jsc shell's flashHeapAccess() should not do JS work after releasing access to the...
[WebKit-https.git] / JSTests / ChangeLog
1 2017-11-30  Mark Lam  <mark.lam@apple.com>
2
3         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
4         https://bugs.webkit.org/show_bug.cgi?id=180219
5         <rdar://problem/35696536>
6
7         Reviewed by Filip Pizlo.
8
9         * stress/regress-180219.js: Added.
10
11 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
12
13         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
14         https://bugs.webkit.org/show_bug.cgi?id=180190
15
16         Reviewed by Mark Lam.
17
18         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
19         (shouldBe):
20         (test1):
21         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
22         (shouldBe):
23         (test1):
24         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
25         (shouldBe):
26         (test1):
27         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
28         (shouldBe):
29         (test1):
30         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
31         (shouldBe):
32         (test1):
33         * stress/operation-in-may-have-negative-int32.js: Added.
34         (shouldBe):
35         (test2):
36         * stress/operation-in-negative-int32-cast.js: Added.
37         (shouldBe):
38         (test1):
39
40 2017-11-28  JF Bastien  <jfbastien@apple.com>
41
42         Strict and sloppy functions shouldn't share structure
43         https://bugs.webkit.org/show_bug.cgi?id=180103
44         <rdar://problem/35667847>
45
46         Reviewed by Saam Barati.
47
48         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
49         because the IC was wrong.
50         (foo):
51         (bar):
52         (baz):
53         (catch):
54         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
55         in this patch, but may as well test odd strict mode corner cases.
56         (bar):
57         (baz):
58         (catch):
59         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
60         (foo):
61         (bar):
62         (baz):
63         (catch):
64         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
65         next file, but with invalidation of the FunctionExecutable's
66         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
67         slower path.
68         (foo):
69         (bar.const.x):
70         (bar.const.y):
71         (bar):
72         (catch):
73         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
74         strict nesting works correctly.
75         (foo):
76         (bar.baz):
77         (bar):
78         * stress/strict-function-structure.js: Added. The test used to
79         assert in objectProtoFuncHasOwnProperty.
80         (foo):
81         (bar):
82         (baz):
83         * stress/strict-nested-function-structure.js: Added. Nesting.
84         (foo):
85         (bar):
86         (baz.boo):
87         (baz):
88
89 2017-11-29  Robin Morisset  <rmorisset@apple.com>
90
91         The recursive tail call optimisation is wrong on closures
92         https://bugs.webkit.org/show_bug.cgi?id=179835
93
94         Reviewed by Saam Barati.
95
96         * stress/closure-recursive-tail-call.js: Added.
97         (makeClosure):
98
99 2017-11-27  JF Bastien  <jfbastien@apple.com>
100
101         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
102         https://bugs.webkit.org/show_bug.cgi?id=180051
103         <rdar://problem/35614371>
104
105         Reviewed by Saam Barati.
106
107         * stress/rest-parameter-negative.js: Added.
108         (__f_5484):
109         (catch):
110         (__f_5485):
111         (__v_22598.catch):
112
113 2017-11-27  Saam Barati  <sbarati@apple.com>
114
115         Spread can escape when CreateRest does not
116         https://bugs.webkit.org/show_bug.cgi?id=180057
117         <rdar://problem/35676119>
118
119         Reviewed by JF Bastien.
120
121         * stress/spread-escapes-but-create-rest-does-not.js: Added.
122         (assert):
123         (getProperties):
124         (theFunc):
125         (let.obj.valueOf):
126
127 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
128
129         [DFG] Add NormalizeMapKey DFG IR
130         https://bugs.webkit.org/show_bug.cgi?id=179912
131
132         Reviewed by Saam Barati.
133
134         * stress/map-untyped-normalize-cse.js: Added.
135         (shouldBe):
136         (test):
137         * stress/map-untyped-normalize.js: Added.
138         (shouldBe):
139         (test):
140         * stress/set-untyped-normalize-cse.js: Added.
141         (shouldBe):
142         (set return.set has.set has):
143         * stress/set-untyped-normalize.js: Added.
144         (shouldBe):
145         (set return.set has):
146
147 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
148
149         [FTL] Support DeleteById and DeleteByVal
150         https://bugs.webkit.org/show_bug.cgi?id=180022
151
152         Reviewed by Saam Barati.
153
154         * stress/delete-by-id.js: Added.
155         (shouldBe):
156         (test1):
157         (test2):
158         * stress/delete-by-val-ftl.js: Added.
159         (shouldBe):
160         (test1):
161         (test2):
162
163 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
164
165         [DFG] Introduce {Set,Map,WeakMap}Fields
166         https://bugs.webkit.org/show_bug.cgi?id=179925
167
168         Reviewed by Saam Barati.
169
170         * stress/map-set-clobber-map-get.js: Added.
171         (shouldBe):
172         (test):
173         * stress/map-set-does-not-clobber-set-has.js: Added.
174         (shouldBe):
175         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
176         (shouldBe):
177         (test):
178         * stress/set-add-clobber-set-has.js: Added.
179         (shouldBe):
180         * stress/set-add-does-not-clobber-map-get.js: Added.
