90a0f3db1deebfa4d6a51d2b6d8d10aabbb84275
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-29  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r231137.
4         https://bugs.webkit.org/show_bug.cgi?id=185118
5
6         It is breaking Test262 language/expressions/multiplication
7         /order-of-evaluation.js (Requested by caiolima on #webkit).
8
9         Reverted changeset:
10
11         "[ESNext][BigInt] Implement support for "*" operation"
12         https://bugs.webkit.org/show_bug.cgi?id=183721
13         https://trac.webkit.org/changeset/231137
14
15 2018-04-28  Saam Barati  <sbarati@apple.com>
16
17         We don't model regexp effects properly
18         https://bugs.webkit.org/show_bug.cgi?id=185059
19         <rdar://problem/39736150>
20
21         Reviewed by Filip Pizlo.
22
23         * stress/regexp-exec-test-effectful-last-index.js: Added.
24         (assert):
25         (foo):
26         (i.regexLastIndex.toString):
27         (bar):
28
29 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
30
31         Token misspelled "tocken" in error message string
32         https://bugs.webkit.org/show_bug.cgi?id=185030
33
34         Reviewed by Saam Barati.
35
36         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
37         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
38         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
39         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
40         (testSyntaxError.String.raw.v):
41         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
42         (testSyntaxError.String.raw.a):
43
44 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
45
46         [ESNext][BigInt] Implement support for "*" operation
47         https://bugs.webkit.org/show_bug.cgi?id=183721
48
49         Reviewed by Saam Barati.
50
51         * bigIntTests.yaml:
52         * stress/big-int-mul-jit.js: Added.
53         * stress/big-int-mul-to-primitive-precedence.js: Added.
54         * stress/big-int-mul-to-primitive.js: Added.
55         * stress/big-int-mul-type-error.js: Added.
56         * stress/big-int-mul-wrapped-value.js: Added.
57         * stress/big-int-multiplication.js: Added.
58         * stress/big-int-multiply-memory-stress.js: Added.
59
60 2018-04-28  Commit Queue  <commit-queue@webkit.org>
61
62         Unreviewed, rolling out r231131.
63         https://bugs.webkit.org/show_bug.cgi?id=185112
64
65         It is breaking Debug build due to unchecked exception
66         (Requested by caiolima on #webkit).
67
68         Reverted changeset:
69
70         "[ESNext][BigInt] Implement support for "*" operation"
71         https://bugs.webkit.org/show_bug.cgi?id=183721
72         https://trac.webkit.org/changeset/231131
73
74 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
75
76         [ESNext][BigInt] Implement support for "*" operation
77         https://bugs.webkit.org/show_bug.cgi?id=183721
78
79         Reviewed by Saam Barati.
80
81         * bigIntTests.yaml:
82         * stress/big-int-mul-jit.js: Added.
83         * stress/big-int-mul-to-primitive-precedence.js: Added.
84         * stress/big-int-mul-to-primitive.js: Added.
85         * stress/big-int-mul-type-error.js: Added.
86         * stress/big-int-mul-wrapped-value.js: Added.
87         * stress/big-int-multiplication.js: Added.
88         * stress/big-int-multiply-memory-stress.js: Added.
89
90 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
91
92         Unreviewed, rolling out r231086.
93
94         Caused JSC test failures due to an unchecked exception.
95
96         Reverted changeset:
97
98         "[ESNext][BigInt] Implement support for "*" operation"
99         https://bugs.webkit.org/show_bug.cgi?id=183721
100         https://trac.webkit.org/changeset/231086
101
102 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
103
104         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
105
106         * test262.yaml: Mark tests as passing.
107
108 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
109
110         [ESNext][BigInt] Implement support for "*" operation
111         https://bugs.webkit.org/show_bug.cgi?id=183721
112
113         Reviewed by Saam Barati.
114
115         * bigIntTests.yaml:
116         * stress/big-int-mul-jit.js: Added.
117         * stress/big-int-mul-to-primitive-precedence.js: Added.
118         * stress/big-int-mul-to-primitive.js: Added.
119         * stress/big-int-mul-type-error.js: Added.
120         * stress/big-int-mul-wrapped-value.js: Added.
121         * stress/big-int-multiplication.js: Added.
122         * stress/big-int-multiply-memory-stress.js: Added.
123
124 2018-04-25  Robin Morisset  <rmorisset@apple.com>
125
126         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
127         https://bugs.webkit.org/show_bug.cgi?id=184773
128         <rdar://problem/37773612>
129
130         Reviewed by Filip Pizlo.
131
132         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
133         so I decided to add it to the stress tests nonetheless.
134
135         * stress/create-rest-while-having-a-bad-time.js: Added.
136         (f):
137         (g):
138         (h):
139
140 2018-04-25  Keith Miller  <keith_miller@apple.com>
141
142         Add missing scope release to functionProtoFuncToString
143         https://bugs.webkit.org/show_bug.cgi?id=184995
144
145         Reviewed by Saam Barati.
146
147         * stress/function-toString-arrow.js: Added.
148         (async):
149
150 2018-04-24  Keith Miller  <keith_miller@apple.com>
151
152         fromCharCode is missing some exception checks
153         https://bugs.webkit.org/show_bug.cgi?id=184952
154
155         Reviewed by Saam Barati.
156
157         * stress/fromCharCode-exception-check.js: Added.
158         (get catch):
159
160 2018-04-24  Mark Lam  <mark.lam@apple.com>
161
162         Gardening: test fix after r230863.
163         https://bugs.webkit.org/show_bug.cgi?id=184846
164         <rdar://problem/39390672>
165
166         Not reviewed.
167
168         * stress/json-stringified-overflow-2.js:
169         (catch):
170         * stress/json-stringified-overflow.js:
171         (catch):
172
173 2018-04-20  JF Bastien  <jfbastien@apple.com>
174
175         Handle more JSON stringify OOM
176         https://bugs.webkit.org/show_bug.cgi?id=184846
177         <rdar://problem/39390672>
178
179         Reviewed by Mark Lam.
180
181         * stress/json-stringified-overflow-2.js: Added. Same as the one
182         below, but with a bigger input which will trigger a different code
183         path.
184         (catch):
185         * stress/json-stringified-overflow.js: Modify the test to only
186         catch OOM on stringification. not on string creation.
187
188 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
189
190         [WebAssembly][Modules] Import tables in wasm modules
191         https://bugs.webkit.org/show_bug.cgi?id=184738
192
193         Reviewed by JF Bastien.
194
195         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
196         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
197         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
198         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
199         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
200         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
201         * wasm/modules/wasm-imports-wasm-exports.js:
202         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
203         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
204         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
205         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
206
207 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
208
209         [WebAssembly][Modules] Import globals from wasm modules
210         https://bugs.webkit.org/show_bug.cgi?id=184736
211
212         Reviewed by JF Bastien.
213
214         * wasm.yaml:
215         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
216         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
217         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
218         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
219         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
220         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
221         * wasm/modules/wasm-imports-wasm-exports.js:
222         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
223         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
224         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
225         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
226
227 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
228
229         Unreviewed, reland r230697, r230720, and r230724.
230         https://bugs.webkit.org/show_bug.cgi?id=184600
231
232         * wasm.yaml:
233         * wasm/modules/constant.wasm: Added.
234         * wasm/modules/constant.wat: Added.
235         * wasm/modules/default-import-star-error.js: Added.
236         (then):
237         * wasm/modules/default-import-star-error/entry.wasm: Added.
238         * wasm/modules/default-import-star-error/entry.wat: Added.
239         * wasm/modules/default-import-star-error/t0.js: Added.
240         * wasm/modules/default-import-star-error/t1.js: Added.
241         * wasm/modules/default-import-star-error/t2.js: Added.
242         (export.default.Cocoa):
243         * wasm/modules/js-wasm-cycle.js: Added.
244         * wasm/modules/js-wasm-cycle/entry.js: Added.
245         (from.string_appeared_here.export.return42):
246         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
247         * wasm/modules/js-wasm-cycle/sum.wat: Added.
248         * wasm/modules/js-wasm-function-namespace.js: Added.
249         (assert.throws):
250         * wasm/modules/js-wasm-function.js: Added.
251         (assert.throws):
252         * wasm/modules/js-wasm-global-namespace.js: Added.
253         (assert.throws):
254         * wasm/modules/js-wasm-global.js: Added.
255         (assert.throws):
256         * wasm/modules/js-wasm-memory-namespace.js: Added.
257         (assert.throws):
258         * wasm/modules/js-wasm-memory.js: Added.
259         (assert.throws):
260         * wasm/modules/js-wasm-start.js: Added.
261         (then):
262         * wasm/modules/js-wasm-table-namespace.js: Added.
263         (assert.throws):
264         * wasm/modules/js-wasm-table.js: Added.
265         (assert.throws):
266         * wasm/modules/memory.wasm: Added.
267         * wasm/modules/memory.wat: Added.
268         * wasm/modules/run-from-wasm.wasm: Added.
269         * wasm/modules/run-from-wasm.wat: Added.
270         * wasm/modules/run-from-wasm/check.js: Added.
271         (export.check):
272         * wasm/modules/start.wasm: Added.
273         * wasm/modules/start.wat: Added.
274         * wasm/modules/sum.wasm: Added.
275         * wasm/modules/sum.wat: Added.
276         * wasm/modules/table.wasm: Added.
277         * wasm/modules/table.wat: Added.
278         * wasm/modules/wasm-imports-js-exports.js: Added.
279         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
280         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
281         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
282         (export.sum):
283         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
284         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
285         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
286         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
287         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
288         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
289         * wasm/modules/wasm-imports-wasm-exports.js: Added.
290         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
291         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
292         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
293         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
294         * wasm/modules/wasm-js-cycle.js: Added.
295         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
296         * wasm/modules/wasm-js-cycle/entry.wat: Added.
297         * wasm/modules/wasm-js-cycle/sum.js: Added.
298         (from.string_appeared_here.export.sum):
299         * wasm/modules/wasm-wasm-cycle.js: Added.
300         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
301         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
302         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
303         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
304
305 2018-04-17  Commit Queue  <commit-queue@webkit.org>
306
307         Unreviewed, rolling out r230697, r230720, and r230724.
308         https://bugs.webkit.org/show_bug.cgi?id=184717
309
310         These caused multiple failures on the Test262 testers.
311         (Requested by mlewis13 on #webkit).
312
313         Reverted changesets:
314
315         "[WebAssembly][Modules] Prototype wasm import"
316         https://bugs.webkit.org/show_bug.cgi?id=184600
317         https://trac.webkit.org/changeset/230697
318
319         "[WebAssembly][Modules] Implement function import from wasm
320         modules"
321         https://bugs.webkit.org/show_bug.cgi?id=184689
322         https://trac.webkit.org/changeset/230720
323
324         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
325         https://bugs.webkit.org/show_bug.cgi?id=184703
326         https://trac.webkit.org/changeset/230724
327
328 2018-04-17  JF Bastien  <jfbastien@apple.com>
329
330         A put is not an ExistingProperty put when we transition a structure because of an attributes change
331         https://bugs.webkit.org/show_bug.cgi?id=184706
332         <rdar://problem/38871451>
333
334         Reviewed by Saam Barati.
335
336         * stress/put-by-id-direct-strict-transition.js: Added.
337         (const.foo):
338         (j.const.obj.set hello):
339         * stress/put-by-id-direct-transition.js: Added.
340         (const.foo):
341         (j.const.obj.set hello):
342         * stress/put-getter-setter-by-id-strict-transition.js: Added.
343         (const.foo):
344         (j.const.obj.set hello):
345         * stress/put-getter-setter-by-id-transition.js: Added.
346         (const.foo):
347         (j.const.obj.set hello):
348
349 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
350
351         PutStackSinkingPhase should know that KillStack means ConflictingFlush
352         https://bugs.webkit.org/show_bug.cgi?id=184672
353
354         Reviewed by Michael Saboff.
355
356         * stress/sink-put-stack-over-kill-stack.js: Added.
357         (avocado_1):
358         (apricot_0):
359         (__c_0):
360         (banana_2):
361
362 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
363
364         [JSC] Rename runWebAssembly to runWebAssemblySuite
365         https://bugs.webkit.org/show_bug.cgi?id=184703
366
367         Reviewed by JF Bastien.
368
369         And add runWebAssembly as a command to simplely run wasm modules.
370
371         * wasm.yaml:
372
373 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
374
375         [WebAssembly][Modules] Implement function import from wasm modules
376         https://bugs.webkit.org/show_bug.cgi?id=184689
377
378         Reviewed by JF Bastien.
379
380         * wasm.yaml:
381         * wasm/modules/js-wasm-cycle.js: Added.
382         * wasm/modules/js-wasm-cycle/entry.js: Added.
383         (from.string_appeared_here.export.return42):
384         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
385         * wasm/modules/js-wasm-cycle/sum.wat: Added.
386         * wasm/modules/run-from-wasm.wasm: Added.
387         * wasm/modules/run-from-wasm.wat: Added.
388         * wasm/modules/run-from-wasm/check.js: Added.
389         (export.check):
390         * wasm/modules/wasm-imports-js-exports.js: Added.
391         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
392         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
393         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
394         (export.sum):
395         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
396         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
397         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
398         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
399         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
400         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
401         * wasm/modules/wasm-imports-wasm-exports.js: Added.
402         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
403         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
404         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
405         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
406         * wasm/modules/wasm-js-cycle.js: Added.
407         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
408         * wasm/modules/wasm-js-cycle/entry.wat: Added.
409         * wasm/modules/wasm-js-cycle/sum.js: Added.
410         (from.string_appeared_here.export.sum):
411         * wasm/modules/wasm-wasm-cycle.js: Added.
412         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
413         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
414         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
415         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
416
417 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
418
419         [WebAssembly][Modules] Prototype wasm import
420         https://bugs.webkit.org/show_bug.cgi?id=184600
421
422         Reviewed by JF Bastien.
423
424         Add wasm and wat files since module loader want to load wasm files from FS.
425         Currently, importing the other modules from wasm is not supported.
426
427         * wasm.yaml:
428         * wasm/modules/constant.wasm: Added.
429         * wasm/modules/constant.wat: Added.
430         * wasm/modules/js-wasm-function-namespace.js: Added.
431         (assert.throws):
432         * wasm/modules/js-wasm-function.js: Added.
433         (assert.throws):
434         * wasm/modules/js-wasm-global-namespace.js: Added.
435         (assert.throws):
436         * wasm/modules/js-wasm-global.js: Added.
437         (assert.throws):
438         * wasm/modules/js-wasm-memory-namespace.js: Added.
439         (assert.throws):
440         * wasm/modules/js-wasm-memory.js: Added.
441         (assert.throws):
442         * wasm/modules/js-wasm-start.js: Added.
443         (then):
444         * wasm/modules/js-wasm-table-namespace.js: Added.
445         (assert.throws):
446         * wasm/modules/js-wasm-table.js: Added.
447         (assert.throws):
448         * wasm/modules/memory.wasm: Added.
449         * wasm/modules/memory.wat: Added.
450         * wasm/modules/start.wasm: Added.
451         * wasm/modules/start.wat: Added.
452         * wasm/modules/sum.wasm: Added.
453         * wasm/modules/sum.wat: Added.
454         * wasm/modules/table.wasm: Added.
455         * wasm/modules/table.wat: Added.
456
457 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
458
459         Function.prototype.caller shouldn't return generator bodies
460         https://bugs.webkit.org/show_bug.cgi?id=184630
461
462         Reviewed by Yusuke Suzuki.
463
464         * stress/function-caller-async-arrow-function-body.js: Added.
465         * stress/function-caller-async-function-body.js: Added.
466         * stress/function-caller-async-generator-body.js: Added.
467         * stress/function-caller-generator-body.js: Added.
468         * stress/function-caller-generator-method-body.js: Added.
469
470 2018-04-12  Tomas Popela  <tpopela@redhat.com>
471
472         Unreviewed, skip JIT tests if it isn't enabled
473
474         See https://bugs.webkit.org/show_bug.cgi?id=182730.
475
476         * stress/big-int-spec-to-primitive.js:
477         * stress/big-int-spec-to-this.js:
478
479 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
480
481         [ESNext][BigInt] Add support for BigInt in SpeculatedType
482         https://bugs.webkit.org/show_bug.cgi?id=182470
483
484         Reviewed by Saam Barati.
485
486         * stress/big-int-spec-to-primitive.js: Added.
487         * stress/big-int-spec-to-this.js: Added.
488         * stress/big-int-strict-equals-jit.js: Added.
489         * stress/big-int-strict-spec-to-this.js: Added.
490         * stress/big-int-type-of-proven-type.js: Added.
491
492 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
493
494         DFG AI and clobberize should agree with each other
495         https://bugs.webkit.org/show_bug.cgi?id=184440
496
497         Reviewed by Saam Barati.
498         
499         Add tests for all of the bugs I fixed.
500
501         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
502         (foo):
503         * stress/new-typed-array-cse-effects.js: Added.
