://bugs.webkit.org/show_bug.cgi?id=178834
2373
2374         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2375         by rniwa on #webkit).
2376
2377         Reverted changesets:
2378
2379         "Turn recursive tail calls into loops"
2380         https://bugs.webkit.org/show_bug.cgi?id=176601
2381         https://trac.webkit.org/changeset/223691
2382
2383         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2384         comparison is always false due to limited range of data type
2385         [-Wtype-limits]"
2386         https://bugs.webkit.org/show_bug.cgi?id=178543
2387         https://trac.webkit.org/changeset/223729
2388
2389 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2390
2391         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2392         https://bugs.webkit.org/show_bug.cgi?id=178592
2393
2394         Unreviewed test gardening.
2395
2396         * test262.yaml:
2397
2398 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2399
2400         [FTL] Support NewStringObject
2401         https://bugs.webkit.org/show_bug.cgi?id=178737
2402
2403         Reviewed by Saam Barati.
2404
2405         * stress/new-string-object.js: Added.
2406         (shouldBe):
2407         (test):
2408
2409 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2410
2411         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2412         https://bugs.webkit.org/show_bug.cgi?id=178308
2413
2414         Reviewed by Mark Lam.
2415
2416         * test262.yaml:
2417
2418 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2419
2420         [JSC] Use fastJoin in Array#toString
2421         https://bugs.webkit.org/show_bug.cgi?id=178062
2422
2423         Reviewed by Darin Adler.
2424
2425         * microbenchmarks/contiguous-array-to-string.js: Added.
2426         (target):
2427         * microbenchmarks/double-array-to-string.js: Added.
2428         (target):
2429         * microbenchmarks/int32-array-to-string.js: Added.
2430         (target):
2431
2432 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2433
2434         stress/check-string-ident.js is improperly skipped
2435         https://bugs.webkit.org/show_bug.cgi?id=178642
2436
2437         Reviewed by Saam Barati.
2438
2439         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2440         since it enforces the run-jsc-stress-tests script to still set up the
2441         test to run, despite the skip directive that's used before.
2442
2443 2017-10-20  Mark Lam  <mark.lam@apple.com>
2444
2445         Add a test case for r214334.
2446         https://bugs.webkit.org/show_bug.cgi?id=169941
2447         <rdar://problem/31221258>
2448
2449         Reviewed by JF Bastien.
2450
2451         * stress/regress-169941.js: Added.
2452
2453 2017-10-19  JF Bastien  <jfbastien@apple.com>
2454
2455         WebAssembly: no VM / JS version of everything but Instance
2456         https://bugs.webkit.org/show_bug.cgi?id=177473
2457
2458         Reviewed by Filip Pizlo, Saam Barati.
2459
2460         - Exceeding max on memory growth now returns a range error as per
2461         spec. This is a (very minor) breaking change: it used to throw OOM
2462         error. Update the corresponding test.
2463
2464         * wasm/js-api/memory-grow.js:
2465         (assertEq):
2466         * wasm/js-api/table.js:
2467         (assert.throws):
2468
2469 2017-10-19  Mark Lam  <mark.lam@apple.com>
2470
2471         Stringifier::appendStringifiedValue() is missing an exception check.
2472         https://bugs.webkit.org/show_bug.cgi?id=178386
2473         <rdar://problem/35027610>
2474
2475         Reviewed by Saam Barati.
2476
2477         * stress/regress-178386.js: Added.
2478
2479 2017-10-19  Michael Saboff  <msaboff@apple.com>
2480
2481         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2482         https://bugs.webkit.org/show_bug.cgi?id=178521
2483
2484         Reviewed by JF Bastien.
2485
2486         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2487         now passes with the current version (5.0) of the Emoji spec.
2488
2489 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2490
2491         Turn recursive tail calls into loops
2492         https://bugs.webkit.org/show_bug.cgi?id=176601
2493
2494         Reviewed by Saam Barati.
2495
2496         Add some simple test that computes factorial in several ways, and other trivial computations.
2497         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2498         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2499         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2500         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2501
2502         * stress/inline-call-to-recursive-tail-call.js: Added.
2503         (factorial.aux):
2504         (factorial):
2505         (factorial2.aux):
2506         (factorial2.id):
2507         (factorial2):
2508         (factorial3.aux):
2509         (factorial3):
2510         (aux):
2511         (factorial4):
2512         (test):
2513
2514 2017-10-18  Mark Lam  <mark.lam@apple.com>
2515
2516         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2517         https://bugs.webkit.org/show_bug.cgi?id=177600
2518         <rdar://problem/34710985>
2519
2520         Reviewed by Saam Barati.
2521
2522         * stress/regress-177600.js: Added.
2523
2524 2017-10-18  Mark Lam  <mark.lam@apple.com>
2525
2526         The compiler should always register a structure when it adds its transitionWatchPointSet.
2527         https://bugs.webkit.org/show_bug.cgi?id=178420
2528         <rdar://problem/34814024>
2529
2530         Reviewed by Saam Barati and Filip Pizlo.
2531
2532         * stress/regress-178420.js: Added.