181         (shouldBe):
182
183 2017-11-24  Mark Lam  <mark.lam@apple.com>
184
185         Move unsafe jsc shell test functions to the $vm object.
186         https://bugs.webkit.org/show_bug.cgi?id=179980
187
188         Reviewed by Yusuke Suzuki.
189
190         * controlFlowProfiler/driver/driver.js:
191         * controlFlowProfiler/execution-count.js:
192         * controlFlowProfiler/if-statement.js:
193         * controlFlowProfiler/loop-statements.js:
194         * controlFlowProfiler/switch-statements.js:
195         * controlFlowProfiler/test-jit.js:
196         * exceptionFuzz/3d-cube.js:
197         * exceptionFuzz/date-format-xparb.js:
198         * exceptionFuzz/earley-boyer.js:
199         * heapProfiler/basic-edges.js:
200         * heapProfiler/property-edge-types.js:
201         * microbenchmarks/try-get-by-id-basic.js:
202         * microbenchmarks/try-get-by-id-polymorphic.js:
203         * modules/namespace-object-try-get.js:
204         * stress/argument-count-bytecode.js:
205         * stress/argument-intrinsic-basic.js:
206         * stress/argument-intrinsic-inlining-use-caller-arg.js:
207         * stress/argument-intrinsic-inlining-with-result-escape.js:
208         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
209         * stress/argument-intrinsic-inlining-with-vararg.js:
210         * stress/argument-intrinsic-nested-inlining.js:
211         * stress/argument-intrinsic-not-convert-to-get-argument.js:
212         * stress/argument-intrinsic-with-stack-write.js:
213         * stress/arity-mismatch-get-argument.js:
214         * stress/array-message-passing.js:
215         * stress/array-push-with-force-exit.js:
216         * stress/check-dom-with-signature.js:
217         * stress/check-sub-class.js:
218         * stress/compare-eq-incomplete-profile.js:
219         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
220         * stress/do-eval-virtual-call-correctly.js:
221         * stress/dom-jit-with-poly-proto.js:
222         * stress/domjit-exception-ic.js:
223         * stress/domjit-exception.js:
224         * stress/domjit-getter-complex-with-incorrect-object.js:
225         * stress/domjit-getter-complex.js:
226         * stress/domjit-getter-poly.js:
227         * stress/domjit-getter-proto.js:
228         * stress/domjit-getter-super-poly.js:
229         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
230         * stress/domjit-getter-type-check.js:
231         * stress/domjit-getter.js:
232         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
233         * stress/for-in-proxy-target-changed-structure.js:
234         * stress/for-in-proxy.js:
235         * stress/generational-opaque-roots.js:
236         * stress/global-const-redeclaration-setting-2.js:
237         * stress/global-const-redeclaration-setting-3.js:
238         * stress/global-const-redeclaration-setting-4.js:
239         * stress/global-const-redeclaration-setting-5.js:
240         * stress/global-const-redeclaration-setting.js:
241         * stress/import-basic.js:
242         * stress/import-from-eval.js:
243         * stress/import-reject-with-exception.js:
244         * stress/import-syntax.js:
245         * stress/impure-get-own-property-slot-inline-cache.js:
246         * stress/is-constructor.js:
247         * stress/istypedarrayview-intrinsic.js:
248         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
249         * stress/jsc-test-functions-should-be-more-robust.js:
250         * stress/object-toString-with-proxy.js:
251         * stress/poly-proto-custom-value-and-accessor.js:
252         * stress/proxy-inline-cache.js:
253         * stress/re-execute-error-module.js:
254         * stress/regress-150532.js:
255         * stress/regress-156992.js:
256         * stress/regress-179619.js:
257         * stress/resources/shadow-chicken-support.js:
258         * stress/runtime-array.js:
259         * stress/sampling-profiler-microtasks.js:
260         * stress/shadow-chicken-enabled.js:
261         * stress/spread-correct-global-object-on-exception.js:
262         * stress/super-get-by-id.js:
263         * stress/tailCallForwardArguments.js:
264         * stress/to-object-intrinsic-boolean-edge.js:
265         * stress/to-object-intrinsic-null-or-undefined-edge.js:
266         * stress/to-object-intrinsic-number-edge.js:
267         * stress/to-object-intrinsic-object-edge.js:
268         * stress/to-object-intrinsic-string-edge.js:
269         * stress/to-object-intrinsic-symbol-edge.js:
270         * stress/to-object-intrinsic.js:
271         * stress/try-catch-custom-getter-as-get-by-id.js:
272         * stress/try-get-by-id-poly-proto.js:
273         * stress/try-get-by-id-should-spill-registers-dfg.js:
274         * stress/try-get-by-id.js:
275         * typeProfiler/arrow-functions.js:
276         * typeProfiler/basic.js:
277         * typeProfiler/captured.js:
278         * typeProfiler/classes.js:
279         * typeProfiler/dfg-jit-optimizations.js:
280         * typeProfiler/dictionary-mode.js:
281         * typeProfiler/es6-block-scoping.js:
282         * typeProfiler/es6-classes.js:
283         * typeProfiler/inheritance.js:
284         * typeProfiler/int52-dfg.js:
285         * typeProfiler/loop.js:
286         * typeProfiler/optional-fields.js:
287         * typeProfiler/overflow.js:
288         * typeProfiler/return.js:
289         * typeProfiler/symbol.js:
290         * typeProfiler/weird-prototype-chain.js:
291
292 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
293
294         [DFG][FTL] Support MapSet / SetAdd intrinsics
295         https://bugs.webkit.org/show_bug.cgi?id=179858
296
297         Reviewed by Saam Barati.
298
299         * microbenchmarks/map-has-and-set.js: Added.
