9843b3cb3c1a2d584ba7d77b4cba042788e2bc9c
[WebKit-https.git] / JSTests / ChangeLog
1 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
4         https://bugs.webkit.org/show_bug.cgi?id=181848
5
6         Reviewed by Sam Weinig.
7
8         * microbenchmarks/regexp-u-global-es5.js: Added.
9         (fn):
10         * microbenchmarks/regexp-u-global-es6.js: Added.
11         (fn):
12         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
13         (shouldBe):
14         (test):
15         (i.switch):
16         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
17         (shouldBe):
18         (test):
19
20 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
21
22         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
23         https://bugs.webkit.org/show_bug.cgi?id=183334
24
25         Reviewed by Žan Doberšek.
26
27         * stress/var-injection-cache-invalidation.js:
28
29 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
30
31         [ARM] Disable tests that run out of memory
32         https://bugs.webkit.org/show_bug.cgi?id=182699
33
34         Reviewed by Žan Doberšek.
35
36         Skip tests that run of of memory. Do not run
37         modules/module-jit-reachability.js without LLInt to prevent
38         running out of executable memory.
39
40         * modules.yaml:
41         * modules/module-jit-reachability.js:
42         * stress/has-own-property-name-cache-string-keys.js:
43         * stress/has-own-property-name-cache-symbol-keys.js:
44
45 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
46
47         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
48         https://bugs.webkit.org/show_bug.cgi?id=183173
49
50         Reviewed by Saam Barati.
51
52         * stress/async-arrow-function-in-class-heritage.js: Added.
53         (testSyntax):
54         (testSyntaxError):
55         (SyntaxError):
56
57 2018-03-01  Saam Barati  <sbarati@apple.com>
58
59         We need to clear cached structures when having a bad time
60         https://bugs.webkit.org/show_bug.cgi?id=183256
61         <rdar://problem/36245022>
62
63         Reviewed by Mark Lam.
64
65         * stress/having-a-bad-time-with-derived-arrays.js: Added.
66         (assert):
67         (defineSetter):
68         (iterate):
69         (doSlice):
70
71 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
72
73         JSC crash with `import("")`
74         https://bugs.webkit.org/show_bug.cgi?id=183175
75
76         Reviewed by Saam Barati.
77
78         * stress/import-with-empty-string.js: Added.
79
80 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
81
82         Unreviewed, skip FTL tests if FTL is disabled
83         https://bugs.webkit.org/show_bug.cgi?id=183071
84
85         * stress/has-indexed-property-array-storage-ftl.js:
86         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
87
88 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
89
90         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
91         https://bugs.webkit.org/show_bug.cgi?id=182965
92
93         Reviewed by Saam Barati.
94
95         * stress/put-by-val-array-storage.js: Added.
96         (shouldBe):
97         (testArrayStorageInBounds):
98         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
99         (shouldBe):
100         (testInt32.createBuiltin):
101         (set for):
102         * stress/put-by-val-slow-put-array-storage.js: Added.
103         (shouldBe):
104         (testArrayStorageInBounds):
105
106 2018-02-26  Saam Barati  <sbarati@apple.com>
107
108         validateStackAccess should not validate if the offset is within the stack bounds
109         https://bugs.webkit.org/show_bug.cgi?id=183067
110         <rdar://problem/37749988>
111
112         Reviewed by Mark Lam.
113
114         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
115         (assert):
116         (test.a):
117         (test.b):
118         (test):
119
120 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
121
122         Unreviewed, skip FTL tests if FTL is disabled
123         https://bugs.webkit.org/show_bug.cgi?id=183071
124
125         * stress/has-indexed-property-array-storage-ftl.js:
126         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
127
128 2018-02-23  Saam Barati  <sbarati@apple.com>
129
130         Make Number.isInteger an intrinsic
131         https://bugs.webkit.org/show_bug.cgi?id=183088
132
133         Reviewed by JF Bastien.
134
135         * stress/number-is-integer-intrinsic.js: Added.
136
137 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
138
139         WebAssembly: cache memory address / size on instance
140         https://bugs.webkit.org/show_bug.cgi?id=177305
141
142         Reviewed by JF Bastien.
143
144         * wasm/function-tests/memory-reuse.js: Added.
145         (createWasmInstance):
146         (doCheckTrap):
147         (doMemoryGrow):
148         (doCheck):
149         (checkWasmInstancesWithSharedMemory):
150
151 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
152
153         [JSC] Implement $vm.ftlTrue function for FTL testing
154         https://bugs.webkit.org/show_bug.cgi?id=183071
155
156         Reviewed by Mark Lam.
157
158         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
159         (foo):
160         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
161         (foo):
162         * stress/dead-fiat-value-to-int52.js:
163         (foo):
164         * stress/dead-osr-entry-value.js:
165         (foo):
166         * stress/fiat-value-to-int52-then-exit-not-double.js:
167         (foo):
168         * stress/fiat-value-to-int52-then-exit-not-int52.js:
169         (foo):
170         * stress/fiat-value-to-int52-then-fail-to-fold.js:
171         (foo):
172         * stress/fiat-value-to-int52-then-fold.js:
173         (foo):
174         * stress/fiat-value-to-int52.js:
175         (foo):
176         * stress/fold-based-on-int32-proof-mul-branch.js:
177         (foo):
178         * stress/fold-profiled-call-to-call.js:
179         (foo):
180         * stress/fold-to-double-constant-then-exit.js:
181         (foo):
182         * stress/fold-to-int52-constant-then-exit.js:
183         (foo):
184         * stress/fold-to-primitive-in-cfa.js:
185         (foo):
186         * stress/fold-to-primitive-to-identity-in-cfa.js:
187         (foo):
188         * stress/has-indexed-property-array-storage-ftl.js: Added.
189         (shouldBe):
190         (test1):
191         (test2):
192         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
193         (shouldBe):
194         (test1):
195         (test2):
196         * stress/int52-ai-add-then-filter-int32.js:
197         (foo):
198         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
199         (foo):
200         * stress/int52-ai-mul-then-filter-int32.js:
201         (foo):
202         * stress/int52-ai-neg-then-filter-int32.js:
203         (foo):
204         * stress/int52-ai-sub-then-filter-int32.js:
205         (foo):
206         * stress/licm-pre-header-cannot-exit-nested.js:
207         (foo):
208         * stress/licm-pre-header-cannot-exit.js:
209         (foo):
210         * stress/sparse-array-entry-update-144067.js:
211         (useMemoryToTriggerGCs):
212         * stress/test-spec-misc.js:
213         (foo):
214         * stress/tricky-array-bounds-checks.js:
215         (foo):
216
217 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
218
219         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
220         https://bugs.webkit.org/show_bug.cgi?id=182792
221
222         Reviewed by Mark Lam.
223
224         * stress/has-indexed-property-array-storage.js: Added.
225         (shouldBe):
226         (test1):
227         (test2):
228         * stress/has-indexed-property-slow-put-array-storage.js: Added.
229         (shouldBe):
230         (test1):
231         (test2):
232
233 2018-02-20  Saam Barati  <sbarati@apple.com>
234
235         DFG::VarargsForwardingPhase should eliminate getting argument length
236         https://bugs.webkit.org/show_bug.cgi?id=182959
237
238         Reviewed by Keith Miller.
239
240         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
241
242 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
243
244         [FTL] Support ArrayPush for ArrayStorage
245         https://bugs.webkit.org/show_bug.cgi?id=182782
246
247         Reviewed by Saam Barati.
248
249         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
250
251         * stress/array-push-array-storage-beyond-int32.js: Added.
252         (shouldBe):
253         (test):
254         * stress/array-push-array-storage.js: Added.
255         (shouldBe):
256         (test):
257         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
258         (shouldBe):
259         (test):
260         * stress/array-push-multiple-storage-continuous.js: Added.
261         (shouldBe):
262         (test):
263
264 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
265
266         [FTL] Support ArrayPop for ArrayStorage
267         https://bugs.webkit.org/show_bug.cgi?id=182783
268
269         Reviewed by Saam Barati.
270
271         * stress/array-pop-array-storage.js: Added.
272         (shouldBe):
273         (test):
274
275 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
276
277         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
278         https://bugs.webkit.org/show_bug.cgi?id=182731
279
280         Reviewed by Saam Barati.
281
282         * stress/arrayify-array-storage-array.js: Added.
283         (shouldBe):
284         (testArrayStorage):
285         * stress/arrayify-array-storage-non-array.js: Added.
286         (shouldBe):
287         (testArrayStorage):
288         * stress/arrayify-array-storage.js: Added.
289         (shouldBe):
290         (testArrayStorage):
291         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
292         (shouldBe):
293         (testArrayStorage):
294         * stress/arrayify-slow-put-array-storage.js: Added.
295         (shouldBe):
296         (testArrayStorage):
297
298 2018-02-19  Saam Barati  <sbarati@apple.com>
299
300         Don't use JSFunction's allocation profile when getting the prototype can be effectful
301         https://bugs.webkit.org/show_bug.cgi?id=182942
302         <rdar://problem/37584764>
303
304         Reviewed by Mark Lam.
305
306         * stress/get-prototype-create-this-effectful.js: Added.
307
308 2018-02-16  Saam Barati  <sbarati@apple.com>
309
310         Fix bugs from r228411
311         https://bugs.webkit.org/show_bug.cgi?id=182851
312         <rdar://problem/37577732>
313
314         Reviewed by JF Bastien.
315
316         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
317
318 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
319
320         Unreviewed, roll out r228366 since it did not progress anything.
321
322         * stress/gc-error-stack.js: Removed.
323         * stress/no-gc-error-stack.js: Removed.
324
325 2018-02-15  Tomas Popela  <tpopela@redhat.com>
326
327         Many stress tests fail with JIT disabled
328         https://bugs.webkit.org/show_bug.cgi?id=182730
329
330         Reviewed by Saam Barati.
331
332         These tests are broken by design if the JIT is disabled - they test
333         the return value of numberOfDFGCompiles(), which is always set to
334         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
335
336         * stress/arith-abs-on-various-types.js:
337         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
338         * stress/arith-acos-on-various-types.js:
339         * stress/arith-acosh-on-various-types.js:
340         * stress/arith-asin-on-various-types.js:
341         * stress/arith-asinh-on-various-types.js:
342         * stress/arith-atan-on-various-types.js:
343         * stress/arith-atanh-on-various-types.js:
344         * stress/arith-cbrt-on-various-types.js:
345         * stress/arith-ceil-on-various-types.js:
346         * stress/arith-clz32-on-various-types.js:
347         * stress/arith-cos-on-various-types.js:
348         * stress/arith-cosh-on-various-types.js:
349         * stress/arith-expm1-on-various-types.js:
350         * stress/arith-floor-on-various-types.js:
351         * stress/arith-fround-on-various-types.js:
352         * stress/arith-log-on-various-types.js:
353         * stress/arith-log10-on-various-types.js:
354         * stress/arith-log2-on-various-types.js:
355         * stress/arith-negate-on-various-types.js:
356         * stress/arith-round-on-various-types.js:
357         * stress/arith-sin-on-various-types.js:
358         * stress/arith-sinh-on-various-types.js:
359         * stress/arith-sqrt-on-various-types.js:
360         * stress/arith-tan-on-various-types.js:
361         * stress/arith-tanh-on-various-types.js:
362         * stress/arith-trunc-on-various-types.js:
363         * stress/compare-strict-eq-on-various-types.js:
364
365 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
366
367         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
368
369         Unreviewed test gardening.
370
371         * stress/new-largeish-contiguous-array-with-size.js:
372
373 2018-02-14  Saam Barati  <sbarati@apple.com>
374
375         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
376         https://bugs.webkit.org/show_bug.cgi?id=182801
377
378         Reviewed by Keith Miller.
379
380         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
381
382 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
383
384         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
385         https://bugs.webkit.org/show_bug.cgi?id=182526
386
387         Unreviewed test gardening.
388
389         * stress/activation-sink-default-value-tdz-error.js:
390
391 2018-02-13  Saam Barati  <sbarati@apple.com>
392
393         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
394         https://bugs.webkit.org/show_bug.cgi?id=182755
395         <rdar://problem/37080864>
396
397         Reviewed by Keith Miller.
398
399         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
400         (test1.o.get 10005):
401         (test1):
402         (test2.o.get 1000):
403         (test2):
404
405 2018-02-13  Caitlin Potter  <caitp@igalia.com>
406
407         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
408         https://bugs.webkit.org/show_bug.cgi?id=182717
409
410         Reviewed by Yusuke Suzuki.
411
412         https://github.com/tc39/ecma262/pull/890 imposes a change to template
413         literals, to allow template callsite arrays to be collected when the
414         code containing the tagged template call is collected. This spec change
415         has received concensus and been ratified.
416
417         This change eliminates the eternal map associating template contents
418         with arrays.
419
420         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
421         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
422         * stress/tagged-templates-identity.js:
423         * stress/template-string-tags-eval.js:
424         * test262.yaml:
425
426 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
427
428         Support GetArrayLength on ArrayStorage in the FTL
429         https://bugs.webkit.org/show_bug.cgi?id=182625
430
431         Reviewed by Saam Barati.
432
433         * stress/array-storage-length.js: Added.
434         (shouldBe):
435         (testInBound):
436         (testUncountable):
437         (testSlowPutInBound):
438         (testSlowPutUncountable):
439         * stress/undecided-length.js: Added.
440         (shouldBe):
441         (test2):
442
443 2018-02-12  Saam Barati  <sbarati@apple.com>
444
445         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
446         https://bugs.webkit.org/show_bug.cgi?id=182706
447         <rdar://problem/36833681>
448
449         Reviewed by Filip Pizlo.
450
451         * stress/get-array-length-phantom-new-array-buffer.js: Added.