2533         (new.Array.10000.map):
2534
2535 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [JSC] __proto__ getter should be fast
2538         https://bugs.webkit.org/show_bug.cgi?id=178067
2539
2540         Reviewed by Saam Barati.
2541
2542         * stress/dfg-object-proto-accessor.js: Added.
2543         (shouldBe):
2544         (shouldThrow):
2545         (target):
2546         * stress/dfg-object-proto-getter.js: Added.
2547         (shouldBe):
2548         (shouldThrow):
2549         (target):
2550         * stress/dfg-object-prototype-of.js: Added.
2551         (shouldBe):
2552         (shouldThrow):
2553         (target):
2554         * stress/dfg-reflect-get-prototype-of.js: Added.
2555         (shouldBe):
2556         (shouldThrow):
2557         (target):
2558         * stress/intrinsic-getter-with-poly-proto.js: Added.
2559         (shouldBe):
2560         (makePolyProtoObject.foo.C):
2561         (makePolyProtoObject.foo):
2562         (makePolyProtoObject):
2563         (target):
2564         * stress/object-get-prototype-of-filtered.js: Added.
2565         (shouldBe):
2566         (shouldThrow):
2567         (target):
2568         (i.Cocoa):
2569         * stress/object-get-prototype-of-mono-proto.js: Added.
2570         (shouldBe):
2571         (makePolyProtoObject.foo.C):
2572         (makePolyProtoObject.foo):
2573         (makePolyProtoObject):
2574         (target):
2575         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2576         (shouldBe):
2577         (makePolyProtoObject.foo.C):
2578         (makePolyProtoObject.foo):
2579         (makePolyProtoObject):
2580         (target):
2581         * stress/object-get-prototype-of-poly-proto.js: Added.
2582         (shouldBe):
2583         (makePolyProtoObject.foo.C):
2584         (makePolyProtoObject.foo):
2585         (makePolyProtoObject):
2586         (target):
2587         * stress/object-proto-getter-filtered.js: Added.
2588         (shouldBe):
2589         (shouldThrow):
2590         (target):
2591         (i.Cocoa):
2592         * stress/object-proto-getter-poly-mono-proto.js: Added.
2593         (shouldBe):
2594         (makePolyProtoObject.foo.C):
2595         (makePolyProtoObject.foo):
2596         (makePolyProtoObject):
2597         (target):
2598         * stress/object-proto-getter-poly-proto.js: Added.
2599         (shouldBe):
2600         (makePolyProtoObject.foo.C):
2601         (makePolyProtoObject.foo):
2602         (makePolyProtoObject):
2603         (target):
2604         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2605         * stress/string-proto.js: Added.
2606         (shouldBe):
2607         (target):
2608
2609 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2610
2611         Unreviewed, rolling out r223523.
2612
2613         A test for this change is failing on debug JSC bots.
2614
2615         Reverted changeset:
2616
2617         "[JSC] __proto__ getter should be fast"
2618         https://bugs.webkit.org/show_bug.cgi?id=178067
2619         https://trac.webkit.org/changeset/223523
2620
2621 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2622
2623         [JSC] __proto__ getter should be fast
2624         https://bugs.webkit.org/show_bug.cgi?id=178067
2625
2626         Reviewed by Saam Barati.
2627
2628         * stress/dfg-object-proto-accessor.js: Added.
2629         (shouldBe):
2630         (shouldThrow):
2631         (target):
2632         * stress/dfg-object-proto-getter.js: Added.
2633         (shouldBe):
2634         (shouldThrow):
2635         (target):
2636         * stress/dfg-object-prototype-of.js: Added.
2637         (shouldBe):
2638         (shouldThrow):
2639         (target):
2640         * stress/dfg-reflect-get-prototype-of.js: Added.
2641         (shouldBe):
2642         (shouldThrow):
2643         (target):
2644         * stress/object-get-prototype-of-filtered.js: Added.
2645         (shouldBe):
2646         (shouldThrow):
2647         (target):
2648         (i.Cocoa):
2649         * stress/object-get-prototype-of-mono-proto.js: Added.
2650         (shouldBe):
2651         (makePolyProtoObject.foo.C):
2652         (makePolyProtoObject.foo):
2653         (makePolyProtoObject):
2654         (target):
2655         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2656         (shouldBe):
2657         (makePolyProtoObject.foo.C):
2658         (makePolyProtoObject.foo):
2659         (makePolyProtoObject):
2660         (target):
2661         * stress/object-get-prototype-of-poly-proto.js: Added.
2662         (shouldBe):
2663         (makePolyProtoObject.foo.C):
2664         (makePolyProtoObject.foo):
2665         (makePolyProtoObject):
2666         (target):
2667         * stress/object-proto-getter-filtered.js: Added.
2668         (shouldBe):
2669         (shouldThrow):
2670         (target):
2671         (i.Cocoa):
2672         * stress/object-proto-getter-poly-mono-proto.js: Added.
2673         (shouldBe):
2674         (makePolyProtoObject.foo.C):
2675         (makePolyProtoObject.foo):
2676         (makePolyProtoObject):
2677         (target):
2678         * stress/object-proto-getter-poly-proto.js: Added.
2679         (shouldBe):
2680         (makePolyProtoObject.foo.C):
2681         (makePolyProtoObject.foo):
2682         (makePolyProtoObject):
2683         (target):
2684         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2685         * stress/string-proto.js: Added.