300         (test):
301         * stress/map-set-check-failure.js: Added.
302         (shouldBe):
303         (shouldThrow):
304         (target):
305         * stress/map-set-cse.js: Added.
306         (shouldBe):
307         (test):
308         * stress/set-add-check-failure.js: Added.
309         (shouldBe):
310         (shouldThrow):
311         (set shouldThrow):
312         * stress/set-add-cse.js: Added.
313         (shouldBe):
314
315 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
316
317         [JSC] Allow poly proto for intrinsic getters
318         https://bugs.webkit.org/show_bug.cgi?id=179550
319
320         Reviewed by Saam Barati.
321
322         This change is also tested by existing tests.
323
324             1. stress/intrinsic-getter-with-poly-proto.js
325             2. stress/poly-proto-intrinsic-getter-correctness.js
326
327         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
328         (shouldBe):
329         (makePolyProtoObject.foo.C):
330         (makePolyProtoObject.foo):
331         (makePolyProtoObject):
332         (target):
333         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
334         (shouldBe):
335         (makePolyProtoObject.foo.C):
336         (makePolyProtoObject.foo):
337         (makePolyProtoObject):
338         (target):
339
340 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
341
342         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
343         https://bugs.webkit.org/show_bug.cgi?id=179744
344
345         Reviewed by Michael Catanzaro.
346
347         This test uses too much memory for our buildbots on these platforms
348         and gets OOM-killed.
349
350         * stress/unshiftCountSlowCase-correct-postCapacity.js:
351         Skip if $memoryLimited and linux.
352
353 2017-11-17  JF Bastien  <jfbastien@apple.com>
354
355         WebAssembly JS API: throw when a promise can't be created
356         https://bugs.webkit.org/show_bug.cgi?id=179826
357         <rdar://problem/35455813>
358
359         Reviewed by Mark Lam.
360
361         Test WebAssembly.{compile,instantiate} where promise creation
362         fails because of a stack overflow.
363
364         * wasm/js-api/promise-stack-overflow.js: Added.
365         (const.runNearStackLimit.f.const.t):
366         (async.testCompile):
367         (async.testInstantiate):
368
369 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
370
371         Unreviewed, mark regress-178385.js as memory exhausting
372
373         * stress/regress-178385.js:
374
375 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
376
377         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
378
379         Unreviewed test gardening.
380
381         * test262.yaml:
382
383 2017-11-16  Robin Morisset  <rmorisset@apple.com>
384
385         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
386         https://bugs.webkit.org/show_bug.cgi?id=179763
387         <rdar://problem/35550513>
388
389         Reviewed by Keith Miller.
390
391         Just adding a slightly cleaned-up version of the original fuzzer-found test.
392
393         * stress/tdz-this-in-try-catch.js: Added.
394         (__v_6388):
395         (__v_6392):
396
397 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
398
399         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
400         https://bugs.webkit.org/show_bug.cgi?id=179594
401
402         Reviewed by Saam Barati.
403
404         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
405         (shouldBe):
406         (args):
407         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
408         (shouldBe):
409         (args):
410
411 2017-11-14  Saam Barati  <sbarati@apple.com>
412
413         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
414         https://bugs.webkit.org/show_bug.cgi?id=179639
415         <rdar://problem/35513018>
416
417         Reviewed by JF Bastien.
418
419         * wasm/function-tests/grow-memory-cause-gc.js: Added.
420         (escape):
421         (i.func):
422
423 2017-11-13  Mark Lam  <mark.lam@apple.com>
424
425         Add more overflow check book-keeping for MarkedArgumentBuffer.
426         https://bugs.webkit.org/show_bug.cgi?id=179634
427         <rdar://problem/35492517>
428
429         Reviewed by Saam Barati.
430
431         * stress/regress-179634.js: Added.
432
433 2017-11-13  Mark Lam  <mark.lam@apple.com>
434
435         Make the jsc shell loadGetterFromGetterSetter() function more robust.
436         https://bugs.webkit.org/show_bug.cgi?id=179619
437         <rdar://problem/35492518>
438
439         Reviewed by Saam Barati.
440
441         * stress/regress-179619.js: Added.
442
443 2017-11-12  Mark Lam  <mark.lam@apple.com>
444
445         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
446         https://bugs.webkit.org/show_bug.cgi?id=179562
447         <rdar://problem/35467022>
448
449         Reviewed by Saam Barati.
450
451         * regress-179562.js: Added.
