6cef66e049fc4b3cae7c4e91f90af33a5038e1a8
[WebKit-https.git] / JSTests / ChangeLog
1 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
4
5         Unreviewed test gardening.
6
7         * stress/new-largeish-contiguous-array-with-size.js:
8
9 2018-02-14  Saam Barati  <sbarati@apple.com>
10
11         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
12         https://bugs.webkit.org/show_bug.cgi?id=182801
13
14         Reviewed by Keith Miller.
15
16         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
17
18 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
19
20         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
21         https://bugs.webkit.org/show_bug.cgi?id=182526
22
23         Unreviewed test gardening.
24
25         * stress/activation-sink-default-value-tdz-error.js:
26
27 2018-02-13  Saam Barati  <sbarati@apple.com>
28
29         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
30         https://bugs.webkit.org/show_bug.cgi?id=182755
31         <rdar://problem/37080864>
32
33         Reviewed by Keith Miller.
34
35         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
36         (test1.o.get 10005):
37         (test1):
38         (test2.o.get 1000):
39         (test2):
40
41 2018-02-13  Caitlin Potter  <caitp@igalia.com>
42
43         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
44         https://bugs.webkit.org/show_bug.cgi?id=182717
45
46         Reviewed by Yusuke Suzuki.
47
48         https://github.com/tc39/ecma262/pull/890 imposes a change to template
49         literals, to allow template callsite arrays to be collected when the
50         code containing the tagged template call is collected. This spec change
51         has received concensus and been ratified.
52
53         This change eliminates the eternal map associating template contents
54         with arrays.
55
56         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
57         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
58         * stress/tagged-templates-identity.js:
59         * stress/template-string-tags-eval.js:
60         * test262.yaml:
61
62 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
63
64         Support GetArrayLength on ArrayStorage in the FTL
65         https://bugs.webkit.org/show_bug.cgi?id=182625
66
67         Reviewed by Saam Barati.
68
69         * stress/array-storage-length.js: Added.
70         (shouldBe):
71         (testInBound):
72         (testUncountable):
73         (testSlowPutInBound):
74         (testSlowPutUncountable):
75         * stress/undecided-length.js: Added.
76         (shouldBe):
77         (test2):
78
79 2018-02-12  Saam Barati  <sbarati@apple.com>
80
81         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
82         https://bugs.webkit.org/show_bug.cgi?id=182706
83         <rdar://problem/36833681>
84
85         Reviewed by Filip Pizlo.
86
87         * stress/get-array-length-phantom-new-array-buffer.js: Added.
88         (effects):
89         (foo):
90
91 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
92
93         Don't waste memory for error.stack
94         https://bugs.webkit.org/show_bug.cgi?id=182656
95
96         Reviewed by Saam Barati.
97         
98         Tests the policy.
99
100         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
101         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
102
103 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
104
105         [JSC] Update Test262 to Feb 9 version
106         https://bugs.webkit.org/show_bug.cgi?id=182468
107
108         Reviewed by Saam Barati.
109
110 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
111
112         Unreviewed, fix invalid line terminator in old test262 file part 2
113         https://bugs.webkit.org/show_bug.cgi?id=182468
114
115         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
116
117 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
118
119         Unreviewed, fix invalid line terminator in old test262 file
120         https://bugs.webkit.org/show_bug.cgi?id=182468
121
122         * test262/test/language/literals/regexp/7.8.5-1.js:
123
124 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
125
126         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
127         https://bugs.webkit.org/show_bug.cgi?id=182440
128
129         Reviewed by Darin Adler.
130
131         * stress/array-flatmap.js: Added.
132         (shouldBe):
133         (shouldBeArray):
134         (shouldThrow):
135         (var):
136         * stress/array-flatten.js: Added.
137         (shouldBe):
138         (shouldBeArray):
139         * test262.yaml:
140         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
141         (3.flatMap):
142         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
143
144 2018-02-06  Keith Miller  <keith_miller@apple.com>
145
146         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
147         https://bugs.webkit.org/show_bug.cgi?id=182549
148         <rdar://problem/36189995>
149
150         Reviewed by Saam Barati.
151
152         * stress/var-injection-cache-invalidation.js: Added.
153         (allocateLotsOfThings):
154         (test):
155
156 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
157
158         Unreviewed, follow up for test262 update
159         https://bugs.webkit.org/show_bug.cgi?id=182288
160
161         * test262.yaml:
162
163 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
164
165         Update test262 to Jan 30 version
166         https://bugs.webkit.org/show_bug.cgi?id=182288
167
168         Unreviewed test gardening.
169
170         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
171
172 2018-02-02  Saam Barati  <sbarati@apple.com>
173
174         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
175         https://bugs.webkit.org/show_bug.cgi?id=182368
176         <rdar://problem/36932466>
177
178         Reviewed by Mark Lam.
179
180         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
181         (runNearStackLimit.t):
182         (runNearStackLimit):
183         (try.runNearStackLimit):
184         (catch):
185
186 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
187
188         Update test262 to Jan 30 version
189         https://bugs.webkit.org/show_bug.cgi?id=182288
190
191         Rubber stamped by Saam Barati.
192
193         This patch updates test262 to the latest one, Jan 30 version.
194         Since added and changed files are too many, we cannot create ChangeLog.
195         The following files are changed.
196
197         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
198         including some special line terminators (like u2028, u2029).
199
200         * test262.yaml:
201         * test262/test262-Revision.txt:
202         * test262/*:
203
204 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
205
206         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
207         https://bugs.webkit.org/show_bug.cgi?id=182411
208
209         Reviewed by Carlos Alberto Lopez Perez.
210
211         This is skipped only on arm memory limited platforms. Until recently
212         it was not a problem on MIPS as the butterfly was not initialized. But
213         since r227435, the butterfly is initialized in that test and therefore
214         memory is allocated, and the test typically takes around 512M, which
215         means it generally gets OOM-killed on the MIPS buildbot.
216
217         * mozilla/mozilla-tests.yaml:
218
219 2018-02-01  Mark Lam  <mark.lam@apple.com>
220
221         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
222         https://bugs.webkit.org/show_bug.cgi?id=182419
223         <rdar://problem/37044945>
224
225         Reviewed by Saam Barati.
226
227         * stress/regress-182419.js: Added.
228
229 2018-02-01  Keith Miller  <keith_miller@apple.com>
230
231         Fix crashes due to mishandling custom sections.
232         https://bugs.webkit.org/show_bug.cgi?id=182404
233         <rdar://problem/36935863>
234
235         Reviewed by Saam Barati.
236
237         * wasm/Builder.js:
238         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
239         * wasm/js-api/validate.js:
240         (assert.truthy):
241
242 2018-01-31  Saam Barati  <sbarati@apple.com>
243
244         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
245         https://bugs.webkit.org/show_bug.cgi?id=182074
246         <rdar://problem/36846261>
247
248         Reviewed by Mark Lam.
249
250         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
251         (assert):
252         (let.func):
253         (let.o.foo):
254         (varFunc):
255
256 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
257
258         Unreviewed, update test262 expects
259         https://bugs.webkit.org/show_bug.cgi?id=182232
260
261         * test262.yaml:
262
263 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
264
265         [JSC] Implement trimStart and trimEnd
266         https://bugs.webkit.org/show_bug.cgi?id=182233
267
268         Reviewed by Mark Lam.
269
270         * stress/trim.js: Added.
271         (shouldBe):
272         (startTest):
273         (endTest):
274         (trimTest):
275
276 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
277
278         [JSC] Relax line terminators in String to make JSON subset of JS
279         https://bugs.webkit.org/show_bug.cgi?id=182232
280
281         Reviewed by Keith Miller.
282
283         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
284         * stress/relaxed-line-terminators-in-string.js: Added.
285         (shouldBe):
286
287 2018-01-29  Michael Saboff  <msaboff@apple.com>
288
289         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
290         https://bugs.webkit.org/show_bug.cgi?id=182249
291
292         Reviewed by Keith Miller.
293
294         New regression test.
295
296         * stress/compare-clobber-untypeduse.js: Added.
297
298 2018-01-29  Matt Lewis  <jlewis3@apple.com>
299
300         Unreviewed, rolling out r227725.
301
302         This caused internal failures.
303
304         Reverted changeset:
305
306         "JSC Sampling Profiler: Detect tester and testee when sampling
307         in RegExp JIT"
308         https://bugs.webkit.org/show_bug.cgi?id=152729
309         https://trac.webkit.org/changeset/227725
310
311 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
312
313         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
314         https://bugs.webkit.org/show_bug.cgi?id=152729
315
316         Reviewed by Saam Barati.
317
318         * stress/sampling-profiler-regexp.js: Added.
319         (platformSupportsSamplingProfiler.test):
320         (platformSupportsSamplingProfiler.baz):
321         (platformSupportsSamplingProfiler):
322
323 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
324
325         [DFG][FTL] WeakMap#set should have DFG node
326         https://bugs.webkit.org/show_bug.cgi?id=180015
327
328         Reviewed by Saam Barati.
329
330         * stress/weakmap-set-change-get.js: Added.
331         (shouldBe):
332         (test):
333         * stress/weakmap-set-cse.js: Added.
334         (shouldBe):
335         (test):
336         * stress/weakset-add-change-get.js: Added.
337         (shouldBe):
338         * stress/weakset-add-cse.js: Added.
339         (shouldBe):
340
341 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
342
343         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
344         https://bugs.webkit.org/show_bug.cgi?id=182213
345
346         Reviewed by Mark Lam.
347
348         * stress/int32-min-to-string.js: Added.
349         (shouldBe):
350         (test2):
351         (test4):
352         (test8):
353         (test16):
354         (test32):
355         * stress/zero-to-string.js: Added.
356         (shouldBe):
357         (test2):
358         (test4):
359         (test8):
360         (test16):
361         (test32):
362
363 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
364
365         Add more module scope related tests with code evaluation by string
366         https://bugs.webkit.org/show_bug.cgi?id=181983
367
368         Reviewed by Sam Weinig.
369
370         Add more module scope related tests. When the original tests are landed,
371         we do not have browser integration. This patch adds more module scope tests
372         with dynamically created script evaluation. We add tests with Function
373         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
374
375         * modules/scopes-eval.js: Added.
376         (shouldBe):
377         * modules/scopes.js:
378         (shouldBe):
379
380 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
381
382         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
383
384         * microbenchmarks/array-push-3.js: Removed.
385         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
386         * microbenchmarks/double-to-int32.js: Removed.
387         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
388         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
389         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
390         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
391         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
392         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
393         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
394         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
395         * microbenchmarks/map-constant-key.js: Removed.
396         * microbenchmarks/nested-function-parsing.js: Removed.
397         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
398         * microbenchmarks/spread-large-array.js: Removed.
399         * microbenchmarks/string-add-constant-folding.js: Removed.
400         * microbenchmarks/to-lower-case.js: Removed.
401         * microbenchmarks/undefined-property-access.js: Removed.
402         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
403         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
404         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
405         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
406         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
407         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
408         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
409         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
410         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
411         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
412         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
413         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
414         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
415         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
416         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
417         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
418         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
419         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
420
421 2018-01-23  Robin Morisset  <rmorisset@apple.com>
422
423         Update the argument count in DFGByteCodeParser::handleRecursiveCall
424         https://bugs.webkit.org/show_bug.cgi?id=181739
425         <rdar://problem/36627662>
426
427         Reviewed by Saam Barati.
428
429         * stress/recursive-tail-call-with-different-argument-count.js: Added.
430         (foo):
431         (bar):
432
433 2018-01-22  Michael Saboff  <msaboff@apple.com>
434
435         DFG abstract interpreter needs to properly model effects of some Math ops
436         https://bugs.webkit.org/show_bug.cgi?id=181886
437
438         Reviewed by Saam Barati.
439
440         New regression test.
441
442         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
443         (test):
444
445 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
446
447         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
448         https://bugs.webkit.org/show_bug.cgi?id=181182
449
450         Reviewed by Darin Adler.
451
452         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
453         * stress/big-int-prototype-to-string-exception.js: Added.
454         * stress/big-int-prototype-to-string-wrong-values.js: Added.
455         * stress/number-prototype-to-string-cast-overflow.js: Added.
456         * stress/number-prototype-to-string-exception.js: Added.
457         * stress/number-prototype-to-string-wrong-values.js: Added.
458
459 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
460
461         Disable Atomics when SharedArrayBuffer isn’t enabled
462         https://bugs.webkit.org/show_bug.cgi?id=181572
463
464         Unreviewed test gardening.
465
466         * test262.yaml: Skip tests that fail after this change.
467
468 2018-01-19  Saam Barati  <sbarati@apple.com>
469
470         Kill ArithNegate's ArithProfile assert inside BytecodeParser
471         https://bugs.webkit.org/show_bug.cgi?id=181877
472         <rdar://problem/36630552>
473
474         Reviewed by Mark Lam.
475
476         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
477         (runNearStackLimit):
478         (f1):
479         (f2):
480         (f3):
481         (i.catch):
482         (i.try.runNearStackLimit):
483         (catch):
484
485 2018-01-19  Saam Barati  <sbarati@apple.com>
486
487         Spread's effects are modeled incorrectly both in AI and in Clobberize
488         https://bugs.webkit.org/show_bug.cgi?id=181867
489         <rdar://problem/36290415>
490
491         Reviewed by Michael Saboff.
492
493         * stress/ai-needs-to-model-spreads-effects.js: Added.
494         (try.p.Symbol.iterator):
495         (try.go):
496         (catch):
497         * stress/clobberize-needs-to-model-spread-effects.js: Added.
498         (assert):
499         (foo):
500         (a.Symbol.iterator):
501
502 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
503
504         Unreviewed, reduce count of iteration to fix timing out debug JSC test
505         https://bugs.webkit.org/show_bug.cgi?id=181535
506
507         * stress/inserted-recovery-with-set-last-index.js:
508
509 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
510
511         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
512         https://bugs.webkit.org/show_bug.cgi?id=181535
513
514         Reviewed by Saam Barati.
515
516         * stress/inserted-recovery-with-set-last-index.js: Added.
517         (shouldBe):
518         (foo):
519         * stress/materialize-regexp-at-osr-exit.js: Added.