2686         (shouldBe):
2687         (target):
2688
2689 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2690
2691         Reland "Add Above/Below comparisons for UInt32 patterns"
2692         https://bugs.webkit.org/show_bug.cgi?id=177281
2693
2694         Reviewed by Saam Barati.
2695
2696         * stress/uint32-comparison-jump.js: Added.
2697         (shouldBe):
2698         (above):
2699         (aboveOrEqual):
2700         (below):
2701         (belowOrEqual):
2702         (notAbove):
2703         (notAboveOrEqual):
2704         (notBelow):
2705         (notBelowOrEqual):
2706         * stress/uint32-comparison.js: Added.
2707         (shouldBe):
2708         (above):
2709         (aboveOrEqual):
2710         (below):
2711         (belowOrEqual):
2712         (aboveTest):
2713         (aboveOrEqualTest):
2714         (belowTest):
2715         (belowOrEqualTest):
2716
2717 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2718
2719         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2720         https://bugs.webkit.org/show_bug.cgi?id=178210
2721
2722         Reviewed by Saam Barati.
2723
2724         * wasm/function-tests/trap-from-start-async.js:
2725         (async.StartTrapsAsync):
2726         * wasm/function-tests/trap-from-start.js:
2727         (StartTraps):
2728         * wasm/js-api/web-assembly-function.js:
2729         (assert.eq.Object.getPrototypeOf):
2730         * wasm/js-api/wrapper-function.js:
2731         (return.new.WebAssembly.Module):
2732         (assert.throws.makeInstance): Deleted.
2733         (assert.throws.Bar): Deleted.
2734         (assert.throws): Deleted.
2735
2736 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2737
2738         Enable gigacage on iOS
2739         https://bugs.webkit.org/show_bug.cgi?id=177586
2740
2741         Reviewed by JF Bastien.
2742         
2743         Add tests for when Gigacage gets runtime disabled.
2744
2745         * stress/disable-gigacage-arrays.js: Added.
2746         (foo):
2747         * stress/disable-gigacage-strings.js: Added.
2748         (foo):
2749         * stress/disable-gigacage-typed-arrays.js: Added.
2750         (foo):
2751
2752 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2753
2754         import.meta should not be assignable
2755         https://bugs.webkit.org/show_bug.cgi?id=178202
2756
2757         Reviewed by Saam Barati.
2758
2759         * modules/import-meta-assignment.js: Added.
2760         (shouldThrow):
2761         (SyntaxError.import.meta.can.shouldThrow):
2762
2763 2017-10-11  Saam Barati  <sbarati@apple.com>
2764
2765         Unreviewed. Actually skip certain type profiler tests in debug.
2766
2767         * typeProfiler.yaml:
2768         * typeProfiler/deltablue-for-of.js:
2769         * typeProfiler/getter-richards.js:
2770
2771 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2772
2773         Unreviewed, rolling out r223113 and r223121.
2774         https://bugs.webkit.org/show_bug.cgi?id=178182
2775
2776         Reintroduced 20% regression on Kraken (Requested by rniwa on
2777         #webkit).
2778
2779         Reverted changesets:
2780
2781         "Enable gigacage on iOS"
2782         https://bugs.webkit.org/show_bug.cgi?id=177586
2783         https://trac.webkit.org/changeset/223113
2784
2785         "Use one virtual allocation for all gigacages and their
2786         runways"
2787         https://bugs.webkit.org/show_bug.cgi?id=178050
2788         https://trac.webkit.org/changeset/223121
2789
2790 2017-10-11  Michael Saboff  <msaboff@apple.com>
2791
2792         Disable test262 named capture group tests with direct unicode names and with references before definitions
2793         https://bugs.webkit.org/show_bug.cgi?id=178177
2794
2795         Reviewed by Keith Miller.
2796
2797         Bugs to track fixing these test are:
2798         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2799             "Add support in named capture group identifiers for direct surrogate pairs"
2800         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2801             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2802
2803         * test262.yaml:
2804
2805 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2806
2807         Object properties are undefined in super.call() but not in this.call()
2808         https://bugs.webkit.org/show_bug.cgi?id=177230
2809
2810         Reviewed by Saam Barati.
2811
2812         * stress/super-call-function-subclass.js: Added.
2813         (assert):
2814         (A.prototype.t):
2815         (A):
2816         * stress/super-dot-call-and-apply.js: Added.
2817         (assert):
2818         (A):
2819         (A.prototype.call):
2820         (A.prototype.apply):
2821         (B.prototype.testSuper):
2822         (B):
2823         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2824         (D.prototype.testSuper):
2825         (D):
2826
2827 2017-10-10  Saam Barati  <sbarati@apple.com>
2828
2829         The prototype cache should be aware of the Executable it generates a Structure for
2830         https://bugs.webkit.org/show_bug.cgi?id=177907
2831
2832         Reviewed by Filip Pizlo.
2833
2834         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2835         (assert):
2836         (foo.C):
2837         (foo):
2838         (bar.C):
2839         (bar):
2840         (access):
2841         (makeLongChain):
2842         (accessY):
2843
2844 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2845
2846         `async` should be able to be used as an imported binding name
2847         https://bugs.webkit.org/show_bug.cgi?id=176573
2848
2849         Reviewed by Saam Barati.
2850
2851         * modules/import-default-async.js: Added.