452
453 2017-11-08  Saam Barati  <sbarati@apple.com>
454
455         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
456         https://bugs.webkit.org/show_bug.cgi?id=177792
457
458         Reviewed by Yusuke Suzuki.
459
460         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
461         (assert):
462         (foo.Foo.prototype.ensureX):
463         (foo.Foo):
464         (foo):
465         (access):
466
467 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
468
469         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
470         https://bugs.webkit.org/show_bug.cgi?id=178592
471
472         Unreviewed test gardening.
473
474         * test262.yaml:
475
476 2017-11-08  Robin Morisset  <rmorisset@apple.com>
477
478         Turn recursive tail calls into loops
479         https://bugs.webkit.org/show_bug.cgi?id=176601
480
481         Reviewed by Saam Barati.
482
483         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
484
485         Add some simple test that computes factorial in several ways, and other trivial computations.
486         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
487         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
488         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
489         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
490
491         * stress/inline-call-to-recursive-tail-call.js: Added.
492         (factorial.aux):
493         (factorial):
494         (factorial2.aux2):
495         (factorial2.id):
496         (factorial2):
497         (factorial3.aux3):
498         (factorial3):
499         (aux4):
500         (factorial4):
501         (foo):
502         (auxBar):
503         (bar):
504         (test):
505
506 2017-11-07  Mark Lam  <mark.lam@apple.com>
507
508         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
509         https://bugs.webkit.org/show_bug.cgi?id=179355
510         <rdar://problem/35263053>
511
512         Reviewed by Saam Barati.
513
514         * stress/regress-179355.js: Added.
515
516 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
517
518         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
519         https://bugs.webkit.org/show_bug.cgi?id=144458
520
521         Reviewed by Saam Barati.
522
523         * microbenchmarks/dfg-internal-function-call.js: Added.
524         (target):
525         * microbenchmarks/dfg-internal-function-construct.js: Added.
526         (target):
527         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
528         (target):
529         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
530         (target):
531         * stress/dfg-internal-function-call.js: Added.
532         (shouldBe):
533         (target):
534         * stress/dfg-internal-function-construct.js: Added.
535         (shouldBe):
536         (target):
537         * stress/internal-function-call.js: Added.
538         (shouldBe):
539         * stress/internal-function-construct.js: Added.
540         (shouldBe):
541
542 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
543
544         [Win] Skip stress/regress-178385.js.
545         https://bugs.webkit.org/show_bug.cgi?id=179298
546
547         Unreviewed test gardening.
548
549         * stress/regress-178385.js:
550
551 2017-11-03  Keith Miller  <keith_miller@apple.com>
552
553         Add test for ic with side effects
554         https://bugs.webkit.org/show_bug.cgi?id=179268
555
556         Reviewed by Saam Barati.
557
558         * stress/put-inline-cache-side-effects.js: Added.
559         (let.i.of.objs.keys):
560         (f):
561
562 2017-11-03  Mark Lam  <mark.lam@apple.com>
563
564         CachedCall (and its clients) needs overflow checks.
565         https://bugs.webkit.org/show_bug.cgi?id=179185
566
567         Reviewed by JF Bastien.
568
569         * stress/regress-179185.js: Added.
570
571 2017-11-02  Michael Saboff  <msaboff@apple.com>
572
573         DFG needs to handle code motion of code in for..in loop bodies
574         https://bugs.webkit.org/show_bug.cgi?id=179212
575
576         Reviewed by Keith Miller.
577
578         New regression test.
579
580         * stress/for-in-side-effects.js: Added.
581         (getPrototypeOf):
582         (reset):
583         (testWithoutFTL.f):
584         (testWithoutFTL):
585         (testWithFTL.f):
586         (testWithFTL):
587
588 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
589
590         AI does not correctly model the clobber case of ArithClz32
591         https://bugs.webkit.org/show_bug.cgi?id=179188
592
593         Reviewed by Michael Saboff.
594
595         * stress/arith-clz32-effects.js: Added.
596         (foo):
597         (valueOf):
598
599 2017-11-01  Michael Saboff  <msaboff@apple.com>
600
601         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
602         https://bugs.webkit.org/show_bug.cgi?id=179140
603
604         Reviewed by Saam Barati.
605
606         New regression test.
607
608         * stress/regress-179140.js: Added.
609         (testWithoutFTL):
610         (testWithFTL):
611
612 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
613
614         [JSC] Introduce @toObject
615         https://bugs.webkit.org/show_bug.cgi?id=178726
616
617         Reviewed by Saam Barati.
618
619         * stress/array-copywithin.js:
620         (shouldThrow):
621         * stress/object-constructor-boolean-edge.js: Added.
622         (shouldBe):
623         (test):
624         * stress/object-constructor-global.js: Added.
625         (shouldBe):
626         * stress/object-constructor-null-edge.js: Added.
627         (shouldBe):
628         (test):
629         * stress/object-constructor-number-edge.js: Added.
630         (shouldBe):
631         (test):
632         * stress/object-constructor-object-edge.js: Added.
633         (shouldBe):
634         (test):
635         (i.arg):
636         * stress/object-constructor-string-edge.js: Added.
637         (shouldBe):
638         (test):
639         * stress/object-constructor-symbol-edge.js: Added.
640         (shouldBe):
641         (test):
642         * stress/object-constructor-undefined-edge.js: Added.
643         (shouldBe):
644         (test):
645         * stress/symbol-array-from.js: Added.
646         (shouldBe):
647         * stress/to-object-intrinsic-boolean-edge.js: Added.
648         (shouldBe):
649         (builtin.createBuiltin):
650         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
651         (shouldThrow):
652         * stress/to-object-intrinsic-number-edge.js: Added.