520         (shouldBe):
521         (test):
522         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
523         (shouldBe):
524         (test):
525         * stress/materialize-regexp-cyclic-regexp.js: Added.
526         (shouldBe):
527         (test):
528         (i.switch):
529         * stress/materialize-regexp-cyclic.js: Added.
530         (shouldBe):
531         (test):
532         (i.switch):
533         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
534         (bar):
535         (foo):
536         (test):
537         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
538         (bar):
539         (foo):
540         (test):
541         * stress/materialize-regexp.js: Added.
542         (shouldBe):
543         (test):
544         * stress/phantom-regexp-regexp-exec.js: Added.
545         (shouldBe):
546         (test):
547         * stress/phantom-regexp-string-match.js: Added.
548         (shouldBe):
549         (test):
550         * stress/regexp-last-index-sinking.js: Added.
551         (shouldBe):
552         (test):
553
554 2018-01-17  Saam Barati  <sbarati@apple.com>
555
556         Disable Atomics when SharedArrayBuffer isn’t enabled
557         https://bugs.webkit.org/show_bug.cgi?id=181572
558         <rdar://problem/36553206>
559
560         Reviewed by Michael Saboff.
561
562         * stress/isLockFree.js:
563
564 2018-01-17  Saam Barati  <sbarati@apple.com>
565
566         DFG::Node::convertToConstant needs to clear the varargs flags
567         https://bugs.webkit.org/show_bug.cgi?id=181697
568         <rdar://problem/36497332>
569
570         Reviewed by Yusuke Suzuki.
571
572         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
573         (doIndexOf):
574         (bar):
575         (i.bar):
576
577 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
578
579         Unreviewed, rolling out r226937.
580
581         Tests added with this change are failing due to a missing
582         exception check.
583
584         Reverted changeset:
585
586         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
587         double to int32_t"
588         https://bugs.webkit.org/show_bug.cgi?id=181182
589         https://trac.webkit.org/changeset/226937
590
591 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
592
593         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
594         https://bugs.webkit.org/show_bug.cgi?id=181182
595
596         Reviewed by Darin Adler.
597
598         * bigIntTests.yaml:
599         * stress/big-int-constructor.js:
600         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
601         (assert):
602         (assertThrowRangeError):
603         * stress/number-prototype-to-string-cast-overflow.js: Added.
604         (assert):
605         (assertThrowRangeError):
606
607 2018-01-12  Saam Barati  <sbarati@apple.com>
608
609         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
610         https://bugs.webkit.org/show_bug.cgi?id=181177
611         <rdar://problem/36205704>
612
613         Reviewed by Yusuke Suzuki.
614
615         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
616         (runNearStackLimit.t):
617         (runNearStackLimit):
618         (test.f):
619         (test):
620
621 2018-01-12  Saam Barati  <sbarati@apple.com>
622
623         Each variant of a polymorphic inlined call should be exitOK at the top of the block
624         https://bugs.webkit.org/show_bug.cgi?id=181562
625         <rdar://problem/36445624>
626
627         Reviewed by Yusuke Suzuki.
628
629         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
630         (f):
631         (foo):
632
633 2018-01-11  Saam Barati  <sbarati@apple.com>
634
635         When inserting Unreachable in byte code parser we need to flush all the right things
636         https://bugs.webkit.org/show_bug.cgi?id=181509
637         <rdar://problem/36423110>
638
639         Reviewed by Mark Lam.
640
641         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
642
643 2018-01-11  Saam Barati  <sbarati@apple.com>
644
645         JITMathIC code in the FTL is wrong when code gets duplicated
646         https://bugs.webkit.org/show_bug.cgi?id=181525
647         <rdar://problem/36351993>
648
649         Reviewed by Michael Saboff and Keith Miller.
650
651         * stress/allow-math-ic-b3-code-duplication.js: Added.
652
653 2018-01-11  Saam Barati  <sbarati@apple.com>
654
655         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
656         https://bugs.webkit.org/show_bug.cgi?id=181508
657
658         Reviewed by Yusuke Suzuki.
659
660         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
661         (assert):
662         (test1.foo):
663         (test1):
664         (test2.foo):
665         (test2):
666
667 2018-01-09  Mark Lam  <mark.lam@apple.com>
668
669         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
670         https://bugs.webkit.org/show_bug.cgi?id=181388
671         <rdar://problem/36349351>
672
673         Reviewed by Saam Barati.
674
675         * stress/regress-181388.js: Added.
676
677 2018-01-08  JF Bastien  <jfbastien@apple.com>
678
679         WebAssembly: mask indexed accesses to Table
680         https://bugs.webkit.org/show_bug.cgi?id=181412
681         <rdar://problem/36363236>
682
683         Reviewed by Saam Barati.
684
685         Update error messages.
686
687         * wasm/js-api/table.js:
688         (assert.throws.WebAssembly.Table.prototype.grow):
689
690 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
691
692         Disable SharedArrayBuffer tests missed in r226386.
693         https://bugs.webkit.org/show_bug.cgi?id=181266
694
695         Unreviewed test gardening.
696
697         * test262.yaml:
698
699 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
700
701         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
702         https://bugs.webkit.org/show_bug.cgi?id=181321
703
704         Reviewed by Saam Barati.
705
706         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
707         (shouldBe):
708         (testFunction):
709         * test262.yaml:
710
711 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
712
713         Unreviewed, attempt to fix test262 after r226386.
714
715         * test262.yaml:
716
717 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
718
719         [DFG] Define defs for MapSet/SetAdd to participate in CSE
720         https://bugs.webkit.org/show_bug.cgi?id=179911
721
722         Reviewed by Saam Barati.
723
724         In addition to these tests, map-set-cse.js and set-add-cse.js work.
725
726         * stress/map-set-change-get.js: Added.
727         (shouldBe):
728         (test):
729         * stress/map-set-create-bucket.js: Added.
730         (shouldBe):
731         (test):
732         * stress/set-add-create-bucket.js: Added.
733         (shouldBe):
734
735 2018-01-03  Michael Saboff  <msaboff@apple.com>
736
737         Disable SharedArrayBuffers from Web API
738         https://bugs.webkit.org/show_bug.cgi?id=181266
739
740         Reviewed by Saam Barati.
741
742         Disabled SharedArrayBuffer tests.
743
744         * stress/SharedArrayBuffer-opt.js:
745         * stress/SharedArrayBuffer.js:
746         * stress/array-buffer-byte-length.js:
747         * stress/atomics-add-uint32.js:
748         * stress/atomics-known-int-use.js:
749         * stress/atomics-neg-zero.js:
750         * stress/atomics-store-return.js:
751         * stress/lars-sab-workers.js:
752         * stress/regress-159779-1.js:
753         * stress/regress-159779-2.js:
754         * stress/regress-170473.js:
755         * test262.yaml:
756
757 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
758
759         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
760         https://bugs.webkit.org/show_bug.cgi?id=181258
761
762         Reviewed by Antonio Gomes.
763
764         * stress/big-int-constructor-gc.js:
765         * stress/big-int-constructor-oom.js:
766
767 2018-01-03  Robin Morisset  <rmorisset@apple.com>
768
769         Inlining of a function that ends in op_unreachable crashes
770         https://bugs.webkit.org/show_bug.cgi?id=181027
771
772         Reviewed by Filip Pizlo.
773
774         * stress/inlining-unreachable.js: Added.
775         (bar):
776         (baz):
777         (i.catch):
778
779 2018-01-02  Saam Barati  <sbarati@apple.com>
780
781         Incorrect assertion inside AccessCase
782         https://bugs.webkit.org/show_bug.cgi?id=181200
783         <rdar://problem/35494754>
784
785         Reviewed by Yusuke Suzuki.
786
787         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
788         (ctor):
789         (theFunc):
790         (run):
791
792 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
793
794         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
795         https://bugs.webkit.org/show_bug.cgi?id=175359
796
797         Reviewed by Yusuke Suzuki.
798
799         * bigIntTests.yaml:
800         * stress/big-int-as-key.js: Added.
801         * stress/big-int-constructor-gc.js: Added.
802         * stress/big-int-constructor-oom.js: Added.
803         * stress/big-int-constructor-properties.js: Added.
804         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
805         * stress/big-int-constructor-prototype.js: Added.
806         * stress/big-int-constructor.js: Added.
807         * stress/big-int-function-apply.js:
808         * stress/big-int-length.js: Added.
809         * stress/big-int-prop-descriptor.js: Added.
810         * stress/big-int-proto-constructor.js: Added.
811         * stress/big-int-proto-name.js: Added.
812         * stress/big-int-prototype-properties.js: Added.
813         * stress/big-int-prototype-proto.js: Added.
814         * stress/big-int-prototype-value-of.js: Added.
815         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
816         * stress/big-int-prototype-to-string-apply.js: Added.
817         * stress/big-int-to-object.js: Added.
818         * stress/big-int-to-string.js: Added.
819
820 2017-12-28  Saam Barati  <sbarati@apple.com>
821
822         Assertion used to determine if something is an async generator is wrong
823         https://bugs.webkit.org/show_bug.cgi?id=181168
824         <rdar://problem/35640560>
825
826         Reviewed by Yusuke Suzuki.
827
828         * stress/async-generator-assertion.js: Added.
829
830 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
831
832         Skip stress/splay-flash-access tests on memory limited platforms
833         https://bugs.webkit.org/show_bug.cgi?id=181086
834
835         Reviewed by Carlos Alberto Lopez Perez.
836
837         These tests use about 185M of memory, and occasionally get OOM-killed
838         on memory limited platforms.
839
840         * stress/splay-flash-access-1ms.js:
841         * stress/splay-flash-access.js:
842
843 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
844
845         Skip slow jsc tests on embedded platforms
846         https://bugs.webkit.org/show_bug.cgi?id=180937
847
848         Reviewed by Carlos Alberto Lopez Perez.
849
850         The tests typeProfiler/deltablue-for-of.js and
851         typeProfiler/getter-richards.js take a very long time in the
852         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
853         thus always timeout. They should be skipped on these platforms.
854
855         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
856         * typeProfiler/getter-richards.js: Skip on arm*/mips.
857
858 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
859
860         [JSC] Do not check isValid() in op_new_regexp
861         https://bugs.webkit.org/show_bug.cgi?id=180970
862
863         Reviewed by Saam Barati.
864
865         * stress/regexp-syntax-error-invalid-flags.js: Added.
866         (shouldThrow):
867
868 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
869
870         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
871         https://bugs.webkit.org/show_bug.cgi?id=180712
872
873         Reviewed by Michael Catanzaro.
874
875         stress/call-apply-exponential-bytecode-size.js crashes if the
876         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
877         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
878         should skip the test on other platforms.
879
880         * stress/call-apply-exponential-bytecode-size.js:
881
882 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
883
884         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
885         https://bugs.webkit.org/show_bug.cgi?id=179762
886
887         Reviewed by Saam Barati.
888
889         * stress/call-varargs-double-new-array-buffer.js: Added.
890         (assert):
891         (bar):
892         (foo):
893         * stress/call-varargs-spread-new-array-buffer.js: Added.
894         (assert):
895         (bar):
896         (foo):
897         * stress/call-varargs-spread-new-array-buffer2.js: Added.
898         (assert):
899         (bar):
900         (foo):
901         * stress/forward-varargs-double-new-array-buffer.js: Added.
902         (assert):
903         (test.baz):
904         (test.bar):
905         (test.foo):
906         (test):
907         * stress/new-array-buffer-sinking-osrexit.js: Added.
908         (target):
909         (test):
910         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
911         (shouldBe):
912         (test):
913         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
914         (shouldBe):
915         (target):
916         (test):
917         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
918         (assert):
919         (test1.bar):
920         (test1.foo):
921         (test1):
922         (test2.bar):
923         (test2.foo):
924         (test3.baz):
925         (test3.bar):
926         (test3.foo):
927         (test4.baz):
928         (test4.bar):
929         (test4.foo):
930         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
931         (assert):
932         (test.baz):
933         (test.bar):
934         (test.foo):
935         (test):
936         * stress/phantom-new-array-buffer-osr-exit.js: Added.
937         (assert):
938         (baz):
939         (bar):
940         (effects):
941         (foo):
942
943 2017-12-14  Saam Barati  <sbarati@apple.com>
944
945         The CleanUp after LICM is erroneously removing a Check
946         https://bugs.webkit.org/show_bug.cgi?id=180852
947         <rdar://problem/36063494>
948
949         Reviewed by Filip Pizlo.
950
951         * stress/dont-run-cleanup-after-licm.js: Added.
952
953 2017-12-14  Michael Saboff  <msaboff@apple.com>
954
955         REGRESSION (r225695): Repro crash on yahoo login page
956         https://bugs.webkit.org/show_bug.cgi?id=180761
957
958         Reviewed by JF Bastien.
959
960         New regression test.
961
962         * stress/regress-180761.js: Added.
963
964 2017-12-13  Keith Miller  <keith_miller@apple.com>
965
966         JSObjects should have a mask for loading indexed properties
967         https://bugs.webkit.org/show_bug.cgi?id=180768
968
969         Reviewed by Mark Lam.
970
971         * stress/int16-put-by-val-in-and-out-of-bounds.js:
972         (test):
973
974 2017-12-13  Saam Barati  <sbarati@apple.com>
975
976         Arrow functions need their own structure because they have different properties than sloppy functions
977         https://bugs.webkit.org/show_bug.cgi?id=180779
978         <rdar://problem/35814591>
979
980         Reviewed by Mark Lam.
981
982         * stress/arrow-function-needs-its-own-structure.js: Added.