2852         * modules/import-named-async-as.js: Added.
2853         * modules/import-named-async.js: Added.
2854         * modules/import-named-async/target.js: Added.
2855         * modules/import-namespace-async.js: Added.
2856         * test262.yaml:
2857
2858 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2859
2860         Enable gigacage on iOS
2861         https://bugs.webkit.org/show_bug.cgi?id=177586
2862
2863         Reviewed by JF Bastien.
2864         
2865         Add tests for when Gigacage gets runtime disabled.
2866
2867         * stress/disable-gigacage-arrays.js: Added.
2868         (foo):
2869         * stress/disable-gigacage-strings.js: Added.
2870         (foo):
2871         * stress/disable-gigacage-typed-arrays.js: Added.
2872         (foo):
2873
2874 2017-10-09  Michael Saboff  <msaboff@apple.com>
2875
2876         Implement RegExp Unicode property escapes
2877         https://bugs.webkit.org/show_bug.cgi?id=172069
2878
2879         Reviewed by JF Bastien.
2880
2881         Enabled Unicode Property tests.
2882
2883         * test262.yaml:
2884
2885 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2886
2887         Unreviewed, rolling out r223015 and r223025.
2888         https://bugs.webkit.org/show_bug.cgi?id=178093
2889
2890         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2891         #webkit).
2892
2893         Reverted changesets:
2894
2895         "Enable gigacage on iOS"
2896         https://bugs.webkit.org/show_bug.cgi?id=177586
2897         http://trac.webkit.org/changeset/223015
2898
2899         "Unreviewed, disable Gigacage on ARM64 Linux"
2900         https://bugs.webkit.org/show_bug.cgi?id=177586
2901         http://trac.webkit.org/changeset/223025
2902
2903 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2904
2905         Update expectations for test262 tests that pass after r223043.
2906         https://bugs.webkit.org/show_bug.cgi?id=176685
2907
2908         Unreviewed test gardening.
2909
2910         * test262.yaml:
2911
2912 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2913
2914         Unreviewed, rolling out r223022.
2915
2916         This change introduced 18 test262 failures.
2917
2918         Reverted changeset:
2919
2920         "`async` should be able to be used as an imported binding
2921         name"
2922         https://bugs.webkit.org/show_bug.cgi?id=176573
2923         http://trac.webkit.org/changeset/223022
2924
2925 2017-10-09  Saam Barati  <sbarati@apple.com>
2926
2927         3 poly-proto JSC tests timing out on debug after r222827
2928         https://bugs.webkit.org/show_bug.cgi?id=177880
2929         <rdar://problem/34817122>
2930
2931         Unreviewed.
2932
2933         I'm skipping these type profiler tests on debug since they are long running.
2934
2935         * typeProfiler/deltablue-for-of.js:
2936         * typeProfiler/getter-richards.js:
2937
2938 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2939
2940         Safari 10 /11 problem with if (!await get(something)).
2941         https://bugs.webkit.org/show_bug.cgi?id=176685
2942
2943         Reviewed by Saam Barati.
2944
2945         * stress/async-await-basic.js:
2946         (awaitEpression.async):
2947         * stress/async-await-syntax.js:
2948         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2949         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2950
2951 2017-10-08  Saam Barati  <sbarati@apple.com>
2952
2953         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2954
2955         * typeProfiler/deltablue-for-of.js:
2956         * typeProfiler/getter-richards.js:
2957
2958 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2959
2960         `async` should be able to be used as an imported binding name
2961         https://bugs.webkit.org/show_bug.cgi?id=176573
2962
2963         Reviewed by Darin Adler.
2964
2965         * modules/import-default-async.js: Added.
2966         * modules/import-named-async-as.js: Added.
2967         * modules/import-named-async.js: Added.
2968         * modules/import-named-async/target.js: Added.
2969         * modules/import-namespace-async.js: Added.
2970
2971 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2972
2973         Enable gigacage on iOS
2974         https://bugs.webkit.org/show_bug.cgi?id=177586
2975
2976         Reviewed by JF Bastien.
2977         
2978         Add tests for when Gigacage gets runtime disabled.
2979
2980         * stress/disable-gigacage-arrays.js: Added.
2981         (foo):
2982         * stress/disable-gigacage-strings.js: Added.
2983         (foo):
2984         * stress/disable-gigacage-typed-arrays.js: Added.
2985         (foo):
2986
2987 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2988
2989         Unreviewed, rolling out r222791 and r222873.
2990         https://bugs.webkit.org/show_bug.cgi?id=178031
2991
2992         Caused crashes with workers/wasm LayoutTests (Requested by
2993         ryanhaddad on #webkit).