653         (shouldBe):
654         (builtin.createBuiltin):
655         * stress/to-object-intrinsic-object-edge.js: Added.
656         (shouldBe):
657         (builtin.createBuiltin):
658         (i.arg):
659         * stress/to-object-intrinsic-string-edge.js: Added.
660         (shouldBe):
661         (builtin.createBuiltin):
662         * stress/to-object-intrinsic-symbol-edge.js: Added.
663         (shouldBe):
664         (builtin.createBuiltin):
665         * stress/to-object-intrinsic.js: Added.
666         (shouldBe):
667         (shouldThrow):
668         (builtin.createBuiltin):
669
670 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
671
672         [DFG][FTL] Introduce StringSlice
673         https://bugs.webkit.org/show_bug.cgi?id=178934
674
675         Reviewed by Saam Barati.
676
677         * microbenchmarks/string-slice-empty.js: Added.
678         (slice):
679         * microbenchmarks/string-slice-one-char.js: Added.
680         (slice):
681         * microbenchmarks/string-slice.js: Added.
682         (slice):
683
684 2017-10-26  Michael Saboff  <msaboff@apple.com>
685
686         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
687         https://bugs.webkit.org/show_bug.cgi?id=178890
688
689         Reviewed by Keith Miller.
690
691         New regression test.
692
693         * stress/regress-178890.js: Added.
694
695 2017-10-26  Mark Lam  <mark.lam@apple.com>
696
697         JSRopeString::RopeBuilder::append() should check for overflows.
698         https://bugs.webkit.org/show_bug.cgi?id=178385
699         <rdar://problem/35027468>
700
701         Reviewed by Saam Barati.
702
703         * stress/regress-178385.js: Added.
704
705 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
706
707         Unreviewed, rolling out r223961.
708
709         The change that required this has been rolled out.
710
711         Reverted changeset:
712
713         "Mark test262.yaml/test262/test/language/statements/try/tco-
714         catch.js as passing."
715         https://bugs.webkit.org/show_bug.cgi?id=178592
716         https://trac.webkit.org/changeset/223961
717
718 2017-10-25  Commit Queue  <commit-queue@webkit.org>
719
720         Unreviewed, rolling out r223691 and r223729.
721         https://bugs.webkit.org/show_bug.cgi?id=178834
722
723         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
724         by rniwa on #webkit).
725
726         Reverted changesets:
727
728         "Turn recursive tail calls into loops"
729         https://bugs.webkit.org/show_bug.cgi?id=176601
730         https://trac.webkit.org/changeset/223691
731
732         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
733         comparison is always false due to limited range of data type
734         [-Wtype-limits]"
735         https://bugs.webkit.org/show_bug.cgi?id=178543
736         https://trac.webkit.org/changeset/223729
737
738 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
739
740         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
741         https://bugs.webkit.org/show_bug.cgi?id=178592
742
743         Unreviewed test gardening.
744
745         * test262.yaml:
746
747 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
748
749         [FTL] Support NewStringObject
750         https://bugs.webkit.org/show_bug.cgi?id=178737
751
752         Reviewed by Saam Barati.
753
754         * stress/new-string-object.js: Added.
755         (shouldBe):
756         (test):
757
758 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
759
760         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
761         https://bugs.webkit.org/show_bug.cgi?id=178308
762
763         Reviewed by Mark Lam.
764
765         * test262.yaml:
766
767 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
768
769         [JSC] Use fastJoin in Array#toString
770         https://bugs.webkit.org/show_bug.cgi?id=178062
771
772         Reviewed by Darin Adler.
773
774         * microbenchmarks/contiguous-array-to-string.js: Added.
775         (target):
776         * microbenchmarks/double-array-to-string.js: Added.
777         (target):
778         * microbenchmarks/int32-array-to-string.js: Added.
779         (target):
780
781 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
782
783         stress/check-string-ident.js is improperly skipped
784         https://bugs.webkit.org/show_bug.cgi?id=178642
785
786         Reviewed by Saam Barati.
787
788         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
789         since it enforces the run-jsc-stress-tests script to still set up the
790         test to run, despite the skip directive that's used before.
791
792 2017-10-20  Mark Lam  <mark.lam@apple.com>
793
794         Add a test case for r214334.
795         https://bugs.webkit.org/show_bug.cgi?id=169941
796         <rdar://problem/31221258>
797
798         Reviewed by JF Bastien.
799
800         * stress/regress-169941.js: Added.
801
802 2017-10-19  JF Bastien  <jfbastien@apple.com>
803
804         WebAssembly: no VM / JS version of everything but Instance
805         https://bugs.webkit.org/show_bug.cgi?id=177473
806
807         Reviewed by Filip Pizlo, Saam Barati.
808
809         - Exceeding max on memory growth now returns a range error as per
810         spec. This is a (very minor) breaking change: it used to throw OOM
811         error. Update the corresponding test.
812
813         * wasm/js-api/memory-grow.js:
814         (assertEq):
815         * wasm/js-api/table.js:
816         (assert.throws):
817
818 2017-10-19  Mark Lam  <mark.lam@apple.com>
819
820         Stringifier::appendStringifiedValue() is missing an exception check.
821         https://bugs.webkit.org/show_bug.cgi?id=178386
822         <rdar://problem/35027610>
823
824         Reviewed by Saam Barati.
825
826         * stress/regress-178386.js: Added.