983         (assert):
984         (readPrototype):
985         (noInline.let.f1):
986         (noInline):
987
988 2017-12-13  Saam Barati  <sbarati@apple.com>
989
990         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
991         https://bugs.webkit.org/show_bug.cgi?id=163579
992         <rdar://problem/35455798>
993
994         Reviewed by Mark Lam.
995
996         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
997         (assert):
998         (test1):
999         (i.test1):
1000         (i.test1.C):
1001         (i.test1.async.foo):
1002         (i.test1.foo):
1003         (test2):
1004
1005 2017-12-13  Saam Barati  <sbarati@apple.com>
1006
1007         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1008         https://bugs.webkit.org/show_bug.cgi?id=180734
1009         <rdar://problem/35640547>
1010
1011         Reviewed by Yusuke Suzuki.
1012
1013         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1014         (__isPropertyOfType):
1015         (__getProperties):
1016         (__getObjects):
1017         (__getRandomObject):
1018         (theClass.):
1019         (theClass):
1020         (childClass):
1021         (counter.catch):
1022
1023 2017-12-12  Saam Barati  <sbarati@apple.com>
1024
1025         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1026         https://bugs.webkit.org/show_bug.cgi?id=180725
1027         <rdar://problem/35970511>
1028
1029         Reviewed by Michael Saboff.
1030
1031         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1032         (f1):
1033         (f2):
1034         (let.o2.valueOf):
1035
1036 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1037
1038         [JSC] Implement optimized WeakMap and WeakSet
1039         https://bugs.webkit.org/show_bug.cgi?id=179929
1040
1041         Reviewed by Saam Barati.
1042
1043         * microbenchmarks/weak-map-key.js:
1044         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1045         (assert):
1046         (objectKey):
1047         (let.start.Date.now):
1048         * stress/basic-weakmap.js: Added.
1049         (shouldBe):
1050         (test):
1051         * stress/basic-weakset.js: Added.
1052         (shouldBe):
1053         (test.set new):
1054         * stress/weakmap-cse-set-break.js: Added.
1055         (shouldBe):
1056         (test):
1057         * stress/weakmap-cse.js: Added.
1058         (shouldBe):
1059         (test):
1060         * stress/weakmap-gc.js: Added.
1061         (test):
1062         * stress/weakset-cse-add-break.js: Added.
1063         (shouldBe):
1064         (test.set new):
1065         * stress/weakset-cse.js: Added.
1066         (shouldBe):
1067         (test.set new):
1068         * stress/weakset-gc.js: Added.
1069         (test.set add):
1070         (test.set new):
1071         (test):
1072
1073 2017-12-12  Saam Barati  <sbarati@apple.com>
1074
1075         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1076         https://bugs.webkit.org/show_bug.cgi?id=180723
1077         <rdar://problem/35859726>
1078
1079         Reviewed by JF Bastien.
1080
1081         * stress/get-my-argument-by-val-constant-folding.js: Added.
1082         (test):
1083         (catch):
1084
1085 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1086
1087         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1088         https://bugs.webkit.org/show_bug.cgi?id=179000
1089
1090         Reviewed by Darin Adler and Yusuke Suzuki.
1091
1092         * bigIntTests.yaml: Added.
1093         * stress/big-int-literal-line-terminator.js: Added.
1094         * stress/big-int-literals.js: Added.
1095         * stress/big-int-operations-error.js: Added.
1096         * stress/big-int-type-of.js: Added.
1097         * stress/big-int-white-space-trailing-leading.js: Added.
1098         * stress/big-int-function-apply.js: Added.
1099
1100 2017-12-11  Saam Barati  <sbarati@apple.com>
1101
1102         We need to disableCaching() in ErrorInstance when we materialize properties
1103         https://bugs.webkit.org/show_bug.cgi?id=180343
1104         <rdar://problem/35833002>
1105
1106         Reviewed by Mark Lam.
1107
1108         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1109         (assert):
1110         (makeError):
1111         (storeToStack):
1112         (storeToStackAlreadyMaterialized):
1113
1114 2017-12-05  JF Bastien  <jfbastien@apple.com>
1115
1116         WebAssembly: don't eagerly checksum
1117         https://bugs.webkit.org/show_bug.cgi?id=180441
1118         <rdar://problem/35156628>
1119
1120         Reviewed by Saam Barati.
1121
1122         Checksum is now disabled, so tests only have <?> as the module
1123         name.
1124
1125         * wasm/function-tests/nameSection.js:
1126         * wasm/function-tests/stack-overflow.js:
1127         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1128         (assertOverflows.assertThrows):
1129         (assertOverflows):
1130         * wasm/function-tests/stack-trace.js:
1131
1132 2017-12-04  JF Bastien  <jfbastien@apple.com>
1133
1134         Proxy all functions, except the $ objects
1135         https://bugs.webkit.org/show_bug.cgi?id=180375
1136
1137         Reviewed by Saam Barati.
1138
1139         It looks like this test may have broken some executions because I
1140         call some internal objects. Explicitly ignore objects whose name
1141         starts with "$" because it's a bad idea anyways.
1142
1143         * stress/proxy-all-the-parameters.js:
1144         (generateObjects):
1145         (get throw):
1146
1147 2017-12-04  Saam Barati  <sbarati@apple.com>
1148
1149         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1150         https://bugs.webkit.org/show_bug.cgi?id=180366
1151         <rdar://problem/35685877>
1152
1153         Reviewed by Michael Saboff.
1154
1155         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1156         (theParent):
1157         (test1.base.getParentStaticValue):
1158         (test1.base):
1159         (test1.__v_24888.prototype.set prop):
1160         (test1.__v_24888):
1161         (test2.base.getParentStaticValue):
1162         (test2.base):
1163         (test2.__v_24888.prototype.set prop):
1164         (test2.__v_24888):
1165         (test2):
1166
1167 2017-12-01  JF Bastien  <jfbastien@apple.com>
1168
1169         Try proxying all function arguments
1170         https://bugs.webkit.org/show_bug.cgi?id=180306
1171
1172         Reviewed by Saam Barati.
1173
1174         * stress/proxy-all-the-parameters.js: Added.
1175         (isPropertyOfType):
1176         (getProperties):
1177         (generateObjects):
1178         (getObjects):
1179         (getFunctions):
1180         (get throw):
1181         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1182
1183 2017-12-01  JF Bastien  <jfbastien@apple.com>
1184
1185         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1186         https://bugs.webkit.org/show_bug.cgi?id=180297
1187         <rdar://problem/35745556>
1188
1189         Reviewed by Mark Lam.
1190
1191         * stress/math-exceptions.js: Added.
1192         (get try):
1193         (catch):
1194
1195 2017-12-01  JF Bastien  <jfbastien@apple.com>
1196
1197         JavaScriptCore: add test for weird class static getters
1198         https://bugs.webkit.org/show_bug.cgi?id=180281
1199         <rdar://problem/35592139>
1200
1201         Reviewed by Mark Lam.
1202
1203         I fixed a bug for it in r224927 and didn't add a test. Do so.
1204
1205         * stress/class-static-get-weird.js: Added.
1206         (c.prototype.get name):
1207         (c):
1208         (c.prototype.get arguments):
1209         (c.prototype.get caller):
1210         (c.prototype.get length):
1211
1212 2017-12-01  Saam Barati  <sbarati@apple.com>
1213
1214         Having a bad time needs to handle ArrayClass indexing type as well
1215         https://bugs.webkit.org/show_bug.cgi?id=180274
1216         <rdar://problem/35667869>
1217
1218         Reviewed by Keith Miller and Mark Lam.
1219
1220         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1221         (assert):
1222         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1223         (assert):
1224
1225 2017-12-01  JF Bastien  <jfbastien@apple.com>
1226
1227         WebAssembly: restore cached stack limit after out-call
1228         https://bugs.webkit.org/show_bug.cgi?id=179106
1229         <rdar://problem/35337525>
1230
1231         Reviewed by Saam Barati.
1232
1233         * wasm/function-tests/double-instance.js: Added.
1234         (const.imp.boom):
1235         (const.imp.get callAnother):
1236
1237 2017-11-30  JF Bastien  <jfbastien@apple.com>
1238
1239         WebAssembly: improve stack trace
1240         https://bugs.webkit.org/show_bug.cgi?id=179343
1241
1242         Reviewed by Saam Barati.
1243
1244         Update the tests to follow the new format. Notably, SHA1 module
1245         hash is now included in traces, and stubs are properly identified.
1246
1247         * wasm/assert.js: Add an assertion which matches regular expressions.
1248         * wasm/function-tests/nameSection.js:
1249         * wasm/function-tests/stack-overflow.js:
1250         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1251         (assertOverflows.assertThrows.wasm.1):
1252         (assertOverflows.assertThrows.wasm.0):
1253         (assertOverflows.assertThrows):
1254         (assertOverflows):
1255         * wasm/function-tests/stack-trace.js:
1256         (import.Builder.from.string_appeared_here.assert): Deleted.
1257         * wasm/function-tests/trap-after-cross-instance-call.js:
1258         (wasmFrameCountFromError):
1259         * wasm/function-tests/trap-load-2.js:
1260         (wasmFrameCountFromError):
1261         * wasm/function-tests/trap-load.js:
1262         (wasmFrameCountFromError):
1263
1264 2017-11-30  Mark Lam  <mark.lam@apple.com>
1265
1266         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1267         https://bugs.webkit.org/show_bug.cgi?id=180219
1268         <rdar://problem/35696536>
1269
1270         Reviewed by Filip Pizlo.
1271
1272         * stress/regress-180219.js: Added.
1273
1274 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1275
1276         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1277         https://bugs.webkit.org/show_bug.cgi?id=180190
1278
1279         Reviewed by Mark Lam.
1280
1281         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1282         (shouldBe):
1283         (test1):
1284         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1285         (shouldBe):
1286         (test1):
1287         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1288         (shouldBe):
1289         (test1):
1290         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1291         (shouldBe):
1292         (test1):
1293         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1294         (shouldBe):
1295         (test1):
1296         * stress/operation-in-may-have-negative-int32.js: Added.
1297         (shouldBe):
1298         (test2):
1299         * stress/operation-in-negative-int32-cast.js: Added.
1300         (shouldBe):
1301         (test1):
1302
1303 2017-11-28  JF Bastien  <jfbastien@apple.com>
1304
1305         Strict and sloppy functions shouldn't share structure
1306         https://bugs.webkit.org/show_bug.cgi?id=180103
1307         <rdar://problem/35667847>
1308
1309         Reviewed by Saam Barati.
1310
1311         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1312         because the IC was wrong.
1313         (foo):
1314         (bar):
1315         (baz):
1316         (catch):
1317         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1318         in this patch, but may as well test odd strict mode corner cases.
1319         (bar):
1320         (baz):
1321         (catch):
1322         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1323         (foo):
1324         (bar):
1325         (baz):
1326         (catch):
1327         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1328         next file, but with invalidation of the FunctionExecutable's
1329         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1330         slower path.
1331         (foo):
1332         (bar.const.x):
1333         (bar.const.y):
1334         (bar):
1335         (catch):
1336         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1337         strict nesting works correctly.
1338         (foo):
1339         (bar.baz):
1340         (bar):
1341         * stress/strict-function-structure.js: Added. The test used to
1342         assert in objectProtoFuncHasOwnProperty.
1343         (foo):
1344         (bar):
1345         (baz):
1346         * stress/strict-nested-function-structure.js: Added. Nesting.
1347         (foo):
1348         (bar):
1349         (baz.boo):
1350         (baz):
1351
1352 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1353
1354         The recursive tail call optimisation is wrong on closures
1355         https://bugs.webkit.org/show_bug.cgi?id=179835
1356
1357         Reviewed by Saam Barati.
1358
1359         * stress/closure-recursive-tail-call.js: Added.
1360         (makeClosure):
1361
1362 2017-11-27  JF Bastien  <jfbastien@apple.com>
1363
1364         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1365         https://bugs.webkit.org/show_bug.cgi?id=180051
1366         <rdar://problem/35614371>
1367
1368         Reviewed by Saam Barati.
1369
1370         * stress/rest-parameter-negative.js: Added.
1371         (__f_5484):
1372         (catch):
1373         (__f_5485):
1374         (__v_22598.catch):
1375
1376 2017-11-27  Saam Barati  <sbarati@apple.com>
1377
1378         Spread can escape when CreateRest does not
1379         https://bugs.webkit.org/show_bug.cgi?id=180057
1380         <rdar://problem/35676119>
1381
1382         Reviewed by JF Bastien.
1383
1384         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1385         (assert):
1386         (getProperties):
1387         (theFunc):
1388         (let.obj.valueOf):
1389
1390 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1391
1392         [DFG] Add NormalizeMapKey DFG IR
1393         https://bugs.webkit.org/show_bug.cgi?id=179912
1394
1395         Reviewed by Saam Barati.
1396
1397         * stress/map-untyped-normalize-cse.js: Added.
1398         (shouldBe):
1399         (test):
1400         * stress/map-untyped-normalize.js: Added.
1401         (shouldBe):
1402         (test):
1403         * stress/set-untyped-normalize-cse.js: Added.
1404         (shouldBe):
1405         (set return.set has.set has):
1406         * stress/set-untyped-normalize.js: Added.
1407         (shouldBe):
1408         (set return.set has):
1409
1410 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1411
1412         [FTL] Support DeleteById and DeleteByVal
1413         https://bugs.webkit.org/show_bug.cgi?id=180022
1414
1415         Reviewed by Saam Barati.
1416
1417         * stress/delete-by-id.js: Added.
1418         (shouldBe):
1419         (test1):
1420         (test2):
1421         * stress/delete-by-val-ftl.js: Added.
1422         (shouldBe):
1423         (test1):
1424         (test2):
1425
1426 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1427
1428         [DFG] Introduce {Set,Map,WeakMap}Fields
1429         https://bugs.webkit.org/show_bug.cgi?id=179925
1430
1431         Reviewed by Saam Barati.
1432
1433         * stress/map-set-clobber-map-get.js: Added.
1434         (shouldBe):
1435         (test):
1436         * stress/map-set-does-not-clobber-set-has.js: Added.
1437         (shouldBe):
1438         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1439         (shouldBe):
1440         (test):
1441         * stress/set-add-clobber-set-has.js: Added.
1442         (shouldBe):
1443         * stress/set-add-does-not-clobber-map-get.js: Added.