2994
2995         Reverted changesets:
2996
2997         "WebAssembly: no VM / JS version of everything but Instance"
2998         https://bugs.webkit.org/show_bug.cgi?id=177473
2999         http://trac.webkit.org/changeset/222791
3000
3001         "WebAssembly: address no VM / JS follow-ups"
3002         https://bugs.webkit.org/show_bug.cgi?id=177887
3003         http://trac.webkit.org/changeset/222873
3004
3005 2017-10-05  Saam Barati  <sbarati@apple.com>
3006
3007         Make sure all prototypes under poly proto get added into the VM's prototype map
3008         https://bugs.webkit.org/show_bug.cgi?id=177909
3009
3010         Reviewed by Keith Miller.
3011
3012         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3013         (assert):
3014         (foo.C):
3015         (foo):
3016         (set x):
3017
3018 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3019
3020         [JSC] Introduce import.meta
3021         https://bugs.webkit.org/show_bug.cgi?id=177703
3022
3023         Reviewed by Filip Pizlo.
3024
3025         * modules/import-meta-syntax.js: Added.
3026         (shouldThrow):
3027         (shouldNotThrow):
3028         * modules/import-meta.js: Added.
3029         * modules/import-meta/cocoa.js: Added.
3030         * modules/resources/assert.js:
3031         (export.shouldNotThrow):
3032         * stress/import-syntax.js:
3033
3034 2017-10-04  Saam Barati  <sbarati@apple.com>
3035
3036         Make pertinent AccessCases watch the poly proto watchpoint
3037         https://bugs.webkit.org/show_bug.cgi?id=177765
3038
3039         Reviewed by Keith Miller.
3040
3041         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3042         (assert):
3043         (foo.C):
3044         (foo):
3045         (validate):
3046         * stress/poly-proto-clear-stub.js: Added.
3047         (assert):
3048         (foo.C):
3049         (foo):
3050
3051 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3052
3053         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3054
3055         Unreviewed test gardening.
3056
3057         * test262.yaml:
3058
3059 2017-10-04  Saam Barati  <sbarati@apple.com>
3060
3061         3 poly-proto JSC tests timing out on debug after r222827
3062         https://bugs.webkit.org/show_bug.cgi?id=177880
3063
3064         Rubber stamped by Mark Lam.
3065
3066         * microbenchmarks/poly-proto-access.js:
3067         * typeProfiler/deltablue-for-of.js:
3068         * typeProfiler/getter-richards.js:
3069
3070 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3071
3072         Unreviewed, marking tco-catch.js as a failure after test262 update
3073         https://bugs.webkit.org/show_bug.cgi?id=177859
3074
3075         * test262.yaml:
3076
3077 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3078
3079         Unreviewed, marking one async iterator test262 test failed
3080         https://bugs.webkit.org/show_bug.cgi?id=177859
3081
3082         * test262.yaml:
3083
3084 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3085
3086         [Test262] Update Test262 to Oct 4 version
3087         https://bugs.webkit.org/show_bug.cgi?id=177859
3088
3089         Reviewed by Sam Weinig.
3090
3091         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3092         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3093
3094         * test262.yaml:
3095         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3096         (checkSequence):
3097         * test262/harness/typeCoercion.js:
3098         (testCoercibleToIndexZero):
3099         (testCoercibleToIndexOne):
3100         (testCoercibleToIndexFromIndex):
3101         (testNotCoercibleToIndex.testPrimitiveValue):
3102         (testNotCoercibleToInteger):
3103         (testCoercibleToBigIntZero.testPrimitiveValue):
3104         (testCoercibleToBigIntZero):
3105         (testCoercibleToBigIntOne.testPrimitiveValue):
3106         (testCoercibleToBigIntOne):
3107         (testPrimitiveValue):
3108         (testCoercibleToBigIntFromBigInt):
3109         (testNotCoercibleToBigInt.testPrimitiveValue):
3110         (testNotCoercibleToBigInt.testStringValue):
3111         (testNotCoercibleToBigInt):
3112         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3113         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3114         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3115         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3116         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3117         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3118         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3119         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3120         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3121         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3122         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3123         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3124         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3125         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3126         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3127         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3128         (testCoercibleToBigIntZero):
3129         (testCoercibleToBigIntOne):
3130         (testNotCoercibleToBigInt):
3131         (MyError): Deleted.
3132         (valueOf): Deleted.
3133         (toString): Deleted.
3134         (Symbol.toPrimitive): Deleted.
3135         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3136         (testCoercibleToIndexZero):
3137         (testCoercibleToIndexOne):
3138         (testNotCoercibleToIndex):
3139         (MyError): Deleted.
3140         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3141         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3142         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3143         (BigInt.asIntN.valueOf): Deleted.
3144         (BigInt.asIntN.toString): Deleted.
3145         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3146         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3147         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3148         (testCoercibleToBigIntZero):
3149         (testCoercibleToBigIntOne):
3150         (testNotCoercibleToBigInt):
3151         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3152         (testCoercibleToIndexZero):
3153         (testCoercibleToIndexOne):
3154         (testNotCoercibleToIndex):
3155         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3156         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3157         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3158         (bits.valueOf):
3159         (bigint.valueOf):
3160         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3161         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3162         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3163         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3164         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3165         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3166         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3167         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3168         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3169         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3170         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3171         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3172         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3173         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3174         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3175         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3176         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3177         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3178         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3179         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3180         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3181         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3182         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3183         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3184         (replacer):
3185         (BigInt.prototype.toJSON):
3186         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3187         (replacer):
3188         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3189         (BigInt.prototype.toJSON):
3190         * test262/test/built-ins/JSON/stringify/bigint.js:
3191         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3192         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3193         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3194         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3195         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3196         * test262/test/built-ins/Object/proto-from-ctor.js:
3197         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3198         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3199         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3200         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3201         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3202         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3203         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3204         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3205         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3206         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3207         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3208         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3209         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3210         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3211         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3212         * test262/test/built-ins/Proxy/get-fn-realm.js:
3213         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3214         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3215         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3216         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3217         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3218         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3219         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3220         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3221         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3222         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3223         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3224         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3225         (i6.replace):
3226         (i6b.replace):
3227         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3228         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3229         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3230         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3231         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3232         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3233         * test262/test/built-ins/RegExp/u180e.js: Added.