827
828 2017-10-19  Michael Saboff  <msaboff@apple.com>
829
830         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
831         https://bugs.webkit.org/show_bug.cgi?id=178521
832
833         Reviewed by JF Bastien.
834
835         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
836         now passes with the current version (5.0) of the Emoji spec.
837
838 2017-10-19  Robin Morisset  <rmorisset@apple.com>
839
840         Turn recursive tail calls into loops
841         https://bugs.webkit.org/show_bug.cgi?id=176601
842
843         Reviewed by Saam Barati.
844
845         Add some simple test that computes factorial in several ways, and other trivial computations.
846         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
847         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
848         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
849         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
850
851         * stress/inline-call-to-recursive-tail-call.js: Added.
852         (factorial.aux):
853         (factorial):
854         (factorial2.aux):
855         (factorial2.id):
856         (factorial2):
857         (factorial3.aux):
858         (factorial3):
859         (aux):
860         (factorial4):
861         (test):
862
863 2017-10-18  Mark Lam  <mark.lam@apple.com>
864
865         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
866         https://bugs.webkit.org/show_bug.cgi?id=177600
867         <rdar://problem/34710985>
868
869         Reviewed by Saam Barati.
870
871         * stress/regress-177600.js: Added.
872
873 2017-10-18  Mark Lam  <mark.lam@apple.com>
874
875         The compiler should always register a structure when it adds its transitionWatchPointSet.
876         https://bugs.webkit.org/show_bug.cgi?id=178420
877         <rdar://problem/34814024>
878
879         Reviewed by Saam Barati and Filip Pizlo.
880
881         * stress/regress-178420.js: Added.
882         (new.Array.10000.map):
883
884 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
885
886         [JSC] __proto__ getter should be fast
887         https://bugs.webkit.org/show_bug.cgi?id=178067
888
889         Reviewed by Saam Barati.
890
891         * stress/dfg-object-proto-accessor.js: Added.
892         (shouldBe):
893         (shouldThrow):
894         (target):
895         * stress/dfg-object-proto-getter.js: Added.
896         (shouldBe):
897         (shouldThrow):
898         (target):
899         * stress/dfg-object-prototype-of.js: Added.
900         (shouldBe):
901         (shouldThrow):
902         (target):
903         * stress/dfg-reflect-get-prototype-of.js: Added.
904         (shouldBe):
905         (shouldThrow):
906         (target):
907         * stress/intrinsic-getter-with-poly-proto.js: Added.
908         (shouldBe):
909         (makePolyProtoObject.foo.C):
910         (makePolyProtoObject.foo):
911         (makePolyProtoObject):
912         (target):
913         * stress/object-get-prototype-of-filtered.js: Added.
914         (shouldBe):
915         (shouldThrow):
916         (target):
917         (i.Cocoa):
918         * stress/object-get-prototype-of-mono-proto.js: Added.
919         (shouldBe):
920         (makePolyProtoObject.foo.C):
921         (makePolyProtoObject.foo):
922         (makePolyProtoObject):
923         (target):
924         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
925         (shouldBe):
926         (makePolyProtoObject.foo.C):
927         (makePolyProtoObject.foo):
928         (makePolyProtoObject):
929         (target):
930         * stress/object-get-prototype-of-poly-proto.js: Added.
931         (shouldBe):
932         (makePolyProtoObject.foo.C):
933         (makePolyProtoObject.foo):
934         (makePolyProtoObject):
935         (target):
936         * stress/object-proto-getter-filtered.js: Added.
937         (shouldBe):
938         (shouldThrow):
939         (target):
940         (i.Cocoa):
941         * stress/object-proto-getter-poly-mono-proto.js: Added.
942         (shouldBe):
943         (makePolyProtoObject.foo.C):
944         (makePolyProtoObject.foo):
945         (makePolyProtoObject):
946         (target):
947         * stress/object-proto-getter-poly-proto.js: Added.
948         (shouldBe):
949         (makePolyProtoObject.foo.C):
950         (makePolyProtoObject.foo):
951         (makePolyProtoObject):
952         (target):
953         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
954         * stress/string-proto.js: Added.
955         (shouldBe):
956         (target):
957
958 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
959
960         Unreviewed, rolling out r223523.
961
962         A test for this change is failing on debug JSC bots.
963
964         Reverted changeset:
965
966         "[JSC] __proto__ getter should be fast"
967         https://bugs.webkit.org/show_bug.cgi?id=178067
968         https://trac.webkit.org/changeset/223523
969
970 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
971
972         [JSC] __proto__ getter should be fast
973         https://bugs.webkit.org/show_bug.cgi?id=178067
974
975         Reviewed by Saam Barati.
976
977         * stress/dfg-object-proto-accessor.js: Added.
978         (shouldBe):
979         (shouldThrow):
980         (target):
981         * stress/dfg-object-proto-getter.js: Added.
982         (shouldBe):
983         (shouldThrow):
984         (target):
985         * stress/dfg-object-prototype-of.js: Added.