1444         (shouldBe):
1445
1446 2017-11-24  Mark Lam  <mark.lam@apple.com>
1447
1448         Move unsafe jsc shell test functions to the $vm object.
1449         https://bugs.webkit.org/show_bug.cgi?id=179980
1450
1451         Reviewed by Yusuke Suzuki.
1452
1453         * controlFlowProfiler/driver/driver.js:
1454         * controlFlowProfiler/execution-count.js:
1455         * controlFlowProfiler/if-statement.js:
1456         * controlFlowProfiler/loop-statements.js:
1457         * controlFlowProfiler/switch-statements.js:
1458         * controlFlowProfiler/test-jit.js:
1459         * exceptionFuzz/3d-cube.js:
1460         * exceptionFuzz/date-format-xparb.js:
1461         * exceptionFuzz/earley-boyer.js:
1462         * heapProfiler/basic-edges.js:
1463         * heapProfiler/property-edge-types.js:
1464         * microbenchmarks/try-get-by-id-basic.js:
1465         * microbenchmarks/try-get-by-id-polymorphic.js:
1466         * modules/namespace-object-try-get.js:
1467         * stress/argument-count-bytecode.js:
1468         * stress/argument-intrinsic-basic.js:
1469         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1470         * stress/argument-intrinsic-inlining-with-result-escape.js:
1471         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1472         * stress/argument-intrinsic-inlining-with-vararg.js:
1473         * stress/argument-intrinsic-nested-inlining.js:
1474         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1475         * stress/argument-intrinsic-with-stack-write.js:
1476         * stress/arity-mismatch-get-argument.js:
1477         * stress/array-message-passing.js:
1478         * stress/array-push-with-force-exit.js:
1479         * stress/check-dom-with-signature.js:
1480         * stress/check-sub-class.js:
1481         * stress/compare-eq-incomplete-profile.js:
1482         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1483         * stress/do-eval-virtual-call-correctly.js:
1484         * stress/dom-jit-with-poly-proto.js:
1485         * stress/domjit-exception-ic.js:
1486         * stress/domjit-exception.js:
1487         * stress/domjit-getter-complex-with-incorrect-object.js:
1488         * stress/domjit-getter-complex.js:
1489         * stress/domjit-getter-poly.js:
1490         * stress/domjit-getter-proto.js:
1491         * stress/domjit-getter-super-poly.js:
1492         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1493         * stress/domjit-getter-type-check.js:
1494         * stress/domjit-getter.js:
1495         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1496         * stress/for-in-proxy-target-changed-structure.js:
1497         * stress/for-in-proxy.js:
1498         * stress/generational-opaque-roots.js:
1499         * stress/global-const-redeclaration-setting-2.js:
1500         * stress/global-const-redeclaration-setting-3.js:
1501         * stress/global-const-redeclaration-setting-4.js:
1502         * stress/global-const-redeclaration-setting-5.js:
1503         * stress/global-const-redeclaration-setting.js:
1504         * stress/import-basic.js:
1505         * stress/import-from-eval.js:
1506         * stress/import-reject-with-exception.js:
1507         * stress/import-syntax.js:
1508         * stress/impure-get-own-property-slot-inline-cache.js:
1509         * stress/is-constructor.js:
1510         * stress/istypedarrayview-intrinsic.js:
1511         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1512         * stress/jsc-test-functions-should-be-more-robust.js:
1513         * stress/object-toString-with-proxy.js:
1514         * stress/poly-proto-custom-value-and-accessor.js:
1515         * stress/proxy-inline-cache.js:
1516         * stress/re-execute-error-module.js:
1517         * stress/regress-150532.js:
1518         * stress/regress-156992.js:
1519         * stress/regress-179619.js:
1520         * stress/resources/shadow-chicken-support.js:
1521         * stress/runtime-array.js:
1522         * stress/sampling-profiler-microtasks.js:
1523         * stress/shadow-chicken-enabled.js:
1524         * stress/spread-correct-global-object-on-exception.js:
1525         * stress/super-get-by-id.js:
1526         * stress/tailCallForwardArguments.js:
1527         * stress/to-object-intrinsic-boolean-edge.js:
1528         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1529         * stress/to-object-intrinsic-number-edge.js:
1530         * stress/to-object-intrinsic-object-edge.js:
1531         * stress/to-object-intrinsic-string-edge.js:
1532         * stress/to-object-intrinsic-symbol-edge.js:
1533         * stress/to-object-intrinsic.js:
1534         * stress/try-catch-custom-getter-as-get-by-id.js:
1535         * stress/try-get-by-id-poly-proto.js:
1536         * stress/try-get-by-id-should-spill-registers-dfg.js:
1537         * stress/try-get-by-id.js:
1538         * typeProfiler/arrow-functions.js:
1539         * typeProfiler/basic.js:
1540         * typeProfiler/captured.js:
1541         * typeProfiler/classes.js:
1542         * typeProfiler/dfg-jit-optimizations.js:
1543         * typeProfiler/dictionary-mode.js:
1544         * typeProfiler/es6-block-scoping.js:
1545         * typeProfiler/es6-classes.js:
1546         * typeProfiler/inheritance.js:
1547         * typeProfiler/int52-dfg.js:
1548         * typeProfiler/loop.js:
1549         * typeProfiler/optional-fields.js:
1550         * typeProfiler/overflow.js:
1551         * typeProfiler/return.js:
1552         * typeProfiler/symbol.js:
1553         * typeProfiler/weird-prototype-chain.js:
1554
1555 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1556
1557         [DFG][FTL] Support MapSet / SetAdd intrinsics
1558         https://bugs.webkit.org/show_bug.cgi?id=179858
1559
1560         Reviewed by Saam Barati.
1561
1562         * microbenchmarks/map-has-and-set.js: Added.
1563         (test):
1564         * stress/map-set-check-failure.js: Added.
1565         (shouldBe):
1566         (shouldThrow):
1567         (target):
1568         * stress/map-set-cse.js: Added.
1569         (shouldBe):
1570         (test):
1571         * stress/set-add-check-failure.js: Added.
1572         (shouldBe):
1573         (shouldThrow):
1574         (set shouldThrow):
1575         * stress/set-add-cse.js: Added.
1576         (shouldBe):
1577
1578 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1579
1580         [JSC] Allow poly proto for intrinsic getters
1581         https://bugs.webkit.org/show_bug.cgi?id=179550
1582
1583         Reviewed by Saam Barati.
1584
1585         This change is also tested by existing tests.
1586
1587             1. stress/intrinsic-getter-with-poly-proto.js
1588             2. stress/poly-proto-intrinsic-getter-correctness.js
1589
1590         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1591         (shouldBe):
1592         (makePolyProtoObject.foo.C):
1593         (makePolyProtoObject.foo):
1594         (makePolyProtoObject):
1595         (target):
1596         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1597         (shouldBe):
1598         (makePolyProtoObject.foo.C):
1599         (makePolyProtoObject.foo):
1600         (makePolyProtoObject):
1601         (target):
1602
1603 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1604
1605         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1606         https://bugs.webkit.org/show_bug.cgi?id=179744
1607
1608         Reviewed by Michael Catanzaro.
1609
1610         This test uses too much memory for our buildbots on these platforms
1611         and gets OOM-killed.
1612
1613         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1614         Skip if $memoryLimited and linux.
1615
1616 2017-11-17  JF Bastien  <jfbastien@apple.com>
1617
1618         WebAssembly JS API: throw when a promise can't be created
1619         https://bugs.webkit.org/show_bug.cgi?id=179826
1620         <rdar://problem/35455813>
1621
1622         Reviewed by Mark Lam.
1623
1624         Test WebAssembly.{compile,instantiate} where promise creation
1625         fails because of a stack overflow.
1626
1627         * wasm/js-api/promise-stack-overflow.js: Added.
1628         (const.runNearStackLimit.f.const.t):
1629         (async.testCompile):
1630         (async.testInstantiate):
1631
1632 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1633
1634         Unreviewed, mark regress-178385.js as memory exhausting
1635
1636         * stress/regress-178385.js:
1637
1638 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1639
1640         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1641
1642         Unreviewed test gardening.
1643
1644         * test262.yaml:
1645
1646 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1647
1648         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1649         https://bugs.webkit.org/show_bug.cgi?id=179763
1650         <rdar://problem/35550513>
1651
1652         Reviewed by Keith Miller.
1653
1654         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1655
1656         * stress/tdz-this-in-try-catch.js: Added.
1657         (__v_6388):
1658         (__v_6392):
1659
1660 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1661
1662         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1663         https://bugs.webkit.org/show_bug.cgi?id=179594
1664
1665         Reviewed by Saam Barati.
1666
1667         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1668         (shouldBe):
1669         (args):
1670         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1671         (shouldBe):
1672         (args):
1673
1674 2017-11-14  Saam Barati  <sbarati@apple.com>
1675
1676         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1677         https://bugs.webkit.org/show_bug.cgi?id=179639
1678         <rdar://problem/35513018>
1679
1680         Reviewed by JF Bastien.
1681
1682         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1683         (escape):
1684         (i.func):
1685
1686 2017-11-13  Mark Lam  <mark.lam@apple.com>
1687
1688         Add more overflow check book-keeping for MarkedArgumentBuffer.
1689         https://bugs.webkit.org/show_bug.cgi?id=179634
1690         <rdar://problem/35492517>
1691
1692         Reviewed by Saam Barati.
1693
1694         * stress/regress-179634.js: Added.
1695
1696 2017-11-13  Mark Lam  <mark.lam@apple.com>
1697
1698         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1699         https://bugs.webkit.org/show_bug.cgi?id=179619
1700         <rdar://problem/35492518>
1701
1702         Reviewed by Saam Barati.
1703
1704         * stress/regress-179619.js: Added.
1705
1706 2017-11-12  Mark Lam  <mark.lam@apple.com>
1707
1708         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1709         https://bugs.webkit.org/show_bug.cgi?id=179562
1710         <rdar://problem/35467022>
1711
1712         Reviewed by Saam Barati.
1713
1714         * regress-179562.js: Added.
1715
1716 2017-11-08  Saam Barati  <sbarati@apple.com>
1717
1718         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1719         https://bugs.webkit.org/show_bug.cgi?id=177792
1720
1721         Reviewed by Yusuke Suzuki.
1722
1723         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1724         (assert):
1725         (foo.Foo.prototype.ensureX):
1726         (foo.Foo):
1727         (foo):
1728         (access):
1729
1730 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1731
1732         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1733         https://bugs.webkit.org/show_bug.cgi?id=178592
1734
1735         Unreviewed test gardening.
1736
1737         * test262.yaml:
1738
1739 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1740
1741         Turn recursive tail calls into loops
1742         https://bugs.webkit.org/show_bug.cgi?id=176601
1743
1744         Reviewed by Saam Barati.
1745
1746         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1747
1748         Add some simple test that computes factorial in several ways, and other trivial computations.
1749         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1750         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1751         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1752         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1753
1754         * stress/inline-call-to-recursive-tail-call.js: Added.
1755         (factorial.aux):
1756         (factorial):
1757         (factorial2.aux2):
1758         (factorial2.id):
1759         (factorial2):
1760         (factorial3.aux3):
1761         (factorial3):
1762         (aux4):
1763         (factorial4):
1764         (foo):
1765         (auxBar):
1766         (bar):
1767         (test):
1768
1769 2017-11-07  Mark Lam  <mark.lam@apple.com>
1770
1771         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1772         https://bugs.webkit.org/show_bug.cgi?id=179355
1773         <rdar://problem/35263053>
1774
1775         Reviewed by Saam Barati.
1776
1777         * stress/regress-179355.js: Added.
1778
1779 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1780
1781         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1782         https://bugs.webkit.org/show_bug.cgi?id=144458
1783
1784         Reviewed by Saam Barati.
1785
1786         * microbenchmarks/dfg-internal-function-call.js: Added.
1787         (target):
1788         * microbenchmarks/dfg-internal-function-construct.js: Added.
1789         (target):
1790         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
1791         (target):
1792         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
1793         (target):
1794         * stress/dfg-internal-function-call.js: Added.
1795         (shouldBe):
1796         (target):
1797         * stress/dfg-internal-function-construct.js: Added.
1798         (shouldBe):
1799         (target):
1800         * stress/internal-function-call.js: Added.
1801         (shouldBe):
1802         * stress/internal-function-construct.js: Added.
1803         (shouldBe):
1804
1805 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
1806
1807         [Win] Skip stress/regress-178385.js.
1808         https://bugs.webkit.org/show_bug.cgi?id=179298
1809
1810         Unreviewed test gardening.
1811
1812         * stress/regress-178385.js:
1813
1814 2017-11-03  Keith Miller  <keith_miller@apple.com>
1815
1816         Add test for ic with side effects
1817         https://bugs.webkit.org/show_bug.cgi?id=179268
1818
1819         Reviewed by Saam Barati.
1820
1821         * stress/put-inline-cache-side-effects.js: Added.
1822         (let.i.of.objs.keys):
1823         (f):
1824
1825 2017-11-03  Mark Lam  <mark.lam@apple.com>
1826
1827         CachedCall (and its clients) needs overflow checks.
1828         https://bugs.webkit.org/show_bug.cgi?id=179185
1829
1830         Reviewed by JF Bastien.
1831
1832         * stress/regress-179185.js: Added.
1833
1834 2017-11-02  Michael Saboff  <msaboff@apple.com>
1835
1836         DFG needs to handle code motion of code in for..in loop bodies
1837         https://bugs.webkit.org/show_bug.cgi?id=179212
1838
1839         Reviewed by Keith Miller.
1840
1841         New regression test.
1842
1843         * stress/for-in-side-effects.js: Added.
1844         (getPrototypeOf):
1845         (reset):
1846         (testWithoutFTL.f):
1847         (testWithoutFTL):
1848         (testWithFTL.f):
1849         (testWithFTL):
1850
1851 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1852
1853         AI does not correctly model the clobber case of ArithClz32
1854         https://bugs.webkit.org/show_bug.cgi?id=179188
1855
1856         Reviewed by Michael Saboff.
1857
1858         * stress/arith-clz32-effects.js: Added.
1859         (foo):
1860         (valueOf):
1861
1862 2017-11-01  Michael Saboff  <msaboff@apple.com>
1863
1864         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1865         https://bugs.webkit.org/show_bug.cgi?id=179140
1866
1867         Reviewed by Saam Barati.
1868
1869         New regression test.
1870
1871         * stress/regress-179140.js: Added.
1872         (testWithoutFTL):
1873         (testWithFTL):
1874
1875 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1876
1877         [JSC] Introduce @toObject
1878         https://bugs.webkit.org/show_bug.cgi?id=178726
1879
1880         Reviewed by Saam Barati.
1881
1882         * stress/array-copywithin.js:
1883         (shouldThrow):
1884         * stress/object-constructor-boolean-edge.js: Added.