3234         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3235         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3236         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3237         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3238         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3239         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3240         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3241         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3242         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3243         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3244         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3245         * test262/test/built-ins/String/prototype/endsWith/length.js:
3246         * test262/test/built-ins/String/prototype/endsWith/name.js:
3247         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3248         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3249         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3250         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3251         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3252         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3253         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3254         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3255         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3256         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3257         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3258         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3259         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3260         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3261         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3262         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3263         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3264         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3265         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3266         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3267         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3268         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3269         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3270         * test262/test/built-ins/String/prototype/includes/includes.js:
3271         * test262/test/built-ins/String/prototype/includes/length.js:
3272         * test262/test/built-ins/String/prototype/includes/name.js:
3273         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3274         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3275         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3276         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3277         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3278         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3279         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3280         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3281         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3282         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3283         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3284         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3285         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3286         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3287         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3288         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3289         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3290         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3291         * test262/test/built-ins/String/prototype/trim/u180e.js:
3292         * test262/test/built-ins/Symbol/for/cross-realm.js:
3293         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3294         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3295         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3296         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3297         * test262/test/built-ins/Symbol/match/cross-realm.js:
3298         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3299         * test262/test/built-ins/Symbol/search/cross-realm.js:
3300         * test262/test/built-ins/Symbol/species/cross-realm.js:
3301         * test262/test/built-ins/Symbol/split/cross-realm.js:
3302         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3303         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3304         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3305         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3306         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3307         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3308         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3309         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3310         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3311         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3312         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3313         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3314         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3315         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3316         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3317         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3318         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3319         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3320         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3321         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3322         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3323         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3324         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3325         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3326         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3327         * test262/test/language/eval-code/indirect/realm.js:
3328         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3329         (o.get z):
3330         (o.get a):
3331         * test262/test/language/expressions/call/eval-realm-indirect.js:
3332         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3333         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3334         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3335         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3336         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3337         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3338         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3339         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3340         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3341         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3342         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3343         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3344         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3345         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3346         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3347         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3348         * test262/test/language/expressions/less-than/bigint-and-number.js:
3349         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3350         * test262/test/language/expressions/super/realm.js:
3351         * test262/test/language/expressions/tagged-template/cache-realm.js:
3352         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3353         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3354         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3355         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3356         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3357         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3358         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3359         (o.get z):
3360         (o.get a):
3361         * test262/test/language/statements/for-of/iterator-next-reference.js:
3362         (next):
3363         (iterator.next): Deleted.
3364         (x.of.iterable.): Deleted.
3365         (x.of.iterable.get return): Deleted.
3366         (x.of.iterable.iterator.next): Deleted.
3367         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3368         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3369         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3370         * test262/test/language/white-space/mongolian-vowel-separator.js:
3371         * test262/test262-Revision.txt:
3372
3373 2017-10-03  Saam Barati  <sbarati@apple.com>
3374
3375         Implement polymorphic prototypes
3376         https://bugs.webkit.org/show_bug.cgi?id=176391
3377
3378         Reviewed by Filip Pizlo.
3379
3380         * microbenchmarks/poly-proto-access.js: Added.
3381         (assert):
3382         (foo.C):
3383         (foo.C.prototype.get bar):
3384         (foo):
3385         (bar):
3386         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3387         (assert):
3388         (makePolyProtoObject.foo.C):
3389         (makePolyProtoObject.foo):
3390         (makePolyProtoObject):
3391         (performSet):
3392         * microbenchmarks/poly-proto-setter-speed.js: Added.
3393         (assert):
3394         (makePolyProtoObject.foo.C):
3395         (makePolyProtoObject.foo.C.prototype.set p):
3396         (makePolyProtoObject.foo):
3397         (makePolyProtoObject):
3398         (performSet):
3399         * stress/constructor-with-return.js:
3400         (i.tests.forEach.Constructor):
3401         (i.tests.forEach):
3402         (tests.forEach.Constructor): Deleted.
3403         (tests.forEach): Deleted.
3404         * stress/dom-jit-with-poly-proto.js: Added.
3405         (assert):
3406         (makePolyProtoObject.foo.C):
3407         (makePolyProtoObject.foo):
3408         (makePolyProtoObject):
3409         (validate):
3410         * stress/poly-proto-custom-value-and-accessor.js: Added.
3411         (assert):
3412         (makePolyProtoObject.foo.C):
3413         (makePolyProtoObject.foo):
3414         (makePolyProtoObject):
3415         (items.forEach):
3416         (set get for):
3417         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3418         (assert):
3419         (makePolyProtoObject.foo.C):
3420         (makePolyProtoObject.foo):
3421         (makePolyProtoObject):
3422         (foo):
3423         * stress/poly-proto-miss.js: Added.