986         (shouldBe):
987         (shouldThrow):
988         (target):
989         * stress/dfg-reflect-get-prototype-of.js: Added.
990         (shouldBe):
991         (shouldThrow):
992         (target):
993         * stress/object-get-prototype-of-filtered.js: Added.
994         (shouldBe):
995         (shouldThrow):
996         (target):
997         (i.Cocoa):
998         * stress/object-get-prototype-of-mono-proto.js: Added.
999         (shouldBe):
1000         (makePolyProtoObject.foo.C):
1001         (makePolyProtoObject.foo):
1002         (makePolyProtoObject):
1003         (target):
1004         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
1005         (shouldBe):
1006         (makePolyProtoObject.foo.C):
1007         (makePolyProtoObject.foo):
1008         (makePolyProtoObject):
1009         (target):
1010         * stress/object-get-prototype-of-poly-proto.js: Added.
1011         (shouldBe):
1012         (makePolyProtoObject.foo.C):
1013         (makePolyProtoObject.foo):
1014         (makePolyProtoObject):
1015         (target):
1016         * stress/object-proto-getter-filtered.js: Added.
1017         (shouldBe):
1018         (shouldThrow):
1019         (target):
1020         (i.Cocoa):
1021         * stress/object-proto-getter-poly-mono-proto.js: Added.
1022         (shouldBe):
1023         (makePolyProtoObject.foo.C):
1024         (makePolyProtoObject.foo):
1025         (makePolyProtoObject):
1026         (target):
1027         * stress/object-proto-getter-poly-proto.js: Added.
1028         (shouldBe):
1029         (makePolyProtoObject.foo.C):
1030         (makePolyProtoObject.foo):
1031         (makePolyProtoObject):
1032         (target):
1033         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
1034         * stress/string-proto.js: Added.
1035         (shouldBe):
1036         (target):
1037
1038 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1039
1040         Reland "Add Above/Below comparisons for UInt32 patterns"
1041         https://bugs.webkit.org/show_bug.cgi?id=177281
1042
1043         Reviewed by Saam Barati.
1044
1045         * stress/uint32-comparison-jump.js: Added.
1046         (shouldBe):
1047         (above):
1048         (aboveOrEqual):
1049         (below):
1050         (belowOrEqual):
1051         (notAbove):
1052         (notAboveOrEqual):
1053         (notBelow):
1054         (notBelowOrEqual):
1055         * stress/uint32-comparison.js: Added.
1056         (shouldBe):
1057         (above):
1058         (aboveOrEqual):
1059         (below):
1060         (belowOrEqual):
1061         (aboveTest):
1062         (aboveOrEqualTest):
1063         (belowTest):
1064         (belowOrEqualTest):
1065
1066 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1067
1068         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
1069         https://bugs.webkit.org/show_bug.cgi?id=178210
1070
1071         Reviewed by Saam Barati.
1072
1073         * wasm/function-tests/trap-from-start-async.js:
1074         (async.StartTrapsAsync):
1075         * wasm/function-tests/trap-from-start.js:
1076         (StartTraps):
1077         * wasm/js-api/web-assembly-function.js:
1078         (assert.eq.Object.getPrototypeOf):
1079         * wasm/js-api/wrapper-function.js:
1080         (return.new.WebAssembly.Module):
1081         (assert.throws.makeInstance): Deleted.
1082         (assert.throws.Bar): Deleted.
1083         (assert.throws): Deleted.
1084
1085 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
1086
1087         Enable gigacage on iOS
1088         https://bugs.webkit.org/show_bug.cgi?id=177586
1089
1090         Reviewed by JF Bastien.
1091         
1092         Add tests for when Gigacage gets runtime disabled.
1093
1094         * stress/disable-gigacage-arrays.js: Added.
1095         (foo):
1096         * stress/disable-gigacage-strings.js: Added.
1097         (foo):
1098         * stress/disable-gigacage-typed-arrays.js: Added.
1099         (foo):
1100
1101 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1102
1103         import.meta should not be assignable
1104         https://bugs.webkit.org/show_bug.cgi?id=178202
1105
1106         Reviewed by Saam Barati.
1107
1108         * modules/import-meta-assignment.js: Added.
1109         (shouldThrow):
1110         (SyntaxError.import.meta.can.shouldThrow):
1111
1112 2017-10-11  Saam Barati  <sbarati@apple.com>
1113
1114         Unreviewed. Actually skip certain type profiler tests in debug.
1115
1116         * typeProfiler.yaml:
1117         * typeProfiler/deltablue-for-of.js:
1118         * typeProfiler/getter-richards.js:
1119
1120 2017-10-11  Commit Queue  <commit-queue@webkit.org>
1121
1122         Unreviewed, rolling out r223113 and r223121.
1123         https://bugs.webkit.org/show_bug.cgi?id=178182
1124
1125         Reintroduced 20% regression on Kraken (Requested by rniwa on
1126         #webkit).