1885         (shouldBe):
1886         (test):
1887         * stress/object-constructor-global.js: Added.
1888         (shouldBe):
1889         * stress/object-constructor-null-edge.js: Added.
1890         (shouldBe):
1891         (test):
1892         * stress/object-constructor-number-edge.js: Added.
1893         (shouldBe):
1894         (test):
1895         * stress/object-constructor-object-edge.js: Added.
1896         (shouldBe):
1897         (test):
1898         (i.arg):
1899         * stress/object-constructor-string-edge.js: Added.
1900         (shouldBe):
1901         (test):
1902         * stress/object-constructor-symbol-edge.js: Added.
1903         (shouldBe):
1904         (test):
1905         * stress/object-constructor-undefined-edge.js: Added.
1906         (shouldBe):
1907         (test):
1908         * stress/symbol-array-from.js: Added.
1909         (shouldBe):
1910         * stress/to-object-intrinsic-boolean-edge.js: Added.
1911         (shouldBe):
1912         (builtin.createBuiltin):
1913         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
1914         (shouldThrow):
1915         * stress/to-object-intrinsic-number-edge.js: Added.
1916         (shouldBe):
1917         (builtin.createBuiltin):
1918         * stress/to-object-intrinsic-object-edge.js: Added.
1919         (shouldBe):
1920         (builtin.createBuiltin):
1921         (i.arg):
1922         * stress/to-object-intrinsic-string-edge.js: Added.
1923         (shouldBe):
1924         (builtin.createBuiltin):
1925         * stress/to-object-intrinsic-symbol-edge.js: Added.
1926         (shouldBe):
1927         (builtin.createBuiltin):
1928         * stress/to-object-intrinsic.js: Added.
1929         (shouldBe):
1930         (shouldThrow):
1931         (builtin.createBuiltin):
1932
1933 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1934
1935         [DFG][FTL] Introduce StringSlice
1936         https://bugs.webkit.org/show_bug.cgi?id=178934
1937
1938         Reviewed by Saam Barati.
1939
1940         * microbenchmarks/string-slice-empty.js: Added.
1941         (slice):
1942         * microbenchmarks/string-slice-one-char.js: Added.
1943         (slice):
1944         * microbenchmarks/string-slice.js: Added.
1945         (slice):
1946
1947 2017-10-26  Michael Saboff  <msaboff@apple.com>
1948
1949         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1950         https://bugs.webkit.org/show_bug.cgi?id=178890
1951
1952         Reviewed by Keith Miller.
1953
1954         New regression test.
1955
1956         * stress/regress-178890.js: Added.
1957
1958 2017-10-26  Mark Lam  <mark.lam@apple.com>
1959
1960         JSRopeString::RopeBuilder::append() should check for overflows.
1961         https://bugs.webkit.org/show_bug.cgi?id=178385
1962         <rdar://problem/35027468>
1963
1964         Reviewed by Saam Barati.
1965
1966         * stress/regress-178385.js: Added.
1967
1968 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
1969
1970         Unreviewed, rolling out r223961.
1971
1972         The change that required this has been rolled out.
1973
1974         Reverted changeset:
1975
1976         "Mark test262.yaml/test262/test/language/statements/try/tco-
1977         catch.js as passing."
1978         https://bugs.webkit.org/show_bug.cgi?id=178592
1979         https://trac.webkit.org/changeset/223961
1980
1981 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1982
1983         Unreviewed, rolling out r223691 and r223729.
1984         https://bugs.webkit.org/show_bug.cgi?id=178834
1985
1986         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1987         by rniwa on #webkit).
1988
1989         Reverted changesets:
1990
1991         "Turn recursive tail calls into loops"
1992         https://bugs.webkit.org/show_bug.cgi?id=176601
1993         https://trac.webkit.org/changeset/223691
1994
1995         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1996         comparison is always false due to limited range of data type
1997         [-Wtype-limits]"
1998         https://bugs.webkit.org/show_bug.cgi?id=178543
1999         https://trac.webkit.org/changeset/223729
2000
2001 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2002
2003         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2004         https://bugs.webkit.org/show_bug.cgi?id=178592
2005
2006         Unreviewed test gardening.
2007
2008         * test262.yaml:
2009
2010 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2011
2012         [FTL] Support NewStringObject
2013         https://bugs.webkit.org/show_bug.cgi?id=178737
2014
2015         Reviewed by Saam Barati.
2016
2017         * stress/new-string-object.js: Added.
2018         (shouldBe):
2019         (test):
2020
2021 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2022
2023         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2024         https://bugs.webkit.org/show_bug.cgi?id=178308
2025
2026         Reviewed by Mark Lam.
2027
2028         * test262.yaml:
2029
2030 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2031
2032         [JSC] Use fastJoin in Array#toString
2033         https://bugs.webkit.org/show_bug.cgi?id=178062
2034
2035         Reviewed by Darin Adler.
2036
2037         * microbenchmarks/contiguous-array-to-string.js: Added.
2038         (target):
2039         * microbenchmarks/double-array-to-string.js: Added.
2040         (target):
2041         * microbenchmarks/int32-array-to-string.js: Added.
2042         (target):
2043
2044 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2045
2046         stress/check-string-ident.js is improperly skipped
2047         https://bugs.webkit.org/show_bug.cgi?id=178642
2048
2049         Reviewed by Saam Barati.
2050
2051         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2052         since it enforces the run-jsc-stress-tests script to still set up the
2053         test to run, despite the skip directive that's used before.
2054
2055 2017-10-20  Mark Lam  <mark.lam@apple.com>
2056
2057         Add a test case for r214334.
2058         https://bugs.webkit.org/show_bug.cgi?id=169941
2059         <rdar://problem/31221258>
2060
2061         Reviewed by JF Bastien.
2062
2063         * stress/regress-169941.js: Added.
2064
2065 2017-10-19  JF Bastien  <jfbastien@apple.com>
2066
2067         WebAssembly: no VM / JS version of everything but Instance
2068         https://bugs.webkit.org/show_bug.cgi?id=177473
2069
2070         Reviewed by Filip Pizlo, Saam Barati.
2071
2072         - Exceeding max on memory growth now returns a range error as per
2073         spec. This is a (very minor) breaking change: it used to throw OOM
2074         error. Update the corresponding test.
2075
2076         * wasm/js-api/memory-grow.js:
2077         (assertEq):
2078         * wasm/js-api/table.js:
2079         (assert.throws):
2080
2081 2017-10-19  Mark Lam  <mark.lam@apple.com>
2082
2083         Stringifier::appendStringifiedValue() is missing an exception check.
2084         https://bugs.webkit.org/show_bug.cgi?id=178386
2085         <rdar://problem/35027610>
2086
2087         Reviewed by Saam Barati.
2088
2089         * stress/regress-178386.js: Added.
2090
2091 2017-10-19  Michael Saboff  <msaboff@apple.com>
2092
2093         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2094         https://bugs.webkit.org/show_bug.cgi?id=178521
2095
2096         Reviewed by JF Bastien.
2097
2098         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2099         now passes with the current version (5.0) of the Emoji spec.
2100
2101 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2102
2103         Turn recursive tail calls into loops
2104         https://bugs.webkit.org/show_bug.cgi?id=176601
2105
2106         Reviewed by Saam Barati.
2107
2108         Add some simple test that computes factorial in several ways, and other trivial computations.
2109         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2110         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2111         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2112         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2113
2114         * stress/inline-call-to-recursive-tail-call.js: Added.
2115         (factorial.aux):
2116         (factorial):
2117         (factorial2.aux):
2118         (factorial2.id):
2119         (factorial2):
2120         (factorial3.aux):
2121         (factorial3):
2122         (aux):
2123         (factorial4):
2124         (test):
2125
2126 2017-10-18  Mark Lam  <mark.lam@apple.com>
2127
2128         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2129         https://bugs.webkit.org/show_bug.cgi?id=177600
2130         <rdar://problem/34710985>
2131
2132         Reviewed by Saam Barati.
2133
2134         * stress/regress-177600.js: Added.
2135
2136 2017-10-18  Mark Lam  <mark.lam@apple.com>
2137
2138         The compiler should always register a structure when it adds its transitionWatchPointSet.
2139         https://bugs.webkit.org/show_bug.cgi?id=178420
2140         <rdar://problem/34814024>
2141
2142         Reviewed by Saam Barati and Filip Pizlo.
2143
2144         * stress/regress-178420.js: Added.
2145         (new.Array.10000.map):
2146
2147 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2148
2149         [JSC] __proto__ getter should be fast
2150         https://bugs.webkit.org/show_bug.cgi?id=178067
2151
2152         Reviewed by Saam Barati.
2153
2154         * stress/dfg-object-proto-accessor.js: Added.
2155         (shouldBe):
2156         (shouldThrow):
2157         (target):
2158         * stress/dfg-object-proto-getter.js: Added.
2159         (shouldBe):
2160         (shouldThrow):
2161         (target):
2162         * stress/dfg-object-prototype-of.js: Added.
2163         (shouldBe):
2164         (shouldThrow):
2165         (target):
2166         * stress/dfg-reflect-get-prototype-of.js: Added.
2167         (shouldBe):
2168         (shouldThrow):
2169         (target):
2170         * stress/intrinsic-getter-with-poly-proto.js: Added.
2171         (shouldBe):
2172         (makePolyProtoObject.foo.C):
2173         (makePolyProtoObject.foo):
2174         (makePolyProtoObject):
2175         (target):
2176         * stress/object-get-prototype-of-filtered.js: Added.
2177         (shouldBe):
2178         (shouldThrow):
2179         (target):
2180         (i.Cocoa):
2181         * stress/object-get-prototype-of-mono-proto.js: Added.
2182         (shouldBe):
2183         (makePolyProtoObject.foo.C):
2184         (makePolyProtoObject.foo):
2185         (makePolyProtoObject):
2186         (target):
2187         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2188         (shouldBe):
2189         (makePolyProtoObject.foo.C):
2190         (makePolyProtoObject.foo):
2191         (makePolyProtoObject):
2192         (target):
2193         * stress/object-get-prototype-of-poly-proto.js: Added.
2194         (shouldBe):
2195         (makePolyProtoObject.foo.C):
2196         (makePolyProtoObject.foo):
2197         (makePolyProtoObject):
2198         (target):
2199         * stress/object-proto-getter-filtered.js: Added.
2200         (shouldBe):
2201         (shouldThrow):
2202         (target):
2203         (i.Cocoa):
2204         * stress/object-proto-getter-poly-mono-proto.js: Added.
2205         (shouldBe):
2206         (makePolyProtoObject.foo.C):
2207         (makePolyProtoObject.foo):
2208         (makePolyProtoObject):
2209         (target):
2210         * stress/object-proto-getter-poly-proto.js: Added.
2211         (shouldBe):
2212         (makePolyProtoObject.foo.C):
2213         (makePolyProtoObject.foo):
2214         (makePolyProtoObject):
2215         (target):
2216         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2217         * stress/string-proto.js: Added.
2218         (shouldBe):
2219         (target):
2220
2221 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2222
2223         Unreviewed, rolling out r223523.
2224
2225         A test for this change is failing on debug JSC bots.
2226
2227         Reverted changeset:
2228
2229         "[JSC] __proto__ getter should be fast"
2230         https://bugs.webkit.org/show_bug.cgi?id=178067
2231         https://trac.webkit.org/changeset/223523
2232
2233 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2234
2235         [JSC] __proto__ getter should be fast
2236         https://bugs.webkit.org/show_bug.cgi?id=178067
2237
2238         Reviewed by Saam Barati.
2239
2240         * stress/dfg-object-proto-accessor.js: Added.
2241         (shouldBe):
2242         (shouldThrow):
2243         (target):
2244         * stress/dfg-object-proto-getter.js: Added.
2245         (shouldBe):
2246         (shouldThrow):
2247         (target):
2248         * stress/dfg-object-prototype-of.js: Added.
2249         (shouldBe):
2250         (shouldThrow):
2251         (target):
2252         * stress/dfg-reflect-get-prototype-of.js: Added.
2253         (shouldBe):
2254         (shouldThrow):
2255         (target):
2256         * stress/object-get-prototype-of-filtered.js: Added.
2257         (shouldBe):
2258         (shouldThrow):
2259         (target):
2260         (i.Cocoa):
2261         * stress/object-get-prototype-of-mono-proto.js: Added.
2262         (shouldBe):
2263         (makePolyProtoObject.foo.C):
2264         (makePolyProtoObject.foo):
2265         (makePolyProtoObject):
2266         (target):
2267         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2268         (shouldBe):
2269         (makePolyProtoObject.foo.C):
2270         (makePolyProtoObject.foo):
2271         (makePolyProtoObject):
2272         (target):
2273         * stress/object-get-prototype-of-poly-proto.js: Added.
2274         (shouldBe):
2275         (makePolyProtoObject.foo.C):
2276         (makePolyProtoObject.foo):
2277         (makePolyProtoObject):
2278         (target):
2279         * stress/object-proto-getter-filtered.js: Added.
2280         (shouldBe):
2281         (shouldThrow):
2282         (target):
2283         (i.Cocoa):
2284         * stress/object-proto-getter-poly-mono-proto.js: Added.
2285         (shouldBe):
2286         (makePolyProtoObject.foo.C):
2287         (makePolyProtoObject.foo):
2288         (makePolyProtoObject):
2289         (target):
2290         * stress/object-proto-getter-poly-proto.js: Added.
2291         (shouldBe):
2292         (makePolyProtoObject.foo.C):
2293         (makePolyProtoObject.foo):
2294         (makePolyProtoObject):
2295         (target):
2296         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2297         * stress/string-proto.js: Added.
2298         (shouldBe):
2299         (target):
2300
2301 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2302
2303         Reland "Add Above/Below comparisons for UInt32 patterns"
2304         https://bugs.webkit.org/show_bug.cgi?id=177281
2305
2306         Reviewed by Saam Barati.
2307
2308         * stress/uint32-comparison-jump.js: Added.
2309         (shouldBe):
2310         (above):
2311         (aboveOrEqual):
2312         (below):
2313         (belowOrEqual):
2314         (notAbove):
2315         (notAboveOrEqual):
2316         (notBelow):
2317         (notBelowOrEqual):
2318         * stress/uint32-comparison.js: Added.