504         (foo):
505         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
506         (foo.theO):
507         (foo):
508         * stress/string-from-char-code-change-structure-not-dead.js: Added.
509         (foo):
510         (i.valueOf):
511         (weirdValue.valueOf):
512         * stress/string-from-char-code-change-structure.js: Added.
513         (foo):
514         (i.valueOf):
515         (weirdValue.valueOf):
516
517 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
518
519         Fix errant Test262 files CRLF to LF for consistency with the original source
520         https://bugs.webkit.org/show_bug.cgi?id=184425
521
522         Reviewed by Yusuke Suzuki.
523
524         * test262/test/built-ins/Math/acosh/nan-returns.js:
525         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
526         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
527         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
528         * test262/test/built-ins/Math/cbrt/prop-desc.js:
529         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
530         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
531         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
532         * test262/test/built-ins/Math/log2/log2-basicTests.js:
533         * test262/test/built-ins/Math/sign/sign-specialVals.js:
534         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
535         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
536         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
537         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
538
539 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
540
541         Unreviewed, remove incorrect entry in test262.yaml
542         https://bugs.webkit.org/show_bug.cgi?id=184266
543
544         * test262.yaml:
545
546 2018-04-08  Valerie Young  <valerie@bocoup.com>
547
548         [JSC] Update Test262 to April 6 version
549         https://bugs.webkit.org/show_bug.cgi?id=184266
550
551         Rubber stamped by Yusuke Suzuki.
552
553 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
554
555         [JSC] Introduce op_get_by_id_direct
556         https://bugs.webkit.org/show_bug.cgi?id=183970
557
558         Reviewed by Filip Pizlo.
559
560         * stress/generator-prototype-copy.js: Added.
561         (gen):
562         (catch):
563         Adopted JF's tests.
564
565         * stress/generator-type-check.js: Added.
566         (shouldThrow):
567         (foo2):
568         (i.shouldThrow):
569         * stress/get-by-id-direct-getter.js: Added.
570         (shouldBe):
571         (shouldThrow):
572         (obj.get hello):
573         (builtin.createBuiltin):
574         (obj2.get length):
575         * stress/get-by-id-direct.js: Added.
576         (shouldBe):
577         (shouldThrow):
578         (builtin.createBuiltin):
579         * test262.yaml:
580         We fixed long-standing spec compatibility issue.
581         As a result, this patch makes several test262 tests passed!
582
583
584 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
585
586         Unreviewed, annotate test with @skip if $memoryLimited
587         https://bugs.webkit.org/show_bug.cgi?id=183894
588
589         * stress/json-stringified-overflow.js:
590
591 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
592
593         Add svn:eol-style to line-terminator-normalisation-CR.js
594         https://bugs.webkit.org/show_bug.cgi?id=184341
595
596         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
597
598 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
599
600         Unreviewed, remove errant LF from existing test262 test for CR line endings.
601
602         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
603
604 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
605
606         Unreviewed, rolling out r230320.
607
608         Revert fix, as the root cause lies elsewhere.
609
610         Reverted changeset:
611
612         "[test262] Mark line-terminator-normalisation-CR.js as a
613         binary file."
614         https://bugs.webkit.org/show_bug.cgi?id=184341
615         https://trac.webkit.org/changeset/230320
616
617 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
618
619         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
620         https://bugs.webkit.org/show_bug.cgi?id=184341
621
622         Reviewed by Yusuke Suzuki.
623
624         This test is all about CR line endings, but `svn-apply` can't deal with them.
625         Treating the file as binary ensures that its contents never are never shown in a diff.
626
627         * .gitattributes: Added.
628
629 2018-04-05  Robin Morisset  <rmorisset@apple.com>
630
631         Fix testcase (missing try/catch).
632         https://bugs.webkit.org/show_bug.cgi?id=183657
633
634         Unreviewed.
635
636         * stress/large-unshift-splice.js
637
638 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
639
640         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
641         https://bugs.webkit.org/show_bug.cgi?id=184319
642
643         Reviewed by Saam Barati.
644
645         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
646         (foo):
647         (bar):
648         * stress/array-push-nan-to-double-array.js: Added.
649         (foo):
650         (bar):
651
652 2018-04-03  Mark Lam  <mark.lam@apple.com>
653
654         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
655         https://bugs.webkit.org/show_bug.cgi?id=184284
656
657         Reviewed by Saam Barati.
658
659         * stress/js-fixed-array-out-of-memory.js:
660
661 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
662
663         JSC crash in JIT code with for-of loop and Array/Set iterators
664         https://bugs.webkit.org/show_bug.cgi?id=183174
665
666         Reviewed by Saam Barati.
667
668         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
669         (foo):
670         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
671         (f):
672
673 2018-03-30  JF Bastien  <jfbastien@apple.com>
674
675         WebAssembly: support DataView compilation
676         https://bugs.webkit.org/show_bug.cgi?id=183342
677
678         Reviewed by Mark Lam.
679
680         Test WebAssembly compilation using a DataView with offset.
681
682         * wasm/regress/183342.js: Added.
683         (attempt.catch):
684
685 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
686
687         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
688         https://bugs.webkit.org/show_bug.cgi?id=184189
689
690         Reviewed by JF Bastien.
691
692         * stress/load-hole-from-scope-into-live-var.js: Added.
693         (result.eval.try.switch):
694         (catch):
695
696 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
697
698         Unreviewed, rolling out r230102.
699
700         Caused assertion failures on JSC bots.
701
702         Reverted changeset:
703
704         "A stack overflow in the parsing of a builtin (called by
705         createExecutable) cause a crash instead of a catchable js
706         exception"
707         https://bugs.webkit.org/show_bug.cgi?id=184074
708         https://trac.webkit.org/changeset/230102
709
710 2018-03-30  Robin Morisset  <rmorisset@apple.com>
711
712         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
713         https://bugs.webkit.org/show_bug.cgi?id=183812
714
715         Reviewed by Keith Miller.
716
717         * stress/inlining-unreachable-non-tail.js: Added.
718         (foo.):
719         (foo):
720
721 2018-03-30  Robin Morisset  <rmorisset@apple.com>
722
723         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
724         https://bugs.webkit.org/show_bug.cgi?id=184074
725         <rdar://problem/37165897>
726
727         Reviewed by Keith Miller.
728
729         * stress/stack-overflow-while-parsing-builtin.js: Added.
730         (f):
731
732 2018-03-30  Robin Morisset  <rmorisset@apple.com>
733
734         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
735         https://bugs.webkit.org/show_bug.cgi?id=183657
736
737         Reviewed by Keith Miller.
738
739         * stress/large-unshift-splice.js: Added.
740         (make_contig_arr):
741
742 2018-03-28  Robin Morisset  <rmorisset@apple.com>
743
744         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
745         https://bugs.webkit.org/show_bug.cgi?id=183894
746
747         Reviewed by Saam Barati.
748
749         * stress/json-stringified-overflow.js: Added.
750         (catch):
751
752 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
753
754         DFG should know that CreateThis can be effectful
755         https://bugs.webkit.org/show_bug.cgi?id=184013
756
757         Reviewed by Saam Barati.
758
759         * stress/create-this-property-change.js: Added.
760         (Foo):
761         (RealBar):
762         (get if):
763         * stress/create-this-structure-change-without-cse.js: Added.
764         (Foo):
765         (RealBar):
766         (get if):
767         * stress/create-this-structure-change.js: Added.
768         (Foo):
769         (RealBar):
770         (get if):
771
772 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
773
774         [DFG] Introduces fused compare and jump
775         https://bugs.webkit.org/show_bug.cgi?id=177100
776
777         Reviewed by Mark Lam.
778
779         * stress/fused-jeq-slow.js: Added.
780         (shouldBe):
781         (testJEQ):
782         (testJNEQB):
783         (testJEQB):
784         (testJNEQF):
785         (testJEQF):
786         * stress/fused-jeq.js: Added.
787         (shouldBe):
788         (testJEQ):
789         (testJNEQB):
790         (testJEQB):
791         (testJNEQF):
792         (testJEQF):
793         * stress/fused-jstricteq-slow.js: Added.
794         (shouldBe):
795         (testJSTRICTEQ):
796         (testJNSTRICTEQB):
797         (testJSTRICTEQB):
798         (testJNSTRICTEQF):
799         (testJSTRICTEQF):
800         * stress/fused-jstricteq.js: Added.
801         (shouldBe):
802         (testJSTRICTEQ):
803         (testJNSTRICTEQB):
804         (testJSTRICTEQB):
805         (testJNSTRICTEQF):
806         (testJSTRICTEQF):
807
808 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
809
810         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
811         https://bugs.webkit.org/show_bug.cgi?id=183559
812
813         Reviewed by Mark Lam.
814
815         * stress/double-to-string-in-loop-removed.js: Added.
816         (test):
817         * stress/int32-to-string-in-loop-removed.js: Added.
818         (test):
819         * stress/int52-to-string-in-loop-removed.js: Added.
820         (test):
821
822 2018-03-22  Michael Saboff  <msaboff@apple.com>
823
824         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
825         https://bugs.webkit.org/show_bug.cgi?id=183901
826
827         Reviewed by Keith Miller.
828
829         New test.
830
831         * stress/array-reverse-doesnt-clobber.js: Added.
832         (testArrayReverse):
833         (createArrayOfArrays):
834         (createArrayStorage):
835
836 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
837
838         ScopedArguments should do poisoning and index masking
839         https://bugs.webkit.org/show_bug.cgi?id=183863
840
841         Reviewed by Mark Lam.
842         
843         Adds another stress test of scoped arguments.
844
845         * stress/scoped-arguments-test.js: Added.
846         (foo):
847
848 2018-03-20  Saam Barati  <sbarati@apple.com>
849
850         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
851         https://bugs.webkit.org/show_bug.cgi?id=183795
852         <rdar://problem/38298694>
853
854         Reviewed by JF Bastien.
855
856         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
857         (foo):
858         (bar):
859
860 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
861
862         [DFG][FTL] Add vectorLengthHint for NewArray
863         https://bugs.webkit.org/show_bug.cgi?id=183694
864
865         Reviewed by Saam Barati.
866
867         * stress/vector-length-hint-array-constructor.js: Added.
868         (shouldBe):
869         (test):
870         * stress/vector-length-hint-new-array.js: Added.
871         (shouldBe):
872         (test):
873
874 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
875
876         [DFG][FTL] Make ArraySlice(0) code tight
877         https://bugs.webkit.org/show_bug.cgi?id=183590
878
879         Reviewed by Saam Barati.
880
881         * stress/array-slice-with-zero.js: Added.
882         (shouldBe):
883         (test):
884         (test2):
885         * stress/array-slice-zero-args.js: Added.
886         (shouldBe):
887         (test):
888
889 2018-03-14  Caitlin Potter  <caitp@igalia.com>
890
891         [JSC] fix order of evaluation for ClassDefinitionEvaluation
892         https://bugs.webkit.org/show_bug.cgi?id=183523
893
894         Reviewed by Keith Miller.
895
896         Computed property names need to be evaluated in source order during class
897         definition evaluation, as it's observable (and specified to work this way).
898
899         This change improves compatibility with Chromium.
900
901         * stress/class_elements.js: Added.
902         (test):
903         (test.C.prototype.effect):
904         (test.C.effect):
905         (test.C.prototype.get effect):
906         (test.C.prototype.set effect):
907         (test.C):
908
909 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
910
911         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
912         https://bugs.webkit.org/show_bug.cgi?id=183310
913
914         Reviewed by Filip Pizlo.
915
916         * stress/ai-create-this-to-new-object-fire.js: Added.
917         (assert):
918         (test):
919         (func):
920         (check):
921         (test.body.A):
922         (test.body.B):
923         (test.body):
924         * stress/ai-create-this-to-new-object.js: Added.
925         (assert):
926         (test):
927         (func):
928         (check):
929         (test.body.A):
930         (test.body.B):
931         (test.body):
932
933 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
934
935         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
936         https://bugs.webkit.org/show_bug.cgi?id=181848
937
938         Reviewed by Sam Weinig.
939
940         * microbenchmarks/regexp-u-global-es5.js: Added.
941         (fn):
942         * microbenchmarks/regexp-u-global-es6.js: Added.
943         (fn):
944         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
945         (shouldBe):
946         (test):
947         (i.switch):
948         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
949         (shouldBe):
950         (test):
951
952 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
953
954         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
955         https://bugs.webkit.org/show_bug.cgi?id=183334
956
957         Reviewed by Žan Doberšek.
958
959         * stress/var-injection-cache-invalidation.js:
960
961 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
962
963         [ARM] Disable tests that run out of memory
964         https://bugs.webkit.org/show_bug.cgi?id=182699
965
966         Reviewed by Žan Doberšek.
967
968         Skip tests that run of of memory. Do not run
969         modules/module-jit-reachability.js without LLInt to prevent
970         running out of executable memory.
971
972         * modules.yaml:
973         * modules/module-jit-reachability.js:
974         * stress/has-own-property-name-cache-string-keys.js:
975         * stress/has-own-property-name-cache-symbol-keys.js:
976
977 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
978
979         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
980         https://bugs.webkit.org/show_bug.cgi?id=183173
981
982         Reviewed by Saam Barati.
983
984         * stress/async-arrow-function-in-class-heritage.js: Added.
985         (testSyntax):
986         (testSyntaxError):
987         (SyntaxError):
988
989 2018-03-01  Saam Barati  <sbarati@apple.com>
990
991         We need to clear cached structures when having a bad time
992         https://bugs.webkit.org/show_bug.cgi?id=183256
993         <rdar://problem/36245022>
994
995         Reviewed by Mark Lam.
996
997         * stress/having-a-bad-time-with-derived-arrays.js: Added.
998         (assert):
999         (defineSetter):
1000         (iterate):
1001         (doSlice):
1002
1003 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1004
1005         JSC crash with `import("")`
1006         https://bugs.webkit.org/show_bug.cgi?id=183175
1007
1008         Reviewed by Saam Barati.
1009
1010         * stress/import-with-empty-string.js: Added.
1011
1012 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1013
1014         Unreviewed, skip FTL tests if FTL is disabled
1015         https://bugs.webkit.org/show_bug.cgi?id=183071
1016
1017         * stress/has-indexed-property-array-storage-ftl.js:
1018         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1019
1020 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1021
1022         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1023         https://bugs.webkit.org/show_bug.cgi?id=182965
1024
1025         Reviewed by Saam Barati.
1026
1027         * stress/put-by-val-array-storage.js: Added.
1028         (shouldBe):
1029         (testArrayStorageInBounds):
1030         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1031         (shouldBe):
1032         (testInt32.createBuiltin):
1033         (set for):
1034         * stress/put-by-val-slow-put-array-storage.js: Added.
1035         (shouldBe):
1036         (testArrayStorageInBounds):
1037
1038 2018-02-26  Saam Barati  <sbarati@apple.com>
1039
1040         validateStackAccess should not validate if the offset is within the stack bounds
1041         https://bugs.webkit.org/show_bug.cgi?id=183067
1042         <rdar://problem/37749988>
1043
1044         Reviewed by Mark Lam.
1045
1046         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1047         (assert):
1048         (test.a):
1049         (test.b):
1050         (test):
1051
1052 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1053
1054         Unreviewed, skip FTL tests if FTL is disabled
1055         https://bugs.webkit.org/show_bug.cgi?id=183071
1056
1057         * stress/has-indexed-property-array-storage-ftl.js:
1058         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1059
1060 2018-02-23  Saam Barati  <sbarati@apple.com>
1061
1062         Make Number.isInteger an intrinsic
1063         https://bugs.webkit.org/show_bug.cgi?id=183088
1064
1065         Reviewed by JF Bastien.
1066
1067         * stress/number-is-integer-intrinsic.js: Added.
1068
1069 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1070
1071         WebAssembly: cache memory address / size on instance
1072         https://bugs.webkit.org/show_bug.cgi?id=177305
1073
1074         Reviewed by JF Bastien.
1075
1076         * wasm/function-tests/memory-reuse.js: Added.
1077         (createWasmInstance):
1078         (doCheckTrap):
1079         (doMemoryGrow):
1080         (doCheck):
1081         (checkWasmInstancesWithSharedMemory):
1082
1083 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1084
1085         [JSC] Implement $vm.ftlTrue function for FTL testing
1086         https://bugs.webkit.org/show_bug.cgi?id=183071
1087
1088         Reviewed by Mark Lam.
1089
1090         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1091         (foo):
1092         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1093         (foo):
1094         * stress/dead-fiat-value-to-int52.js:
1095         (foo):
1096         * stress/dead-osr-entry-value.js:
1097         (foo):
1098         * stress/fiat-value-to-int52-then-exit-not-double.js:
1099         (foo):
1100         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1101         (foo):
1102         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1103         (foo):
1104         * stress/fiat-value-to-int52-then-fold.js:
1105         (foo):
1106         * stress/fiat-value-to-int52.js:
1107         (foo):
1108         * stress/fold-based-on-int32-proof-mul-branch.js:
1109         (foo):
1110         * stress/fold-profiled-call-to-call.js:
1111         (foo):
1112         * stress/fold-to-double-constant-then-exit.js:
1113         (foo):
1114         * stress/fold-to-int52-constant-then-exit.js:
1115         (foo):
1116         * stress/fold-to-primitive-in-cfa.js:
1117         (foo):
1118         * stress/fold-to-primitive-to-identity-in-cfa.js:
1119         (foo):
1120         * stress/has-indexed-property-array-storage-ftl.js: Added.