452         (effects):
453         (foo):
454
455 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
456
457         Don't waste memory for error.stack
458         https://bugs.webkit.org/show_bug.cgi?id=182656
459
460         Reviewed by Saam Barati.
461         
462         Tests the policy.
463
464         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
465         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
466
467 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
468
469         [JSC] Update Test262 to Feb 9 version
470         https://bugs.webkit.org/show_bug.cgi?id=182468
471
472         Reviewed by Saam Barati.
473
474 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
475
476         Unreviewed, fix invalid line terminator in old test262 file part 2
477         https://bugs.webkit.org/show_bug.cgi?id=182468
478
479         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
480
481 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
482
483         Unreviewed, fix invalid line terminator in old test262 file
484         https://bugs.webkit.org/show_bug.cgi?id=182468
485
486         * test262/test/language/literals/regexp/7.8.5-1.js:
487
488 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
489
490         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
491         https://bugs.webkit.org/show_bug.cgi?id=182440
492
493         Reviewed by Darin Adler.
494
495         * stress/array-flatmap.js: Added.
496         (shouldBe):
497         (shouldBeArray):
498         (shouldThrow):
499         (var):
500         * stress/array-flatten.js: Added.
501         (shouldBe):
502         (shouldBeArray):
503         * test262.yaml:
504         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
505         (3.flatMap):
506         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
507
508 2018-02-06  Keith Miller  <keith_miller@apple.com>
509
510         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
511         https://bugs.webkit.org/show_bug.cgi?id=182549
512         <rdar://problem/36189995>
513
514         Reviewed by Saam Barati.
515
516         * stress/var-injection-cache-invalidation.js: Added.
517         (allocateLotsOfThings):
518         (test):
519
520 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
521
522         Unreviewed, follow up for test262 update
523         https://bugs.webkit.org/show_bug.cgi?id=182288
524
525         * test262.yaml:
526
527 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
528
529         Update test262 to Jan 30 version
530         https://bugs.webkit.org/show_bug.cgi?id=182288
531
532         Unreviewed test gardening.
533
534         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
535
536 2018-02-02  Saam Barati  <sbarati@apple.com>
537
538         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
539         https://bugs.webkit.org/show_bug.cgi?id=182368
540         <rdar://problem/36932466>
541
542         Reviewed by Mark Lam.
543
544         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
545         (runNearStackLimit.t):
546         (runNearStackLimit):
547         (try.runNearStackLimit):
548         (catch):
549
550 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
551
552         Update test262 to Jan 30 version
553         https://bugs.webkit.org/show_bug.cgi?id=182288
554
555         Rubber stamped by Saam Barati.
556
557         This patch updates test262 to the latest one, Jan 30 version.
558         Since added and changed files are too many, we cannot create ChangeLog.
559         The following files are changed.
560
561         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
562         including some special line terminators (like u2028, u2029).
563
564         * test262.yaml:
565         * test262/test262-Revision.txt:
566         * test262/*:
567
568 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
569
570         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
571         https://bugs.webkit.org/show_bug.cgi?id=182411
572
573         Reviewed by Carlos Alberto Lopez Perez.
574
575         This is skipped only on arm memory limited platforms. Until recently
576         it was not a problem on MIPS as the butterfly was not initialized. But
577         since r227435, the butterfly is initialized in that test and therefore
578         memory is allocated, and the test typically takes around 512M, which
579         means it generally gets OOM-killed on the MIPS buildbot.
580
581         * mozilla/mozilla-tests.yaml:
582
583 2018-02-01  Mark Lam  <mark.lam@apple.com>
584
585         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
586         https://bugs.webkit.org/show_bug.cgi?id=182419
587         <rdar://problem/37044945>
588
589         Reviewed by Saam Barati.
590
591         * stress/regress-182419.js: Added.
592
593 2018-02-01  Keith Miller  <keith_miller@apple.com>
594
595         Fix crashes due to mishandling custom sections.
596         https://bugs.webkit.org/show_bug.cgi?id=182404
597         <rdar://problem/36935863>
598
599         Reviewed by Saam Barati.
600
601         * wasm/Builder.js:
602         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
603         * wasm/js-api/validate.js:
604         (assert.truthy):
605
606 2018-01-31  Saam Barati  <sbarati@apple.com>
607
608         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
609         https://bugs.webkit.org/show_bug.cgi?id=182074
610         <rdar://problem/36846261>
611
612         Reviewed by Mark Lam.
613
614         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
615         (assert):
616         (let.func):
617         (let.o.foo):
618         (varFunc):
619
620 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
621
622         Unreviewed, update test262 expects
623         https://bugs.webkit.org/show_bug.cgi?id=182232
624
625         * test262.yaml:
626
627 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
628
629         [JSC] Implement trimStart and trimEnd
630         https://bugs.webkit.org/show_bug.cgi?id=182233
631
632         Reviewed by Mark Lam.
633
634         * stress/trim.js: Added.
635         (shouldBe):
636         (startTest):
637         (endTest):
638         (trimTest):
639
640 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
641
642         [JSC] Relax line terminators in String to make JSON subset of JS
643         https://bugs.webkit.org/show_bug.cgi?id=182232
644
645         Reviewed by Keith Miller.
646
647         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
648         * stress/relaxed-line-terminators-in-string.js: Added.
649         (shouldBe):
650
651 2018-01-29  Michael Saboff  <msaboff@apple.com>
652
653         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
654         https://bugs.webkit.org/show_bug.cgi?id=182249
655
656         Reviewed by Keith Miller.
657
658         New regression test.
659
660         * stress/compare-clobber-untypeduse.js: Added.
661
662 2018-01-29  Matt Lewis  <jlewis3@apple.com>
663
664         Unreviewed, rolling out r227725.
665
666         This caused internal failures.
667
668         Reverted changeset:
669
670         "JSC Sampling Profiler: Detect tester and testee when sampling
671         in RegExp JIT"
672         https://bugs.webkit.org/show_bug.cgi?id=152729
673         https://trac.webkit.org/changeset/227725
674
675 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
676
677         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
678         https://bugs.webkit.org/show_bug.cgi?id=152729
679
680         Reviewed by Saam Barati.
681
682         * stress/sampling-profiler-regexp.js: Added.
683         (platformSupportsSamplingProfiler.test):
684         (platformSupportsSamplingProfiler.baz):
685         (platformSupportsSamplingProfiler):
686
687 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
688
689         [DFG][FTL] WeakMap#set should have DFG node
690         https://bugs.webkit.org/show_bug.cgi?id=180015
691
692         Reviewed by Saam Barati.
693
694         * stress/weakmap-set-change-get.js: Added.
695         (shouldBe):
696         (test):
697         * stress/weakmap-set-cse.js: Added.
698         (shouldBe):
699         (test):
700         * stress/weakset-add-change-get.js: Added.
701         (shouldBe):
702         * stress/weakset-add-cse.js: Added.
703         (shouldBe):
704
705 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
706
707         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
708         https://bugs.webkit.org/show_bug.cgi?id=182213
709
710         Reviewed by Mark Lam.
711
712         * stress/int32-min-to-string.js: Added.
713         (shouldBe):
714         (test2):
715         (test4):
716         (test8):
717         (test16):
718         (test32):
719         * stress/zero-to-string.js: Added.
720         (shouldBe):
721         (test2):
722         (test4):
723         (test8):
724         (test16):
725         (test32):
726
727 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
728
729         Add more module scope related tests with code evaluation by string
730         https://bugs.webkit.org/show_bug.cgi?id=181983
731
732         Reviewed by Sam Weinig.
733
734         Add more module scope related tests. When the original tests are landed,
735         we do not have browser integration. This patch adds more module scope tests
736         with dynamically created script evaluation. We add tests with Function
737         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
738
739         * modules/scopes-eval.js: Added.
740         (shouldBe):
741         * modules/scopes.js:
742         (shouldBe):
743
744 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
745
746         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
747
748         * microbenchmarks/array-push-3.js: Removed.
749         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
750         * microbenchmarks/double-to-int32.js: Removed.
751         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
752         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
753         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
754         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
755         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
756         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
757         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
758         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
759         * microbenchmarks/map-constant-key.js: Removed.
760         * microbenchmarks/nested-function-parsing.js: Removed.
761         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
762         * microbenchmarks/spread-large-array.js: Removed.
763         * microbenchmarks/string-add-constant-folding.js: Removed.
764         * microbenchmarks/to-lower-case.js: Removed.
765         * microbenchmarks/undefined-property-access.js: Removed.
766         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
767         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
768         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
769         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
770         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
771         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
772         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
773         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
774         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
775         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
776         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
777         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
778         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
779         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
780         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
781         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
782         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
783         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
784
785 2018-01-23  Robin Morisset  <rmorisset@apple.com>
786
787         Update the argument count in DFGByteCodeParser::handleRecursiveCall
788         https://bugs.webkit.org/show_bug.cgi?id=181739
789         <rdar://problem/36627662>
790
791         Reviewed by Saam Barati.
792
793         * stress/recursive-tail-call-with-different-argument-count.js: Added.
794         (foo):
795         (bar):
796
797 2018-01-22  Michael Saboff  <msaboff@apple.com>
798
799         DFG abstract interpreter needs to properly model effects of some Math ops
800         https://bugs.webkit.org/show_bug.cgi?id=181886
801
802         Reviewed by Saam Barati.
803
804         New regression test.
805
806         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
807         (test):
808
809 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
810
811         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
812         https://bugs.webkit.org/show_bug.cgi?id=181182
813
814         Reviewed by Darin Adler.
815
816         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
817         * stress/big-int-prototype-to-string-exception.js: Added.
818         * stress/big-int-prototype-to-string-wrong-values.js: Added.
819         * stress/number-prototype-to-string-cast-overflow.js: Added.
820         * stress/number-prototype-to-string-exception.js: Added.
821         * stress/number-prototype-to-string-wrong-values.js: Added.
822
823 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
824
825         Disable Atomics when SharedArrayBuffer isn’t enabled
826         https://bugs.webkit.org/show_bug.cgi?id=181572
827
828         Unreviewed test gardening.
829
830         * test262.yaml: Skip tests that fail after this change.
831
832 2018-01-19  Saam Barati  <sbarati@apple.com>
833
834         Kill ArithNegate's ArithProfile assert inside BytecodeParser
835         https://bugs.webkit.org/show_bug.cgi?id=181877
836         <rdar://problem/36630552>
837
838         Reviewed by Mark Lam.
839
840         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
841         (runNearStackLimit):
842         (f1):
843         (f2):
844         (f3):
845         (i.catch):
846         (i.try.runNearStackLimit):
847         (catch):
848
849 2018-01-19  Saam Barati  <sbarati@apple.com>
850
851         Spread's effects are modeled incorrectly both in AI and in Clobberize
852         https://bugs.webkit.org/show_bug.cgi?id=181867
853         <rdar://problem/36290415>
854
855         Reviewed by Michael Saboff.
856
857         * stress/ai-needs-to-model-spreads-effects.js: Added.
858         (try.p.Symbol.iterator):
859         (try.go):
860         (catch):
861         * stress/clobberize-needs-to-model-spread-effects.js: Added.
862         (assert):
863         (foo):
864         (a.Symbol.iterator):
865
866 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
867
868         Unreviewed, reduce count of iteration to fix timing out debug JSC test
869         https://bugs.webkit.org/show_bug.cgi?id=181535
870
871         * stress/inserted-recovery-with-set-last-index.js:
872
873 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
874
875         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
876         https://bugs.webkit.org/show_bug.cgi?id=181535
877
878         Reviewed by Saam Barati.
879
880         * stress/inserted-recovery-with-set-last-index.js: Added.
881         (shouldBe):
882         (foo):
883         * stress/materialize-regexp-at-osr-exit.js: Added.
884         (shouldBe):
885         (test):
886         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
887         (shouldBe):
888         (test):
889         * stress/materialize-regexp-cyclic-regexp.js: Added.
890         (shouldBe):
891         (test):
892         (i.switch):
893         * stress/materialize-regexp-cyclic.js: Added.
894         (shouldBe):
895         (test):
896         (i.switch):
897         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
898         (bar):
899         (foo):
900         (test):
901         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
902         (bar):
903         (foo):
904         (test):
905         * stress/materialize-regexp.js: Added.
906         (shouldBe):
907         (test):
908         * stress/phantom-regexp-regexp-exec.js: Added.
909         (shouldBe):
910         (test):
911         * stress/phantom-regexp-string-match.js: Added.
912         (shouldBe):
913         (test):
914         * stress/regexp-last-index-sinking.js: Added.
915         (shouldBe):
916         (test):
917
918 2018-01-17  Saam Barati  <sbarati@apple.com>
919
920         Disable Atomics when SharedArrayBuffer isn’t enabled
921         https://bugs.webkit.org/show_bug.cgi?id=181572
922         <rdar://problem/36553206>
923
924         Reviewed by Michael Saboff.
925
926         * stress/isLockFree.js:
927
928 2018-01-17  Saam Barati  <sbarati@apple.com>
929
930         DFG::Node::convertToConstant needs to clear the varargs flags
931         https://bugs.webkit.org/show_bug.cgi?id=181697
932         <rdar://problem/36497332>
933
934         Reviewed by Yusuke Suzuki.
935
936         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
937         (doIndexOf):
938         (bar):
939         (i.bar):
940
941 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
942
943         Unreviewed, rolling out r226937.
944
945         Tests added with this change are failing due to a missing
946         exception check.
947
948         Reverted changeset:
949
950         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
951         double to int32_t"
952         https://bugs.webkit.org/show_bug.cgi?id=181182
953         https://trac.webkit.org/changeset/226937
954
955 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
956
957         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
958         https://bugs.webkit.org/show_bug.cgi?id=181182
959
960         Reviewed by Darin Adler.
961
962         * bigIntTests.yaml:
963         * stress/big-int-constructor.js:
964         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
965         (assert):
966         (assertThrowRangeError):
967         * stress/number-prototype-to-string-cast-overflow.js: Added.