2319         (shouldBe):
2320         (above):
2321         (aboveOrEqual):
2322         (below):
2323         (belowOrEqual):
2324         (aboveTest):
2325         (aboveOrEqualTest):
2326         (belowTest):
2327         (belowOrEqualTest):
2328
2329 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2330
2331         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2332         https://bugs.webkit.org/show_bug.cgi?id=178210
2333
2334         Reviewed by Saam Barati.
2335
2336         * wasm/function-tests/trap-from-start-async.js:
2337         (async.StartTrapsAsync):
2338         * wasm/function-tests/trap-from-start.js:
2339         (StartTraps):
2340         * wasm/js-api/web-assembly-function.js:
2341         (assert.eq.Object.getPrototypeOf):
2342         * wasm/js-api/wrapper-function.js:
2343         (return.new.WebAssembly.Module):
2344         (assert.throws.makeInstance): Deleted.
2345         (assert.throws.Bar): Deleted.
2346         (assert.throws): Deleted.
2347
2348 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2349
2350         Enable gigacage on iOS
2351         https://bugs.webkit.org/show_bug.cgi?id=177586
2352
2353         Reviewed by JF Bastien.
2354         
2355         Add tests for when Gigacage gets runtime disabled.
2356
2357         * stress/disable-gigacage-arrays.js: Added.
2358         (foo):
2359         * stress/disable-gigacage-strings.js: Added.
2360         (foo):
2361         * stress/disable-gigacage-typed-arrays.js: Added.
2362         (foo):
2363
2364 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2365
2366         import.meta should not be assignable
2367         https://bugs.webkit.org/show_bug.cgi?id=178202
2368
2369         Reviewed by Saam Barati.
2370
2371         * modules/import-meta-assignment.js: Added.
2372         (shouldThrow):
2373         (SyntaxError.import.meta.can.shouldThrow):
2374
2375 2017-10-11  Saam Barati  <sbarati@apple.com>
2376
2377         Unreviewed. Actually skip certain type profiler tests in debug.
2378
2379         * typeProfiler.yaml:
2380         * typeProfiler/deltablue-for-of.js:
2381         * typeProfiler/getter-richards.js:
2382
2383 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2384
2385         Unreviewed, rolling out r223113 and r223121.
2386         https://bugs.webkit.org/show_bug.cgi?id=178182
2387
2388         Reintroduced 20% regression on Kraken (Requested by rniwa on
2389         #webkit).
2390
2391         Reverted changesets:
2392
2393         "Enable gigacage on iOS"
2394         https://bugs.webkit.org/show_bug.cgi?id=177586
2395         https://trac.webkit.org/changeset/223113
2396
2397         "Use one virtual allocation for all gigacages and their
2398         runways"
2399         https://bugs.webkit.org/show_bug.cgi?id=178050
2400         https://trac.webkit.org/changeset/223121
2401
2402 2017-10-11  Michael Saboff  <msaboff@apple.com>
2403
2404         Disable test262 named capture group tests with direct unicode names and with references before definitions
2405         https://bugs.webkit.org/show_bug.cgi?id=178177
2406
2407         Reviewed by Keith Miller.
2408
2409         Bugs to track fixing these test are:
2410         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2411             "Add support in named capture group identifiers for direct surrogate pairs"
2412         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2413             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2414
2415         * test262.yaml:
2416
2417 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2418
2419         Object properties are undefined in super.call() but not in this.call()
2420         https://bugs.webkit.org/show_bug.cgi?id=177230
2421
2422         Reviewed by Saam Barati.
2423
2424         * stress/super-call-function-subclass.js: Added.
2425         (assert):
2426         (A.prototype.t):
2427         (A):
2428         * stress/super-dot-call-and-apply.js: Added.
2429         (assert):
2430         (A):
2431         (A.prototype.call):
2432         (A.prototype.apply):
2433         (B.prototype.testSuper):
2434         (B):
2435         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2436         (D.prototype.testSuper):
2437         (D):
2438
2439 2017-10-10  Saam Barati  <sbarati@apple.com>
2440
2441         The prototype cache should be aware of the Executable it generates a Structure for
2442         https://bugs.webkit.org/show_bug.cgi?id=177907
2443
2444         Reviewed by Filip Pizlo.
2445
2446         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2447         (assert):
2448         (foo.C):
2449         (foo):
2450         (bar.C):
2451         (bar):
2452         (access):
2453         (makeLongChain):
2454         (accessY):
2455
2456 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2457
2458         `async` should be able to be used as an imported binding name
2459         https://bugs.webkit.org/show_bug.cgi?id=176573
2460
2461         Reviewed by Saam Barati.
2462
2463         * modules/import-default-async.js: Added.
2464         * modules/import-named-async-as.js: Added.
2465         * modules/import-named-async.js: Added.
2466         * modules/import-named-async/target.js: Added.
2467         * modules/import-namespace-async.js: Added.
2468         * test262.yaml:
2469
2470 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2471
2472         Enable gigacage on iOS
2473         https://bugs.webkit.org/show_bug.cgi?id=177586
2474
2475         Reviewed by JF Bastien.
2476         
2477         Add tests for when Gigacage gets runtime disabled.
2478
2479         * stress/disable-gigacage-arrays.js: Added.
2480         (foo):
2481         * stress/disable-gigacage-strings.js: Added.
2482         (foo):
2483         * stress/disable-gigacage-typed-arrays.js: Added.
2484         (foo):
2485
2486 2017-10-09  Michael Saboff  <msaboff@apple.com>
2487
2488         Implement RegExp Unicode property escapes
2489         https://bugs.webkit.org/show_bug.cgi?id=172069
2490
2491         Reviewed by JF Bastien.
2492
2493         Enabled Unicode Property tests.
2494
2495         * test262.yaml:
2496
2497 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2498
2499         Unreviewed, rolling out r223015 and r223025.
2500         https://bugs.webkit.org/show_bug.cgi?id=178093
2501
2502         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2503         #webkit).
2504
2505         Reverted changesets:
2506
2507         "Enable gigacage on iOS"
2508         https://bugs.webkit.org/show_bug.cgi?id=177586
2509         http://trac.webkit.org/changeset/223015
2510
2511         "Unreviewed, disable Gigacage on ARM64 Linux"
2512         https://bugs.webkit.org/show_bug.cgi?id=177586
2513         http://trac.webkit.org/changeset/223025
2514
2515 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2516
2517         Update expectations for test262 tests that pass after r223043.
2518         https://bugs.webkit.org/show_bug.cgi?id=176685
2519
2520         Unreviewed test gardening.
2521
2522         * test262.yaml:
2523
2524 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2525
2526         Unreviewed, rolling out r223022.
2527
2528         This change introduced 18 test262 failures.
2529
2530         Reverted changeset:
2531
2532         "`async` should be able to be used as an imported binding
2533         name"
2534         https://bugs.webkit.org/show_bug.cgi?id=176573
2535         http://trac.webkit.org/changeset/223022
2536
2537 2017-10-09  Saam Barati  <sbarati@apple.com>
2538
2539         3 poly-proto JSC tests timing out on debug after r222827
2540         https://bugs.webkit.org/show_bug.cgi?id=177880
2541         <rdar://problem/34817122>
2542
2543         Unreviewed.
2544
2545         I'm skipping these type profiler tests on debug since they are long running.
2546
2547         * typeProfiler/deltablue-for-of.js:
2548         * typeProfiler/getter-richards.js:
2549
2550 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2551
2552         Safari 10 /11 problem with if (!await get(something)).
2553         https://bugs.webkit.org/show_bug.cgi?id=176685
2554
2555         Reviewed by Saam Barati.
2556
2557         * stress/async-await-basic.js:
2558         (awaitEpression.async):
2559         * stress/async-await-syntax.js:
2560         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2561         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2562
2563 2017-10-08  Saam Barati  <sbarati@apple.com>
2564
2565         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2566
2567         * typeProfiler/deltablue-for-of.js:
2568         * typeProfiler/getter-richards.js:
2569
2570 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2571
2572         `async` should be able to be used as an imported binding name
2573         https://bugs.webkit.org/show_bug.cgi?id=176573
2574
2575         Reviewed by Darin Adler.
2576
2577         * modules/import-default-async.js: Added.
2578         * modules/import-named-async-as.js: Added.
2579         * modules/import-named-async.js: Added.
2580         * modules/import-named-async/target.js: Added.
2581         * modules/import-namespace-async.js: Added.
2582
2583 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2584
2585         Enable gigacage on iOS
2586         https://bugs.webkit.org/show_bug.cgi?id=177586
2587
2588         Reviewed by JF Bastien.
2589         
2590         Add tests for when Gigacage gets runtime disabled.
2591
2592         * stress/disable-gigacage-arrays.js: Added.
2593         (foo):
2594         * stress/disable-gigacage-strings.js: Added.
2595         (foo):
2596         * stress/disable-gigacage-typed-arrays.js: Added.
2597         (foo):
2598
2599 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2600
2601         Unreviewed, rolling out r222791 and r222873.
2602         https://bugs.webkit.org/show_bug.cgi?id=178031
2603
2604         Caused crashes with workers/wasm LayoutTests (Requested by
2605         ryanhaddad on #webkit).
2606
2607         Reverted changesets:
2608
2609         "WebAssembly: no VM / JS version of everything but Instance"
2610         https://bugs.webkit.org/show_bug.cgi?id=177473
2611         http://trac.webkit.org/changeset/222791
2612
2613         "WebAssembly: address no VM / JS follow-ups"
2614         https://bugs.webkit.org/show_bug.cgi?id=177887
2615         http://trac.webkit.org/changeset/222873
2616
2617 2017-10-05  Saam Barati  <sbarati@apple.com>
2618
2619         Make sure all prototypes under poly proto get added into the VM's prototype map
2620         https://bugs.webkit.org/show_bug.cgi?id=177909
2621
2622         Reviewed by Keith Miller.
2623
2624         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2625         (assert):
2626         (foo.C):
2627         (foo):
2628         (set x):
2629
2630 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2631
2632         [JSC] Introduce import.meta
2633         https://bugs.webkit.org/show_bug.cgi?id=177703
2634
2635         Reviewed by Filip Pizlo.
2636
2637         * modules/import-meta-syntax.js: Added.
2638         (shouldThrow):
2639         (shouldNotThrow):
2640         * modules/import-meta.js: Added.
2641         * modules/import-meta/cocoa.js: Added.
2642         * modules/resources/assert.js:
2643         (export.shouldNotThrow):
2644         * stress/import-syntax.js:
2645
2646 2017-10-04  Saam Barati  <sbarati@apple.com>
2647
2648         Make pertinent AccessCases watch the poly proto watchpoint
2649         https://bugs.webkit.org/show_bug.cgi?id=177765
2650
2651         Reviewed by Keith Miller.
2652
2653         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2654         (assert):
2655         (foo.C):
2656         (foo):
2657         (validate):
2658         * stress/poly-proto-clear-stub.js: Added.
2659         (assert):
2660         (foo.C):
2661         (foo):
2662
2663 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2664
2665         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2666
2667         Unreviewed test gardening.
2668
2669         * test262.yaml:
2670
2671 2017-10-04  Saam Barati  <sbarati@apple.com>
2672
2673         3 poly-proto JSC tests timing out on debug after r222827
2674         https://bugs.webkit.org/show_bug.cgi?id=177880
2675
2676         Rubber stamped by Mark Lam.
2677
2678         * microbenchmarks/poly-proto-access.js:
2679         * typeProfiler/deltablue-for-of.js:
2680         * typeProfiler/getter-richards.js:
2681
2682 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2683
2684         Unreviewed, marking tco-catch.js as a failure after test262 update
2685         https://bugs.webkit.org/show_bug.cgi?id=177859
2686
2687         * test262.yaml:
2688
2689 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2690
2691         Unreviewed, marking one async iterator test262 test failed
2692         https://bugs.webkit.org/show_bug.cgi?id=177859
2693
2694         * test262.yaml:
2695
2696 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2697
2698         [Test262] Update Test262 to Oct 4 version
2699         https://bugs.webkit.org/show_bug.cgi?id=177859
2700
2701         Reviewed by Sam Weinig.
2702
2703         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2704         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
2705
2706         * test262.yaml:
2707         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2708         (checkSequence):
2709         * test262/harness/typeCoercion.js:
2710         (testCoercibleToIndexZero):
2711         (testCoercibleToIndexOne):
2712         (testCoercibleToIndexFromIndex):
2713         (testNotCoercibleToIndex.testPrimitiveValue):
2714         (testNotCoercibleToInteger):
2715         (testCoercibleToBigIntZero.testPrimitiveValue):
2716         (testCoercibleToBigIntZero):
2717         (testCoercibleToBigIntOne.testPrimitiveValue):
2718         (testCoercibleToBigIntOne):
2719         (testPrimitiveValue):
2720         (testCoercibleToBigIntFromBigInt):
2721         (testNotCoercibleToBigInt.testPrimitiveValue):
2722         (testNotCoercibleToBigInt.testStringValue):
2723         (testNotCoercibleToBigInt):
2724         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2725         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2726         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2727         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2728         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2729         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2730         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2731         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2732         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2733         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2734         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2735         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2736         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2737         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2738         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2739         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2740         (testCoercibleToBigIntZero):
2741         (testCoercibleToBigIntOne):
2742         (testNotCoercibleToBigInt):
2743         (MyError): Deleted.
2744         (valueOf): Deleted.
2745         (toString): Deleted.
2746         (Symbol.toPrimitive): Deleted.
2747         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2748         (testCoercibleToIndexZero):
2749         (testCoercibleToIndexOne):
2750         (testNotCoercibleToIndex):
2751         (MyError): Deleted.
2752         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2753         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2754         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
2755         (BigInt.asIntN.valueOf): Deleted.
2756         (BigInt.asIntN.toString): Deleted.