1121         (shouldBe):
1122         (test1):
1123         (test2):
1124         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1125         (shouldBe):
1126         (test1):
1127         (test2):
1128         * stress/int52-ai-add-then-filter-int32.js:
1129         (foo):
1130         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1131         (foo):
1132         * stress/int52-ai-mul-then-filter-int32.js:
1133         (foo):
1134         * stress/int52-ai-neg-then-filter-int32.js:
1135         (foo):
1136         * stress/int52-ai-sub-then-filter-int32.js:
1137         (foo):
1138         * stress/licm-pre-header-cannot-exit-nested.js:
1139         (foo):
1140         * stress/licm-pre-header-cannot-exit.js:
1141         (foo):
1142         * stress/sparse-array-entry-update-144067.js:
1143         (useMemoryToTriggerGCs):
1144         * stress/test-spec-misc.js:
1145         (foo):
1146         * stress/tricky-array-bounds-checks.js:
1147         (foo):
1148
1149 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1150
1151         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1152         https://bugs.webkit.org/show_bug.cgi?id=182792
1153
1154         Reviewed by Mark Lam.
1155
1156         * stress/has-indexed-property-array-storage.js: Added.
1157         (shouldBe):
1158         (test1):
1159         (test2):
1160         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1161         (shouldBe):
1162         (test1):
1163         (test2):
1164
1165 2018-02-20  Saam Barati  <sbarati@apple.com>
1166
1167         DFG::VarargsForwardingPhase should eliminate getting argument length
1168         https://bugs.webkit.org/show_bug.cgi?id=182959
1169
1170         Reviewed by Keith Miller.
1171
1172         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1173
1174 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1175
1176         [FTL] Support ArrayPush for ArrayStorage
1177         https://bugs.webkit.org/show_bug.cgi?id=182782
1178
1179         Reviewed by Saam Barati.
1180
1181         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1182
1183         * stress/array-push-array-storage-beyond-int32.js: Added.
1184         (shouldBe):
1185         (test):
1186         * stress/array-push-array-storage.js: Added.
1187         (shouldBe):
1188         (test):
1189         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1190         (shouldBe):
1191         (test):
1192         * stress/array-push-multiple-storage-continuous.js: Added.
1193         (shouldBe):
1194         (test):
1195
1196 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1197
1198         [FTL] Support ArrayPop for ArrayStorage
1199         https://bugs.webkit.org/show_bug.cgi?id=182783
1200
1201         Reviewed by Saam Barati.
1202
1203         * stress/array-pop-array-storage.js: Added.
1204         (shouldBe):
1205         (test):
1206
1207 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1208
1209         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1210         https://bugs.webkit.org/show_bug.cgi?id=182731
1211
1212         Reviewed by Saam Barati.
1213
1214         * stress/arrayify-array-storage-array.js: Added.
1215         (shouldBe):
1216         (testArrayStorage):
1217         * stress/arrayify-array-storage-non-array.js: Added.
1218         (shouldBe):
1219         (testArrayStorage):
1220         * stress/arrayify-array-storage.js: Added.
1221         (shouldBe):
1222         (testArrayStorage):
1223         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1224         (shouldBe):
1225         (testArrayStorage):
1226         * stress/arrayify-slow-put-array-storage.js: Added.
1227         (shouldBe):
1228         (testArrayStorage):
1229
1230 2018-02-19  Saam Barati  <sbarati@apple.com>
1231
1232         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1233         https://bugs.webkit.org/show_bug.cgi?id=182942
1234         <rdar://problem/37584764>
1235
1236         Reviewed by Mark Lam.
1237
1238         * stress/get-prototype-create-this-effectful.js: Added.
1239
1240 2018-02-16  Saam Barati  <sbarati@apple.com>
1241
1242         Fix bugs from r228411
1243         https://bugs.webkit.org/show_bug.cgi?id=182851
1244         <rdar://problem/37577732>
1245
1246         Reviewed by JF Bastien.
1247
1248         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1249
1250 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1251
1252         Unreviewed, roll out r228366 since it did not progress anything.
1253
1254         * stress/gc-error-stack.js: Removed.
1255         * stress/no-gc-error-stack.js: Removed.
1256
1257 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1258
1259         Many stress tests fail with JIT disabled
1260         https://bugs.webkit.org/show_bug.cgi?id=182730
1261
1262         Reviewed by Saam Barati.
1263
1264         These tests are broken by design if the JIT is disabled - they test
1265         the return value of numberOfDFGCompiles(), which is always set to
1266         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1267
1268         * stress/arith-abs-on-various-types.js:
1269         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1270         * stress/arith-acos-on-various-types.js:
1271         * stress/arith-acosh-on-various-types.js:
1272         * stress/arith-asin-on-various-types.js:
1273         * stress/arith-asinh-on-various-types.js:
1274         * stress/arith-atan-on-various-types.js:
1275         * stress/arith-atanh-on-various-types.js:
1276         * stress/arith-cbrt-on-various-types.js:
1277         * stress/arith-ceil-on-various-types.js:
1278         * stress/arith-clz32-on-various-types.js:
1279         * stress/arith-cos-on-various-types.js:
1280         * stress/arith-cosh-on-various-types.js:
1281         * stress/arith-expm1-on-various-types.js:
1282         * stress/arith-floor-on-various-types.js:
1283         * stress/arith-fround-on-various-types.js:
1284         * stress/arith-log-on-various-types.js:
1285         * stress/arith-log10-on-various-types.js:
1286         * stress/arith-log2-on-various-types.js:
1287         * stress/arith-negate-on-various-types.js:
1288         * stress/arith-round-on-various-types.js:
1289         * stress/arith-sin-on-various-types.js:
1290         * stress/arith-sinh-on-various-types.js:
1291         * stress/arith-sqrt-on-various-types.js:
1292         * stress/arith-tan-on-various-types.js:
1293         * stress/arith-tanh-on-various-types.js:
1294         * stress/arith-trunc-on-various-types.js:
1295         * stress/compare-strict-eq-on-various-types.js:
1296
1297 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1298
1299         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1300
1301         Unreviewed test gardening.
1302
1303         * stress/new-largeish-contiguous-array-with-size.js:
1304
1305 2018-02-14  Saam Barati  <sbarati@apple.com>
1306
1307         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1308         https://bugs.webkit.org/show_bug.cgi?id=182801
1309
1310         Reviewed by Keith Miller.
1311
1312         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1313
1314 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1315
1316         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1317         https://bugs.webkit.org/show_bug.cgi?id=182526
1318
1319         Unreviewed test gardening.
1320
1321         * stress/activation-sink-default-value-tdz-error.js:
1322
1323 2018-02-13  Saam Barati  <sbarati@apple.com>
1324
1325         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1326         https://bugs.webkit.org/show_bug.cgi?id=182755
1327         <rdar://problem/37080864>
1328
1329         Reviewed by Keith Miller.
1330
1331         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1332         (test1.o.get 10005):
1333         (test1):
1334         (test2.o.get 1000):
1335         (test2):
1336
1337 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1338
1339         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1340         https://bugs.webkit.org/show_bug.cgi?id=182717
1341
1342         Reviewed by Yusuke Suzuki.
1343
1344         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1345         literals, to allow template callsite arrays to be collected when the
1346         code containing the tagged template call is collected. This spec change
1347         has received concensus and been ratified.
1348
1349         This change eliminates the eternal map associating template contents
1350         with arrays.
1351
1352         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1353         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1354         * stress/tagged-templates-identity.js:
1355         * stress/template-string-tags-eval.js:
1356         * test262.yaml:
1357
1358 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1359
1360         Support GetArrayLength on ArrayStorage in the FTL
1361         https://bugs.webkit.org/show_bug.cgi?id=182625
1362
1363         Reviewed by Saam Barati.
1364
1365         * stress/array-storage-length.js: Added.
1366         (shouldBe):
1367         (testInBound):
1368         (testUncountable):
1369         (testSlowPutInBound):
1370         (testSlowPutUncountable):
1371         * stress/undecided-length.js: Added.
1372         (shouldBe):
1373         (test2):
1374
1375 2018-02-12  Saam Barati  <sbarati@apple.com>
1376
1377         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1378         https://bugs.webkit.org/show_bug.cgi?id=182706
1379         <rdar://problem/36833681>
1380
1381         Reviewed by Filip Pizlo.
1382
1383         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1384         (effects):
1385         (foo):
1386
1387 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1388
1389         Don't waste memory for error.stack
1390         https://bugs.webkit.org/show_bug.cgi?id=182656
1391
1392         Reviewed by Saam Barati.
1393         
1394         Tests the policy.
1395
1396         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1397         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1398
1399 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1400
1401         [JSC] Update Test262 to Feb 9 version
1402         https://bugs.webkit.org/show_bug.cgi?id=182468
1403
1404         Reviewed by Saam Barati.
1405
1406 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1407
1408         Unreviewed, fix invalid line terminator in old test262 file part 2
1409         https://bugs.webkit.org/show_bug.cgi?id=182468
1410
1411         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1412
1413 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1414
1415         Unreviewed, fix invalid line terminator in old test262 file
1416         https://bugs.webkit.org/show_bug.cgi?id=182468
1417
1418         * test262/test/language/literals/regexp/7.8.5-1.js:
1419
1420 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1421
1422         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1423         https://bugs.webkit.org/show_bug.cgi?id=182440
1424
1425         Reviewed by Darin Adler.
1426
1427         * stress/array-flatmap.js: Added.
1428         (shouldBe):
1429         (shouldBeArray):
1430         (shouldThrow):
1431         (var):
1432         * stress/array-flatten.js: Added.
1433         (shouldBe):
1434         (shouldBeArray):
1435         * test262.yaml:
1436         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1437         (3.flatMap):
1438         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1439
1440 2018-02-06  Keith Miller  <keith_miller@apple.com>
1441
1442         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1443         https://bugs.webkit.org/show_bug.cgi?id=182549
1444         <rdar://problem/36189995>
1445
1446         Reviewed by Saam Barati.
1447
1448         * stress/var-injection-cache-invalidation.js: Added.
1449         (allocateLotsOfThings):
1450         (test):
1451
1452 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1453
1454         Unreviewed, follow up for test262 update
1455         https://bugs.webkit.org/show_bug.cgi?id=182288
1456
1457         * test262.yaml:
1458
1459 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1460
1461         Update test262 to Jan 30 version
1462         https://bugs.webkit.org/show_bug.cgi?id=182288
1463
1464         Unreviewed test gardening.
1465
1466         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1467
1468 2018-02-02  Saam Barati  <sbarati@apple.com>
1469
1470         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1471         https://bugs.webkit.org/show_bug.cgi?id=182368
1472         <rdar://problem/36932466>
1473
1474         Reviewed by Mark Lam.
1475
1476         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1477         (runNearStackLimit.t):
1478         (runNearStackLimit):
1479         (try.runNearStackLimit):
1480         (catch):
1481
1482 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1483
1484         Update test262 to Jan 30 version
1485         https://bugs.webkit.org/show_bug.cgi?id=182288
1486
1487         Rubber stamped by Saam Barati.
1488
1489         This patch updates test262 to the latest one, Jan 30 version.
1490         Since added and changed files are too many, we cannot create ChangeLog.
1491         The following files are changed.
1492
1493         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1494         including some special line terminators (like u2028, u2029).
1495
1496         * test262.yaml:
1497         * test262/test262-Revision.txt:
1498         * test262/*:
1499
1500 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1501
1502         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1503         https://bugs.webkit.org/show_bug.cgi?id=182411
1504
1505         Reviewed by Carlos Alberto Lopez Perez.
1506
1507         This is skipped only on arm memory limited platforms. Until recently
1508         it was not a problem on MIPS as the butterfly was not initialized. But
1509         since r227435, the butterfly is initialized in that test and therefore
1510         memory is allocated, and the test typically takes around 512M, which
1511         means it generally gets OOM-killed on the MIPS buildbot.
1512
1513         * mozilla/mozilla-tests.yaml:
1514
1515 2018-02-01  Mark Lam  <mark.lam@apple.com>
1516
1517         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1518         https://bugs.webkit.org/show_bug.cgi?id=182419
1519         <rdar://problem/37044945>
1520
1521         Reviewed by Saam Barati.
1522
1523         * stress/regress-182419.js: Added.
1524
1525 2018-02-01  Keith Miller  <keith_miller@apple.com>
1526
1527         Fix crashes due to mishandling custom sections.
1528         https://bugs.webkit.org/show_bug.cgi?id=182404
1529         <rdar://problem/36935863>
1530
1531         Reviewed by Saam Barati.
1532
1533         * wasm/Builder.js:
1534         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1535         * wasm/js-api/validate.js:
1536         (assert.truthy):
1537
1538 2018-01-31  Saam Barati  <sbarati@apple.com>
1539
1540         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1541         https://bugs.webkit.org/show_bug.cgi?id=182074
1542         <rdar://problem/36846261>
1543
1544         Reviewed by Mark Lam.
1545
1546         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1547         (assert):
1548         (let.func):
1549         (let.o.foo):
1550         (varFunc):
1551
1552 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1553
1554         Unreviewed, update test262 expects
1555         https://bugs.webkit.org/show_bug.cgi?id=182232
1556
1557         * test262.yaml:
1558
1559 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1560
1561         [JSC] Implement trimStart and trimEnd
1562         https://bugs.webkit.org/show_bug.cgi?id=182233
1563
1564         Reviewed by Mark Lam.
1565
1566         * stress/trim.js: Added.
1567         (shouldBe):
1568         (startTest):
1569         (endTest):
1570         (trimTest):
1571
1572 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1573
1574         [JSC] Relax line terminators in String to make JSON subset of JS
1575         https://bugs.webkit.org/show_bug.cgi?id=182232
1576
1577         Reviewed by Keith Miller.
1578
1579         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1580         * stress/relaxed-line-terminators-in-string.js: Added.
1581         (shouldBe):
1582
1583 2018-01-29  Michael Saboff  <msaboff@apple.com>
1584
1585         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1586         https://bugs.webkit.org/show_bug.cgi?id=182249
1587
1588         Reviewed by Keith Miller.
1589
1590         New regression test.
1591
1592         * stress/compare-clobber-untypeduse.js: Added.
1593
1594 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1595
1596         Unreviewed, rolling out r227725.
1597
1598         This caused internal failures.
1599
1600         Reverted changeset:
1601
1602         "JSC Sampling Profiler: Detect tester and testee when sampling
1603         in RegExp JIT"
1604         https://bugs.webkit.org/show_bug.cgi?id=152729
1605         https://trac.webkit.org/changeset/227725
1606
1607 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1608
1609         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1610         https://bugs.webkit.org/show_bug.cgi?id=152729
1611
1612         Reviewed by Saam Barati.
1613
1614         * stress/sampling-profiler-regexp.js: Added.
1615         (platformSupportsSamplingProfiler.test):
1616         (platformSupportsSamplingProfiler.baz):
1617         (platformSupportsSamplingProfiler):
1618
1619 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1620
1621         [DFG][FTL] WeakMap#set should have DFG node
1622         https://bugs.webkit.org/show_bug.cgi?id=180015
1623
1624         Reviewed by Saam Barati.
1625
1626         * stress/weakmap-set-change-get.js: Added.
1627         (shouldBe):
1628         (test):
1629         * stress/weakmap-set-cse.js: Added.
1630         (shouldBe):
1631         (test):
1632         * stress/weakset-add-change-get.js: Added.
1633         (shouldBe):
1634         * stress/weakset-add-cse.js: Added.
1635         (shouldBe):
1636
1637 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1638
1639         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1640         https://bugs.webkit.org/show_bug.cgi?id=182213
1641
1642         Reviewed by Mark Lam.
1643
1644         * stress/int32-min-to-string.js: Added.
1645         (shouldBe):
1646         (test2):
1647         (test4):
1648         (test8):
1649         (test16):
1650         (test32):
1651         * stress/zero-to-string.js: Added.
1652         (shouldBe):
1653         (test2):
1654         (test4):
1655         (test8):
1656         (test16):
1657         (test32):
1658
1659 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1660
1661         Add more module scope related tests with code evaluation by string
1662         https://bugs.webkit.org/show_bug.cgi?id=181983
1663
1664         Reviewed by Sam Weinig.
1665
1666         Add more module scope related tests. When the original tests are landed,
1667         we do not have browser integration. This patch adds more module scope tests
1668         with dynamically created script evaluation. We add tests with Function
1669         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1670
1671         * modules/scopes-eval.js: Added.