968         (assert):
969         (assertThrowRangeError):
970
971 2018-01-12  Saam Barati  <sbarati@apple.com>
972
973         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
974         https://bugs.webkit.org/show_bug.cgi?id=181177
975         <rdar://problem/36205704>
976
977         Reviewed by Yusuke Suzuki.
978
979         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
980         (runNearStackLimit.t):
981         (runNearStackLimit):
982         (test.f):
983         (test):
984
985 2018-01-12  Saam Barati  <sbarati@apple.com>
986
987         Each variant of a polymorphic inlined call should be exitOK at the top of the block
988         https://bugs.webkit.org/show_bug.cgi?id=181562
989         <rdar://problem/36445624>
990
991         Reviewed by Yusuke Suzuki.
992
993         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
994         (f):
995         (foo):
996
997 2018-01-11  Saam Barati  <sbarati@apple.com>
998
999         When inserting Unreachable in byte code parser we need to flush all the right things
1000         https://bugs.webkit.org/show_bug.cgi?id=181509
1001         <rdar://problem/36423110>
1002
1003         Reviewed by Mark Lam.
1004
1005         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1006
1007 2018-01-11  Saam Barati  <sbarati@apple.com>
1008
1009         JITMathIC code in the FTL is wrong when code gets duplicated
1010         https://bugs.webkit.org/show_bug.cgi?id=181525
1011         <rdar://problem/36351993>
1012
1013         Reviewed by Michael Saboff and Keith Miller.
1014
1015         * stress/allow-math-ic-b3-code-duplication.js: Added.
1016
1017 2018-01-11  Saam Barati  <sbarati@apple.com>
1018
1019         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1020         https://bugs.webkit.org/show_bug.cgi?id=181508
1021
1022         Reviewed by Yusuke Suzuki.
1023
1024         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1025         (assert):
1026         (test1.foo):
1027         (test1):
1028         (test2.foo):
1029         (test2):
1030
1031 2018-01-09  Mark Lam  <mark.lam@apple.com>
1032
1033         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1034         https://bugs.webkit.org/show_bug.cgi?id=181388
1035         <rdar://problem/36349351>
1036
1037         Reviewed by Saam Barati.
1038
1039         * stress/regress-181388.js: Added.
1040
1041 2018-01-08  JF Bastien  <jfbastien@apple.com>
1042
1043         WebAssembly: mask indexed accesses to Table
1044         https://bugs.webkit.org/show_bug.cgi?id=181412
1045         <rdar://problem/36363236>
1046
1047         Reviewed by Saam Barati.
1048
1049         Update error messages.
1050
1051         * wasm/js-api/table.js:
1052         (assert.throws.WebAssembly.Table.prototype.grow):
1053
1054 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1055
1056         Disable SharedArrayBuffer tests missed in r226386.
1057         https://bugs.webkit.org/show_bug.cgi?id=181266
1058
1059         Unreviewed test gardening.
1060
1061         * test262.yaml:
1062
1063 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1064
1065         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1066         https://bugs.webkit.org/show_bug.cgi?id=181321
1067
1068         Reviewed by Saam Barati.
1069
1070         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1071         (shouldBe):
1072         (testFunction):
1073         * test262.yaml:
1074
1075 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1076
1077         Unreviewed, attempt to fix test262 after r226386.
1078
1079         * test262.yaml:
1080
1081 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1082
1083         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1084         https://bugs.webkit.org/show_bug.cgi?id=179911
1085
1086         Reviewed by Saam Barati.
1087
1088         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1089
1090         * stress/map-set-change-get.js: Added.
1091         (shouldBe):
1092         (test):
1093         * stress/map-set-create-bucket.js: Added.
1094         (shouldBe):
1095         (test):
1096         * stress/set-add-create-bucket.js: Added.
1097         (shouldBe):
1098
1099 2018-01-03  Michael Saboff  <msaboff@apple.com>
1100
1101         Disable SharedArrayBuffers from Web API
1102         https://bugs.webkit.org/show_bug.cgi?id=181266
1103
1104         Reviewed by Saam Barati.
1105
1106         Disabled SharedArrayBuffer tests.
1107
1108         * stress/SharedArrayBuffer-opt.js:
1109         * stress/SharedArrayBuffer.js:
1110         * stress/array-buffer-byte-length.js:
1111         * stress/atomics-add-uint32.js:
1112         * stress/atomics-known-int-use.js:
1113         * stress/atomics-neg-zero.js:
1114         * stress/atomics-store-return.js:
1115         * stress/lars-sab-workers.js:
1116         * stress/regress-159779-1.js:
1117         * stress/regress-159779-2.js:
1118         * stress/regress-170473.js:
1119         * test262.yaml:
1120
1121 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1122
1123         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1124         https://bugs.webkit.org/show_bug.cgi?id=181258
1125
1126         Reviewed by Antonio Gomes.
1127
1128         * stress/big-int-constructor-gc.js:
1129         * stress/big-int-constructor-oom.js:
1130
1131 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1132
1133         Inlining of a function that ends in op_unreachable crashes
1134         https://bugs.webkit.org/show_bug.cgi?id=181027
1135
1136         Reviewed by Filip Pizlo.
1137
1138         * stress/inlining-unreachable.js: Added.
1139         (bar):
1140         (baz):
1141         (i.catch):
1142
1143 2018-01-02  Saam Barati  <sbarati@apple.com>
1144
1145         Incorrect assertion inside AccessCase
1146         https://bugs.webkit.org/show_bug.cgi?id=181200
1147         <rdar://problem/35494754>
1148
1149         Reviewed by Yusuke Suzuki.
1150
1151         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1152         (ctor):
1153         (theFunc):
1154         (run):
1155
1156 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1157
1158         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1159         https://bugs.webkit.org/show_bug.cgi?id=175359
1160
1161         Reviewed by Yusuke Suzuki.
1162
1163         * bigIntTests.yaml:
1164         * stress/big-int-as-key.js: Added.
1165         * stress/big-int-constructor-gc.js: Added.
1166         * stress/big-int-constructor-oom.js: Added.
1167         * stress/big-int-constructor-properties.js: Added.
1168         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1169         * stress/big-int-constructor-prototype.js: Added.
1170         * stress/big-int-constructor.js: Added.
1171         * stress/big-int-function-apply.js:
1172         * stress/big-int-length.js: Added.
1173         * stress/big-int-prop-descriptor.js: Added.
1174         * stress/big-int-proto-constructor.js: Added.
1175         * stress/big-int-proto-name.js: Added.
1176         * stress/big-int-prototype-properties.js: Added.
1177         * stress/big-int-prototype-proto.js: Added.
1178         * stress/big-int-prototype-value-of.js: Added.
1179         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1180         * stress/big-int-prototype-to-string-apply.js: Added.
1181         * stress/big-int-to-object.js: Added.
1182         * stress/big-int-to-string.js: Added.
1183
1184 2017-12-28  Saam Barati  <sbarati@apple.com>
1185
1186         Assertion used to determine if something is an async generator is wrong
1187         https://bugs.webkit.org/show_bug.cgi?id=181168
1188         <rdar://problem/35640560>
1189
1190         Reviewed by Yusuke Suzuki.
1191
1192         * stress/async-generator-assertion.js: Added.
1193
1194 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1195
1196         Skip stress/splay-flash-access tests on memory limited platforms
1197         https://bugs.webkit.org/show_bug.cgi?id=181086
1198
1199         Reviewed by Carlos Alberto Lopez Perez.
1200
1201         These tests use about 185M of memory, and occasionally get OOM-killed
1202         on memory limited platforms.
1203
1204         * stress/splay-flash-access-1ms.js:
1205         * stress/splay-flash-access.js:
1206
1207 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1208
1209         Skip slow jsc tests on embedded platforms
1210         https://bugs.webkit.org/show_bug.cgi?id=180937
1211
1212         Reviewed by Carlos Alberto Lopez Perez.
1213
1214         The tests typeProfiler/deltablue-for-of.js and
1215         typeProfiler/getter-richards.js take a very long time in the
1216         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1217         thus always timeout. They should be skipped on these platforms.
1218
1219         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1220         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1221
1222 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1223
1224         [JSC] Do not check isValid() in op_new_regexp
1225         https://bugs.webkit.org/show_bug.cgi?id=180970
1226
1227         Reviewed by Saam Barati.
1228
1229         * stress/regexp-syntax-error-invalid-flags.js: Added.
1230         (shouldThrow):
1231
1232 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1233
1234         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1235         https://bugs.webkit.org/show_bug.cgi?id=180712
1236
1237         Reviewed by Michael Catanzaro.
1238
1239         stress/call-apply-exponential-bytecode-size.js crashes if the
1240         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1241         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1242         should skip the test on other platforms.
1243
1244         * stress/call-apply-exponential-bytecode-size.js:
1245
1246 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1247
1248         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1249         https://bugs.webkit.org/show_bug.cgi?id=179762
1250
1251         Reviewed by Saam Barati.
1252
1253         * stress/call-varargs-double-new-array-buffer.js: Added.
1254         (assert):
1255         (bar):
1256         (foo):
1257         * stress/call-varargs-spread-new-array-buffer.js: Added.
1258         (assert):
1259         (bar):
1260         (foo):
1261         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1262         (assert):
1263         (bar):
1264         (foo):
1265         * stress/forward-varargs-double-new-array-buffer.js: Added.
1266         (assert):
1267         (test.baz):
1268         (test.bar):
1269         (test.foo):
1270         (test):
1271         * stress/new-array-buffer-sinking-osrexit.js: Added.
1272         (target):
1273         (test):
1274         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1275         (shouldBe):
1276         (test):
1277         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1278         (shouldBe):
1279         (target):
1280         (test):
1281         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1282         (assert):
1283         (test1.bar):
1284         (test1.foo):
1285         (test1):
1286         (test2.bar):
1287         (test2.foo):
1288         (test3.baz):
1289         (test3.bar):
1290         (test3.foo):
1291         (test4.baz):
1292         (test4.bar):
1293         (test4.foo):
1294         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1295         (assert):
1296         (test.baz):
1297         (test.bar):
1298         (test.foo):
1299         (test):
1300         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1301         (assert):
1302         (baz):
1303         (bar):
1304         (effects):
1305         (foo):
1306
1307 2017-12-14  Saam Barati  <sbarati@apple.com>
1308
1309         The CleanUp after LICM is erroneously removing a Check
1310         https://bugs.webkit.org/show_bug.cgi?id=180852
1311         <rdar://problem/36063494>
1312
1313         Reviewed by Filip Pizlo.
1314
1315         * stress/dont-run-cleanup-after-licm.js: Added.
1316
1317 2017-12-14  Michael Saboff  <msaboff@apple.com>
1318
1319         REGRESSION (r225695): Repro crash on yahoo login page
1320         https://bugs.webkit.org/show_bug.cgi?id=180761
1321
1322         Reviewed by JF Bastien.
1323
1324         New regression test.
1325
1326         * stress/regress-180761.js: Added.
1327
1328 2017-12-13  Keith Miller  <keith_miller@apple.com>
1329
1330         JSObjects should have a mask for loading indexed properties
1331         https://bugs.webkit.org/show_bug.cgi?id=180768
1332
1333         Reviewed by Mark Lam.
1334
1335         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1336         (test):
1337
1338 2017-12-13  Saam Barati  <sbarati@apple.com>
1339
1340         Arrow functions need their own structure because they have different properties than sloppy functions
1341         https://bugs.webkit.org/show_bug.cgi?id=180779
1342         <rdar://problem/35814591>
1343
1344         Reviewed by Mark Lam.
1345
1346         * stress/arrow-function-needs-its-own-structure.js: Added.
1347         (assert):
1348         (readPrototype):
1349         (noInline.let.f1):
1350         (noInline):
1351
1352 2017-12-13  Saam Barati  <sbarati@apple.com>
1353
1354         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1355         https://bugs.webkit.org/show_bug.cgi?id=163579
1356         <rdar://problem/35455798>
1357
1358         Reviewed by Mark Lam.
1359
1360         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1361         (assert):
1362         (test1):
1363         (i.test1):
1364         (i.test1.C):
1365         (i.test1.async.foo):
1366         (i.test1.foo):
1367         (test2):
1368
1369 2017-12-13  Saam Barati  <sbarati@apple.com>
1370
1371         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1372         https://bugs.webkit.org/show_bug.cgi?id=180734
1373         <rdar://problem/35640547>
1374
1375         Reviewed by Yusuke Suzuki.
1376
1377         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1378         (__isPropertyOfType):
1379         (__getProperties):
1380         (__getObjects):
1381         (__getRandomObject):
1382         (theClass.):
1383         (theClass):
1384         (childClass):
1385         (counter.catch):
1386
1387 2017-12-12  Saam Barati  <sbarati@apple.com>
1388
1389         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1390         https://bugs.webkit.org/show_bug.cgi?id=180725
1391         <rdar://problem/35970511>
1392
1393         Reviewed by Michael Saboff.
1394
1395         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1396         (f1):
1397         (f2):
1398         (let.o2.valueOf):
1399
1400 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1401
1402         [JSC] Implement optimized WeakMap and WeakSet
1403         https://bugs.webkit.org/show_bug.cgi?id=179929
1404
1405         Reviewed by Saam Barati.
1406
1407         * microbenchmarks/weak-map-key.js:
1408         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1409         (assert):
1410         (objectKey):
1411         (let.start.Date.now):
1412         * stress/basic-weakmap.js: Added.
1413         (shouldBe):
1414         (test):
1415         * stress/basic-weakset.js: Added.
1416         (shouldBe):
1417         (test.set new):
1418         * stress/weakmap-cse-set-break.js: Added.
1419         (shouldBe):
1420         (test):
1421         * stress/weakmap-cse.js: Added.
1422         (shouldBe):
1423         (test):
1424         * stress/weakmap-gc.js: Added.
1425         (test):
1426         * stress/weakset-cse-add-break.js: Added.
1427         (shouldBe):
1428         (test.set new):
1429         * stress/weakset-cse.js: Added.
1430         (shouldBe):
1431         (test.set new):
1432         * stress/weakset-gc.js: Added.
1433         (test.set add):
1434         (test.set new):
1435         (test):
1436
1437 2017-12-12  Saam Barati  <sbarati@apple.com>
1438
1439         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1440         https://bugs.webkit.org/show_bug.cgi?id=180723
1441         <rdar://problem/35859726>
1442
1443         Reviewed by JF Bastien.
1444
1445         * stress/get-my-argument-by-val-constant-folding.js: Added.
1446         (test):
1447         (catch):
1448
1449 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1450
1451         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1452         https://bugs.webkit.org/show_bug.cgi?id=179000
1453
1454         Reviewed by Darin Adler and Yusuke Suzuki.
1455
1456         * bigIntTests.yaml: Added.
1457         * stress/big-int-literal-line-terminator.js: Added.
1458         * stress/big-int-literals.js: Added.
1459         * stress/big-int-operations-error.js: Added.