2757         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
2758         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
2759         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
2760         (testCoercibleToBigIntZero):
2761         (testCoercibleToBigIntOne):
2762         (testNotCoercibleToBigInt):
2763         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
2764         (testCoercibleToIndexZero):
2765         (testCoercibleToIndexOne):
2766         (testNotCoercibleToIndex):
2767         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
2768         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
2769         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
2770         (bits.valueOf):
2771         (bigint.valueOf):
2772         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
2773         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
2774         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
2775         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
2776         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
2777         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
2778         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
2779         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
2780         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
2781         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
2782         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
2783         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
2784         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
2785         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
2786         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
2787         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
2788         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
2789         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
2790         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
2791         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
2792         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
2793         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
2794         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
2795         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
2796         (replacer):
2797         (BigInt.prototype.toJSON):
2798         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
2799         (replacer):
2800         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
2801         (BigInt.prototype.toJSON):
2802         * test262/test/built-ins/JSON/stringify/bigint.js:
2803         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
2804         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
2805         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
2806         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
2807         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
2808         * test262/test/built-ins/Object/proto-from-ctor.js:
2809         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
2810         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
2811         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
2812         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
2813         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
2814         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
2815         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
2816         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
2817         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
2818         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
2819         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
2820         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
2821         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
2822         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
2823         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
2824         * test262/test/built-ins/Proxy/get-fn-realm.js:
2825         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
2826         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
2827         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
2828         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
2829         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
2830         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
2831         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
2832         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
2833         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
2834         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
2835         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
2836         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
2837         (i6.replace):
2838         (i6b.replace):
2839         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
2840         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
2841         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
2842         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
2843         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
2844         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
2845         * test262/test/built-ins/RegExp/u180e.js: Added.
2846         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
2847         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
2848         * test262/test/built-ins/String/proto-from-ctor-realm.js:
2849         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
2850         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
2851         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
2852         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
2853         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
2854         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
2855         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
2856         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
2857         * test262/test/built-ins/String/prototype/endsWith/length.js:
2858         * test262/test/built-ins/String/prototype/endsWith/name.js:
2859         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
2860         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
2861         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
2862         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
2863         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
2864         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
2865         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
2866         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
2867         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
2868         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
2869         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
2870         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
2871         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
2872         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
2873         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
2874         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
2875         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
2876         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
2877         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
2878         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
2879         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
2880         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
2881         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
2882         * test262/test/built-ins/String/prototype/includes/includes.js:
2883         * test262/test/built-ins/String/prototype/includes/length.js:
2884         * test262/test/built-ins/String/prototype/includes/name.js:
2885         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
2886         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
2887         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
2888         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
2889         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
2890         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
2891         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
2892         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
2893         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
2894         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
2895         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
2896         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
2897         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
2898         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
2899         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
2900         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
2901         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
2902         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
2903         * test262/test/built-ins/String/prototype/trim/u180e.js:
2904         * test262/test/built-ins/Symbol/for/cross-realm.js:
2905         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
2906         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
2907         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
2908         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
2909         * test262/test/built-ins/Symbol/match/cross-realm.js:
2910         * test262/test/built-ins/Symbol/replace/cross-realm.js:
2911         * test262/test/built-ins/Symbol/search/cross-realm.js:
2912         * test262/test/built-ins/Symbol/species/cross-realm.js:
2913         * test262/test/built-ins/Symbol/split/cross-realm.js:
2914         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
2915         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
2916         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
2917         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
2918         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
2919         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
2920         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
2921         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
2922         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
2923         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
2924         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
2925         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
2926         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
2927         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
2928         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
2929         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
2930         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
2931         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
2932         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
2933         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
2934         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
2935         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
2936         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
2937         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
2938         * test262/test/language/comments/mongolian-vowel-separator-single.js:
2939         * test262/test/language/eval-code/indirect/realm.js:
2940         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
2941         (o.get z):
2942         (o.get a):
2943         * test262/test/language/expressions/call/eval-realm-indirect.js:
2944         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
2945         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
2946         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
2947         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
2948         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
2949         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
2950         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
2951         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
2952         * test262/test/language/expressions/greater-than/bigint-and-number.js:
2953         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
2954         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
2955         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
2956         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
2957         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
2958         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
2959         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
2960         * test262/test/language/expressions/less-than/bigint-and-number.js:
2961         * test262/test/language/expressions/new/non-ctor-err-realm.js:
2962         * test262/test/language/expressions/super/realm.js:
2963         * test262/test/language/expressions/tagged-template/cache-realm.js:
2964         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
2965         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
2966         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
2967         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
2968         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
2969         * test262/test/language/literals/string/mongolian-vowel-separator.js:
2970         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
2971         (o.get z):
2972         (o.get a):
2973         * test262/test/language/statements/for-of/iterator-next-reference.js:
2974         (next):
2975         (iterator.next): Deleted.
2976         (x.of.iterable.): Deleted.
2977         (x.of.iterable.get return): Deleted.
2978         (x.of.iterable.iterator.next): Deleted.
2979         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
2980         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
2981         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
2982         * test262/test/language/white-space/mongolian-vowel-separator.js:
2983         * test262/test262-Revision.txt:
2984
2985 2017-10-03  Saam Barati  <sbarati@apple.com>
2986
2987         Implement polymorphic prototypes
2988         https://bugs.webkit.org/show_bug.cgi?id=176391
2989
2990         Reviewed by Filip Pizlo.
2991
2992         * microbenchmarks/poly-proto-access.js: Added.
2993         (assert):
2994         (foo.C):
2995         (foo.C.prototype.get bar):
2996         (foo):
2997         (bar):
2998         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
2999         (assert):
3000         (makePolyProtoObject.foo.C):
3001         (makePolyProtoObject.foo):
3002         (makePolyProtoObject):
3003         (performSet):
3004         * microbenchmarks/poly-proto-setter-speed.js: Added.
3005         (assert):
3006         (makePolyProtoObject.foo.C):
3007         (makePolyProtoObject.foo.C.prototype.set p):
3008         (makePolyProtoObject.foo):
3009         (makePolyProtoObject):
3010         (performSet):
3011         * stress/constructor-with-return.js:
3012         (i.tests.forEach.Constructor):
3013         (i.tests.forEach):
3014         (tests.forEach.Constructor): Deleted.
3015         (tests.forEach): Deleted.
3016         * stress/dom-jit-with-poly-proto.js: Added.
3017         (assert):
3018         (makePolyProtoObject.foo.C):
3019         (makePolyProtoObject.foo):
3020         (makePolyProtoObject):
3021         (validate):
3022         * stress/poly-proto-custom-value-and-accessor.js: Added.
3023         (assert):
3024         (makePolyProtoObject.foo.C):
3025         (makePolyProtoObject.foo):
3026         (makePolyProtoObject):
3027         (items.forEach):
3028         (set get for):
3029         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3030         (assert):
3031         (makePolyProtoObject.foo.C):
3032         (makePolyProtoObject.foo):
3033         (makePolyProtoObject):
3034         (foo):
3035         * stress/poly-proto-miss.js: Added.
3036         (makePolyProtoInstanceWithNullPrototype.foo.C):
3037         (makePolyProtoInstanceWithNullPrototype.foo):
3038         (makePolyProtoInstanceWithNullPrototype):
3039         (assert):
3040         (validate):
3041         * stress/poly-proto-op-in-caching.js: Added.
3042         (assert):
3043         (makePolyProtoObject.foo.C):
3044         (makePolyProtoObject.foo):
3045         (makePolyProtoObject):
3046         (validate):
3047         (validate2):
3048         * stress/poly-proto-put-transition.js: Added.
3049         (assert):
3050         (makePolyProtoObject.foo.C):
3051         (makePolyProtoObject.foo):
3052         (makePolyProtoObject):
3053         (performSet):
3054         (i.obj.__proto__.set p):
3055         * stress/poly-proto-set-prototype.js: Added.
3056         (assert):
3057         (let.alternateProto.get x):
3058         (let.alternateProto2.get y):
3059         (let.alternateProto2.get x):
3060         (foo.C):
3061         (foo):
3062         (validate):
3063         * stress/poly-proto-setter.js: Added.
3064         (assert):
3065         (makePolyProtoObject.foo.C):
3066         (makePolyProtoObject.foo.C.prototype.set p):
3067         (makePolyProtoObject.foo.C.prototype.get p):
3068         (makePolyProtoObject.foo):
3069         (makePolyProtoObject):
3070         (performSet):
3071         * stress/poly-proto-using-inheritance.js: Added.
3072         (assert):
3073         (foo.C):
3074         (foo.C.prototype.get baz):
3075         (foo):
3076         (bar.C):
3077         (bar):
3078         (validate):
3079         * stress/primitive-poly-proto.js: Added.
3080         (makePolyProtoInstance.foo.C):
3081         (makePolyProtoInstance.foo):
3082         (makePolyProtoInstance):
3083         (assert):
3084         (validate):
3085         * stress/prototype-is-not-js-object.js: Added.
3086         (foo.bar):
3087         (foo):
3088         (assert):
3089         (validate):
3090         * stress/try-get-by-id-poly-proto.js: Added.
3091         (assert):
3092         (makePolyProtoObject.foo.C):
3093         (makePolyProtoObject.foo):
3094         (makePolyProtoObject):
3095         (tryGetByIdText):
3096         (x.__proto__.get bar):
3097         (validate):
3098         * typeProfiler/overflow.js:
3099
3100 2017-10-03  JF Bastien  <jfbastien@apple.com>
3101
3102         WebAssembly: no VM / JS version of everything but Instance
3103         https://bugs.webkit.org/show_bug.cgi?id=177473
3104
3105         Reviewed by Filip Pizlo.
3106
3107         - Exceeding max on memory growth now returns a range error as per
3108         spec. This is a (very minor) breaking change: it used to throw OOM
3109         error. Update the corresponding test.
3110
3111         * wasm/js-api/memory-grow.js:
3112         (assertEq):
3113         * wasm/js-api/table.js:
3114         (assert.throws):
3115
3116 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3117
3118         Skip JSC test stress/regress-159779-2.js on debug.
3119         https://bugs.webkit.org/show_bug.cgi?id=177204
3120
3121         Unreviewed test gardening.
3122
3123         * stress/regress-159779-2.js:
3124
3125 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3126
3127         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3128         https://bugs.webkit.org/show_bug.cgi?id=175642
3129
3130         Reviewed by Darin Adler.
3131
3132         * ChakraCore/test/Function/apply3.baseline-jsc:
3133
3134 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3135
3136         Unreviewed, rolling out r222564.
3137         https://bugs.webkit.org/show_bug.cgi?id=177720
3138
3139         "It regressed JetStream by 2% on iOS caused by a 50%
3140         regression on the bigfib subtest" (Requested by saamyjoon on
3141         #webkit).
3142
3143         Reverted changeset:
3144
3145         "Add Above/Below comparisons for UInt32 patterns"
3146         https://bugs.webkit.org/show_bug.cgi?id=177281
3147         http://trac.webkit.org/changeset/222564
3148
3149 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3150
3151         [DFG] Support ArrayPush with multiple args
3152         https://bugs.webkit.org/show_bug.cgi?id=175823
3153
3154         Reviewed by Saam Barati.
3155
3156         * microbenchmarks/array-push-0.js: Added.
3157         (arrayPush0):
3158         * microbenchmarks/array-push-1.js: Added.
3159         (arrayPush1):
3160         * microbenchmarks/array-push-2.js: Added.
3161         (arrayPush2):
3162         * microbenchmarks/array-push-3.js: Added.
3163         (arrayPush3):
3164         * stress/array-push-multiple-contiguous.js: Added.
3165         (shouldBe):
3166         (test):
3167         * stress/array-push-multiple-double-nan.js: Added.
3168         (shouldBe):
3169         (test):
3170         * stress/array-push-multiple-double.js: Added.
3171         (shouldBe):
3172         (test):
3173         * stress/array-push-multiple-int32.js: Added.
3174         (shouldBe):
3175         (test):
3176         * stress/array-push-multiple-many-contiguous.js: Added.
3177         (shouldBe):
3178         (test):
3179         * stress/array-push-multiple-many-double.js: Added.
3180         (shouldBe):
3181         (test):
3182         * stress/array-push-multiple-many-int32.js: Added.
3183         (shouldBe):
3184         (test):
3185         * stress/array-push-multiple-many-storage.js: Added.
3186         (shouldBe):
3187         (test):
3188         * stress/array-push-multiple-storage.js: Added.
3189         (shouldBe):
3190         (test):
3191         * stress/array-push-with-force-exit.js: Added.
3192         (target.createBuiltin):
3193
3194 2017-09-29  Saam Barati  <sbarati@apple.com>
3195
3196         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3197         https://bugs.webkit.org/show_bug.cgi?id=177639
3198
3199         Reviewed by Geoffrey Garen.
3200
3201         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3202         (assert):
3203         (Class):
3204         (items.forEach):
3205         (set get for):
3206
3207 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3208
3209         Unreviewed, rolling out r222563, r222565, and r222581.
3210         https://bugs.webkit.org/show_bug.cgi?id=177675
3211
3212         "It causes a crash when playing youtube videos" (Requested by
3213         saamyjoon on #webkit).
3214
3215         Reverted changesets:
3216
3217         "[DFG] Support ArrayPush with multiple args"
3218         https://bugs.webkit.org/show_bug.cgi?id=175823
3219         http://trac.webkit.org/changeset/222563
3220
3221         "Unreviewed, build fix after r222563"
3222         https://bugs.webkit.org/show_bug.cgi?id=175823
3223         http://trac.webkit.org/changeset/222565
3224
3225         "Unreviewed, fix x86 breaking due to exhausted registers"
3226         https://bugs.webkit.org/show_bug.cgi?id=175823
3227         http://trac.webkit.org/changeset/222581
3228
3229 2017-09-28  Mark Lam  <mark.lam@apple.com>
3230
3231         test262: Unexpected passes after r222617 and r222618.
3232         https://bugs.webkit.org/show_bug.cgi?id=177622
3233         <rdar://problem/34725960>
3234
3235         Reviewed by Saam Barati.
3236
3237         Update test262.yaml for tests that are now passing.
3238
3239         * test262.yaml:
3240
3241 2017-09-27  Michael Saboff  <msaboff@apple.com>
3242
3243         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3244         https://bugs.webkit.org/show_bug.cgi?id=177570
3245
3246         Reviewed by Filip Pizlo.
3247
3248         New regression test.
3249
3250         * stress/regress-177570.js: Added.