1672         (shouldBe):
1673         * modules/scopes.js:
1674         (shouldBe):
1675
1676 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1677
1678         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1679
1680         * microbenchmarks/array-push-3.js: Removed.
1681         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1682         * microbenchmarks/double-to-int32.js: Removed.
1683         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1684         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1685         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1686         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1687         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1688         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1689         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1690         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1691         * microbenchmarks/map-constant-key.js: Removed.
1692         * microbenchmarks/nested-function-parsing.js: Removed.
1693         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1694         * microbenchmarks/spread-large-array.js: Removed.
1695         * microbenchmarks/string-add-constant-folding.js: Removed.
1696         * microbenchmarks/to-lower-case.js: Removed.
1697         * microbenchmarks/undefined-property-access.js: Removed.
1698         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1699         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1700         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1701         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1702         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1703         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1704         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1705         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1706         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1707         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1708         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1709         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1710         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1711         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1712         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1713         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1714         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1715         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1716
1717 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1718
1719         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1720         https://bugs.webkit.org/show_bug.cgi?id=181739
1721         <rdar://problem/36627662>
1722
1723         Reviewed by Saam Barati.
1724
1725         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1726         (foo):
1727         (bar):
1728
1729 2018-01-22  Michael Saboff  <msaboff@apple.com>
1730
1731         DFG abstract interpreter needs to properly model effects of some Math ops
1732         https://bugs.webkit.org/show_bug.cgi?id=181886
1733
1734         Reviewed by Saam Barati.
1735
1736         New regression test.
1737
1738         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1739         (test):
1740
1741 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1742
1743         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1744         https://bugs.webkit.org/show_bug.cgi?id=181182
1745
1746         Reviewed by Darin Adler.
1747
1748         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1749         * stress/big-int-prototype-to-string-exception.js: Added.
1750         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1751         * stress/number-prototype-to-string-cast-overflow.js: Added.
1752         * stress/number-prototype-to-string-exception.js: Added.
1753         * stress/number-prototype-to-string-wrong-values.js: Added.
1754
1755 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1756
1757         Disable Atomics when SharedArrayBuffer isn’t enabled
1758         https://bugs.webkit.org/show_bug.cgi?id=181572
1759
1760         Unreviewed test gardening.
1761
1762         * test262.yaml: Skip tests that fail after this change.
1763
1764 2018-01-19  Saam Barati  <sbarati@apple.com>
1765
1766         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1767         https://bugs.webkit.org/show_bug.cgi?id=181877
1768         <rdar://problem/36630552>
1769
1770         Reviewed by Mark Lam.
1771
1772         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1773         (runNearStackLimit):
1774         (f1):
1775         (f2):
1776         (f3):
1777         (i.catch):
1778         (i.try.runNearStackLimit):
1779         (catch):
1780
1781 2018-01-19  Saam Barati  <sbarati@apple.com>
1782
1783         Spread's effects are modeled incorrectly both in AI and in Clobberize
1784         https://bugs.webkit.org/show_bug.cgi?id=181867
1785         <rdar://problem/36290415>
1786
1787         Reviewed by Michael Saboff.
1788
1789         * stress/ai-needs-to-model-spreads-effects.js: Added.
1790         (try.p.Symbol.iterator):
1791         (try.go):
1792         (catch):
1793         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1794         (assert):
1795         (foo):
1796         (a.Symbol.iterator):
1797
1798 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1799
1800         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1801         https://bugs.webkit.org/show_bug.cgi?id=181535
1802
1803         * stress/inserted-recovery-with-set-last-index.js:
1804
1805 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1806
1807         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1808         https://bugs.webkit.org/show_bug.cgi?id=181535
1809
1810         Reviewed by Saam Barati.
1811
1812         * stress/inserted-recovery-with-set-last-index.js: Added.
1813         (shouldBe):
1814         (foo):
1815         * stress/materialize-regexp-at-osr-exit.js: Added.
1816         (shouldBe):
1817         (test):
1818         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1819         (shouldBe):
1820         (test):
1821         * stress/materialize-regexp-cyclic-regexp.js: Added.
1822         (shouldBe):
1823         (test):
1824         (i.switch):
1825         * stress/materialize-regexp-cyclic.js: Added.
1826         (shouldBe):
1827         (test):
1828         (i.switch):
1829         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1830         (bar):
1831         (foo):
1832         (test):
1833         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1834         (bar):
1835         (foo):
1836         (test):
1837         * stress/materialize-regexp.js: Added.
1838         (shouldBe):
1839         (test):
1840         * stress/phantom-regexp-regexp-exec.js: Added.
1841         (shouldBe):
1842         (test):
1843         * stress/phantom-regexp-string-match.js: Added.
1844         (shouldBe):
1845         (test):
1846         * stress/regexp-last-index-sinking.js: Added.
1847         (shouldBe):
1848         (test):
1849
1850 2018-01-17  Saam Barati  <sbarati@apple.com>
1851
1852         Disable Atomics when SharedArrayBuffer isn’t enabled
1853         https://bugs.webkit.org/show_bug.cgi?id=181572
1854         <rdar://problem/36553206>
1855
1856         Reviewed by Michael Saboff.
1857
1858         * stress/isLockFree.js:
1859
1860 2018-01-17  Saam Barati  <sbarati@apple.com>
1861
1862         DFG::Node::convertToConstant needs to clear the varargs flags
1863         https://bugs.webkit.org/show_bug.cgi?id=181697
1864         <rdar://problem/36497332>
1865
1866         Reviewed by Yusuke Suzuki.
1867
1868         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1869         (doIndexOf):
1870         (bar):
1871         (i.bar):
1872
1873 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1874
1875         Unreviewed, rolling out r226937.
1876
1877         Tests added with this change are failing due to a missing
1878         exception check.
1879
1880         Reverted changeset:
1881
1882         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1883         double to int32_t"
1884         https://bugs.webkit.org/show_bug.cgi?id=181182
1885         https://trac.webkit.org/changeset/226937
1886
1887 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1888
1889         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1890         https://bugs.webkit.org/show_bug.cgi?id=181182
1891
1892         Reviewed by Darin Adler.
1893
1894         * bigIntTests.yaml:
1895         * stress/big-int-constructor.js:
1896         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1897         (assert):
1898         (assertThrowRangeError):
1899         * stress/number-prototype-to-string-cast-overflow.js: Added.
1900         (assert):
1901         (assertThrowRangeError):
1902
1903 2018-01-12  Saam Barati  <sbarati@apple.com>
1904
1905         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1906         https://bugs.webkit.org/show_bug.cgi?id=181177
1907         <rdar://problem/36205704>
1908
1909         Reviewed by Yusuke Suzuki.
1910
1911         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1912         (runNearStackLimit.t):
1913         (runNearStackLimit):
1914         (test.f):
1915         (test):
1916
1917 2018-01-12  Saam Barati  <sbarati@apple.com>
1918
1919         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1920         https://bugs.webkit.org/show_bug.cgi?id=181562
1921         <rdar://problem/36445624>
1922
1923         Reviewed by Yusuke Suzuki.
1924
1925         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1926         (f):
1927         (foo):
1928
1929 2018-01-11  Saam Barati  <sbarati@apple.com>
1930
1931         When inserting Unreachable in byte code parser we need to flush all the right things
1932         https://bugs.webkit.org/show_bug.cgi?id=181509
1933         <rdar://problem/36423110>
1934
1935         Reviewed by Mark Lam.
1936
1937         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1938
1939 2018-01-11  Saam Barati  <sbarati@apple.com>
1940
1941         JITMathIC code in the FTL is wrong when code gets duplicated
1942         https://bugs.webkit.org/show_bug.cgi?id=181525
1943         <rdar://problem/36351993>
1944
1945         Reviewed by Michael Saboff and Keith Miller.
1946
1947         * stress/allow-math-ic-b3-code-duplication.js: Added.
1948
1949 2018-01-11  Saam Barati  <sbarati@apple.com>
1950
1951         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1952         https://bugs.webkit.org/show_bug.cgi?id=181508
1953
1954         Reviewed by Yusuke Suzuki.
1955
1956         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1957         (assert):
1958         (test1.foo):
1959         (test1):
1960         (test2.foo):
1961         (test2):
1962
1963 2018-01-09  Mark Lam  <mark.lam@apple.com>
1964
1965         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1966         https://bugs.webkit.org/show_bug.cgi?id=181388
1967         <rdar://problem/36349351>
1968
1969         Reviewed by Saam Barati.
1970
1971         * stress/regress-181388.js: Added.
1972
1973 2018-01-08  JF Bastien  <jfbastien@apple.com>
1974
1975         WebAssembly: mask indexed accesses to Table
1976         https://bugs.webkit.org/show_bug.cgi?id=181412
1977         <rdar://problem/36363236>
1978
1979         Reviewed by Saam Barati.
1980
1981         Update error messages.
1982
1983         * wasm/js-api/table.js:
1984         (assert.throws.WebAssembly.Table.prototype.grow):
1985
1986 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1987
1988         Disable SharedArrayBuffer tests missed in r226386.
1989         https://bugs.webkit.org/show_bug.cgi?id=181266
1990
1991         Unreviewed test gardening.
1992
1993         * test262.yaml:
1994
1995 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1996
1997         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1998         https://bugs.webkit.org/show_bug.cgi?id=181321
1999
2000         Reviewed by Saam Barati.
2001
2002         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2003         (shouldBe):
2004         (testFunction):
2005         * test262.yaml:
2006
2007 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2008
2009         Unreviewed, attempt to fix test262 after r226386.
2010
2011         * test262.yaml:
2012
2013 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2014
2015         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2016         https://bugs.webkit.org/show_bug.cgi?id=179911
2017
2018         Reviewed by Saam Barati.
2019
2020         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2021
2022         * stress/map-set-change-get.js: Added.
2023         (shouldBe):
2024         (test):
2025         * stress/map-set-create-bucket.js: Added.
2026         (shouldBe):
2027         (test):
2028         * stress/set-add-create-bucket.js: Added.
2029         (shouldBe):
2030
2031 2018-01-03  Michael Saboff  <msaboff@apple.com>
2032
2033         Disable SharedArrayBuffers from Web API
2034         https://bugs.webkit.org/show_bug.cgi?id=181266
2035
2036         Reviewed by Saam Barati.
2037
2038         Disabled SharedArrayBuffer tests.
2039
2040         * stress/SharedArrayBuffer-opt.js:
2041         * stress/SharedArrayBuffer.js:
2042         * stress/array-buffer-byte-length.js:
2043         * stress/atomics-add-uint32.js:
2044         * stress/atomics-known-int-use.js:
2045         * stress/atomics-neg-zero.js:
2046         * stress/atomics-store-return.js:
2047         * stress/lars-sab-workers.js:
2048         * stress/regress-159779-1.js:
2049         * stress/regress-159779-2.js:
2050         * stress/regress-170473.js:
2051         * test262.yaml:
2052
2053 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2054
2055         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2056         https://bugs.webkit.org/show_bug.cgi?id=181258
2057
2058         Reviewed by Antonio Gomes.
2059
2060         * stress/big-int-constructor-gc.js:
2061         * stress/big-int-constructor-oom.js:
2062
2063 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2064
2065         Inlining of a function that ends in op_unreachable crashes
2066         https://bugs.webkit.org/show_bug.cgi?id=181027
2067
2068         Reviewed by Filip Pizlo.
2069
2070         * stress/inlining-unreachable.js: Added.
2071         (bar):
2072         (baz):
2073         (i.catch):
2074
2075 2018-01-02  Saam Barati  <sbarati@apple.com>
2076
2077         Incorrect assertion inside AccessCase
2078         https://bugs.webkit.org/show_bug.cgi?id=181200
2079         <rdar://problem/35494754>
2080
2081         Reviewed by Yusuke Suzuki.
2082
2083         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2084         (ctor):
2085         (theFunc):
2086         (run):
2087
2088 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2089
2090         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2091         https://bugs.webkit.org/show_bug.cgi?id=175359
2092
2093         Reviewed by Yusuke Suzuki.
2094
2095         * bigIntTests.yaml:
2096         * stress/big-int-as-key.js: Added.
2097         * stress/big-int-constructor-gc.js: Added.
2098         * stress/big-int-constructor-oom.js: Added.
2099         * stress/big-int-constructor-properties.js: Added.
2100         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2101         * stress/big-int-constructor-prototype.js: Added.
2102         * stress/big-int-constructor.js: Added.
2103         * stress/big-int-function-apply.js:
2104         * stress/big-int-length.js: Added.
2105         * stress/big-int-prop-descriptor.js: Added.
2106         * stress/big-int-proto-constructor.js: Added.
2107         * stress/big-int-proto-name.js: Added.
2108         * stress/big-int-prototype-properties.js: Added.
2109         * stress/big-int-prototype-proto.js: Added.
2110         * stress/big-int-prototype-value-of.js: Added.
2111         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2112         * stress/big-int-prototype-to-string-apply.js: Added.
2113         * stress/big-int-to-object.js: Added.
2114         * stress/big-int-to-string.js: Added.
2115
2116 2017-12-28  Saam Barati  <sbarati@apple.com>
2117
2118         Assertion used to determine if something is an async generator is wrong
2119         https://bugs.webkit.org/show_bug.cgi?id=181168
2120         <rdar://problem/35640560>
2121
2122         Reviewed by Yusuke Suzuki.
2123
2124         * stress/async-generator-assertion.js: Added.
2125
2126 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2127
2128         Skip stress/splay-flash-access tests on memory limited platforms
2129         https://bugs.webkit.org/show_bug.cgi?id=181086
2130
2131         Reviewed by Carlos Alberto Lopez Perez.
2132
2133         These tests use about 185M of memory, and occasionally get OOM-killed
2134         on memory limited platforms.
2135
2136         * stress/splay-flash-access-1ms.js:
2137         * stress/splay-flash-access.js:
2138
2139 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2140
2141         Skip slow jsc tests on embedded platforms
2142         https://bugs.webkit.org/show_bug.cgi?id=180937
2143
2144         Reviewed by Carlos Alberto Lopez Perez.
2145
2146         The tests typeProfiler/deltablue-for-of.js and
2147         typeProfiler/getter-richards.js take a very long time in the
2148         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2149         thus always timeout. They should be skipped on these platforms.
2150
2151         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2152         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2153
2154 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2155
2156         [JSC] Do not check isValid() in op_new_regexp
2157         https://bugs.webkit.org/show_bug.cgi?id=180970
2158
2159         Reviewed by Saam Barati.
2160
2161         * stress/regexp-syntax-error-invalid-flags.js: Added.
2162         (shouldThrow):
2163
2164 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2165
2166         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2167         https://bugs.webkit.org/show_bug.cgi?id=180712
2168
2169         Reviewed by Michael Catanzaro.
2170
2171         stress/call-apply-exponential-bytecode-size.js crashes if the
2172         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2173         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2174         should skip the test on other platforms.
2175
2176         * stress/call-apply-exponential-bytecode-size.js:
2177
2178 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2179
2180         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2181         https://bugs.webkit.org/show_bug.cgi?id=179762
2182
2183         Reviewed by Saam Barati.
2184
2185         * stress/call-varargs-double-new-array-buffer.js: Added.
2186         (assert):
2187         (bar):
2188         (foo):
2189         * stress/call-varargs-spread-new-array-buffer.js: Added.
2190         (assert):
2191         (bar):
2192         (foo):
2193         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2194         (assert):
2195         (bar):
2196         (foo):
2197         * stress/forward-varargs-double-new-array-buffer.js: Added.
2198         (assert):
2199         (test.baz):
2200         (test.bar):
2201         (test.foo):
2202         (test):
2203         * stress/new-array-buffer-sinking-osrexit.js: Added.
2204         (target):
2205         (test):
2206         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2207         (shouldBe):
2208         (test):
2209         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2210         (shouldBe):
2211         (target):
2212         (test):
2213         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2214         (assert):
2215         (test1.bar):
2216         (test1.foo):
2217         (test1):
2218         (test2.bar):
2219         (test2.foo):
2220         (test3.baz):
2221         (test3.bar):
2222         (test3.foo):
2223         (test4.baz):
2224         (test4.bar):
2225         (test4.foo):
2226         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2227         (assert):
2228         (test.baz):
2229         (test.bar):
2230         (test.foo):
2231         (test):
2232         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2233         (assert):
2234         (baz):
2235         (bar):
2236         (effects):
2237         (foo):
2238
2239 2017-12-14  Saam Barati  <sbarati@apple.com>
2240
2241         The CleanUp after LICM is erroneously removing a Check
2242         https://bugs.webkit.org/show_bug.cgi?id=180852
2243         <rdar://problem/36063494>
2244
2245         Reviewed by Filip Pizlo.
2246
2247         * stress/dont-run-cleanup-after-licm.js: Added.