1460         * stress/big-int-type-of.js: Added.
1461         * stress/big-int-white-space-trailing-leading.js: Added.
1462         * stress/big-int-function-apply.js: Added.
1463
1464 2017-12-11  Saam Barati  <sbarati@apple.com>
1465
1466         We need to disableCaching() in ErrorInstance when we materialize properties
1467         https://bugs.webkit.org/show_bug.cgi?id=180343
1468         <rdar://problem/35833002>
1469
1470         Reviewed by Mark Lam.
1471
1472         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1473         (assert):
1474         (makeError):
1475         (storeToStack):
1476         (storeToStackAlreadyMaterialized):
1477
1478 2017-12-05  JF Bastien  <jfbastien@apple.com>
1479
1480         WebAssembly: don't eagerly checksum
1481         https://bugs.webkit.org/show_bug.cgi?id=180441
1482         <rdar://problem/35156628>
1483
1484         Reviewed by Saam Barati.
1485
1486         Checksum is now disabled, so tests only have <?> as the module
1487         name.
1488
1489         * wasm/function-tests/nameSection.js:
1490         * wasm/function-tests/stack-overflow.js:
1491         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1492         (assertOverflows.assertThrows):
1493         (assertOverflows):
1494         * wasm/function-tests/stack-trace.js:
1495
1496 2017-12-04  JF Bastien  <jfbastien@apple.com>
1497
1498         Proxy all functions, except the $ objects
1499         https://bugs.webkit.org/show_bug.cgi?id=180375
1500
1501         Reviewed by Saam Barati.
1502
1503         It looks like this test may have broken some executions because I
1504         call some internal objects. Explicitly ignore objects whose name
1505         starts with "$" because it's a bad idea anyways.
1506
1507         * stress/proxy-all-the-parameters.js:
1508         (generateObjects):
1509         (get throw):
1510
1511 2017-12-04  Saam Barati  <sbarati@apple.com>
1512
1513         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1514         https://bugs.webkit.org/show_bug.cgi?id=180366
1515         <rdar://problem/35685877>
1516
1517         Reviewed by Michael Saboff.
1518
1519         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1520         (theParent):
1521         (test1.base.getParentStaticValue):
1522         (test1.base):
1523         (test1.__v_24888.prototype.set prop):
1524         (test1.__v_24888):
1525         (test2.base.getParentStaticValue):
1526         (test2.base):
1527         (test2.__v_24888.prototype.set prop):
1528         (test2.__v_24888):
1529         (test2):
1530
1531 2017-12-01  JF Bastien  <jfbastien@apple.com>
1532
1533         Try proxying all function arguments
1534         https://bugs.webkit.org/show_bug.cgi?id=180306
1535
1536         Reviewed by Saam Barati.
1537
1538         * stress/proxy-all-the-parameters.js: Added.
1539         (isPropertyOfType):
1540         (getProperties):
1541         (generateObjects):
1542         (getObjects):
1543         (getFunctions):
1544         (get throw):
1545         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1546
1547 2017-12-01  JF Bastien  <jfbastien@apple.com>
1548
1549         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1550         https://bugs.webkit.org/show_bug.cgi?id=180297
1551         <rdar://problem/35745556>
1552
1553         Reviewed by Mark Lam.
1554
1555         * stress/math-exceptions.js: Added.
1556         (get try):
1557         (catch):
1558
1559 2017-12-01  JF Bastien  <jfbastien@apple.com>
1560
1561         JavaScriptCore: add test for weird class static getters
1562         https://bugs.webkit.org/show_bug.cgi?id=180281
1563         <rdar://problem/35592139>
1564
1565         Reviewed by Mark Lam.
1566
1567         I fixed a bug for it in r224927 and didn't add a test. Do so.
1568
1569         * stress/class-static-get-weird.js: Added.
1570         (c.prototype.get name):
1571         (c):
1572         (c.prototype.get arguments):
1573         (c.prototype.get caller):
1574         (c.prototype.get length):
1575
1576 2017-12-01  Saam Barati  <sbarati@apple.com>
1577
1578         Having a bad time needs to handle ArrayClass indexing type as well
1579         https://bugs.webkit.org/show_bug.cgi?id=180274
1580         <rdar://problem/35667869>
1581
1582         Reviewed by Keith Miller and Mark Lam.
1583
1584         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1585         (assert):
1586         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1587         (assert):
1588
1589 2017-12-01  JF Bastien  <jfbastien@apple.com>
1590
1591         WebAssembly: restore cached stack limit after out-call
1592         https://bugs.webkit.org/show_bug.cgi?id=179106
1593         <rdar://problem/35337525>
1594
1595         Reviewed by Saam Barati.
1596
1597         * wasm/function-tests/double-instance.js: Added.
1598         (const.imp.boom):
1599         (const.imp.get callAnother):
1600
1601 2017-11-30  JF Bastien  <jfbastien@apple.com>
1602
1603         WebAssembly: improve stack trace
1604         https://bugs.webkit.org/show_bug.cgi?id=179343
1605
1606         Reviewed by Saam Barati.
1607
1608         Update the tests to follow the new format. Notably, SHA1 module
1609         hash is now included in traces, and stubs are properly identified.
1610
1611         * wasm/assert.js: Add an assertion which matches regular expressions.
1612         * wasm/function-tests/nameSection.js:
1613         * wasm/function-tests/stack-overflow.js:
1614         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1615         (assertOverflows.assertThrows.wasm.1):
1616         (assertOverflows.assertThrows.wasm.0):
1617         (assertOverflows.assertThrows):
1618         (assertOverflows):
1619         * wasm/function-tests/stack-trace.js:
1620         (import.Builder.from.string_appeared_here.assert): Deleted.
1621         * wasm/function-tests/trap-after-cross-instance-call.js:
1622         (wasmFrameCountFromError):
1623         * wasm/function-tests/trap-load-2.js:
1624         (wasmFrameCountFromError):
1625         * wasm/function-tests/trap-load.js:
1626         (wasmFrameCountFromError):
1627
1628 2017-11-30  Mark Lam  <mark.lam@apple.com>
1629
1630         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1631         https://bugs.webkit.org/show_bug.cgi?id=180219
1632         <rdar://problem/35696536>
1633
1634         Reviewed by Filip Pizlo.
1635
1636         * stress/regress-180219.js: Added.
1637
1638 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1639
1640         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1641         https://bugs.webkit.org/show_bug.cgi?id=180190
1642
1643         Reviewed by Mark Lam.
1644
1645         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1646         (shouldBe):
1647         (test1):
1648         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1649         (shouldBe):
1650         (test1):
1651         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1652         (shouldBe):
1653         (test1):
1654         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1655         (shouldBe):
1656         (test1):
1657         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1658         (shouldBe):
1659         (test1):
1660         * stress/operation-in-may-have-negative-int32.js: Added.
1661         (shouldBe):
1662         (test2):
1663         * stress/operation-in-negative-int32-cast.js: Added.
1664         (shouldBe):
1665         (test1):
1666
1667 2017-11-28  JF Bastien  <jfbastien@apple.com>
1668
1669         Strict and sloppy functions shouldn't share structure
1670         https://bugs.webkit.org/show_bug.cgi?id=180103
1671         <rdar://problem/35667847>
1672
1673         Reviewed by Saam Barati.
1674
1675         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1676         because the IC was wrong.
1677         (foo):
1678         (bar):
1679         (baz):
1680         (catch):
1681         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1682         in this patch, but may as well test odd strict mode corner cases.
1683         (bar):
1684         (baz):
1685         (catch):
1686         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1687         (foo):
1688         (bar):
1689         (baz):
1690         (catch):
1691         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1692         next file, but with invalidation of the FunctionExecutable's
1693         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1694         slower path.
1695         (foo):
1696         (bar.const.x):
1697         (bar.const.y):
1698         (bar):
1699         (catch):
1700         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1701         strict nesting works correctly.
1702         (foo):
1703         (bar.baz):
1704         (bar):
1705         * stress/strict-function-structure.js: Added. The test used to
1706         assert in objectProtoFuncHasOwnProperty.
1707         (foo):
1708         (bar):
1709         (baz):
1710         * stress/strict-nested-function-structure.js: Added. Nesting.
1711         (foo):
1712         (bar):
1713         (baz.boo):
1714         (baz):
1715
1716 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1717
1718         The recursive tail call optimisation is wrong on closures
1719         https://bugs.webkit.org/show_bug.cgi?id=179835
1720
1721         Reviewed by Saam Barati.
1722
1723         * stress/closure-recursive-tail-call.js: Added.
1724         (makeClosure):
1725
1726 2017-11-27  JF Bastien  <jfbastien@apple.com>
1727
1728         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1729         https://bugs.webkit.org/show_bug.cgi?id=180051
1730         <rdar://problem/35614371>
1731
1732         Reviewed by Saam Barati.
1733
1734         * stress/rest-parameter-negative.js: Added.
1735         (__f_5484):
1736         (catch):
1737         (__f_5485):
1738         (__v_22598.catch):
1739
1740 2017-11-27  Saam Barati  <sbarati@apple.com>
1741
1742         Spread can escape when CreateRest does not
1743         https://bugs.webkit.org/show_bug.cgi?id=180057
1744         <rdar://problem/35676119>
1745
1746         Reviewed by JF Bastien.
1747
1748         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1749         (assert):
1750         (getProperties):
1751         (theFunc):
1752         (let.obj.valueOf):
1753
1754 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1755
1756         [DFG] Add NormalizeMapKey DFG IR
1757         https://bugs.webkit.org/show_bug.cgi?id=179912
1758
1759         Reviewed by Saam Barati.
1760
1761         * stress/map-untyped-normalize-cse.js: Added.
1762         (shouldBe):
1763         (test):
1764         * stress/map-untyped-normalize.js: Added.
1765         (shouldBe):
1766         (test):
1767         * stress/set-untyped-normalize-cse.js: Added.
1768         (shouldBe):
1769         (set return.set has.set has):
1770         * stress/set-untyped-normalize.js: Added.
1771         (shouldBe):
1772         (set return.set has):
1773
1774 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1775
1776         [FTL] Support DeleteById and DeleteByVal
1777         https://bugs.webkit.org/show_bug.cgi?id=180022
1778
1779         Reviewed by Saam Barati.
1780
1781         * stress/delete-by-id.js: Added.
1782         (shouldBe):
1783         (test1):
1784         (test2):
1785         * stress/delete-by-val-ftl.js: Added.
1786         (shouldBe):
1787         (test1):
1788         (test2):
1789
1790 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1791
1792         [DFG] Introduce {Set,Map,WeakMap}Fields
1793         https://bugs.webkit.org/show_bug.cgi?id=179925
1794
1795         Reviewed by Saam Barati.
1796
1797         * stress/map-set-clobber-map-get.js: Added.
1798         (shouldBe):
1799         (test):
1800         * stress/map-set-does-not-clobber-set-has.js: Added.
1801         (shouldBe):
1802         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1803         (shouldBe):
1804         (test):
1805         * stress/set-add-clobber-set-has.js: Added.
1806         (shouldBe):
1807         * stress/set-add-does-not-clobber-map-get.js: Added.
1808         (shouldBe):
1809
1810 2017-11-24  Mark Lam  <mark.lam@apple.com>
1811
1812         Move unsafe jsc shell test functions to the $vm object.
1813         https://bugs.webkit.org/show_bug.cgi?id=179980
1814
1815         Reviewed by Yusuke Suzuki.
1816
1817         * controlFlowProfiler/driver/driver.js:
1818         * controlFlowProfiler/execution-count.js:
1819         * controlFlowProfiler/if-statement.js:
1820         * controlFlowProfiler/loop-statements.js:
1821         * controlFlowProfiler/switch-statements.js:
1822         * controlFlowProfiler/test-jit.js:
1823         * exceptionFuzz/3d-cube.js:
1824         * exceptionFuzz/date-format-xparb.js:
1825         * exceptionFuzz/earley-boyer.js:
1826         * heapProfiler/basic-edges.js:
1827         * heapProfiler/property-edge-types.js:
1828         * microbenchmarks/try-get-by-id-basic.js:
1829         * microbenchmarks/try-get-by-id-polymorphic.js:
1830         * modules/namespace-object-try-get.js:
1831         * stress/argument-count-bytecode.js:
1832         * stress/argument-intrinsic-basic.js:
1833         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1834         * stress/argument-intrinsic-inlining-with-result-escape.js:
1835         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1836         * stress/argument-intrinsic-inlining-with-vararg.js:
1837         * stress/argument-intrinsic-nested-inlining.js:
1838         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1839         * stress/argument-intrinsic-with-stack-write.js:
1840         * stress/arity-mismatch-get-argument.js:
1841         * stress/array-message-passing.js:
1842         * stress/array-push-with-force-exit.js:
1843         * stress/check-dom-with-signature.js:
1844         * stress/check-sub-class.js:
1845         * stress/compare-eq-incomplete-profile.js:
1846         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1847         * stress/do-eval-virtual-call-correctly.js:
1848         * stress/dom-jit-with-poly-proto.js:
1849         * stress/domjit-exception-ic.js:
1850         * stress/domjit-exception.js:
1851         * stress/domjit-getter-complex-with-incorrect-object.js:
1852         * stress/domjit-getter-complex.js:
1853         * stress/domjit-getter-poly.js:
1854         * stress/domjit-getter-proto.js:
1855         * stress/domjit-getter-super-poly.js:
1856         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1857         * stress/domjit-getter-type-check.js:
1858         * stress/domjit-getter.js:
1859         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1860         * stress/for-in-proxy-target-changed-structure.js:
1861         * stress/for-in-proxy.js:
1862         * stress/generational-opaque-roots.js:
1863         * stress/global-const-redeclaration-setting-2.js:
1864         * stress/global-const-redeclaration-setting-3.js:
1865         * stress/global-const-redeclaration-setting-4.js:
1866         * stress/global-const-redeclaration-setting-5.js:
1867         * stress/global-const-redeclaration-setting.js:
1868         * stress/import-basic.js:
1869         * stress/import-from-eval.js:
1870         * stress/import-reject-with-exception.js:
1871         * stress/import-syntax.js:
1872         * stress/impure-get-own-property-slot-inline-cache.js:
1873         * stress/is-constructor.js:
1874         * stress/istypedarrayview-intrinsic.js:
1875         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1876         * stress/jsc-test-functions-should-be-more-robust.js:
1877         * stress/object-toString-with-proxy.js:
1878         * stress/poly-proto-custom-value-and-accessor.js:
1879         * stress/proxy-inline-cache.js:
1880         * stress/re-execute-error-module.js:
1881         * stress/regress-150532.js:
1882         * stress/regress-156992.js:
1883         * stress/regress-179619.js:
1884         * stress/resources/shadow-chicken-support.js:
1885         * stress/runtime-array.js:
1886         * stress/sampling-profiler-microtasks.js:
1887         * stress/shadow-chicken-enabled.js:
1888         * stress/spread-correct-global-object-on-exception.js:
1889         * stress/super-get-by-id.js:
1890         * stress/tailCallForwardArguments.js:
1891         * stress/to-object-intrinsic-boolean-edge.js:
1892         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1893         * stress/to-object-intrinsic-number-edge.js:
1894         * stress/to-object-intrinsic-object-edge.js:
1895         * stress/to-object-intrinsic-string-edge.js:
1896         * stress/to-object-intrinsic-symbol-edge.js:
1897         * stress/to-object-intrinsic.js:
1898         * stress/try-catch-custom-getter-as-get-by-id.js:
1899         * stress/try-get-by-id-poly-proto.js:
1900         * stress/try-get-by-id-should-spill-registers-dfg.js:
1901         * stress/try-get-by-id.js:
1902         * typeProfiler/arrow-functions.js:
1903         * typeProfiler/basic.js:
1904         * typeProfiler/captured.js:
1905         * typeProfiler/classes.js:
1906         * typeProfiler/dfg-jit-optimizations.js:
1907         * typeProfiler/dictionary-mode.js:
1908         * typeProfiler/es6-block-scoping.js:
1909         * typeProfiler/es6-classes.js:
1910         * typeProfiler/inheritance.js:
1911         * typeProfiler/int52-dfg.js:
1912         * typeProfiler/loop.js:
1913         * typeProfiler/optional-fields.js:
1914         * typeProfiler/overflow.js:
1915         * typeProfiler/return.js:
1916         * typeProfiler/symbol.js:
1917         * typeProfiler/weird-prototype-chain.js:
1918
1919 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1920
1921         [DFG][FTL] Support MapSet / SetAdd intrinsics
1922         https://bugs.webkit.org/show_bug.cgi?id=179858
1923
1924         Reviewed by Saam Barati.
1925
1926         * microbenchmarks/map-has-and-set.js: Added.
1927         (test):
1928         * stress/map-set-check-failure.js: Added.
1929         (shouldBe):
1930         (shouldThrow):
1931         (target):
1932         * stress/map-set-cse.js: Added.
1933         (shouldBe):
1934         (test):
1935         * stress/set-add-check-failure.js: Added.
1936         (shouldBe):
1937         (shouldThrow):
1938         (set shouldThrow):
1939         * stress/set-add-cse.js: Added.
1940         (shouldBe):
1941
1942 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1943
1944         [JSC] Allow poly proto for intrinsic getters
1945         https://bugs.webkit.org/show_bug.cgi?id=179550
1946
1947         Reviewed by Saam Barati.
1948
1949         This change is also tested by existing tests.
1950
1951             1. stress/intrinsic-getter-with-poly-proto.js
1952             2. stress/poly-proto-intrinsic-getter-correctness.js
1953
1954         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1955         (shouldBe):
1956         (makePolyProtoObject.foo.C):
1957         (makePolyProtoObject.foo):
1958         (makePolyProtoObject):
1959         (target):
1960         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1961         (shouldBe):
1962         (makePolyProtoObject.foo.C):
1963         (makePolyProtoObject.foo):
1964         (makePolyProtoObject):
1965         (target):
1966
1967 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1968
1969         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1970         https://bugs.webkit.org/show_bug.cgi?id=179744
1971
1972         Reviewed by Michael Catanzaro.
1973
1974         This test uses too much memory for our buildbots on these platforms
1975         and gets OOM-killed.
1976
1977         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1978         Skip if $memoryLimited and linux.
1979
1980 2017-11-17  JF Bastien  <jfbastien@apple.com>
1981
1982         WebAssembly JS API: throw when a promise can't be created
1983         https://bugs.webkit.org/show_bug.cgi?id=179826
1984         <rdar://problem/35455813>
1985
1986         Reviewed by Mark Lam.
1987
1988         Test WebAssembly.{compile,instantiate} where promise creation
1989         fails because of a stack overflow.
1990
1991         * wasm/js-api/promise-stack-overflow.js: Added.
1992         (const.runNearStackLimit.f.const.t):
1993         (async.testCompile):
1994         (async.testInstantiate):
1995
1996 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1997
1998         Unreviewed, mark regress-178385.js as memory exhausting
1999
2000         * stress/regress-178385.js:
2001
2002 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2003
2004         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2005
2006         Unreviewed test gardening.
2007
2008         * test262.yaml:
2009
2010 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2011
2012         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2013         https://bugs.webkit.org/show_bug.cgi?id=179763
2014         <rdar://problem/35550513>
2015
2016         Reviewed by Keith Miller.
2017
2018         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2019
2020         * stress/tdz-this-in-try-catch.js: Added.
2021         (__v_6388):
2022         (__v_6392):
2023
2024 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2025
2026         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2027         https://bugs.webkit.org/show_bug.cgi?id=179594
2028
2029         Reviewed by Saam Barati.
2030
2031         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2032         (shouldBe):
2033         (args):
2034         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2035         (shouldBe):
2036         (args):
2037
2038 2017-11-14  Saam Barati  <sbarati@apple.com>
2039
2040         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2041         https://bugs.webkit.org/show_bug.cgi?id=179639
2042         <rdar://problem/35513018>
2043
2044         Reviewed by JF Bastien.
2045
2046         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2047         (escape):
2048         (i.func):
2049
2050 2017-11-13  Mark Lam  <mark.lam@apple.com>
2051
2052         Add more overflow check book-keeping for MarkedArgumentBuffer.
2053         https://bugs.webkit.org/show_bug.cgi?id=179634
2054         <rdar://problem/35492517>
2055
2056         Reviewed by Saam Barati.
2057
2058         * stress/regress-179634.js: Added.
2059
2060 2017-11-13  Mark Lam  <mark.lam@apple.com>
2061
2062         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2063         https://bugs.webkit.org/show_bug.cgi?id=179619
2064         <rdar://problem/35492518>
2065
2066         Reviewed by Saam Barati.
2067
2068         * stress/regress-179619.js: Added.
2069
2070 2017-11-12  Mark Lam  <mark.lam@apple.com>
2071
2072         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2073         https://bugs.webkit.org/show_bug.cgi?id=179562
2074         <rdar://problem/35467022>
2075
2076         Reviewed by Saam Barati.
2077
2078         * regress-179562.js: Added.
2079
2080 2017-11-08  Saam Barati  <sbarati@apple.com>
2081
2082         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2083         https://bugs.webkit.org/show_bug.cgi?id=177792
2084
2085         Reviewed by Yusuke Suzuki.
2086
2087         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2088         (assert):
2089         (foo.Foo.prototype.ensureX):
2090         (foo.Foo):
2091         (foo):
2092         (access):
2093
2094 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2095
2096         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2097         https://bugs.webkit.org/show_bug.cgi?id=178592
2098
2099         Unreviewed test gardening.
2100
2101         * test262.yaml:
2102
2103 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2104
2105         Turn recursive tail calls into loops
2106         https://bugs.webkit.org/show_bug.cgi?id=176601
2107
2108         Reviewed by Saam Barati.
2109
2110         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2111
2112         Add some simple test that computes factorial in several ways, and other trivial computations.
2113         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2114         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2115         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2116         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2117
2118         * stress/inline-call-to-recursive-tail-call.js: Added.
2119         (factorial.aux):
2120         (factorial):
2121         (factorial2.aux2):
2122         (factorial2.id):
2123         (factorial2):
2124         (factorial3.aux3):
2125         (factorial3):
2126         (aux4):
2127         (factorial4):
2128         (foo):
2129         (auxBar):
2130         (bar):
2131         (test):
2132
2133 2017-11-07  Mark Lam  <mark.lam@apple.com>
2134
2135         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2136         https://bugs.webkit.org/show_bug.cgi?id=179355
2137         <rdar://problem/35263053>
2138
2139         Reviewed by Saam Barati.
2140
2141         * stress/regress-179355.js: Added.
2142
2143 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2144
2145         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2146         https://bugs.webkit.org/show_bug.cgi?id=144458
2147
2148         Reviewed by Saam Barati.
2149
2150         * microbenchmarks/dfg-internal-function-call.js: Added.
2151         (target):
2152         * microbenchmarks/dfg-internal-function-construct.js: Added.
2153         (target):
2154         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2155         (target):
2156         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2157         (target):
2158         * stress/dfg-internal-function-call.js: Added.
2159         (shouldBe):
2160         (target):
2161         * stress/dfg-internal-function-construct.js: Added.
2162         (shouldBe):
2163         (target):
2164         * stress/internal-function-call.js: Added.
2165         (shouldBe):
2166         * stress/internal-function-construct.js: Added.
2167         (shouldBe):
2168
2169 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2170
2171         [Win] Skip stress/regress-178385.js.
2172         https://bugs.webkit.org/show_bug.cgi?id=179298
2173
2174         Unreviewed test gardening.
2175
2176         * stress/regress-178385.js:
2177
2178 2017-11-03  Keith Miller  <keith_miller@apple.com>
2179
2180         Add test for ic with side effects
2181         https://bugs.webkit.org/show_bug.cgi?id=179268
2182
2183         Reviewed by Saam Barati.
2184
2185         * stress/put-inline-cache-side-effects.js: Added.
2186         (let.i.of.objs.keys):
2187         (f):
2188
2189 2017-11-03  Mark Lam  <mark.lam@apple.com>
2190
2191         CachedCall (and its clients) needs overflow checks.
2192         https://bugs.webkit.org/show_bug.cgi?id=179185
2193
2194         Reviewed by JF Bastien.
2195
2196         * stress/regress-179185.js: Added.
2197
2198 2017-11-02  Michael Saboff  <msaboff@apple.com>
2199
2200         DFG needs to handle code motion of code in for..in loop bodies
2201         https://bugs.webkit.org/show_bug.cgi?id=179212
2202
2203         Reviewed by Keith Miller.
2204
2205         New regression test.
2206
2207         * stress/for-in-side-effects.js: Added.
2208         (getPrototypeOf):
2209         (reset):
2210         (testWithoutFTL.f):
2211         (testWithoutFTL):
2212         (testWithFTL.f):
2213         (testWithFTL):
2214
2215 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2216
2217         AI does not correctly model the clobber case of ArithClz32
2218         https://bugs.webkit.org/show_bug.cgi?id=179188
2219
2220         Reviewed by Michael Saboff.
2221
2222         * stress/arith-clz32-effects.js: Added.
2223         (foo):
2224         (valueOf):
2225
2226 2017-11-01  Michael Saboff  <msaboff@apple.com>
2227
2228         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2229         https://bugs.webkit.org/show_bug.cgi?id=179140
2230
2231         Reviewed by Saam Barati.
2232
2233         New regression test.
2234
2235         * stress/regress-179140.js: Added.
2236         (testWithoutFTL):
2237         (testWithFTL):
2238
2239 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2240
2241         [JSC] Introduce @toObject
2242         https://bugs.webkit.org/show_bug.cgi?id=178726
2243
2244         Reviewed by Saam Barati.
2245
2246         * stress/array-copywithin.js:
2247         (shouldThrow):
2248         * stress/object-constructor-boolean-edge.js: Added.
2249         (shouldBe):
2250         (test):
2251         * stress/object-constructor-global.js: Added.
2252         (shouldBe):
2253         * stress/object-constructor-null-edge.js: Added.
2254         (shouldBe):
2255         (test):
2256         * stress/object-constructor-number-edge.js: Added.
2257         (shouldBe):
2258         (test):
2259         * stress/object-constructor-object-edge.js: Added.
2260         (shouldBe):
2261         (test):
2262         (i.arg):
2263         * stress/object-constructor-string-edge.js: Added.
2264         (shouldBe):
2265         (test):
2266         * stress/object-constructor-symbol-edge.js: Added.
2267         (shouldBe):
2268         (test):
2269         * stress/object-constructor-undefined-edge.js: Added.
2270         (shouldBe):
2271         (test):
2272         * stress/symbol-array-from.js: Added.
2273         (shouldBe):
2274         * stress/to-object-intrinsic-boolean-edge.js: Added.
2275         (shouldBe):
2276         (builtin.createBuiltin):
2277         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2278         (shouldThrow):
2279         * stress/to-object-intrinsic-number-edge.js: Added.
2280         (shouldBe):
2281         (builtin.createBuiltin):
2282         * stress/to-object-intrinsic-object-edge.js: Added.
2283         (shouldBe):
2284         (builtin.createBuiltin):
2285         (i.arg):
2286         * stress/to-object-intrinsic-string-edge.js: Added.
2287         (shouldBe):
2288         (builtin.createBuiltin):
2289         * stress/to-object-intrinsic-symbol-edge.js: Added.
2290         (shouldBe):
2291         (builtin.createBuiltin):
2292         * stress/to-object-intrinsic.js: Added.
2293         (shouldBe):
2294         (shouldThrow):
2295         (builtin.createBuiltin):
2296
2297 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2298
2299         [DFG][FTL] Introduce StringSlice
2300         https://bugs.webkit.org/show_bug.cgi?id=178934
2301
2302         Reviewed by Saam Barati.
2303
2304         * microbenchmarks/string-slice-empty.js: Added.
2305         (slice):
2306         * microbenchmarks/string-slice-one-char.js: Added.
2307         (slice):
2308         * microbenchmarks/string-slice.js: Added.
2309         (slice):
2310
2311 2017-10-26  Michael Saboff  <msaboff@apple.com>
2312
2313         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2314         https://bugs.webkit.org/show_bug.cgi?id=178890
2315
2316         Reviewed by Keith Miller.
2317
2318         New regression test.
2319
2320         * stress/regress-178890.js: Added.