3251
3252 2017-09-28  Michael Saboff  <msaboff@apple.com>
3253
3254         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3255         https://bugs.webkit.org/show_bug.cgi?id=177423
3256
3257         Reviewed by Mark Lam.
3258
3259         Updated regression test.
3260
3261         * stress/regress-177423.js:
3262         (catch):
3263
3264 2017-09-27  Mark Lam  <mark.lam@apple.com>
3265
3266         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3267         https://bugs.webkit.org/show_bug.cgi?id=177584
3268         <rdar://problem/34463903>
3269
3270         Reviewed by Saam Barati.
3271
3272         * stress/regress-177584.js: Added.
3273         (assertEqual):
3274         (Array.prototype.Symbol.species):
3275
3276 2017-09-27  Saam Barati  <sbarati@apple.com>
3277
3278         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3279         https://bugs.webkit.org/show_bug.cgi?id=177523
3280
3281         Reviewed by Mark Lam.
3282
3283         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3284         (assert):
3285         (Test):
3286         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3287         (addMethods):
3288         (i.Test.prototype.propName):
3289
3290 2017-09-27  Mark Lam  <mark.lam@apple.com>
3291
3292         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3293         https://bugs.webkit.org/show_bug.cgi?id=177423
3294         <rdar://problem/34621320>
3295
3296         Reviewed by Keith Miller.
3297
3298         * stress/regress-177423.js: Added.
3299
3300 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3301
3302         Add Above/Below comparisons for UInt32 patterns
3303         https://bugs.webkit.org/show_bug.cgi?id=177281
3304
3305         Reviewed by Saam Barati.
3306
3307         * stress/uint32-comparison-jump.js: Added.
3308         (shouldBe):
3309         (above):
3310         (aboveOrEqual):
3311         (below):
3312         (belowOrEqual):
3313         (notAbove):
3314         (notAboveOrEqual):
3315         (notBelow):
3316         (notBelowOrEqual):
3317         * stress/uint32-comparison.js: Added.
3318         (shouldBe):
3319         (above):
3320         (aboveOrEqual):
3321         (below):
3322         (belowOrEqual):
3323         (aboveTest):
3324         (aboveOrEqualTest):
3325         (belowTest):
3326         (belowOrEqualTest):
3327
3328 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3329
3330         [DFG] Support ArrayPush with multiple args
3331         https://bugs.webkit.org/show_bug.cgi?id=175823
3332
3333         Reviewed by Saam Barati.
3334
3335         * microbenchmarks/array-push-0.js: Added.
3336         (arrayPush0):
3337         * microbenchmarks/array-push-1.js: Added.
3338         (arrayPush1):
3339         * microbenchmarks/array-push-2.js: Added.
3340         (arrayPush2):
3341         * microbenchmarks/array-push-3.js: Added.
3342         (arrayPush3):
3343         * stress/array-push-multiple-contiguous.js: Added.
3344         (shouldBe):
3345         (test):
3346         * stress/array-push-multiple-double-nan.js: Added.
3347         (shouldBe):
3348         (test):
3349         * stress/array-push-multiple-double.js: Added.
3350         (shouldBe):
3351         (test):
3352         * stress/array-push-multiple-int32.js: Added.
3353         (shouldBe):
3354         (test):
3355         * stress/array-push-multiple-many-contiguous.js: Added.
3356         (shouldBe):
3357         (test):
3358         * stress/array-push-multiple-many-double.js: Added.
3359         (shouldBe):
3360         (test):
3361         * stress/array-push-multiple-many-int32.js: Added.
3362         (shouldBe):
3363         (test):
3364         * stress/array-push-multiple-many-storage.js: Added.
3365         (shouldBe):
3366         (test):
3367         * stress/array-push-multiple-storage.js: Added.
3368         (shouldBe):
3369         (test):
3370
3371 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3372
3373         Unreviewed, rolling out r222518.
3374         https://bugs.webkit.org/show_bug.cgi?id=177507
3375
3376         Break the High Sierra build (Requested by yusukesuzuki on
3377         #webkit).
3378
3379         Reverted changeset:
3380
3381         "Add Above/Below comparisons for UInt32 patterns"
3382         https://bugs.webkit.org/show_bug.cgi?id=177281
3383         http://trac.webkit.org/changeset/222518
3384
3385 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3386
3387         Add Above/Below comparisons for UInt32 patterns
3388         https://bugs.webkit.org/show_bug.cgi?id=177281
3389
3390         Reviewed by Saam Barati.
3391
3392         * stress/uint32-comparison-jump.js: Added.
3393         (shouldBe):
3394         (above):
3395         (aboveOrEqual):
3396         (below):
3397         (belowOrEqual):
3398         (notAbove):
3399         (notAboveOrEqual):
3400         (notBelow):
3401         (notBelowOrEqual):
3402         * stress/uint32-comparison.js: Added.
3403         (shouldBe):
3404         (above):
3405         (aboveOrEqual):
3406         (below):
3407         (belowOrEqual):
3408         (aboveTest):
3409         (aboveOrEqualTest):
3410         (belowTest):
3411         (belowOrEqualTest):
3412
3413 2017-09-23  Keith Miller  <keith_miller@apple.com>
3414
3415         Fix infinite looping test262 test
3416         https://bugs.webkit.org/show_bug.cgi?id=177412
3417
3418         Reviewed by Yusuke Suzuki.
3419
3420         This test was poorly designed since failing it would cause the vm
3421         to inifinite loop. I've fixed it locally and will fix it on github pending
3422         the results of next weeks tc39 meeting.
3423
3424         * test262.yaml:
3425         * test262/test/language/statements/for-of/iterator-next-reference.js:
3426
3427 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3428
3429         test262: $.agent became $262.agent in test262 update
3430         https://bugs.webkit.org/show_bug.cgi?id=177407
3431
3432         Reviewed by Yusuke Suzuki.
3433
3434         * test262.yaml:
3435         ~320 tests pass now that we correctly make $262 available.
3436
3437 2017-09-22  Keith Miller  <keith_miller@apple.com>
3438
3439         Speculatively change iteration protocall to use the same next function
3440         https://bugs.webkit.org/show_bug.cgi?id=175653
3441
3442         Reviewed by Saam Barati.
3443
3444         Change test to match the new iteration behavior.
3445
3446         * stress/spread-optimized-properly.js:
3447
3448 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3449
3450         [DFG][FTL] Profile array vector length for array allocation
3451         https://bugs.webkit.org/show_bug.cgi?id=177051
3452
3453         Reviewed by Saam Barati.
3454
3455         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3456         (target):
3457
3458 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3459
3460         Unreviewed, rolling out r222380.
3461         https://bugs.webkit.org/show_bug.cgi?id=177352
3462
3463         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3464         #webkit).
3465
3466         Reverted changeset:
3467
3468         "[DFG][FTL] Profile array vector length for array allocation"
3469         https://bugs.webkit.org/show_bug.cgi?id=177051
3470         http://trac.webkit.org/changeset/222380
3471
3472 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3473
3474         [DFG][FTL] Profile array vector length for array allocation
3475         https://bugs.webkit.org/show_bug.cgi?id=177051
3476
3477         Reviewed by Saam Barati.
3478
3479         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3480         (target):
3481
3482 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
3483
3484         Skip new hanging test262 tests.
3485         https://bugs.webkit.org/show_bug.cgi?id=177326
3486
3487         Unreviewed test gardening.
3488
3489         * test262.yaml:
3490
3491 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
3492
3493         Mark 6 test262 tests as passing.
3494         https://bugs.webkit.org/show_bug.cgi?id=177307
3495
3496         Unreviewed test gardening.
3497
3498         * test262.yaml:
3499
3500 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3501
3502         Unreviewed follow-up to r222311.
3503
3504         * test262/harness/sta.js:
3505         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
3506         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
3507         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3508         * test262/test/built-ins/Array/from/elements-added-after.js:
3509         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3510         * test262/test/built-ins/Array/from/elements-updated-after.js:
3511         * test262/test/built-ins/Array/from/from-array.js:
3512         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3513         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3514         * test262/test/built-ins/Array/from/source-array-boundary.js:
3515         * test262/test/built-ins/Array/from/source-object-constructor.js:
3516         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3517         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3518         * test262/test/built-ins/Array/from/source-object-length.js:
3519         * test262/test/built-ins/Array/from/source-object-missing.js:
3520         * test262/test/built-ins/Array/from/source-object-without.js:
3521         * test262/test/built-ins/Array/from/this-null.js:
3522         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3523         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3524         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3525         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3526         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3527         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3528         * test262/test/language/literals/string/7.8.4-1gs.js:
3529         Fix some files that I failed to update when I applied my patch.
3530
3531 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3532
3533         Update test262 tests
3534         https://bugs.webkit.org/show_bug.cgi?id=177220
3535
3536         Reviewed by Saam Barati and Yusuke Suzuki.
3537
3538         * test262.yaml:
3539         * test262/test262-Revision.txt:
3540         New rebaselined expectations for all tests.
3541
3542         * test262/*:
3543         Updated.
3544
3545 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3546
3547         [DFG] Remove ToThis more aggressively
3548         https://bugs.webkit.org/show_bug.cgi?id=177056
3549
3550         Reviewed by Saam Barati.
3551
3552         * stress/generator-with-this-strict.js: Added.
3553         (shouldBe):
3554         (generator):
3555         (target):
3556         * stress/generator-with-this.js: Added.
3557         (shouldBe):
3558         (generator):
3559         (target):
3560
3561 2017-09-17  Michael Saboff  <msaboff@apple.com>
3562
3563         https://bugs.webkit.org/show_bug.cgi?id=177038
3564         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3565
3566         Reviewed by JF Bastien.
3567
3568         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3569         as it dies using too much memory.
3570
3571 2017-09-15  Saam Barati  <sbarati@apple.com>
3572
3573         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3574         https://bugs.webkit.org/show_bug.cgi?id=176981
3575
3576         Reviewed by Yusuke Suzuki.
3577
3578         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3579         (assert):
3580         (verify):
3581         (func):
3582         (const.bar.createBuiltin):
3583
3584 2017-09-14  Saam Barati  <sbarati@apple.com>
3585
3586         It should be valid to exit before each set when doing arity fixup when inlining
3587         https://bugs.webkit.org/show_bug.cgi?id=176948
3588
3589         Reviewed by Keith Miller.
3590
3591         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3592         (baz):
3593         (bar):
3594         (foo):
3595
3596 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3597
3598         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3599         https://bugs.webkit.org/show_bug.cgi?id=176867
3600
3601         Reviewed by Sam Weinig.
3602
3603         * microbenchmarks/object-get-own-property-symbols.js: Added.
3604         (test):
3605
3606 2017-09-13  Mark Lam  <mark.lam@apple.com>
3607
3608         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3609         https://bugs.webkit.org/show_bug.cgi?id=176888
3610         <rdar://problem/34381832>
3611
3612         Not reviewed.
3613
3614         * stress/op_mod-ConstVar.js:
3615         * stress/op_mod-VarConst.js:
3616         * stress/op_mod-VarVar.js:
3617
3618 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3619
3620         Skip 3 op_mod tests on Debug JSC bots.
3621         https://bugs.webkit.org/show_bug.cgi?id=176630
3622
3623         Unreviewed test gardening.
3624
3625         * stress/op_mod-ConstVar.js:
3626         * stress/op_mod-VarConst.js:
3627         * stress/op_mod-VarVar.js:
3628
3629 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3630
3631         [JSC] Fix Array allocation in Object.keys
3632         https://bugs.webkit.org/show_bug.cgi?id=176826
3633
3634         Reviewed by Saam Barati.
3635
3636         * stress/object-own-property-keys.js: Added.
3637         (shouldBe):
3638
3639 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3640
3641         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3642         https://bugs.webkit.org/show_bug.cgi?id=176010
3643
3644         Reviewed by Filip Pizlo.
3645
3646         * microbenchmarks/weak-map-key.js: Added.
3647         (assert):
3648         (objectKey):
3649         (let.start.Date.now):
3650
3651 2017-09-12  Mark Lam  <mark.lam@apple.com>
3652
3653         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3654         https://bugs.webkit.org/show_bug.cgi?id=176630
3655
3656         Reviewed by JF Bastien.
3657
3658         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3659         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3660         a speculative fix for the bots that are seeing these fail.
3661
3662         I also undid the skipping of the op_mod tests for debug builds.
3663
3664         * stress/op_div-ConstVar.js:
3665         * stress/op_div-VarConst.js:
3666         * stress/op_div-VarVar.js:
3667         * stress/op_mod-ConstVar.js:
3668         * stress/op_mod-VarConst.js:
3669         * stress/op_mod-VarVar.js:
3670
3671 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3672
3673         Skip stress/value-to-boolean.js on Debug bots.
3674         https://bugs.webkit.org/show_bug.cgi?id=176787
3675
3676         Unreviewed test gardening.
3677
3678         * stress/value-to-boolean.js:
3679
3680 2017-09-11  Mark Lam  <mark.lam@apple.com>
3681
3682         Change test expectation for test262/test/language/statements/try/tco-catch.js
3683         https://bugs.webkit.org/show_bug.cgi?id=176749
3684
3685         Rubber stamped by Keith Miller.
3686
3687         It's been failing since at least r221821.  I'm changing the test expectation to
3688         fail to green the bots while I investigate some more.
3689
3690         * test262.yaml:
3691
3692 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3693
3694         Unreviewed, rolling out r221854.
3695
3696         The test added with this change fails on 32-bit JSC bots.
3697
3698         Reverted changeset:
3699
3700         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3701         https://bugs.webkit.org/show_bug.cgi?id=176010
3702         http://trac.webkit.org/changeset/221854
3703
3704 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3705
3706         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3707         https://bugs.webkit.org/show_bug.cgi?id=176010
3708
3709         Reviewed by Filip Pizlo.
3710
3711         * microbenchmarks/weak-map-key.js: Added.
3712         (assert):
3713         (objectKey):
3714         (let.start.Date.now):
3715
3716 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3717
3718         [JSC] Optimize Object.keys by using careful array allocation
3719         https://bugs.webkit.org/show_bug.cgi?id=176654
3720
3721         Reviewed by Darin Adler.
3722
3723         * microbenchmarks/object-keys.js: Added.
3724         (test):
3725
3726 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
3727