2248
2249 2017-12-14  Michael Saboff  <msaboff@apple.com>
2250
2251         REGRESSION (r225695): Repro crash on yahoo login page
2252         https://bugs.webkit.org/show_bug.cgi?id=180761
2253
2254         Reviewed by JF Bastien.
2255
2256         New regression test.
2257
2258         * stress/regress-180761.js: Added.
2259
2260 2017-12-13  Keith Miller  <keith_miller@apple.com>
2261
2262         JSObjects should have a mask for loading indexed properties
2263         https://bugs.webkit.org/show_bug.cgi?id=180768
2264
2265         Reviewed by Mark Lam.
2266
2267         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2268         (test):
2269
2270 2017-12-13  Saam Barati  <sbarati@apple.com>
2271
2272         Arrow functions need their own structure because they have different properties than sloppy functions
2273         https://bugs.webkit.org/show_bug.cgi?id=180779
2274         <rdar://problem/35814591>
2275
2276         Reviewed by Mark Lam.
2277
2278         * stress/arrow-function-needs-its-own-structure.js: Added.
2279         (assert):
2280         (readPrototype):
2281         (noInline.let.f1):
2282         (noInline):
2283
2284 2017-12-13  Saam Barati  <sbarati@apple.com>
2285
2286         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2287         https://bugs.webkit.org/show_bug.cgi?id=163579
2288         <rdar://problem/35455798>
2289
2290         Reviewed by Mark Lam.
2291
2292         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2293         (assert):
2294         (test1):
2295         (i.test1):
2296         (i.test1.C):
2297         (i.test1.async.foo):
2298         (i.test1.foo):
2299         (test2):
2300
2301 2017-12-13  Saam Barati  <sbarati@apple.com>
2302
2303         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2304         https://bugs.webkit.org/show_bug.cgi?id=180734
2305         <rdar://problem/35640547>
2306
2307         Reviewed by Yusuke Suzuki.
2308
2309         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2310         (__isPropertyOfType):
2311         (__getProperties):
2312         (__getObjects):
2313         (__getRandomObject):
2314         (theClass.):
2315         (theClass):
2316         (childClass):
2317         (counter.catch):
2318
2319 2017-12-12  Saam Barati  <sbarati@apple.com>
2320
2321         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2322         https://bugs.webkit.org/show_bug.cgi?id=180725
2323         <rdar://problem/35970511>
2324
2325         Reviewed by Michael Saboff.
2326
2327         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2328         (f1):
2329         (f2):
2330         (let.o2.valueOf):
2331
2332 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2333
2334         [JSC] Implement optimized WeakMap and WeakSet
2335         https://bugs.webkit.org/show_bug.cgi?id=179929
2336
2337         Reviewed by Saam Barati.
2338
2339         * microbenchmarks/weak-map-key.js:
2340         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2341         (assert):
2342         (objectKey):
2343         (let.start.Date.now):
2344         * stress/basic-weakmap.js: Added.
2345         (shouldBe):
2346         (test):
2347         * stress/basic-weakset.js: Added.
2348         (shouldBe):
2349         (test.set new):
2350         * stress/weakmap-cse-set-break.js: Added.
2351         (shouldBe):
2352         (test):
2353         * stress/weakmap-cse.js: Added.
2354         (shouldBe):
2355         (test):
2356         * stress/weakmap-gc.js: Added.
2357         (test):
2358         * stress/weakset-cse-add-break.js: Added.
2359         (shouldBe):
2360         (test.set new):
2361         * stress/weakset-cse.js: Added.
2362         (shouldBe):
2363         (test.set new):
2364         * stress/weakset-gc.js: Added.
2365         (test.set add):
2366         (test.set new):
2367         (test):
2368
2369 2017-12-12  Saam Barati  <sbarati@apple.com>
2370
2371         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2372         https://bugs.webkit.org/show_bug.cgi?id=180723
2373         <rdar://problem/35859726>
2374
2375         Reviewed by JF Bastien.
2376
2377         * stress/get-my-argument-by-val-constant-folding.js: Added.
2378         (test):
2379         (catch):
2380
2381 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2382
2383         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2384         https://bugs.webkit.org/show_bug.cgi?id=179000
2385
2386         Reviewed by Darin Adler and Yusuke Suzuki.
2387
2388         * bigIntTests.yaml: Added.
2389         * stress/big-int-literal-line-terminator.js: Added.
2390         * stress/big-int-literals.js: Added.
2391         * stress/big-int-operations-error.js: Added.
2392         * stress/big-int-type-of.js: Added.
2393         * stress/big-int-white-space-trailing-leading.js: Added.
2394         * stress/big-int-function-apply.js: Added.
2395
2396 2017-12-11  Saam Barati  <sbarati@apple.com>
2397
2398         We need to disableCaching() in ErrorInstance when we materialize properties
2399         https://bugs.webkit.org/show_bug.cgi?id=180343
2400         <rdar://problem/35833002>
2401
2402         Reviewed by Mark Lam.
2403
2404         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2405         (assert):
2406         (makeError):
2407         (storeToStack):
2408         (storeToStackAlreadyMaterialized):
2409
2410 2017-12-05  JF Bastien  <jfbastien@apple.com>
2411
2412         WebAssembly: don't eagerly checksum
2413         https://bugs.webkit.org/show_bug.cgi?id=180441
2414         <rdar://problem/35156628>
2415
2416         Reviewed by Saam Barati.
2417
2418         Checksum is now disabled, so tests only have <?> as the module
2419         name.
2420
2421         * wasm/function-tests/nameSection.js:
2422         * wasm/function-tests/stack-overflow.js:
2423         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2424         (assertOverflows.assertThrows):
2425         (assertOverflows):
2426         * wasm/function-tests/stack-trace.js:
2427
2428 2017-12-04  JF Bastien  <jfbastien@apple.com>
2429
2430         Proxy all functions, except the $ objects
2431         https://bugs.webkit.org/show_bug.cgi?id=180375
2432
2433         Reviewed by Saam Barati.
2434
2435         It looks like this test may have broken some executions because I
2436         call some internal objects. Explicitly ignore objects whose name
2437         starts with "$" because it's a bad idea anyways.
2438
2439         * stress/proxy-all-the-parameters.js:
2440         (generateObjects):
2441         (get throw):
2442
2443 2017-12-04  Saam Barati  <sbarati@apple.com>
2444
2445         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2446         https://bugs.webkit.org/show_bug.cgi?id=180366
2447         <rdar://problem/35685877>
2448
2449         Reviewed by Michael Saboff.
2450
2451         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2452         (theParent):
2453         (test1.base.getParentStaticValue):
2454         (test1.base):
2455         (test1.__v_24888.prototype.set prop):
2456         (test1.__v_24888):
2457         (test2.base.getParentStaticValue):
2458         (test2.base):
2459         (test2.__v_24888.prototype.set prop):
2460         (test2.__v_24888):
2461         (test2):
2462
2463 2017-12-01  JF Bastien  <jfbastien@apple.com>
2464
2465         Try proxying all function arguments
2466         https://bugs.webkit.org/show_bug.cgi?id=180306
2467
2468         Reviewed by Saam Barati.
2469
2470         * stress/proxy-all-the-parameters.js: Added.
2471         (isPropertyOfType):
2472         (getProperties):
2473         (generateObjects):
2474         (getObjects):
2475         (getFunctions):
2476         (get throw):
2477         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2478
2479 2017-12-01  JF Bastien  <jfbastien@apple.com>
2480
2481         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2482         https://bugs.webkit.org/show_bug.cgi?id=180297
2483         <rdar://problem/35745556>
2484
2485         Reviewed by Mark Lam.
2486
2487         * stress/math-exceptions.js: Added.
2488         (get try):
2489         (catch):
2490
2491 2017-12-01  JF Bastien  <jfbastien@apple.com>
2492
2493         JavaScriptCore: add test for weird class static getters
2494         https://bugs.webkit.org/show_bug.cgi?id=180281
2495         <rdar://problem/35592139>
2496
2497         Reviewed by Mark Lam.
2498
2499         I fixed a bug for it in r224927 and didn't add a test. Do so.
2500
2501         * stress/class-static-get-weird.js: Added.
2502         (c.prototype.get name):
2503         (c):
2504         (c.prototype.get arguments):
2505         (c.prototype.get caller):
2506         (c.prototype.get length):
2507
2508 2017-12-01  Saam Barati  <sbarati@apple.com>
2509
2510         Having a bad time needs to handle ArrayClass indexing type as well
2511         https://bugs.webkit.org/show_bug.cgi?id=180274
2512         <rdar://problem/35667869>
2513
2514         Reviewed by Keith Miller and Mark Lam.
2515
2516         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2517         (assert):
2518         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2519         (assert):
2520
2521 2017-12-01  JF Bastien  <jfbastien@apple.com>
2522
2523         WebAssembly: restore cached stack limit after out-call
2524         https://bugs.webkit.org/show_bug.cgi?id=179106
2525         <rdar://problem/35337525>
2526
2527         Reviewed by Saam Barati.
2528
2529         * wasm/function-tests/double-instance.js: Added.
2530         (const.imp.boom):
2531         (const.imp.get callAnother):
2532
2533 2017-11-30  JF Bastien  <jfbastien@apple.com>
2534
2535         WebAssembly: improve stack trace
2536         https://bugs.webkit.org/show_bug.cgi?id=179343
2537
2538         Reviewed by Saam Barati.
2539
2540         Update the tests to follow the new format. Notably, SHA1 module
2541         hash is now included in traces, and stubs are properly identified.
2542
2543         * wasm/assert.js: Add an assertion which matches regular expressions.
2544         * wasm/function-tests/nameSection.js:
2545         * wasm/function-tests/stack-overflow.js:
2546         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2547         (assertOverflows.assertThrows.wasm.1):
2548         (assertOverflows.assertThrows.wasm.0):
2549         (assertOverflows.assertThrows):
2550         (assertOverflows):
2551         * wasm/function-tests/stack-trace.js:
2552         (import.Builder.from.string_appeared_here.assert): Deleted.
2553         * wasm/function-tests/trap-after-cross-instance-call.js:
2554         (wasmFrameCountFromError):
2555         * wasm/function-tests/trap-load-2.js:
2556         (wasmFrameCountFromError):
2557         * wasm/function-tests/trap-load.js:
2558         (wasmFrameCountFromError):
2559
2560 2017-11-30  Mark Lam  <mark.lam@apple.com>
2561
2562         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2563         https://bugs.webkit.org/show_bug.cgi?id=180219
2564         <rdar://problem/35696536>
2565
2566         Reviewed by Filip Pizlo.
2567
2568         * stress/regress-180219.js: Added.
2569
2570 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2571
2572         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2573         https://bugs.webkit.org/show_bug.cgi?id=180190
2574
2575         Reviewed by Mark Lam.
2576
2577         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2578         (shouldBe):
2579         (test1):
2580         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2581         (shouldBe):
2582         (test1):
2583         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2584         (shouldBe):
2585         (test1):
2586         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2587         (shouldBe):
2588         (test1):
2589         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2590         (shouldBe):
2591         (test1):
2592         * stress/operation-in-may-have-negative-int32.js: Added.
2593         (shouldBe):
2594         (test2):
2595         * stress/operation-in-negative-int32-cast.js: Added.
2596         (shouldBe):
2597         (test1):
2598
2599 2017-11-28  JF Bastien  <jfbastien@apple.com>
2600
2601         Strict and sloppy functions shouldn't share structure
2602         https://bugs.webkit.org/show_bug.cgi?id=180103
2603         <rdar://problem/35667847>
2604
2605         Reviewed by Saam Barati.
2606
2607         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2608         because the IC was wrong.
2609         (foo):
2610         (bar):
2611         (baz):
2612         (catch):
2613         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2614         in this patch, but may as well test odd strict mode corner cases.
2615         (bar):
2616         (baz):
2617         (catch):
2618         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2619         (foo):
2620         (bar):
2621         (baz):
2622         (catch):
2623         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2624         next file, but with invalidation of the FunctionExecutable's
2625         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2626         slower path.
2627         (foo):
2628         (bar.const.x):
2629         (bar.const.y):
2630         (bar):
2631         (catch):
2632         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2633         strict nesting works correctly.
2634         (foo):
2635         (bar.baz):
2636         (bar):
2637         * stress/strict-function-structure.js: Added. The test used to
2638         assert in objectProtoFuncHasOwnProperty.
2639         (foo):
2640         (bar):
2641         (baz):
2642         * stress/strict-nested-function-structure.js: Added. Nesting.
2643         (foo):
2644         (bar):
2645         (baz.boo):
2646         (baz):
2647
2648 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2649
2650         The recursive tail call optimisation is wrong on closures
2651         https://bugs.webkit.org/show_bug.cgi?id=179835
2652
2653         Reviewed by Saam Barati.
2654
2655         * stress/closure-recursive-tail-call.js: Added.
2656         (makeClosure):
2657
2658 2017-11-27  JF Bastien  <jfbastien@apple.com>
2659
2660         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2661         https://bugs.webkit.org/show_bug.cgi?id=180051
2662         <rdar://problem/35614371>
2663
2664         Reviewed by Saam Barati.
2665
2666         * stress/rest-parameter-negative.js: Added.
2667         (__f_5484):
2668         (catch):
2669         (__f_5485):
2670         (__v_22598.catch):
2671
2672 2017-11-27  Saam Barati  <sbarati@apple.com>
2673
2674         Spread can escape when CreateRest does not
2675         https://bugs.webkit.org/show_bug.cgi?id=180057
2676         <rdar://problem/35676119>
2677
2678         Reviewed by JF Bastien.
2679
2680         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2681         (assert):
2682         (getProperties):
2683         (theFunc):
2684         (let.obj.valueOf):
2685
2686 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2687
2688         [DFG] Add NormalizeMapKey DFG IR
2689         https://bugs.webkit.org/show_bug.cgi?id=179912
2690
2691         Reviewed by Saam Barati.
2692
2693         * stress/map-untyped-normalize-cse.js: Added.
2694         (shouldBe):
2695         (test):
2696         * stress/map-untyped-normalize.js: Added.
2697         (shouldBe):
2698         (test):
2699         * stress/set-untyped-normalize-cse.js: Added.
2700         (shouldBe):
2701         (set return.set has.set has):
2702         * stress/set-untyped-normalize.js: Added.
2703         (shouldBe):
2704         (set return.set has):
2705
2706 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2707
2708         [FTL] Support DeleteById and DeleteByVal
2709         https://bugs.webkit.org/show_bug.cgi?id=180022
2710
2711         Reviewed by Saam Barati.
2712
2713         * stress/delete-by-id.js: Added.
2714         (shouldBe):
2715         (test1):
2716         (test2):
2717         * stress/delete-by-val-ftl.js: Added.
2718         (shouldBe):
2719         (test1):
2720         (test2):
2721
2722 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2723
2724         [DFG] Introduce {Set,Map,WeakMap}Fields
2725         https://bugs.webkit.org/show_bug.cgi?id=179925
2726
2727         Reviewed by Saam Barati.
2728
2729         * stress/map-set-clobber-map-get.js: Added.
2730         (shouldBe):
2731         (test):
2732         * stress/map-set-does-not-clobber-set-has.js: Added.
2733         (shouldBe):
2734         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2735         (shouldBe):
2736         (test):
2737         * stress/set-add-clobber-set-has.js: Added.
2738         (shouldBe):
2739         * stress/set-add-does-not-clobber-map-get.js: Added.