3424         (makePolyProtoInstanceWithNullPrototype.foo.C):
3425         (makePolyProtoInstanceWithNullPrototype.foo):
3426         (makePolyProtoInstanceWithNullPrototype):
3427         (assert):
3428         (validate):
3429         * stress/poly-proto-op-in-caching.js: Added.
3430         (assert):
3431         (makePolyProtoObject.foo.C):
3432         (makePolyProtoObject.foo):
3433         (makePolyProtoObject):
3434         (validate):
3435         (validate2):
3436         * stress/poly-proto-put-transition.js: Added.
3437         (assert):
3438         (makePolyProtoObject.foo.C):
3439         (makePolyProtoObject.foo):
3440         (makePolyProtoObject):
3441         (performSet):
3442         (i.obj.__proto__.set p):
3443         * stress/poly-proto-set-prototype.js: Added.
3444         (assert):
3445         (let.alternateProto.get x):
3446         (let.alternateProto2.get y):
3447         (let.alternateProto2.get x):
3448         (foo.C):
3449         (foo):
3450         (validate):
3451         * stress/poly-proto-setter.js: Added.
3452         (assert):
3453         (makePolyProtoObject.foo.C):
3454         (makePolyProtoObject.foo.C.prototype.set p):
3455         (makePolyProtoObject.foo.C.prototype.get p):
3456         (makePolyProtoObject.foo):
3457         (makePolyProtoObject):
3458         (performSet):
3459         * stress/poly-proto-using-inheritance.js: Added.
3460         (assert):
3461         (foo.C):
3462         (foo.C.prototype.get baz):
3463         (foo):
3464         (bar.C):
3465         (bar):
3466         (validate):
3467         * stress/primitive-poly-proto.js: Added.
3468         (makePolyProtoInstance.foo.C):
3469         (makePolyProtoInstance.foo):
3470         (makePolyProtoInstance):
3471         (assert):
3472         (validate):
3473         * stress/prototype-is-not-js-object.js: Added.
3474         (foo.bar):
3475         (foo):
3476         (assert):
3477         (validate):
3478         * stress/try-get-by-id-poly-proto.js: Added.
3479         (assert):
3480         (makePolyProtoObject.foo.C):
3481         (makePolyProtoObject.foo):
3482         (makePolyProtoObject):
3483         (tryGetByIdText):
3484         (x.__proto__.get bar):
3485         (validate):
3486         * typeProfiler/overflow.js:
3487
3488 2017-10-03  JF Bastien  <jfbastien@apple.com>
3489
3490         WebAssembly: no VM / JS version of everything but Instance
3491         https://bugs.webkit.org/show_bug.cgi?id=177473
3492
3493         Reviewed by Filip Pizlo.
3494
3495         - Exceeding max on memory growth now returns a range error as per
3496         spec. This is a (very minor) breaking change: it used to throw OOM
3497         error. Update the corresponding test.
3498
3499         * wasm/js-api/memory-grow.js:
3500         (assertEq):
3501         * wasm/js-api/table.js:
3502         (assert.throws):
3503
3504 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3505
3506         Skip JSC test stress/regress-159779-2.js on debug.
3507         https://bugs.webkit.org/show_bug.cgi?id=177204
3508
3509         Unreviewed test gardening.
3510
3511         * stress/regress-159779-2.js:
3512
3513 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3514
3515         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3516         https://bugs.webkit.org/show_bug.cgi?id=175642
3517
3518         Reviewed by Darin Adler.
3519
3520         * ChakraCore/test/Function/apply3.baseline-jsc:
3521
3522 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3523
3524         Unreviewed, rolling out r222564.
3525         https://bugs.webkit.org/show_bug.cgi?id=177720
3526
3527         "It regressed JetStream by 2% on iOS caused by a 50%
3528         regression on the bigfib subtest" (Requested by saamyjoon on
3529         #webkit).
3530
3531         Reverted changeset:
3532
3533         "Add Above/Below comparisons for UInt32 patterns"
3534         https://bugs.webkit.org/show_bug.cgi?id=177281
3535         http://trac.webkit.org/changeset/222564
3536
3537 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3538
3539         [DFG] Support ArrayPush with multiple args
3540         https://bugs.webkit.org/show_bug.cgi?id=175823
3541
3542         Reviewed by Saam Barati.
3543
3544         * microbenchmarks/array-push-0.js: Added.
3545         (arrayPush0):
3546         * microbenchmarks/array-push-1.js: Added.
3547         (arrayPush1):
3548         * microbenchmarks/array-push-2.js: Added.
3549         (arrayPush2):
3550         * microbenchmarks/array-push-3.js: Added.
3551         (arrayPush3):
3552         * stress/array-push-multiple-contiguous.js: Added.
3553         (shouldBe):
3554         (test):
3555         * stress/array-push-multiple-double-nan.js: Added.
3556         (shouldBe):
3557         (test):
3558         * stress/array-push-multiple-double.js: Added.
3559         (shouldBe):
3560         (test):
3561         * stress/array-push-multiple-int32.js: Added.