2321
2322 2017-10-26  Mark Lam  <mark.lam@apple.com>
2323
2324         JSRopeString::RopeBuilder::append() should check for overflows.
2325         https://bugs.webkit.org/show_bug.cgi?id=178385
2326         <rdar://problem/35027468>
2327
2328         Reviewed by Saam Barati.
2329
2330         * stress/regress-178385.js: Added.
2331
2332 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2333
2334         Unreviewed, rolling out r223961.
2335
2336         The change that required this has been rolled out.
2337
2338         Reverted changeset:
2339
2340         "Mark test262.yaml/test262/test/language/statements/try/tco-
2341         catch.js as passing."
2342         https://bugs.webkit.org/show_bug.cgi?id=178592
2343         https://trac.webkit.org/changeset/223961
2344
2345 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2346
2347         Unreviewed, rolling out r223691 and r223729.
2348         https://bugs.webkit.org/show_bug.cgi?id=178834
2349
2350         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2351         by rniwa on #webkit).
2352
2353         Reverted changesets:
2354
2355         "Turn recursive tail calls into loops"
2356         https://bugs.webkit.org/show_bug.cgi?id=176601
2357         https://trac.webkit.org/changeset/223691
2358
2359         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2360         comparison is always false due to limited range of data type
2361         [-Wtype-limits]"
2362         https://bugs.webkit.org/show_bug.cgi?id=178543
2363         https://trac.webkit.org/changeset/223729
2364
2365 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2366
2367         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2368         https://bugs.webkit.org/show_bug.cgi?id=178592
2369
2370         Unreviewed test gardening.
2371
2372         * test262.yaml:
2373
2374 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2375
2376         [FTL] Support NewStringObject
2377         https://bugs.webkit.org/show_bug.cgi?id=178737
2378
2379         Reviewed by Saam Barati.
2380
2381         * stress/new-string-object.js: Added.
2382         (shouldBe):
2383         (test):
2384
2385 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2386
2387         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2388         https://bugs.webkit.org/show_bug.cgi?id=178308
2389
2390         Reviewed by Mark Lam.
2391
2392         * test262.yaml:
2393
2394 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2395
2396         [JSC] Use fastJoin in Array#toString
2397         https://bugs.webkit.org/show_bug.cgi?id=178062
2398
2399         Reviewed by Darin Adler.
2400
2401         * microbenchmarks/contiguous-array-to-string.js: Added.
2402         (target):
2403         * microbenchmarks/double-array-to-string.js: Added.
2404         (target):
2405         * microbenchmarks/int32-array-to-string.js: Added.
2406         (target):
2407
2408 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2409
2410         stress/check-string-ident.js is improperly skipped
2411         https://bugs.webkit.org/show_bug.cgi?id=178642
2412
2413         Reviewed by Saam Barati.
2414
2415         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2416         since it enforces the run-jsc-stress-tests script to still set up the
2417         test to run, despite the skip directive that's used before.
2418
2419 2017-10-20  Mark Lam  <mark.lam@apple.com>
2420
2421         Add a test case for r214334.
2422         https://bugs.webkit.org/show_bug.cgi?id=169941
2423         <rdar://problem/31221258>
2424
2425         Reviewed by JF Bastien.
2426
2427         * stress/regress-169941.js: Added.
2428
2429 2017-10-19  JF Bastien  <jfbastien@apple.com>
2430
2431         WebAssembly: no VM / JS version of everything but Instance
2432         https://bugs.webkit.org/show_bug.cgi?id=177473
2433
2434         Reviewed by Filip Pizlo, Saam Barati.
2435
2436         - Exceeding max on memory growth now returns a range error as per
2437         spec. This is a (very minor) breaking change: it used to throw OOM
2438         error. Update the corresponding test.
2439
2440         * wasm/js-api/memory-grow.js:
2441         (assertEq):
2442         * wasm/js-api/table.js:
2443         (assert.throws):
2444
2445 2017-10-19  Mark Lam  <mark.lam@apple.com>
2446
2447         Stringifier::appendStringifiedValue() is missing an exception check.
2448         https://bugs.webkit.org/show_bug.cgi?id=178386
2449         <rdar://problem/35027610>
2450
2451         Reviewed by Saam Barati.
2452
2453         * stress/regress-178386.js: Added.
2454
2455 2017-10-19  Michael Saboff  <msaboff@apple.com>
2456
2457         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2458         https://bugs.webkit.org/show_bug.cgi?id=178521
2459
2460         Reviewed by JF Bastien.
2461
2462         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2463         now passes with the current version (5.0) of the Emoji spec.
2464
2465 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2466
2467         Turn recursive tail calls into loops
2468         https://bugs.webkit.org/show_bug.cgi?id=176601
2469
2470         Reviewed by Saam Barati.
2471
2472         Add some simple test that computes factorial in several ways, and other trivial computations.
2473         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2474         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2475         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2476         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2477
2478         * stress/inline-call-to-recursive-tail-call.js: Added.
2479         (factorial.aux):
2480         (factorial):
2481         (factorial2.aux):
2482         (factorial2.id):
2483         (factorial2):
2484         (factorial3.aux):
2485         (factorial3):
2486         (aux):
2487         (factorial4):
2488         (test):
2489
2490 2017-10-18  Mark Lam  <mark.lam@apple.com>
2491
2492         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2493         https://bugs.webkit.org/show_bug.cgi?id=177600
2494         <rdar://problem/34710985>
2495
2496         Reviewed by Saam Barati.
2497
2498         * stress/regress-177600.js: Added.
2499
2500 2017-10-18  Mark Lam  <mark.lam@apple.com>
2501
2502         The compiler should always register a structure when it adds its transitionWatchPointSet.
2503         https://bugs.webkit.org/show_bug.cgi?id=178420
2504         <rdar://problem/34814024>
2505
2506         Reviewed by Saam Barati and Filip Pizlo.
2507
2508         * stress/regress-178420.js: Added.
2509         (new.Array.10000.map):
2510
2511 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2512
2513         [JSC] __proto__ getter should be fast
2514         https://bugs.webkit.org/show_bug.cgi?id=178067
2515
2516         Reviewed by Saam Barati.
2517
2518         * stress/dfg-object-proto-accessor.js: Added.
2519         (shouldBe):
2520         (shouldThrow):
2521         (target):
2522         * stress/dfg-object-proto-getter.js: Added.
2523         (shouldBe):
2524         (shouldThrow):
2525         (target):
2526         * stress/dfg-object-prototype-of.js: Added.
2527         (shouldBe):
2528         (shouldThrow):
2529         (target):
2530         * stress/dfg-reflect-get-prototype-of.js: Added.
2531         (shouldBe):
2532         (shouldThrow):
2533         (target):
2534         * stress/intrinsic-getter-with-poly-proto.js: Added.
2535         (shouldBe):
2536         (makePolyProtoObject.foo.C):
2537         (makePolyProtoObject.foo):
2538         (makePolyProtoObject):
2539         (target):
2540         * stress/object-get-prototype-of-filtered.js: Added.
2541         (shouldBe):
2542         (shouldThrow):
2543         (target):
2544         (i.Cocoa):
2545         * stress/object-get-prototype-of-mono-proto.js: Added.
2546         (shouldBe):
2547         (makePolyProtoObject.foo.C):
2548         (makePolyProtoObject.foo):
2549         (makePolyProtoObject):
2550         (target):
2551         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2552         (shouldBe):
2553         (makePolyProtoObject.foo.C):
2554         (makePolyProtoObject.foo):
2555         (makePolyProtoObject):
2556         (target):
2557         * stress/object-get-prototype-of-poly-proto.js: Added.
2558         (shouldBe):
2559         (makePolyProtoObject.foo.C):
2560         (makePolyProtoObject.foo):
2561         (makePolyProtoObject):
2562         (target):
2563         * stress/object-proto-getter-filtered.js: Added.
2564         (shouldBe):
2565         (shouldThrow):
2566         (target):
2567         (i.Cocoa):
2568         * stress/object-proto-getter-poly-mono-proto.js: Added.
2569         (shouldBe):
2570         (makePolyProtoObject.foo.C):
2571         (makePolyProtoObject.foo):
2572         (makePolyProtoObject):
2573         (target):
2574         * stress/object-proto-getter-poly-proto.js: Added.
2575         (shouldBe):
2576         (makePolyProtoObject.foo.C):
2577         (makePolyProtoObject.foo):
2578         (makePolyProtoObject):
2579         (target):
2580         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2581         * stress/string-proto.js: Added.
2582         (shouldBe):
2583         (target):
2584
2585 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2586
2587         Unreviewed, rolling out r223523.
2588
2589         A test for this change is failing on debug JSC bots.
2590
2591         Reverted changeset:
2592
2593         "[JSC] __proto__ getter should be fast"
2594         https://bugs.webkit.org/show_bug.cgi?id=178067
2595         https://trac.webkit.org/changeset/223523
2596
2597 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2598
2599         [JSC] __proto__ getter should be fast
2600         https://bugs.webkit.org/show_bug.cgi?id=178067
2601
2602         Reviewed by Saam Barati.
2603
2604         * stress/dfg-object-proto-accessor.js: Added.
2605         (shouldBe):
2606         (shouldThrow):
2607         (target):
2608         * stress/dfg-object-proto-getter.js: Added.
2609         (shouldBe):
2610         (shouldThrow):
2611         (target):
2612         * stress/dfg-object-prototype-of.js: Added.
2613         (shouldBe):
2614         (shouldThrow):
2615         (target):
2616         * stress/dfg-reflect-get-prototype-of.js: Added.
2617         (shouldBe):
2618         (shouldThrow):
2619         (target):
2620         * stress/object-get-prototype-of-filtered.js: Added.
2621         (shouldBe):
2622         (shouldThrow):
2623         (target):
2624         (i.Cocoa):
2625         * stress/object-get-prototype-of-mono-proto.js: Added.
2626         (shouldBe):
2627         (makePolyProtoObject.foo.C):
2628         (makePolyProtoObject.foo):
2629         (makePolyProtoObject):
2630         (target):
2631         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2632         (shouldBe):
2633         (makePolyProtoObject.foo.C):
2634         (makePolyProtoObject.foo):
2635         (makePolyProtoObject):
2636         (target):
2637         * stress/object-get-prototype-of-poly-proto.js: Added.
2638         (shouldBe):
2639         (makePolyProtoObject.foo.C):
2640         (makePolyProtoObject.foo):
2641         (makePolyProtoObject):
2642         (target):
2643         * stress/object-proto-getter-filtered.js: Added.
2644         (shouldBe):
2645         (shouldThrow):
2646         (target):
2647         (i.Cocoa):
2648         * stress/object-proto-getter-poly-mono-proto.js: Added.
2649         (shouldBe):
2650         (makePolyProtoObject.foo.C):
2651         (makePolyProtoObject.foo):
2652         (makePolyProtoObject):
2653         (target):
2654         * stress/object-proto-getter-poly-proto.js: Added.
2655         (shouldBe):
2656         (makePolyProtoObject.foo.C):
2657         (makePolyProtoObject.foo):
2658         (makePolyProtoObject):
2659         (target):
2660         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2661         * stress/string-proto.js: Added.
2662         (shouldBe):
2663         (target):
2664
2665 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2666
2667         Reland "Add Above/Below comparisons for UInt32 patterns"
2668         https://bugs.webkit.org/show_bug.cgi?id=177281
2669
2670         Reviewed by Saam Barati.
2671
2672         * stress/uint32-comparison-jump.js: Added.
2673         (shouldBe):
2674         (above):
2675         (aboveOrEqual):
2676         (below):
2677         (belowOrEqual):
2678         (notAbove):
2679         (notAboveOrEqual):
2680         (notBelow):
2681         (notBelowOrEqual):
2682         * stress/uint32-comparison.js: Added.
2683         (shouldBe):
2684         (above):
2685         (aboveOrEqual):
2686         (below):
2687         (belowOrEqual):
2688         (aboveTest):
2689         (aboveOrEqualTest):
2690         (belowTest):
2691         (belowOrEqualTest):
2692
2693 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2694
2695         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2696         https://bugs.webkit.org/show_bug.cgi?id=178210
2697
2698         Reviewed by Saam Barati.
2699
2700         * wasm/function-tests/trap-from-start-async.js:
2701         (async.StartTrapsAsync):
2702         * wasm/function-tests/trap-from-start.js:
2703         (StartTraps):
2704         * wasm/js-api/web-assembly-function.js:
2705         (assert.eq.Object.getPrototypeOf):
2706         * wasm/js-api/wrapper-function.js:
2707         (return.new.WebAssembly.Module):
2708         (assert.throws.makeInstance): Deleted.
2709         (assert.throws.Bar): Deleted.
2710         (assert.throws): Deleted.
2711
2712 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2713
2714         Enable gigacage on iOS
2715         https://bugs.webkit.org/show_bug.cgi?id=177586
2716
2717         Reviewed by JF Bastien.
2718         
2719         Add tests for when Gigacage gets runtime disabled.
2720
2721         * stress/disable-gigacage-arrays.js: Added.
2722         (foo):
2723         * stress/disable-gigacage-strings.js: Added.
2724         (foo):
2725         * stress/disable-gigacage-typed-arrays.js: Added.
2726         (foo):
2727
2728 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2729
2730         import.meta should not be assignable
2731         https://bugs.webkit.org/show_bug.cgi?id=178202
2732
2733         Reviewed by Saam Barati.
2734
2735         * modules/import-meta-assignment.js: Added.
2736         (shouldThrow):
2737         (SyntaxError.import.meta.can.shouldThrow):
2738
2739 2017-10-11  Saam Barati  <sbarati@apple.com>
2740
2741         Unreviewed. Actually skip certain type profiler tests in debug.
2742
2743         * typeProfiler.yaml:
2744         * typeProfiler/deltablue-for-of.js:
2745         * typeProfiler/getter-richards.js:
2746
2747 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2748
2749         Unreviewed, rolling out r223113 and r223121.
2750         https://bugs.webkit.org/show_bug.cgi?id=178182
2751
2752         Reintroduced 20% regression on Kraken (Requested by rniwa on
2753         #webkit).