2740         (shouldBe):
2741
2742 2017-11-24  Mark Lam  <mark.lam@apple.com>
2743
2744         Move unsafe jsc shell test functions to the $vm object.
2745         https://bugs.webkit.org/show_bug.cgi?id=179980
2746
2747         Reviewed by Yusuke Suzuki.
2748
2749         * controlFlowProfiler/driver/driver.js:
2750         * controlFlowProfiler/execution-count.js:
2751         * controlFlowProfiler/if-statement.js:
2752         * controlFlowProfiler/loop-statements.js:
2753         * controlFlowProfiler/switch-statements.js:
2754         * controlFlowProfiler/test-jit.js:
2755         * exceptionFuzz/3d-cube.js:
2756         * exceptionFuzz/date-format-xparb.js:
2757         * exceptionFuzz/earley-boyer.js:
2758         * heapProfiler/basic-edges.js:
2759         * heapProfiler/property-edge-types.js:
2760         * microbenchmarks/try-get-by-id-basic.js:
2761         * microbenchmarks/try-get-by-id-polymorphic.js:
2762         * modules/namespace-object-try-get.js:
2763         * stress/argument-count-bytecode.js:
2764         * stress/argument-intrinsic-basic.js:
2765         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2766         * stress/argument-intrinsic-inlining-with-result-escape.js:
2767         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2768         * stress/argument-intrinsic-inlining-with-vararg.js:
2769         * stress/argument-intrinsic-nested-inlining.js:
2770         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2771         * stress/argument-intrinsic-with-stack-write.js:
2772         * stress/arity-mismatch-get-argument.js:
2773         * stress/array-message-passing.js:
2774         * stress/array-push-with-force-exit.js:
2775         * stress/check-dom-with-signature.js:
2776         * stress/check-sub-class.js:
2777         * stress/compare-eq-incomplete-profile.js:
2778         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2779         * stress/do-eval-virtual-call-correctly.js:
2780         * stress/dom-jit-with-poly-proto.js:
2781         * stress/domjit-exception-ic.js:
2782         * stress/domjit-exception.js:
2783         * stress/domjit-getter-complex-with-incorrect-object.js:
2784         * stress/domjit-getter-complex.js:
2785         * stress/domjit-getter-poly.js:
2786         * stress/domjit-getter-proto.js:
2787         * stress/domjit-getter-super-poly.js:
2788         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2789         * stress/domjit-getter-type-check.js:
2790         * stress/domjit-getter.js:
2791         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2792         * stress/for-in-proxy-target-changed-structure.js:
2793         * stress/for-in-proxy.js:
2794         * stress/generational-opaque-roots.js:
2795         * stress/global-const-redeclaration-setting-2.js:
2796         * stress/global-const-redeclaration-setting-3.js:
2797         * stress/global-const-redeclaration-setting-4.js:
2798         * stress/global-const-redeclaration-setting-5.js:
2799         * stress/global-const-redeclaration-setting.js:
2800         * stress/import-basic.js:
2801         * stress/import-from-eval.js:
2802         * stress/import-reject-with-exception.js:
2803         * stress/import-syntax.js:
2804         * stress/impure-get-own-property-slot-inline-cache.js:
2805         * stress/is-constructor.js:
2806         * stress/istypedarrayview-intrinsic.js:
2807         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2808         * stress/jsc-test-functions-should-be-more-robust.js:
2809         * stress/object-toString-with-proxy.js:
2810         * stress/poly-proto-custom-value-and-accessor.js:
2811         * stress/proxy-inline-cache.js:
2812         * stress/re-execute-error-module.js:
2813         * stress/regress-150532.js:
2814         * stress/regress-156992.js:
2815         * stress/regress-179619.js:
2816         * stress/resources/shadow-chicken-support.js:
2817         * stress/runtime-array.js:
2818         * stress/sampling-profiler-microtasks.js:
2819         * stress/shadow-chicken-enabled.js:
2820         * stress/spread-correct-global-object-on-exception.js:
2821         * stress/super-get-by-id.js:
2822         * stress/tailCallForwardArguments.js:
2823         * stress/to-object-intrinsic-boolean-edge.js:
2824         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2825         * stress/to-object-intrinsic-number-edge.js:
2826         * stress/to-object-intrinsic-object-edge.js:
2827         * stress/to-object-intrinsic-string-edge.js:
2828         * stress/to-object-intrinsic-symbol-edge.js:
2829         * stress/to-object-intrinsic.js:
2830         * stress/try-catch-custom-getter-as-get-by-id.js:
2831         * stress/try-get-by-id-poly-proto.js:
2832         * stress/try-get-by-id-should-spill-registers-dfg.js:
2833         * stress/try-get-by-id.js:
2834         * typeProfiler/arrow-functions.js:
2835         * typeProfiler/basic.js:
2836         * typeProfiler/captured.js:
2837         * typeProfiler/classes.js:
2838         * typeProfiler/dfg-jit-optimizations.js:
2839         * typeProfiler/dictionary-mode.js:
2840         * typeProfiler/es6-block-scoping.js:
2841         * typeProfiler/es6-classes.js:
2842         * typeProfiler/inheritance.js:
2843         * typeProfiler/int52-dfg.js:
2844         * typeProfiler/loop.js:
2845         * typeProfiler/optional-fields.js:
2846         * typeProfiler/overflow.js:
2847         * typeProfiler/return.js:
2848         * typeProfiler/symbol.js:
2849         * typeProfiler/weird-prototype-chain.js:
2850
2851 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2852
2853         [DFG][FTL] Support MapSet / SetAdd intrinsics
2854         https://bugs.webkit.org/show_bug.cgi?id=179858
2855
2856         Reviewed by Saam Barati.
2857
2858         * microbenchmarks/map-has-and-set.js: Added.
2859         (test):
2860         * stress/map-set-check-failure.js: Added.
2861         (shouldBe):
2862         (shouldThrow):
2863         (target):
2864         * stress/map-set-cse.js: Added.
2865         (shouldBe):
2866         (test):
2867         * stress/set-add-check-failure.js: Added.
2868         (shouldBe):
2869         (shouldThrow):
2870         (set shouldThrow):
2871         * stress/set-add-cse.js: Added.
2872         (shouldBe):
2873
2874 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2875
2876         [JSC] Allow poly proto for intrinsic getters
2877         https://bugs.webkit.org/show_bug.cgi?id=179550
2878
2879         Reviewed by Saam Barati.
2880
2881         This change is also tested by existing tests.
2882
2883             1. stress/intrinsic-getter-with-poly-proto.js
2884             2. stress/poly-proto-intrinsic-getter-correctness.js
2885
2886         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2887         (shouldBe):
2888         (makePolyProtoObject.foo.C):
2889         (makePolyProtoObject.foo):
2890         (makePolyProtoObject):
2891         (target):
2892         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2893         (shouldBe):
2894         (makePolyProtoObject.foo.C):
2895         (makePolyProtoObject.foo):
2896         (makePolyProtoObject):
2897         (target):
2898
2899 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2900
2901         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2902         https://bugs.webkit.org/show_bug.cgi?id=179744
2903
2904         Reviewed by Michael Catanzaro.
2905
2906         This test uses too much memory for our buildbots on these platforms
2907         and gets OOM-killed.
2908
2909         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2910         Skip if $memoryLimited and linux.
2911
2912 2017-11-17  JF Bastien  <jfbastien@apple.com>
2913
2914         WebAssembly JS API: throw when a promise can't be created
2915         https://bugs.webkit.org/show_bug.cgi?id=179826
2916         <rdar://problem/35455813>
2917
2918         Reviewed by Mark Lam.
2919
2920         Test WebAssembly.{compile,instantiate} where promise creation
2921         fails because of a stack overflow.
2922
2923         * wasm/js-api/promise-stack-overflow.js: Added.
2924         (const.runNearStackLimit.f.const.t):
2925         (async.testCompile):
2926         (async.testInstantiate):
2927
2928 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2929
2930         Unreviewed, mark regress-178385.js as memory exhausting
2931
2932         * stress/regress-178385.js:
2933
2934 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2935
2936         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2937
2938         Unreviewed test gardening.
2939
2940         * test262.yaml:
2941
2942 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2943
2944         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2945         https://bugs.webkit.org/show_bug.cgi?id=179763
2946         <rdar://problem/35550513>
2947
2948         Reviewed by Keith Miller.
2949
2950         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2951
2952         * stress/tdz-this-in-try-catch.js: Added.
2953         (__v_6388):
2954         (__v_6392):
2955
2956 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2957
2958         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2959         https://bugs.webkit.org/show_bug.cgi?id=179594
2960
2961         Reviewed by Saam Barati.
2962
2963         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2964         (shouldBe):
2965         (args):
2966         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2967         (shouldBe):
2968         (args):
2969
2970 2017-11-14  Saam Barati  <sbarati@apple.com>
2971
2972         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2973         https://bugs.webkit.org/show_bug.cgi?id=179639
2974         <rdar://problem/35513018>
2975
2976         Reviewed by JF Bastien.
2977
2978         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2979         (escape):
2980         (i.func):
2981
2982 2017-11-13  Mark Lam  <mark.lam@apple.com>
2983
2984         Add more overflow check book-keeping for MarkedArgumentBuffer.
2985         https://bugs.webkit.org/show_bug.cgi?id=179634
2986         <rdar://problem/35492517>
2987
2988         Reviewed by Saam Barati.
2989
2990         * stress/regress-179634.js: Added.
2991
2992 2017-11-13  Mark Lam  <mark.lam@apple.com>
2993
2994         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2995         https://bugs.webkit.org/show_bug.cgi?id=179619
2996         <rdar://problem/35492518>
2997
2998         Reviewed by Saam Barati.
2999
3000         * stress/regress-179619.js: Added.
3001
3002 2017-11-12  Mark Lam  <mark.lam@apple.com>
3003
3004         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3005         https://bugs.webkit.org/show_bug.cgi?id=179562
3006         <rdar://problem/35467022>
3007
3008         Reviewed by Saam Barati.
3009
3010         * regress-179562.js: Added.
3011
3012 2017-11-08  Saam Barati  <sbarati@apple.com>
3013
3014         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3015         https://bugs.webkit.org/show_bug.cgi?id=177792
3016
3017         Reviewed by Yusuke Suzuki.
3018
3019         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3020         (assert):
3021         (foo.Foo.prototype.ensureX):
3022         (foo.Foo):
3023         (foo):
3024         (access):
3025
3026 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3027
3028         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3029         https://bugs.webkit.org/show_bug.cgi?id=178592
3030
3031         Unreviewed test gardening.
3032
3033         * test262.yaml:
3034
3035 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3036
3037         Turn recursive tail calls into loops
3038         https://bugs.webkit.org/show_bug.cgi?id=176601
3039
3040         Reviewed by Saam Barati.
3041
3042         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3043
3044         Add some simple test that computes factorial in several ways, and other trivial computations.
3045         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3046         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3047         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3048         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3049
3050         * stress/inline-call-to-recursive-tail-call.js: Added.
3051         (factorial.aux):
3052         (factorial):
3053         (factorial2.aux2):
3054         (factorial2.id):
3055         (factorial2):
3056         (factorial3.aux3):
3057         (factorial3):
3058         (aux4):
3059         (factorial4):
3060         (foo):
3061         (auxBar):
3062         (bar):
3063         (test):
3064
3065 2017-11-07  Mark Lam  <mark.lam@apple.com>
3066
3067         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3068         https://bugs.webkit.org/show_bug.cgi?id=179355
3069         <rdar://problem/35263053>
3070
3071         Reviewed by Saam Barati.
3072
3073         * stress/regress-179355.js: Added.
3074
3075 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3076
3077         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3078         https://bugs.webkit.org/show_bug.cgi?id=144458
3079
3080         Reviewed by Saam Barati.
3081
3082         * microbenchmarks/dfg-internal-function-call.js: Added.
3083         (target):
3084         * microbenchmarks/dfg-internal-function-construct.js: Added.
3085         (target):
3086         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3087         (target):
3088         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3089         (target):
3090         * stress/dfg-internal-function-call.js: Added.
3091         (shouldBe):
3092         (target):
3093         * stress/dfg-internal-function-construct.js: Added.
3094         (shouldBe):
3095         (target):
3096         * stress/internal-function-call.js: Added.
3097         (shouldBe):
3098         * stress/internal-function-construct.js: Added.
3099         (shouldBe):
3100
3101 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3102
3103         [Win] Skip stress/regress-178385.js.
3104         https://bugs.webkit.org/show_bug.cgi?id=179298
3105
3106         Unreviewed test gardening.
3107
3108         * stress/regress-178385.js:
3109
3110 2017-11-03  Keith Miller  <keith_miller@apple.com>
3111
3112         Add test for ic with side effects
3113         https://bugs.webkit.org/show_bug.cgi?id=179268
3114
3115         Reviewed by Saam Barati.
3116
3117         * stress/put-inline-cache-side-effects.js: Added.
3118         (let.i.of.objs.keys):
3119         (f):
3120
3121 2017-11-03  Mark Lam  <mark.lam@apple.com>
3122
3123         CachedCall (and its clients) needs overflow checks.
3124         https://bugs.webkit.org/show_bug.cgi?id=179185
3125
3126         Reviewed by JF Bastien.
3127
3128         * stress/regress-179185.js: Added.
3129
3130 2017-11-02  Michael Saboff  <msaboff@apple.com>
3131
3132         DFG needs to handle code motion of code in for..in loop bodies
3133         https://bugs.webkit.org/show_bug.cgi?id=179212
3134
3135         Reviewed by Keith Miller.
3136
3137         New regression test.
3138
3139         * stress/for-in-side-effects.js: Added.
3140         (getPrototypeOf):
3141         (reset):
3142         (testWithoutFTL.f):
3143         (testWithoutFTL):
3144         (testWithFTL.f):
3145         (testWithFTL):
3146
3147 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3148
3149         AI does not correctly model the clobber case of ArithClz32
3150         https://bugs.webkit.org/show_bug.cgi?id=179188
3151
3152         Reviewed by Michael Saboff.
3153
3154         * stress/arith-clz32-effects.js: Added.
3155         (foo):
3156         (valueOf):
3157
3158 2017-11-01  Michael Saboff  <msaboff@apple.com>
3159
3160         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3161         https://bugs.webkit.org/show_bug.cgi?id=179140
3162
3163         Reviewed by Saam Barati.
3164
3165         New regression test.
3166
3167         * stress/regress-179140.js: Added.
3168         (testWithoutFTL):
3169         (testWithFTL):
3170
3171 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3172
3173         [JSC] Introduce @toObject
3174         https://bugs.webkit.org/show_bug.cgi?id=178726
3175
3176         Reviewed by Saam Barati.
3177
3178         * stress/array-copywithin.js:
3179         (shouldThrow):
3180         * stress/object-constructor-boolean-edge.js: Added.
3181         (shouldBe):
3182         (test):
3183         * stress/object-constructor-global.js: Added.
3184         (shouldBe):
3185         * stress/object-constructor-null-edge.js: Added.
3186         (shouldBe):
3187         (test):
3188         * stress/object-constructor-number-edge.js: Added.
3189         (shouldBe):
3190         (test):
3191         * stress/object-constructor-object-edge.js: Added.
3192         (shouldBe):
3193         (test):
3194         (i.arg):
3195         * stress/object-constructor-string-edge.js: Added.
3196         (shouldBe):
3197         (test):
3198         * stress/object-constructor-symbol-edge.js: Added.
3199         (shouldBe):
3200         (test):
3201         * stress/object-constructor-undefined-edge.js: Added.
3202         (shouldBe):
3203         (test):
3204         * stress/symbol-array-from.js: Added.
3205         (shouldBe):
3206         * stress/to-object-intrinsic-boolean-edge.js: Added.
3207         (shouldBe):
3208         (builtin.createBuiltin):
3209         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3210         (shouldThrow):
3211         * stress/to-object-intrinsic-number-edge.js: Added.
3212         (shouldBe):
3213         (builtin.createBuiltin):
3214         * stress/to-object-intrinsic-object-edge.js: Added.
3215         (shouldBe):
3216         (builtin.createBuiltin):
3217         (i.arg):
3218         * stress/to-object-intrinsic-string-edge.js: Added.
3219         (shouldBe):
3220         (builtin.createBuiltin):
3221         * stress/to-object-intrinsic-symbol-edge.js: Added.
3222         (shouldBe):
3223         (builtin.createBuiltin):
3224         * stress/to-object-intrinsic.js: Added.
3225         (shouldBe):
3226         (shouldThrow):
3227         (builtin.createBuiltin):
3228
3229 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3230
3231         [DFG][FTL] Introduce StringSlice
3232         https://bugs.webkit.org/show_bug.cgi?id=178934
3233
3234         Reviewed by Saam Barati.
3235
3236         * microbenchmarks/string-slice-empty.js: Added.
3237         (slice):
3238         * microbenchmarks/string-slice-one-char.js: Added.
3239         (slice):
3240         * microbenchmarks/string-slice.js: Added.
3241         (slice):
3242
3243 2017-10-26  Michael Saboff  <msaboff@apple.com>
3244
3245         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3246         https://bugs.webkit.org/show_bug.cgi?id=178890
3247
3248         Reviewed by Keith Miller.
3249
3250         New regression test.
3251
3252         * stress/regress-178890.js: Added.
3253
3254 2017-10-26  Mark Lam  <mark.lam@apple.com>
3255
3256         JSRopeString::RopeBuilder::append() should check for overflows.
3257         https://bugs.webkit.org/show_bug.cgi?id=178385
3258         <rdar://problem/35027468>
3259
3260         Reviewed by Saam Barati.
3261
3262         * stress/regress-178385.js: Added.
3263
3264 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3265
3266         Unreviewed, rolling out r223961.
3267
3268         The change that required this has been rolled out.
3269
3270         Reverted changeset:
3271
3272         "Mark test262.yaml/test262/test/language/statements/try/tco-
3273         catch.js as passing."
3274         https://bugs.webkit.org/show_bug.cgi?id=178592
3275         https://trac.webkit.org/changeset/223961
3276
3277 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3278
3279         Unreviewed, rolling out r223691 and r223729.
3280         https://bugs.webkit.org/show_bug.cgi?id=178834
3281
3282         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3283         by rniwa on #webkit).