3562         (shouldBe):
3563         (test):
3564         * stress/array-push-multiple-many-contiguous.js: Added.
3565         (shouldBe):
3566         (test):
3567         * stress/array-push-multiple-many-double.js: Added.
3568         (shouldBe):
3569         (test):
3570         * stress/array-push-multiple-many-int32.js: Added.
3571         (shouldBe):
3572         (test):
3573         * stress/array-push-multiple-many-storage.js: Added.
3574         (shouldBe):
3575         (test):
3576         * stress/array-push-multiple-storage.js: Added.
3577         (shouldBe):
3578         (test):
3579         * stress/array-push-with-force-exit.js: Added.
3580         (target.createBuiltin):
3581
3582 2017-09-29  Saam Barati  <sbarati@apple.com>
3583
3584         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3585         https://bugs.webkit.org/show_bug.cgi?id=177639
3586
3587         Reviewed by Geoffrey Garen.
3588
3589         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3590         (assert):
3591         (Class):
3592         (items.forEach):
3593         (set get for):
3594
3595 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3596
3597         Unreviewed, rolling out r222563, r222565, and r222581.
3598         https://bugs.webkit.org/show_bug.cgi?id=177675
3599
3600         "It causes a crash when playing youtube videos" (Requested by
3601         saamyjoon on #webkit).
3602
3603         Reverted changesets:
3604
3605         "[DFG] Support ArrayPush with multiple args"
3606         https://bugs.webkit.org/show_bug.cgi?id=175823
3607         http://trac.webkit.org/changeset/222563
3608
3609         "Unreviewed, build fix after r222563"
3610         https://bugs.webkit.org/show_bug.cgi?id=175823
3611         http://trac.webkit.org/changeset/222565
3612
3613         "Unreviewed, fix x86 breaking due to exhausted registers"
3614         https://bugs.webkit.org/show_bug.cgi?id=175823
3615         http://trac.webkit.org/changeset/222581
3616
3617 2017-09-28  Mark Lam  <mark.lam@apple.com>
3618
3619         test262: Unexpected passes after r222617 and r222618.
3620         https://bugs.webkit.org/show_bug.cgi?id=177622
3621         <rdar://problem/34725960>
3622
3623         Reviewed by Saam Barati.
3624
3625         Update test262.yaml for tests that are now passing.
3626
3627         * test262.yaml:
3628
3629 2017-09-27  Michael Saboff  <msaboff@apple.com>
3630
3631         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3632         https://bugs.webkit.org/show_bug.cgi?id=177570
3633
3634         Reviewed by Filip Pizlo.
3635
3636         New regression test.
3637
3638         * stress/regress-177570.js: Added.
3639
3640 2017-09-28  Michael Saboff  <msaboff@apple.com>
3641
3642         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3643         https://bugs.webkit.org/show_bug.cgi?id=177423
3644
3645         Reviewed by Mark Lam.
3646
3647         Updated regression test.
3648
3649         * stress/regress-177423.js:
3650         (catch):
3651
3652 2017-09-27  Mark Lam  <mark.lam@apple.com>
3653
3654         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3655         https://bugs.webkit.org/show_bug.cgi?id=177584
3656         <rdar://problem/34463903>
3657
3658         Reviewed by Saam Barati.
3659
3660         * stress/regress-177584.js: Added.
3661         (assertEqual):
3662         (Array.prototype.Symbol.species):
3663
3664 2017-09-27  Saam Barati  <sbarati@apple.com>
3665
3666         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3667         https://bugs.webkit.org/show_bug.cgi?id=177523
3668
3669         Reviewed by Mark Lam.
3670
3671         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3672         (assert):
3673         (Test):
3674         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3675         (addMethods):
3676         (i.Test.prototype.propName):
3677
3678 2017-09-27  Mark Lam  <mark.lam@apple.com>
3679
3680         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3681         https://bugs.webkit.org/show_bug.cgi?id=177423
3682         <rdar://problem/34621320>
3683
3684         Reviewed by Keith Miller.
3685
3686         * stress/regress-177423.js: Added.
3687
3688 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3689
3690         Add Above/Below comparisons for UInt32 patterns
3691         https://bugs.webkit.org/show_bug.cgi?id=177281
3692
3693         Reviewed by Saam Barati.
3694
3695         * stress/uint32-comparison-jump.js: Added.
3696         (shouldBe):
3697         (above):
3698         (aboveOrEqual):
3699         (below):
3700         (belowOrEqual):
3701         (notAbove):
3702         (notAboveOrEqual):
3703         (notBelow):
3704         (notBelowOrEqual):
3705         * stress/uint32-comparison.js: Added.
3706         (shouldBe):
3707         (above):
3708         (aboveOrEqual):
3709         (below):
3710         (belowOrEqual):
3711         (aboveTest):
3712         (aboveOrEqualTest):
3713         (belowTest):
3714         (belowOrEqualTest):
3715
3716 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3717
3718         [DFG] Support ArrayPush with multiple args
3719         https://bugs.webkit.org/show_bug.cgi?id=175823
3720
3721         Reviewed by Saam Barati.
3722
3723         * microbenchmarks/array-push-0.js: Added.
3724         (arrayPush0):
3725         * microbenchmarks/array-push-1.js: Added.