2754
2755         Reverted changesets:
2756
2757         "Enable gigacage on iOS"
2758         https://bugs.webkit.org/show_bug.cgi?id=177586
2759         https://trac.webkit.org/changeset/223113
2760
2761         "Use one virtual allocation for all gigacages and their
2762         runways"
2763         https://bugs.webkit.org/show_bug.cgi?id=178050
2764         https://trac.webkit.org/changeset/223121
2765
2766 2017-10-11  Michael Saboff  <msaboff@apple.com>
2767
2768         Disable test262 named capture group tests with direct unicode names and with references before definitions
2769         https://bugs.webkit.org/show_bug.cgi?id=178177
2770
2771         Reviewed by Keith Miller.
2772
2773         Bugs to track fixing these test are:
2774         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2775             "Add support in named capture group identifiers for direct surrogate pairs"
2776         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2777             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2778
2779         * test262.yaml:
2780
2781 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2782
2783         Object properties are undefined in super.call() but not in this.call()
2784         https://bugs.webkit.org/show_bug.cgi?id=177230
2785
2786         Reviewed by Saam Barati.
2787
2788         * stress/super-call-function-subclass.js: Added.
2789         (assert):
2790         (A.prototype.t):
2791         (A):
2792         * stress/super-dot-call-and-apply.js: Added.
2793         (assert):
2794         (A):
2795         (A.prototype.call):
2796         (A.prototype.apply):
2797         (B.prototype.testSuper):
2798         (B):
2799         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2800         (D.prototype.testSuper):
2801         (D):
2802
2803 2017-10-10  Saam Barati  <sbarati@apple.com>
2804
2805         The prototype cache should be aware of the Executable it generates a Structure for
2806         https://bugs.webkit.org/show_bug.cgi?id=177907
2807
2808         Reviewed by Filip Pizlo.
2809
2810         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2811         (assert):
2812         (foo.C):
2813         (foo):
2814         (bar.C):
2815         (bar):
2816         (access):
2817         (makeLongChain):
2818         (accessY):
2819
2820 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2821
2822         `async` should be able to be used as an imported binding name
2823         https://bugs.webkit.org/show_bug.cgi?id=176573
2824
2825         Reviewed by Saam Barati.
2826
2827         * modules/import-default-async.js: Added.
2828         * modules/import-named-async-as.js: Added.
2829         * modules/import-named-async.js: Added.
2830         * modules/import-named-async/target.js: Added.
2831         * modules/import-namespace-async.js: Added.
2832         * test262.yaml:
2833
2834 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2835
2836         Enable gigacage on iOS
2837         https://bugs.webkit.org/show_bug.cgi?id=177586
2838
2839         Reviewed by JF Bastien.
2840         
2841         Add tests for when Gigacage gets runtime disabled.
2842
2843         * stress/disable-gigacage-arrays.js: Added.
2844         (foo):
2845         * stress/disable-gigacage-strings.js: Added.
2846         (foo):
2847         * stress/disable-gigacage-typed-arrays.js: Added.
2848         (foo):
2849
2850 2017-10-09  Michael Saboff  <msaboff@apple.com>
2851
2852         Implement RegExp Unicode property escapes
2853         https://bugs.webkit.org/show_bug.cgi?id=172069
2854
2855         Reviewed by JF Bastien.
2856
2857         Enabled Unicode Property tests.
2858
2859         * test262.yaml:
2860
2861 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2862
2863         Unreviewed, rolling out r223015 and r223025.
2864         https://bugs.webkit.org/show_bug.cgi?id=178093
2865
2866         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2867         #webkit).
2868
2869         Reverted changesets:
2870
2871         "Enable gigacage on iOS"
2872         https://bugs.webkit.org/show_bug.cgi?id=177586
2873         http://trac.webkit.org/changeset/223015
2874
2875         "Unreviewed, disable Gigacage on ARM64 Linux"
2876         https://bugs.webkit.org/show_bug.cgi?id=177586
2877         http://trac.webkit.org/changeset/223025
2878
2879 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2880
2881         Update expectations for test262 tests that pass after r223043.
2882         https://bugs.webkit.org/show_bug.cgi?id=176685
2883
2884         Unreviewed test gardening.
2885
2886         * test262.yaml:
2887
2888 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2889
2890         Unreviewed, rolling out r223022.
2891
2892         This change introduced 18 test262 failures.
2893
2894         Reverted changeset:
2895
2896         "`async` should be able to be used as an imported binding
2897         name"
2898         https://bugs.webkit.org/show_bug.cgi?id=176573
2899         http://trac.webkit.org/changeset/223022
2900
2901 2017-10-09  Saam Barati  <sbarati@apple.com>
2902
2903         3 poly-proto JSC tests timing out on debug after r222827
2904         https://bugs.webkit.org/show_bug.cgi?id=177880
2905         <rdar://problem/34817122>
2906
2907         Unreviewed.
2908
2909         I'm skipping these type profiler tests on debug since they are long running.
2910
2911         * typeProfiler/deltablue-for-of.js:
2912         * typeProfiler/getter-richards.js:
2913
2914 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2915
2916         Safari 10 /11 problem with if (!await get(something)).
2917         https://bugs.webkit.org/show_bug.cgi?id=176685
2918
2919         Reviewed by Saam Barati.
2920
2921         * stress/async-await-basic.js:
2922         (awaitEpression.async):
2923         * stress/async-await-syntax.js:
2924         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2925         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2926
2927 2017-10-08  Saam Barati  <sbarati@apple.com>
2928
2929         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2930
2931         * typeProfiler/deltablue-for-of.js:
2932         * typeProfiler/getter-richards.js:
2933
2934 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2935
2936         `async` should be able to be used as an imported binding name
2937         https://bugs.webkit.org/show_bug.cgi?id=176573
2938
2939         Reviewed by Darin Adler.
2940
2941         * modules/import-default-async.js: Added.
2942         * modules/import-named-async-as.js: Added.
2943         * modules/import-named-async.js: Added.
2944         * modules/import-named-async/target.js: Added.
2945         * modules/import-namespace-async.js: Added.
2946
2947 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2948
2949         Enable gigacage on iOS
2950         https://bugs.webkit.org/show_bug.cgi?id=177586
2951
2952         Reviewed by JF Bastien.
2953         
2954         Add tests for when Gigacage gets runtime disabled.
2955
2956         * stress/disable-gigacage-arrays.js: Added.
2957         (foo):
2958         * stress/disable-gigacage-strings.js: Added.
2959         (foo):
2960         * stress/disable-gigacage-typed-arrays.js: Added.
2961         (foo):
2962
2963 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2964
2965         Unreviewed, rolling out r222791 and r222873.
2966         https://bugs.webkit.org/show_bug.cgi?id=178031
2967
2968         Caused crashes with workers/wasm LayoutTests (Requested by
2969         ryanhaddad on #webkit).
2970
2971         Reverted changesets:
2972
2973         "WebAssembly: no VM / JS version of everything but Instance"
2974         https://bugs.webkit.org/show_bug.cgi?id=177473
2975         http://trac.webkit.org/changeset/222791
2976
2977         "WebAssembly: address no VM / JS follow-ups"
2978         https://bugs.webkit.org/show_bug.cgi?id=177887
2979         http://trac.webkit.org/changeset/222873
2980
2981 2017-10-05  Saam Barati  <sbarati@apple.com>
2982
2983         Make sure all prototypes under poly proto get added into the VM's prototype map
2984         https://bugs.webkit.org/show_bug.cgi?id=177909
2985
2986         Reviewed by Keith Miller.
2987
2988         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2989         (assert):
2990         (foo.C):
2991         (foo):
2992         (set x):
2993
2994 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2995
2996         [JSC] Introduce import.meta
2997         https://bugs.webkit.org/show_bug.cgi?id=177703
2998
2999         Reviewed by Filip Pizlo.
3000
3001         * modules/import-meta-syntax.js: Added.
3002         (shouldThrow):
3003         (shouldNotThrow):
3004         * modules/import-meta.js: Added.
3005         * modules/import-meta/cocoa.js: Added.
3006         * modules/resources/assert.js:
3007         (export.shouldNotThrow):
3008         * stress/import-syntax.js:
3009
3010 2017-10-04  Saam Barati  <sbarati@apple.com>
3011
3012         Make pertinent AccessCases watch the poly proto watchpoint
3013         https://bugs.webkit.org/show_bug.cgi?id=177765
3014
3015         Reviewed by Keith Miller.
3016
3017         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3018         (assert):
3019         (foo.C):
3020         (foo):
3021         (validate):
3022         * stress/poly-proto-clear-stub.js: Added.
3023         (assert):
3024         (foo.C):
3025         (foo):
3026
3027 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3028
3029         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3030
3031         Unreviewed test gardening.
3032
3033         * test262.yaml:
3034
3035 2017-10-04  Saam Barati  <sbarati@apple.com>
3036
3037         3 poly-proto JSC tests timing out on debug after r222827
3038         https://bugs.webkit.org/show_bug.cgi?id=177880
3039
3040         Rubber stamped by Mark Lam.
3041
3042         * microbenchmarks/poly-proto-access.js:
3043         * typeProfiler/deltablue-for-of.js:
3044         * typeProfiler/getter-richards.js:
3045
3046 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3047
3048         Unreviewed, marking tco-catch.js as a failure after test262 update
3049         https://bugs.webkit.org/show_bug.cgi?id=177859
3050
3051         * test262.yaml:
3052
3053 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3054
3055         Unreviewed, marking one async iterator test262 test failed
3056         https://bugs.webkit.org/show_bug.cgi?id=177859
3057
3058         * test262.yaml:
3059
3060 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3061
3062         [Test262] Update Test262 to Oct 4 version
3063         https://bugs.webkit.org/show_bug.cgi?id=177859
3064
3065         Reviewed by Sam Weinig.
3066
3067         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3068         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3069
3070         * test262.yaml:
3071         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3072         (checkSequence):
3073         * test262/harness/typeCoercion.js:
3074         (testCoercibleToIndexZero):
3075         (testCoercibleToIndexOne):
3076         (testCoercibleToIndexFromIndex):
3077         (testNotCoercibleToIndex.testPrimitiveValue):
3078         (testNotCoercibleToInteger):
3079         (testCoercibleToBigIntZero.testPrimitiveValue):
3080         (testCoercibleToBigIntZero):
3081         (testCoercibleToBigIntOne.testPrimitiveValue):
3082         (testCoercibleToBigIntOne):
3083         (testPrimitiveValue):
3084         (testCoercibleToBigIntFromBigInt):
3085         (testNotCoercibleToBigInt.testPrimitiveValue):
3086         (testNotCoercibleToBigInt.testStringValue):
3087         (testNotCoercibleToBigInt):
3088         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3089         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3090         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3091         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3092         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3093         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3094         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3095         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3096         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3097         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3098         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3099         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3100         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3101         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3102         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3103         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3104         (testCoercibleToBigIntZero):
3105         (testCoercibleToBigIntOne):
3106         (testNotCoercibleToBigInt):
3107         (MyError): Deleted.
3108         (valueOf): Deleted.
3109         (toString): Deleted.
3110         (Symbol.toPrimitive): Deleted.
3111         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3112         (testCoercibleToIndexZero):
3113         (testCoercibleToIndexOne):
3114         (testNotCoercibleToIndex):
3115         (MyError): Deleted.
3116         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3117         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3118         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3119         (BigInt.asIntN.valueOf): Deleted.
3120         (BigInt.asIntN.toString): Deleted.
3121         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3122         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3123         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3124         (testCoercibleToBigIntZero):
3125         (testCoercibleToBigIntOne):
3126         (testNotCoercibleToBigInt):
3127         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3128         (testCoercibleToIndexZero):
3129         (testCoercibleToIndexOne):
3130         (testNotCoercibleToIndex):
3131         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3132         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3133         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3134         (bits.valueOf):
3135         (bigint.valueOf):
3136         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3137         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3138         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3139         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3140         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3141         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3142         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3143         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3144         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3145         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3146         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3147         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3148         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3149         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3150         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3151         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3152         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3153         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3154         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3155         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3156         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3157         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3158         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3159         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3160         (replacer):
3161         (BigInt.prototype.toJSON):
3162         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3163         (replacer):
3164         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3165         (BigInt.prototype.toJSON):
3166         * test262/test/built-ins/JSON/stringify/bigint.js:
3167         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3168         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3169         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3170         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3171         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3172         * test262/test/built-ins/Object/proto-from-ctor.js:
3173         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3174         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3175         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3176         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3177         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3178         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3179         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3180         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3181         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3182         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3183         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3184         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3185         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3186         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3187         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3188         * test262/test/built-ins/Proxy/get-fn-realm.js:
3189         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3190         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3191         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3192         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3193         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3194         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3195         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3196         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3197         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3198         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3199         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3200         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3201         (i6.replace):
3202         (i6b.replace):
3203         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3204         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3205         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3206         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3207         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3208         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3209         * test262/test/built-ins/RegExp/u180e.js: Added.
3210         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3211         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3212         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3213         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3214         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3215         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3216         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3217         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3218         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3219         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3220         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3221         * test262/test/built-ins/String/prototype/endsWith/length.js:
3222         * test262/test/built-ins/String/prototype/endsWith/name.js:
3223         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3224         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3225         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3226         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3227         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3228         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3229         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3230         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3231         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3232         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3233         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3234         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3235         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3236         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3237         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3238         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3239         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3240         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3241         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3242         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3243         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3244         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3245         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3246         * test262/test/built-ins/String/prototype/includes/includes.js:
3247         * test262/test/built-ins/String/prototype/includes/length.js:
3248         * test262/test/built-ins/String/prototype/includes/name.js:
3249         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3250         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3251         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3252         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3253         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3254         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3255         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3256         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3257         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3258         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3259         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3260         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3261         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3262         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3263         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3264         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3265         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3266         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3267         * test262/test/built-ins/String/prototype/trim/u180e.js:
3268         * test262/test/built-ins/Symbol/for/cross-realm.js:
3269         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3270         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3271         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3272         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3273         * test262/test/built-ins/Symbol/match/cross-realm.js:
3274         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3275         * test262/test/built-ins/Symbol/search/cross-realm.js:
3276         * test262/test/built-ins/Symbol/species/cross-realm.js:
3277         * test262/test/built-ins/Symbol/split/cross-realm.js:
3278         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3279         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3280         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3281         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3282         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3283         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3284         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3285         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3286         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3287         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3288         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3289         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3290         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3291         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3292         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3293         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3294         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3295         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3296         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3297         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3298         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3299         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3300         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3301         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3302         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3303         * test262/test/language/eval-code/indirect/realm.js:
3304         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3305         (o.get z):
3306         (o.get a):
3307         * test262/test/language/expressions/call/eval-realm-indirect.js:
3308         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3309         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3310         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3311         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3312         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3313         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3314         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3315         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3316         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3317         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3318         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3319         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3320         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3321         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3322         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3323         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3324         * test262/test/language/expressions/less-than/bigint-and-number.js:
3325         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3326         * test262/test/language/expressions/super/realm.js:
3327         * test262/test/language/expressions/tagged-template/cache-realm.js:
3328         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3329         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3330         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3331         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3332         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3333         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3334         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3335         (o.get z):
3336         (o.get a):
3337         * test262/test/language/statements/for-of/iterator-next-reference.js:
3338         (next):
3339         (iterator.next): Deleted.