3284
3285         Reverted changesets:
3286
3287         "Turn recursive tail calls into loops"
3288         https://bugs.webkit.org/show_bug.cgi?id=176601
3289         https://trac.webkit.org/changeset/223691
3290
3291         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3292         comparison is always false due to limited range of data type
3293         [-Wtype-limits]"
3294         https://bugs.webkit.org/show_bug.cgi?id=178543
3295         https://trac.webkit.org/changeset/223729
3296
3297 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3298
3299         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3300         https://bugs.webkit.org/show_bug.cgi?id=178592
3301
3302         Unreviewed test gardening.
3303
3304         * test262.yaml:
3305
3306 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3307
3308         [FTL] Support NewStringObject
3309         https://bugs.webkit.org/show_bug.cgi?id=178737
3310
3311         Reviewed by Saam Barati.
3312
3313         * stress/new-string-object.js: Added.
3314         (shouldBe):
3315         (test):
3316
3317 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3318
3319         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3320         https://bugs.webkit.org/show_bug.cgi?id=178308
3321
3322         Reviewed by Mark Lam.
3323
3324         * test262.yaml:
3325
3326 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3327
3328         [JSC] Use fastJoin in Array#toString
3329         https://bugs.webkit.org/show_bug.cgi?id=178062
3330
3331         Reviewed by Darin Adler.
3332
3333         * microbenchmarks/contiguous-array-to-string.js: Added.
3334         (target):
3335         * microbenchmarks/double-array-to-string.js: Added.
3336         (target):
3337         * microbenchmarks/int32-array-to-string.js: Added.
3338         (target):
3339
3340 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3341
3342         stress/check-string-ident.js is improperly skipped
3343         https://bugs.webkit.org/show_bug.cgi?id=178642
3344
3345         Reviewed by Saam Barati.
3346
3347         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3348         since it enforces the run-jsc-stress-tests script to still set up the
3349         test to run, despite the skip directive that's used before.
3350
3351 2017-10-20  Mark Lam  <mark.lam@apple.com>
3352
3353         Add a test case for r214334.
3354         https://bugs.webkit.org/show_bug.cgi?id=169941
3355         <rdar://problem/31221258>
3356
3357         Reviewed by JF Bastien.
3358
3359         * stress/regress-169941.js: Added.
3360
3361 2017-10-19  JF Bastien  <jfbastien@apple.com>
3362
3363         WebAssembly: no VM / JS version of everything but Instance
3364         https://bugs.webkit.org/show_bug.cgi?id=177473
3365
3366         Reviewed by Filip Pizlo, Saam Barati.
3367
3368         - Exceeding max on memory growth now returns a range error as per
3369         spec. This is a (very minor) breaking change: it used to throw OOM
3370         error. Update the corresponding test.
3371
3372         * wasm/js-api/memory-grow.js:
3373         (assertEq):
3374         * wasm/js-api/table.js:
3375         (assert.throws):
3376
3377 2017-10-19  Mark Lam  <mark.lam@apple.com>
3378
3379         Stringifier::appendStringifiedValue() is missing an exception check.
3380         https://bugs.webkit.org/show_bug.cgi?id=178386
3381         <rdar://problem/35027610>
3382
3383         Reviewed by Saam Barati.
3384
3385         * stress/regress-178386.js: Added.
3386
3387 2017-10-19  Michael Saboff  <msaboff@apple.com>
3388
3389         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3390         https://bugs.webkit.org/show_bug.cgi?id=178521
3391
3392         Reviewed by JF Bastien.
3393
3394         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3395         now passes with the current version (5.0) of the Emoji spec.
3396
3397 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3398
3399         Turn recursive tail calls into loops
3400         https://bugs.webkit.org/show_bug.cgi?id=176601
3401
3402         Reviewed by Saam Barati.
3403
3404         Add some simple test that computes factorial in several ways, and other trivial computations.
3405         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3406         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3407         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3408         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3409
3410         * stress/inline-call-to-recursive-tail-call.js: Added.
3411         (factorial.aux):
3412         (factorial):
3413         (factorial2.aux):
3414         (factorial2.id):
3415         (factorial2):
3416         (factorial3.aux):
3417         (factorial3):
3418         (aux):
3419         (factorial4):
3420         (test):
3421
3422 2017-10-18  Mark Lam  <mark.lam@apple.com>
3423
3424         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3425         https://bugs.webkit.org/show_bug.cgi?id=177600
3426         <rdar://problem/34710985>
3427
3428         Reviewed by Saam Barati.
3429
3430         * stress/regress-177600.js: Added.
3431
3432 2017-10-18  Mark Lam  <mark.lam@apple.com>
3433
3434         The compiler should always register a structure when it adds its transitionWatchPointSet.
3435         https://bugs.webkit.org/show_bug.cgi?id=178420
3436         <rdar://problem/34814024>
3437
3438         Reviewed by Saam Barati and Filip Pizlo.
3439
3440         * stress/regress-178420.js: Added.
3441         (new.Array.10000.map):
3442
3443 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3444
3445         [JSC] __proto__ getter should be fast
3446         https://bugs.webkit.org/show_bug.cgi?id=178067
3447
3448         Reviewed by Saam Barati.
3449
3450         * stress/dfg-object-proto-accessor.js: Added.
3451         (shouldBe):
3452         (shouldThrow):
3453         (target):
3454         * stress/dfg-object-proto-getter.js: Added.
3455         (shouldBe):
3456         (shouldThrow):
3457         (target):
3458         * stress/dfg-object-prototype-of.js: Added.
3459         (shouldBe):
3460         (shouldThrow):
3461         (target):
3462         * stress/dfg-reflect-get-prototype-of.js: Added.
3463         (shouldBe):
3464         (shouldThrow):
3465         (target):
3466         * stress/intrinsic-getter-with-poly-proto.js: Added.
3467         (shouldBe):
3468         (makePolyProtoObject.foo.C):
3469         (makePolyProtoObject.foo):
3470         (makePolyProtoObject):
3471         (target):
3472         * stress/object-get-prototype-of-filtered.js: Added.
3473         (shouldBe):
3474         (shouldThrow):
3475         (target):
3476         (i.Cocoa):
3477         * stress/object-get-prototype-of-mono-proto.js: Added.
3478         (shouldBe):
3479         (makePolyProtoObject.foo.C):
3480         (makePolyProtoObject.foo):
3481         (makePolyProtoObject):
3482         (target):
3483         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3484         (shouldBe):
3485         (makePolyProtoObject.foo.C):
3486         (makePolyProtoObject.foo):
3487         (makePolyProtoObject):
3488         (target):
3489         * stress/object-get-prototype-of-poly-proto.js: Added.
3490         (shouldBe):
3491         (makePolyProtoObject.foo.C):
3492         (makePolyProtoObject.foo):
3493         (makePolyProtoObject):
3494         (target):
3495         * stress/object-proto-getter-filtered.js: Added.
3496         (shouldBe):
3497         (shouldThrow):
3498         (target):
3499         (i.Cocoa):
3500         * stress/object-proto-getter-poly-mono-proto.js: Added.
3501         (shouldBe):
3502         (makePolyProtoObject.foo.C):
3503         (makePolyProtoObject.foo):
3504         (makePolyProtoObject):
3505         (target):
3506         * stress/object-proto-getter-poly-proto.js: Added.
3507         (shouldBe):
3508         (makePolyProtoObject.foo.C):
3509         (makePolyProtoObject.foo):
3510         (makePolyProtoObject):
3511         (target):
3512         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3513         * stress/string-proto.js: Added.
3514         (shouldBe):
3515         (target):
3516
3517 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3518
3519         Unreviewed, rolling out r223523.
3520
3521         A test for this change is failing on debug JSC bots.
3522
3523         Reverted changeset:
3524
3525         "[JSC] __proto__ getter should be fast"
3526         https://bugs.webkit.org/show_bug.cgi?id=178067
3527         https://trac.webkit.org/changeset/223523
3528
3529 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3530
3531         [JSC] __proto__ getter should be fast
3532         https://bugs.webkit.org/show_bug.cgi?id=178067
3533
3534         Reviewed by Saam Barati.
3535
3536         * stress/dfg-object-proto-accessor.js: Added.
3537         (shouldBe):
3538         (shouldThrow):
3539         (target):
3540         * stress/dfg-object-proto-getter.js: Added.
3541         (shouldBe):
3542         (shouldThrow):
3543         (target):
3544         * stress/dfg-object-prototype-of.js: Added.
3545         (shouldBe):
3546         (shouldThrow):
3547         (target):
3548         * stress/dfg-reflect-get-prototype-of.js: Added.
3549         (shouldBe):
3550         (shouldThrow):
3551         (target):
3552         * stress/object-get-prototype-of-filtered.js: Added.
3553         (shouldBe):
3554         (shouldThrow):
3555         (target):
3556         (i.Cocoa):
3557         * stress/object-get-prototype-of-mono-proto.js: Added.
3558         (shouldBe):
3559         (makePolyProtoObject.foo.C):
3560         (makePolyProtoObject.foo):
3561         (makePolyProtoObject):
3562         (target):
3563         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3564         (shouldBe):
3565         (makePolyProtoObject.foo.C):
3566         (makePolyProtoObject.foo):
3567         (makePolyProtoObject):
3568         (target):
3569         * stress/object-get-prototype-of-poly-proto.js: Added.
3570         (shouldBe):
3571         (makePolyProtoObject.foo.C):
3572         (makePolyProtoObject.foo):
3573         (makePolyProtoObject):
3574         (target):
3575         * stress/object-proto-getter-filtered.js: Added.
3576         (shouldBe):
3577         (shouldThrow):
3578         (target):
3579         (i.Cocoa):
3580         * stress/object-proto-getter-poly-mono-proto.js: Added.
3581         (shouldBe):
3582         (makePolyProtoObject.foo.C):
3583         (makePolyProtoObject.foo):
3584         (makePolyProtoObject):
3585         (target):
3586         * stress/object-proto-getter-poly-proto.js: Added.
3587         (shouldBe):
3588         (makePolyProtoObject.foo.C):
3589         (makePolyProtoObject.foo):
3590         (makePolyProtoObject):
3591         (target):
3592         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3593         * stress/string-proto.js: Added.
3594         (shouldBe):
3595         (target):
3596
3597 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3598
3599         Reland "Add Above/Below comparisons for UInt32 patterns"
3600         https://bugs.webkit.org/show_bug.cgi?id=177281
3601
3602         Reviewed by Saam Barati.
3603
3604         * stress/uint32-comparison-jump.js: Added.
3605         (shouldBe):
3606         (above):
3607         (aboveOrEqual):
3608         (below):
3609         (belowOrEqual):
3610         (notAbove):
3611         (notAboveOrEqual):
3612         (notBelow):
3613         (notBelowOrEqual):
3614         * stress/uint32-comparison.js: Added.
3615         (shouldBe):
3616         (above):
3617         (aboveOrEqual):
3618         (below):
3619         (belowOrEqual):
3620         (aboveTest):
3621         (aboveOrEqualTest):
3622         (belowTest):
3623         (belowOrEqualTest):
3624
3625 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3626
3627         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3628         https://bugs.webkit.org/show_bug.cgi?id=178210
3629
3630         Reviewed by Saam Barati.
3631
3632         * wasm/function-tests/trap-from-start-async.js:
3633         (async.StartTrapsAsync):
3634         * wasm/function-tests/trap-from-start.js:
3635         (StartTraps):
3636         * wasm/js-api/web-assembly-function.js:
3637         (assert.eq.Object.getPrototypeOf):
3638         * wasm/js-api/wrapper-function.js:
3639         (return.new.WebAssembly.Module):
3640         (assert.throws.makeInstance): Deleted.
3641         (assert.throws.Bar): Deleted.
3642         (assert.throws): Deleted.
3643
3644 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3645
3646         Enable gigacage on iOS
3647         https://bugs.webkit.org/show_bug.cgi?id=177586
3648
3649         Reviewed by JF Bastien.
3650         
3651         Add tests for when Gigacage gets runtime disabled.
3652
3653         * stress/disable-gigacage-arrays.js: Added.
3654         (foo):
3655         * stress/disable-gigacage-strings.js: Added.
3656         (foo):
3657         * stress/disable-gigacage-typed-arrays.js: Added.
3658         (foo):
3659
3660 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3661
3662         import.meta should not be assignable
3663         https://bugs.webkit.org/show_bug.cgi?id=178202
3664
3665         Reviewed by Saam Barati.
3666
3667         * modules/import-meta-assignment.js: Added.
3668         (shouldThrow):
3669         (SyntaxError.import.meta.can.shouldThrow):
3670
3671 2017-10-11  Saam Barati  <sbarati@apple.com>
3672
3673         Unreviewed. Actually skip certain type profiler tests in debug.
3674
3675         * typeProfiler.yaml:
3676         * typeProfiler/deltablue-for-of.js:
3677         * typeProfiler/getter-richards.js:
3678
3679 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3680
3681         Unreviewed, rolling out r223113 and r223121.
3682         https://bugs.webkit.org/show_bug.cgi?id=178182
3683
3684         Reintroduced 20% regression on Kraken (Requested by rniwa on
3685         #webkit).
3686
3687         Reverted changesets:
3688
3689         "Enable gigacage on iOS"
3690         https://bugs.webkit.org/show_bug.cgi?id=177586
3691         https://trac.webkit.org/changeset/223113
3692
3693         "Use one virtual allocation for all gigacages and their
3694         runways"
3695         https://bugs.webkit.org/show_bug.cgi?id=178050
3696         https://trac.webkit.org/changeset/223121
3697
3698 2017-10-11  Michael Saboff  <msaboff@apple.com>
3699
3700         Disable test262 named capture group tests with direct unicode names and with references before definitions
3701         https://bugs.webkit.org/show_bug.cgi?id=178177
3702
3703         Reviewed by Keith Miller.
3704
3705         Bugs to track fixing these test are:
3706         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3707             "Add support in named capture group identifiers for direct surrogate pairs"
3708         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3709             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3710
3711         * test262.yaml:
3712
3713 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3714
3715         Object properties are undefined in super.call() but not in this.call()
3716         https://bugs.webkit.org/show_bug.cgi?id=177230
3717
3718         Reviewed by Saam Barati.
3719
3720         * stress/super-call-function-subclass.js: Added.
3721         (assert):
3722         (A.prototype.t):
3723         (A):
3724         * stress/super-dot-call-and-apply.js: Added.
3725         (assert):
3726         (A):
3727         (A.prototype.call):
3728         (A.prototype.apply):
3729         (B.prototype.testSuper):
3730         (B):
3731         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3732         (D.prototype.testSuper):
3733         (D):
3734
3735 2017-10-10  Saam Barati  <sbarati@apple.com>
3736
3737         The prototype cache should be aware of the Executable it generates a Structure for
3738         https://bugs.webkit.org/show_bug.cgi?id=177907
3739
3740         Reviewed by Filip Pizlo.
3741
3742         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3743         (assert):
3744         (foo.C):
3745         (foo):
3746         (bar.C):
3747         (bar):
3748         (access):
3749         (makeLongChain):
3750         (accessY):
3751
3752 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3753
3754         `async` should be able to be used as an imported binding name
3755         https://bugs.webkit.org/show_bug.cgi?id=176573
3756
3757         Reviewed by Saam Barati.
3758
3759         * modules/import-default-async.js: Added.
3760         * modules/import-named-async-as.js: Added.
3761         * modules/import-named-async.js: Added.
3762         * modules/import-named-async/target.js: Added.
3763         * modules/import-namespace-async.js: Added.
3764         * test262.yaml:
3765
3766 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3767
3768         Enable gigacage on iOS
3769         https://bugs.webkit.org/show_bug.cgi?id=177586
3770
3771         Reviewed by JF Bastien.
3772         
3773         Add tests for when Gigacage gets runtime disabled.
3774
3775         * stress/disable-gigacage-arrays.js: Added.
3776         (foo):
3777         * stress/disable-gigacage-strings.js: Added.
3778         (foo):
3779         * stress/disable-gigacage-typed-arrays.js: Added.
3780         (foo):
3781
3782 2017-10-09  Michael Saboff  <msaboff@apple.com>
3783
3784         Implement RegExp Unicode property escapes
3785         https://bugs.webkit.org/show_bug.cgi?id=172069
3786
3787         Reviewed by JF Bastien.
3788
3789         Enabled Unicode Property tests.
3790
3791         * test262.yaml:
3792
3793 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3794
3795         Unreviewed, rolling out r223015 and r223025.
3796         https://bugs.webkit.org/show_bug.cgi?id=178093
3797
3798         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3799         #webkit).
3800
3801         Reverted changesets:
3802
3803         "Enable gigacage on iOS"
3804         https://bugs.webkit.org/show_bug.cgi?id=177586
3805         http://trac.webkit.org/changeset/223015
3806
3807         "Unreviewed, disable Gigacage on ARM64 Linux"
3808         https://bugs.webkit.org/show_bug.cgi?id=177586
3809         http://trac.webkit.org/changeset/223025
3810
3811 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3812
3813         Update expectations for test262 tests that pass after r223043.
3814         https://bugs.webkit.org/show_bug.cgi?id=176685
3815
3816         Unreviewed test gardening.
3817
3818         * test262.yaml:
3819
3820 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3821
3822         Unreviewed, rolling out r223022.
3823
3824         This change introduced 18 test262 failures.
3825
3826         Reverted changeset:
3827
3828         "`async` should be able to be used as an imported binding
3829         name"
3830         https://bugs.webkit.org/show_bug.cgi?id=176573
3831         http://trac.webkit.org/changeset/223022
3832
3833 2017-10-09  Saam Barati  <sbarati@apple.com>
3834
3835         3 poly-proto JSC tests timing out on debug after r222827
3836         https://bugs.webkit.org/show_bug.cgi?id=177880
3837         <rdar://problem/34817122>
3838
3839         Unreviewed.
3840
3841         I'm skipping these type profiler tests on debug since they are long running.
3842
3843         * typeProfiler/deltablue-for-of.js:
3844         * typeProfiler/getter-richards.js:
3845
3846 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3847
3848         Safari 10 /11 problem with if (!await get(something)).
3849         https://bugs.webkit.org/show_bug.cgi?id=176685
3850
3851         Reviewed by Saam Barati.
3852
3853         * stress/async-await-basic.js:
3854         (awaitEpression.async):
3855         * stress/async-await-syntax.js:
3856         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3857         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3858
3859 2017-10-08  Saam Barati  <sbarati@apple.com>
3860
3861         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3862
3863         * typeProfiler/deltablue-for-of.js:
3864         * typeProfiler/getter-richards.js:
3865
3866 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3867
3868         `async` should be able to be used as an imported binding name
3869         https://bugs.webkit.org/show_bug.cgi?id=176573
3870
3871         Reviewed by Darin Adler.
3872
3873         * modules/import-default-async.js: Added.
3874         * modules/import-named-async-as.js: Added.
3875         * modules/import-named-async.js: Added.
3876         * modules/import-named-async/target.js: Added.
3877         * modules/import-namespace-async.js: Added.
3878
3879 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3880
3881         Enable gigacage on iOS
3882         https://bugs.webkit.org/show_bug.cgi?id=177586
3883
3884         Reviewed by JF Bastien.
3885         
3886         Add tests for when Gigacage gets runtime disabled.
3887
3888         * stress/disable-gigacage-arrays.js: Added.
3889         (foo):
3890         * stress/disable-gigacage-strings.js: Added.
3891         (foo):
3892         * stress/disable-gigacage-typed-arrays.js: Added.
3893         (foo):
3894
3895 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3896
3897         Unreviewed, rolling out r222791 and r222873.
3898         https://bugs.webkit.org/show_bug.cgi?id=178031
3899
3900         Caused crashes with workers/wasm LayoutTests (Requested by
3901         ryanhaddad on #webkit).
3902
3903         Reverted changesets:
3904
3905         "WebAssembly: no VM / JS version of everything but Instance"
3906         https://bugs.webkit.org/show_bug.cgi?id=177473
3907         http://trac.webkit.org/changeset/222791
3908
3909         "WebAssembly: address no VM / JS follow-ups"
3910         https://bugs.webkit.org/show_bug.cgi?id=177887
3911         http://trac.webkit.org/changeset/222873
3912
3913 2017-10-05  Saam Barati  <sbarati@apple.com>
3914
3915         Make sure all prototypes under poly proto get added into the VM's prototype map
3916         https://bugs.webkit.org/show_bug.cgi?id=177909
3917
3918         Reviewed by Keith Miller.
3919
3920         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3921         (assert):
3922         (foo.C):
3923         (foo):
3924         (set x):
3925
3926 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3927
3928         [JSC] Introduce import.meta
3929         https://bugs.webkit.org/show_bug.cgi?id=177703
3930
3931         Reviewed by Filip Pizlo.
3932
3933         * modules/import-meta-syntax.js: Added.
3934         (shouldThrow):
3935         (shouldNotThrow):
3936         * modules/import-meta.js: Added.
3937         * modules/import-meta/cocoa.js: Added.
3938         * modules/resources/assert.js:
3939         (export.shouldNotThrow):
3940         * stress/import-syntax.js:
3941
3942 2017-10-04  Saam Barati  <sbarati@apple.com>
3943
3944         Make pertinent AccessCases watch the poly proto watchpoint
3945         https://bugs.webkit.org/show_bug.cgi?id=177765
3946
3947         Reviewed by Keith Miller.
3948
3949         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3950         (assert):
3951         (foo.C):
3952         (foo):
3953         (validate):
3954         * stress/poly-proto-clear-stub.js: Added.
3955         (assert):
3956         (foo.C):
3957         (foo):
3958
3959 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3960
3961         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3962
3963         Unreviewed test gardening.
3964
3965         * test262.yaml:
3966
3967 2017-10-04  Saam Barati  <sbarati@apple.com>
3968
3969         3 poly-proto JSC tests timing out on debug after r222827
3970         https://bugs.webkit.org/show_bug.cgi?id=177880
3971
3972         Rubber stamped by Mark Lam.
3973
3974         * microbenchmarks/poly-proto-access.js:
3975         * typeProfiler/deltablue-for-of.js:
3976         * typeProfiler/getter-richards.js:
3977
3978 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3979
3980         Unreviewed, marking tco-catch.js as a failure after test262 update
3981         https://bugs.webkit.org/show_bug.cgi?id=177859
3982
3983         * test262.yaml:
3984
3985 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3986
3987         Unreviewed, marking one async iterator test262 test failed
3988         https://bugs.webkit.org/show_bug.cgi?id=177859
3989
3990         * test262.yaml:
3991
3992 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3993
3994         [Test262] Update Test262 to Oct 4 version
3995         https://bugs.webkit.org/show_bug.cgi?id=177859
3996
3997         Reviewed by Sam Weinig.
3998
3999         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
4000         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
4001
4002         * test262.yaml:
4003         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
4004         (checkSequence):
4005         * test262/harness/typeCoercion.js:
4006         (testCoercibleToIndexZero):
4007         (testCoercibleToIndexOne):
4008         (testCoercibleToIndexFromIndex):
4009         (testNotCoercibleToIndex.testPrimitiveValue):
4010         (testNotCoercibleToInteger):
4011         (testCoercibleToBigIntZero.testPrimitiveValue):
4012         (testCoercibleToBigIntZero):
4013         (testCoercibleToBigIntOne.testPrimitiveValue):
4014         (testCoercibleToBigIntOne):
4015         (testPrimitiveValue):
4016         (testCoercibleToBigIntFromBigInt):
4017         (testNotCoercibleToBigInt.testPrimitiveValue):
4018         (testNotCoercibleToBigInt.testStringValue):
4019         (testNotCoercibleToBigInt):
4020         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
4021         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
4022         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
4023         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
4024         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
4025         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
4026         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
4027         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
4028         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
4029         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
4030         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
4031         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
4032         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
4033         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
4034         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
4035         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
4036         (testCoercibleToBigIntZero):
4037         (testCoercibleToBigIntOne):
4038         (testNotCoercibleToBigInt):
4039         (MyError): Deleted.
4040         (valueOf): Deleted.
4041         (toString): Deleted.
4042         (Symbol.toPrimitive): Deleted.
4043         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
4044         (testCoercibleToIndexZero):
4045         (testCoercibleToIndexOne):
4046         (testNotCoercibleToIndex):
4047         (MyError): Deleted.
4048         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
4049         (assert.sameValue.BigInt.asIntN.toString): Deleted.
4050         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
4051         (BigInt.asIntN.valueOf): Deleted.
4052         (BigInt.asIntN.toString): Deleted.
4053         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
4054         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
4055         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
4056         (testCoercibleToBigIntZero):
4057         (testCoercibleToBigIntOne):
4058         (testNotCoercibleToBigInt):
4059         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
4060         (testCoercibleToIndexZero):
4061         (testCoercibleToIndexOne):
4062         (testNotCoercibleToIndex):
4063         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
4064         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
4065         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
4066         (bits.valueOf):
4067         (bigint.valueOf):
4068         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
4069         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
4070         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
4071         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
4072         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
4073         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
4074         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
4075         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
4076         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
4077         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
4078         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
4079         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
4080         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
4081         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
4082         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
4083         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
4084         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
4085         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
4086         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
4087         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
4088         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
4089         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
4090         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
4091         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
4092         (replacer):
4093         (BigInt.prototype.toJSON):
4094         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
4095         (replacer):
4096         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
4097         (BigInt.prototype.toJSON):
4098         * test262/test/built-ins/JSON/stringify/bigint.js:
4099         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
4100         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
4101         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
4102         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
4103         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
4104         * test262/test/built-ins/Object/proto-from-ctor.js:
4105         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
4106         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4107         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4108         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4109         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4110         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4111         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4112         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4113         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4114         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4115         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4116         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4117         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4118         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4119         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4120         * test262/test/built-ins/Proxy/get-fn-realm.js:
4121         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4122         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4123         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4124         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4125         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4126         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4127         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4128         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4129         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4130         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4131         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4132         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4133         (i6.replace):
4134         (i6b.replace):
4135         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4136         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4137         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4138         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4139         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4140         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4141         * test262/test/built-ins/RegExp/u180e.js: Added.
4142         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4143         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4144         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4145         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4146         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4147         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4148         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4149         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4150         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4151         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4152         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4153         * test262/test/built-ins/String/prototype/endsWith/length.js:
4154         * test262/test/built-ins/String/prototype/endsWith/name.js:
4155         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4156         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4157         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4158         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4159         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4160         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4161         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4162         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4163         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4164         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4165         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4166         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4167         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4168         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4169         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4170         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4171         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4172         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4173         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4174         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4175         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4176         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4177         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4178         * test262/test/built-ins/String/prototype/includes/includes.js:
4179         * test262/test/built-ins/String/prototype/includes/length.js:
4180         * test262/test/built-ins/String/prototype/includes/name.js:
4181         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4182         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4183         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4184         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4185         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4186         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4187         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4188         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4189         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4190         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4191         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4192         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4193         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4194         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4195         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4196         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4197         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4198         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4199         * test262/test/built-ins/String/prototype/trim/u180e.js:
4200         * test262/test/built-ins/Symbol/for/cross-realm.js:
4201         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4202         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4203         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4204         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4205         * test262/test/built-ins/Symbol/match/cross-realm.js:
4206         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4207         * test262/test/built-ins/Symbol/search/cross-realm.js:
4208         * test262/test/built-ins/Symbol/species/cross-realm.js:
4209         * test262/test/built-ins/Symbol/split/cross-realm.js:
4210         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4211         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4212         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4213         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4214         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4215         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4216         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4217         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4218         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4219         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4220         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4221         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4222         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4223         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4224         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4225         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4226         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4227         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4228         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4229         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4230         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4231         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4232         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4233         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4234         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4235         * test262/test/language/eval-code/indirect/realm.js:
4236         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4237         (o.get z):
4238         (o.get a):
4239         * test262/test/language/expressions/call/eval-realm-indirect.js:
4240         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4241         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4242         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4243         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4244         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4245         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4246         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4247         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4248         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4249         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4250         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4251         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4252         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4253         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4254         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4255         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4256         * test262/test/language/expressions/less-than/bigint-and-number.js:
4257         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4258         * test262/test/language/expressions/super/realm.js:
4259         * test262/test/language/expressions/tagged-template/cache-realm.js:
4260         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
4261         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
4262         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
4263         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
4264         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
4265         * test262/test/language/literals/string/mongolian-vowel-separator.js:
4266         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
4267         (o.get z):
4268         (o.get a):
4269         * test262/test/language/statements/for-of/iterator-next-reference.js:
4270         (next):
4271         (iterator.next): Deleted.
4272         (x.of.iterable.): Deleted.
4273         (x.of.iterable.get return): Deleted.
4274         (x.of.iterable.iterator.next): Deleted.
4275         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
4276         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
4277         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
4278         * test262/test/language/white-space/mongolian-vowel-separator.js:
4279         * test262/test262-Revision.txt:
4280
4281 2017-10-03  Saam Barati  <sbarati@apple.com>
4282
4283         Implement polymorphic prototypes
4284         https://bugs.webkit.org/show_bug.cgi?id=176391
4285
4286         Reviewed by Filip Pizlo.
4287
4288         * microbenchmarks/poly-proto-access.js: Added.
4289         (assert):
4290         (foo.C):
4291         (foo.C.prototype.get bar):
4292         (foo):
4293         (bar):
4294         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
4295         (assert):
4296         (makePolyProtoObject.foo.C):
4297         (makePolyProtoObject.foo):
4298         (makePolyProtoObject):
4299         (performSet):
4300         * microbenchmarks/poly-proto-setter-speed.js: Added.
4301         (assert):
4302         (makePolyProtoObject.foo.C):
4303         (makePolyProtoObject.foo.C.prototype.set p):
4304         (makePolyProtoObject.foo):
4305         (makePolyProtoObject):
4306         (performSet):
4307         * stress/constructor-with-return.js:
4308         (i.tests.forEach.Constructor):
4309         (i.tests.forEach):
4310         (tests.forEach.Constructor): Deleted.
4311         (tests.forEach): Deleted.
4312         * stress/dom-jit-with-poly-proto.js: Added.
4313         (assert):
4314         (makePolyProtoObject.foo.C):
4315         (makePolyProtoObject.foo):
4316         (makePolyProtoObject):
4317         (validate):
4318         * stress/poly-proto-custom-value-and-accessor.js: Added.
4319         (assert):
4320         (makePolyProtoObject.foo.C):
4321         (makePolyProtoObject.foo):
4322         (makePolyProtoObject):
4323         (items.forEach):
4324         (set get for):
4325         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
4326         (assert):
4327         (makePolyProtoObject.foo.C):
4328         (makePolyProtoObject.foo):
4329         (makePolyProtoObject):
4330         (foo):
4331         * stress/poly-proto-miss.js: Added.
4332         (makePolyProtoInstanceWithNullPrototype.foo.C):
4333         (makePolyProtoInstanceWithNullPrototype.foo):
4334         (makePolyProtoInstanceWithNullPrototype):
4335         (assert):
4336         (validate):
4337         * stress/poly-proto-op-in-caching.js: Added.
4338         (assert):
4339         (makePolyProtoObject.foo.C):
4340         (makePolyProtoObject.foo):
4341         (makePolyProtoObject):
4342         (validate):
4343         (validate2):
4344         * stress/poly-proto-put-transition.js: Added.
4345         (assert):
4346         (makePolyProtoObject.foo.C):
4347         (makePolyProtoObject.foo):
4348         (makePolyProtoObject):
4349         (performSet):
4350         (i.obj.__proto__.set p):
4351         * stress/poly-proto-set-prototype.js: Added.
4352         (assert):
4353         (let.alternateProto.get x):
4354         (let.alternateProto2.get y):
4355         (let.alternateProto2.get x):
4356         (foo.C):
4357         (foo):
4358         (validate):
4359         * stress/poly-proto-setter.js: Added.
4360         (assert):
4361         (makePolyProtoObject.foo.C):
4362         (makePolyProtoObject.foo.C.prototype.set p):
4363         (makePolyProtoObject.foo.C.prototype.get p):
4364         (makePolyProtoObject.foo):
4365         (makePolyProtoObject):
4366         (performSet):
4367         * stress/poly-proto-using-inheritance.js: Added.
4368         (assert):
4369         (foo.C):
4370         (foo.C.prototype.get baz):
4371         (foo):
4372         (bar.C):
4373         (bar):
4374         (validate):
4375         * stress/primitive-poly-proto.js: Added.
4376         (makePolyProtoInstance.foo.C):
4377         (makePolyProtoInstance.foo):
4378         (makePolyProtoInstance):
4379         (assert):
4380         (validate):
4381         * stress/prototype-is-not-js-object.js: Added.
4382         (foo.bar):
4383         (foo):
4384         (assert):
4385         (validate):
4386         * stress/try-get-by-id-poly-proto.js: Added.
4387         (assert):
4388         (makePolyProtoObject.foo.C):
4389         (makePolyProtoObject.foo):
4390         (makePolyProtoObject):
4391         (tryGetByIdText):
4392         (x.__proto__.get bar):
4393         (validate):
4394         * typeProfiler/overflow.js:
4395
4396 2017-10-03  JF Bastien  <jfbastien@apple.com>
4397
4398         WebAssembly: no VM / JS version of everything but Instance
4399         https://bugs.webkit.org/show_bug.cgi?id=177473
4400
4401         Reviewed by Filip Pizlo.
4402
4403         - Exceeding max on memory growth now returns a range error as per
4404         spec. This is a (very minor) breaking change: it used to throw OOM
4405         error. Update the corresponding test.
4406
4407         * wasm/js-api/memory-grow.js:
4408         (assertEq):