3340         (x.of.iterable.): Deleted.
3341         (x.of.iterable.get return): Deleted.
3342         (x.of.iterable.iterator.next): Deleted.
3343         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3344         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3345         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3346         * test262/test/language/white-space/mongolian-vowel-separator.js:
3347         * test262/test262-Revision.txt:
3348
3349 2017-10-03  Saam Barati  <sbarati@apple.com>
3350
3351         Implement polymorphic prototypes
3352         https://bugs.webkit.org/show_bug.cgi?id=176391
3353
3354         Reviewed by Filip Pizlo.
3355
3356         * microbenchmarks/poly-proto-access.js: Added.
3357         (assert):
3358         (foo.C):
3359         (foo.C.prototype.get bar):
3360         (foo):
3361         (bar):
3362         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3363         (assert):
3364         (makePolyProtoObject.foo.C):
3365         (makePolyProtoObject.foo):
3366         (makePolyProtoObject):
3367         (performSet):
3368         * microbenchmarks/poly-proto-setter-speed.js: Added.
3369         (assert):
3370         (makePolyProtoObject.foo.C):
3371         (makePolyProtoObject.foo.C.prototype.set p):
3372         (makePolyProtoObject.foo):
3373         (makePolyProtoObject):
3374         (performSet):
3375         * stress/constructor-with-return.js:
3376         (i.tests.forEach.Constructor):
3377         (i.tests.forEach):
3378         (tests.forEach.Constructor): Deleted.
3379         (tests.forEach): Deleted.
3380         * stress/dom-jit-with-poly-proto.js: Added.
3381         (assert):
3382         (makePolyProtoObject.foo.C):
3383         (makePolyProtoObject.foo):
3384         (makePolyProtoObject):
3385         (validate):
3386         * stress/poly-proto-custom-value-and-accessor.js: Added.
3387         (assert):
3388         (makePolyProtoObject.foo.C):
3389         (makePolyProtoObject.foo):
3390         (makePolyProtoObject):
3391         (items.forEach):
3392         (set get for):
3393         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3394         (assert):
3395         (makePolyProtoObject.foo.C):
3396         (makePolyProtoObject.foo):
3397         (makePolyProtoObject):
3398         (foo):
3399         * stress/poly-proto-miss.js: Added.
3400         (makePolyProtoInstanceWithNullPrototype.foo.C):
3401         (makePolyProtoInstanceWithNullPrototype.foo):
3402         (makePolyProtoInstanceWithNullPrototype):
3403         (assert):
3404         (validate):
3405         * stress/poly-proto-op-in-caching.js: Added.
3406         (assert):
3407         (makePolyProtoObject.foo.C):
3408         (makePolyProtoObject.foo):
3409         (makePolyProtoObject):
3410         (validate):
3411         (validate2):
3412         * stress/poly-proto-put-transition.js: Added.
3413         (assert):
3414         (makePolyProtoObject.foo.C):
3415         (makePolyProtoObject.foo):
3416         (makePolyProtoObject):
3417         (performSet):
3418         (i.obj.__proto__.set p):
3419         * stress/poly-proto-set-prototype.js: Added.
3420         (assert):
3421         (let.alternateProto.get x):
3422         (let.alternateProto2.get y):
3423         (let.alternateProto2.get x):
3424         (foo.C):
3425         (foo):
3426         (validate):
3427         * stress/poly-proto-setter.js: Added.
3428         (assert):
3429         (makePolyProtoObject.foo.C):
3430         (makePolyProtoObject.foo.C.prototype.set p):
3431         (makePolyProtoObject.foo.C.prototype.get p):
3432         (makePolyProtoObject.foo):
3433         (makePolyProtoObject):
3434         (performSet):
3435         * stress/poly-proto-using-inheritance.js: Added.
3436         (assert):
3437         (foo.C):
3438         (foo.C.prototype.get baz):
3439         (foo):
3440         (bar.C):
3441         (bar):
3442         (validate):
3443         * stress/primitive-poly-proto.js: Added.
3444         (makePolyProtoInstance.foo.C):
3445         (makePolyProtoInstance.foo):
3446         (makePolyProtoInstance):
3447         (assert):
3448         (validate):
3449         * stress/prototype-is-not-js-object.js: Added.
3450         (foo.bar):
3451         (foo):
3452         (assert):
3453         (validate):
3454         * stress/try-get-by-id-poly-proto.js: Added.
3455         (assert):
3456         (makePolyProtoObject.foo.C):
3457         (makePolyProtoObject.foo):
3458         (makePolyProtoObject):
3459         (tryGetByIdText):
3460         (x.__proto__.get bar):
3461         (validate):
3462         * typeProfiler/overflow.js:
3463
3464 2017-10-03  JF Bastien  <jfbastien@apple.com>
3465
3466         WebAssembly: no VM / JS version of everything but Instance
3467         https://bugs.webkit.org/show_bug.cgi?id=177473
3468
3469         Reviewed by Filip Pizlo.
3470
3471         - Exceeding max on memory growth now returns a range error as per
3472         spec. This is a (very minor) breaking change: it used to throw OOM
3473         error. Update the corresponding test.
3474
3475         * wasm/js-api/memory-grow.js:
3476         (assertEq):
3477         * wasm/js-api/table.js:
3478         (assert.throws):
3479
3480 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3481
3482         Skip JSC test stress/regress-159779-2.js on debug.
3483         https://bugs.webkit.org/show_bug.cgi?id=177204
3484
3485         Unreviewed test gardening.
3486
3487         * stress/regress-159779-2.js:
3488
3489 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3490
3491         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3492         https://bugs.webkit.org/show_bug.cgi?id=175642
3493
3494         Reviewed by Darin Adler.
3495
3496         * ChakraCore/test/Function/apply3.baseline-jsc:
3497
3498 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3499
3500         Unreviewed, rolling out r222564.
3501         https://bugs.webkit.org/show_bug.cgi?id=177720
3502
3503         "It regressed JetStream by 2% on iOS caused by a 50%
3504         regression on the bigfib subtest" (Requested by saamyjoon on
3505         #webkit).
3506
3507         Reverted changeset:
3508
3509         "Add Above/Below comparisons for UInt32 patterns"
3510         https://bugs.webkit.org/show_bug.cgi?id=177281
3511         http://trac.webkit.org/changeset/222564
3512
3513 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3514
3515         [DFG] Support ArrayPush with multiple args
3516         https://bugs.webkit.org/show_bug.cgi?id=175823
3517
3518         Reviewed by Saam Barati.
3519
3520         * microbenchmarks/array-push-0.js: Added.
3521         (arrayPush0):
3522         * microbenchmarks/array-push-1.js: Added.
3523         (arrayPush1):
3524         * microbenchmarks/array-push-2.js: Added.
3525         (arrayPush2):
3526         * microbenchmarks/array-push-3.js: Added.
3527         (arrayPush3):
3528         * stress/array-push-multiple-contiguous.js: Added.
3529         (shouldBe):
3530         (test):
3531         * stress/array-push-multiple-double-nan.js: Added.
3532         (shouldBe):
3533         (test):
3534         * stress/array-push-multiple-double.js: Added.
3535         (shouldBe):
3536         (test):
3537         * stress/array-push-multiple-int32.js: Added.
3538         (shouldBe):
3539         (test):
3540         * stress/array-push-multiple-many-contiguous.js: Added.
3541         (shouldBe):
3542         (test):
3543         * stress/array-push-multiple-many-double.js: Added.
3544         (shouldBe):
3545         (test):
3546         * stress/array-push-multiple-many-int32.js: Added.
3547         (shouldBe):
3548         (test):
3549         * stress/array-push-multiple-many-storage.js: Added.
3550         (shouldBe):
3551         (test):
3552         * stress/array-push-multiple-storage.js: Added.
3553         (shouldBe):
3554         (test):
3555         * stress/array-push-with-force-exit.js: Added.
3556         (target.createBuiltin):
3557
3558 2017-09-29  Saam Barati  <sbarati@apple.com>
3559
3560         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3561         https://bugs.webkit.org/show_bug.cgi?id=177639
3562
3563         Reviewed by Geoffrey Garen.
3564
3565         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3566         (assert):
3567         (Class):
3568         (items.forEach):
3569         (set get for):
3570
3571 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3572
3573         Unreviewed, rolling out r222563, r222565, and r222581.
3574         https://bugs.webkit.org/show_bug.cgi?id=177675
3575
3576         "It causes a crash when playing youtube videos" (Requested by
3577         saamyjoon on #webkit).
3578
3579         Reverted changesets:
3580
3581         "[DFG] Support ArrayPush with multiple args"
3582         https://bugs.webkit.org/show_bug.cgi?id=175823
3583         http://trac.webkit.org/changeset/222563
3584
3585         "Unreviewed, build fix after r222563"
3586         https://bugs.webkit.org/show_bug.cgi?id=175823
3587         http://trac.webkit.org/changeset/222565
3588
3589         "Unreviewed, fix x86 breaking due to exhausted registers"
3590         https://bugs.webkit.org/show_bug.cgi?id=175823
3591         http://trac.webkit.org/changeset/222581
3592
3593 2017-09-28  Mark Lam  <mark.lam@apple.com>
3594
3595         test262: Unexpected passes after r222617 and r222618.
3596         https://bugs.webkit.org/show_bug.cgi?id=177622
3597         <rdar://problem/34725960>
3598
3599         Reviewed by Saam Barati.
3600
3601         Update test262.yaml for tests that are now passing.
3602
3603         * test262.yaml:
3604
3605 2017-09-27  Michael Saboff  <msaboff@apple.com>
3606
3607         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3608         https://bugs.webkit.org/show_bug.cgi?id=177570
3609
3610         Reviewed by Filip Pizlo.
3611
3612         New regression test.
3613
3614         * stress/regress-177570.js: Added.
3615
3616 2017-09-28  Michael Saboff  <msaboff@apple.com>
3617
3618         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3619         https://bugs.webkit.org/show_bug.cgi?id=177423
3620
3621         Reviewed by Mark Lam.
3622
3623         Updated regression test.
3624
3625         * stress/regress-177423.js:
3626         (catch):
3627
3628 2017-09-27  Mark Lam  <mark.lam@apple.com>
3629
3630         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3631         https://bugs.webkit.org/show_bug.cgi?id=177584
3632         <rdar://problem/34463903>
3633
3634         Reviewed by Saam Barati.
3635
3636         * stress/regress-177584.js: Added.
3637         (assertEqual):
3638         (Array.prototype.Symbol.species):
3639
3640 2017-09-27  Saam Barati  <sbarati@apple.com>
3641
3642         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3643         https://bugs.webkit.org/show_bug.cgi?id=177523
3644
3645         Reviewed by Mark Lam.
3646
3647         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3648         (assert):
3649         (Test):
3650         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3651         (addMethods):
3652         (i.Test.prototype.propName):
3653
3654 2017-09-27  Mark Lam  <mark.lam@apple.com>
3655
3656         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3657         https://bugs.webkit.org/show_bug.cgi?id=177423
3658         <rdar://problem/34621320>
3659
3660         Reviewed by Keith Miller.
3661
3662         * stress/regress-177423.js: Added.
3663
3664 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3665
3666         Add Above/Below comparisons for UInt32 patterns
3667         https://bugs.webkit.org/show_bug.cgi?id=177281
3668
3669         Reviewed by Saam Barati.
3670
3671         * stress/uint32-comparison-jump.js: Added.
3672         (shouldBe):
3673         (above):
3674         (aboveOrEqual):
3675         (below):
3676         (belowOrEqual):
3677         (notAbove):
3678         (notAboveOrEqual):
3679         (notBelow):
3680         (notBelowOrEqual):
3681         * stress/uint32-comparison.js: Added.
3682         (shouldBe):
3683         (above):
3684         (aboveOrEqual):
3685         (below):
3686         (belowOrEqual):
3687         (aboveTest):
3688         (aboveOrEqualTest):
3689         (belowTest):
3690         (belowOrEqualTest):
3691
3692 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3693
3694         [DFG] Support ArrayPush with multiple args
3695         https://bugs.webkit.org/show_bug.cgi?id=175823
3696
3697         Reviewed by Saam Barati.
3698
3699         * microbenchmarks/array-push-0.js: Added.
3700         (arrayPush0):
3701         * microbenchmarks/array-push-1.js: Added.
3702         (arrayPush1):
3703         * microbenchmarks/array-push-2.js: Added.
3704         (arrayPush2):
3705         * microbenchmarks/array-push-3.js: Added.
3706         (arrayPush3):
3707         * stress/array-push-multiple-contiguous.js: Added.
3708         (shouldBe):
3709         (test):
3710         * stress/array-push-multiple-double-nan.js: Added.
3711         (shouldBe):
3712         (test):
3713         * stress/array-push-multiple-double.js: Added.
3714         (shouldBe):
3715         (test):
3716         * stress/array-push-multiple-int32.js: Added.
3717         (shouldBe):
3718         (test):
3719         * stress/array-push-multiple-many-contiguous.js: Added.
3720         (shouldBe):
3721         (test):
3722         * stress/array-push-multiple-many-double.js: Added.
3723         (shouldBe):
3724         (test):