1127
1128         Reverted changesets:
1129
1130         "Enable gigacage on iOS"
1131         https://bugs.webkit.org/show_bug.cgi?id=177586
1132         https://trac.webkit.org/changeset/223113
1133
1134         "Use one virtual allocation for all gigacages and their
1135         runways"
1136         https://bugs.webkit.org/show_bug.cgi?id=178050
1137         https://trac.webkit.org/changeset/223121
1138
1139 2017-10-11  Michael Saboff  <msaboff@apple.com>
1140
1141         Disable test262 named capture group tests with direct unicode names and with references before definitions
1142         https://bugs.webkit.org/show_bug.cgi?id=178177
1143
1144         Reviewed by Keith Miller.
1145
1146         Bugs to track fixing these test are:
1147         https://bugs.webkit.org/show_bug.cgi?id=178174 -
1148             "Add support in named capture group identifiers for direct surrogate pairs"
1149         https://bugs.webkit.org/show_bug.cgi?id=178175 -
1150             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
1151
1152         * test262.yaml:
1153
1154 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
1155
1156         Object properties are undefined in super.call() but not in this.call()
1157         https://bugs.webkit.org/show_bug.cgi?id=177230
1158
1159         Reviewed by Saam Barati.
1160
1161         * stress/super-call-function-subclass.js: Added.
1162         (assert):
1163         (A.prototype.t):
1164         (A):
1165         * stress/super-dot-call-and-apply.js: Added.
1166         (assert):
1167         (A):
1168         (A.prototype.call):
1169         (A.prototype.apply):
1170         (B.prototype.testSuper):
1171         (B):
1172         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
1173         (D.prototype.testSuper):
1174         (D):
1175
1176 2017-10-10  Saam Barati  <sbarati@apple.com>
1177
1178         The prototype cache should be aware of the Executable it generates a Structure for
1179         https://bugs.webkit.org/show_bug.cgi?id=177907
1180
1181         Reviewed by Filip Pizlo.
1182
1183         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
1184         (assert):
1185         (foo.C):
1186         (foo):
1187         (bar.C):
1188         (bar):
1189         (access):
1190         (makeLongChain):
1191         (accessY):
1192
1193 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1194
1195         `async` should be able to be used as an imported binding name
1196         https://bugs.webkit.org/show_bug.cgi?id=176573
1197
1198         Reviewed by Saam Barati.
1199
1200         * modules/import-default-async.js: Added.
1201         * modules/import-named-async-as.js: Added.
1202         * modules/import-named-async.js: Added.
1203         * modules/import-named-async/target.js: Added.
1204         * modules/import-namespace-async.js: Added.
1205         * test262.yaml:
1206
1207 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
1208
1209         Enable gigacage on iOS
1210         https://bugs.webkit.org/show_bug.cgi?id=177586
1211
1212         Reviewed by JF Bastien.
1213         
1214         Add tests for when Gigacage gets runtime disabled.
1215
1216         * stress/disable-gigacage-arrays.js: Added.
1217         (foo):
1218         * stress/disable-gigacage-strings.js: Added.
1219         (foo):
1220         * stress/disable-gigacage-typed-arrays.js: Added.
1221         (foo):
1222
1223 2017-10-09  Michael Saboff  <msaboff@apple.com>
1224
1225         Implement RegExp Unicode property escapes
1226         https://bugs.webkit.org/show_bug.cgi?id=172069
1227
1228         Reviewed by JF Bastien.
1229
1230         Enabled Unicode Property tests.
1231
1232         * test262.yaml:
1233
1234 2017-10-09  Commit Queue  <commit-queue@webkit.org>
1235
1236         Unreviewed, rolling out r223015 and r223025.
1237         https://bugs.webkit.org/show_bug.cgi?id=178093
1238
1239         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
1240         #webkit).
1241
1242         Reverted changesets:
1243
1244         "Enable gigacage on iOS"
1245         https://bugs.webkit.org/show_bug.cgi?id=177586
1246         http://trac.webkit.org/changeset/223015
1247
1248         "Unreviewed, disable Gigacage on ARM64 Linux"
1249         https://bugs.webkit.org/show_bug.cgi?id=177586
1250         http://trac.webkit.org/changeset/223025
1251
1252 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
1253
1254         Update expectations for test262 tests that pass after r223043.
1255         https://bugs.webkit.org/show_bug.cgi?id=176685
1256
1257         Unreviewed test gardening.
1258
1259         * test262.yaml:
1260
1261 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
1262
1263         Unreviewed, rolling out r223022.
1264
1265         This change introduced 18 test262 failures.
1266
1267         Reverted changeset:
1268
1269         "`async` should be able to be used as an imported binding
1270         name"
1271         https://bugs.webkit.org/show_bug.cgi?id=176573
1272         http://trac.webkit.org/changeset/223022
1273
1274 2017-10-09  Saam Barati  <sbarati@apple.com>
1275
1276         3 poly-proto JSC tests timing out on debug after r222827
1277         https://bugs.webkit.org/show_bug.cgi?id=177880
1278         <rdar://problem/34817122>
1279
1280         Unreviewed.
1281
1282         I'm skipping these type profiler tests on debug since they are long running.
1283
1284         * typeProfiler/deltablue-for-of.js:
1285         * typeProfiler/getter-richards.js:
1286
1287 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1288
1289         Safari 10 /11 problem with if (!await get(something)).
1290         https://bugs.webkit.org/show_bug.cgi?id=176685
1291
1292         Reviewed by Saam Barati.
1293
1294         * stress/async-await-basic.js:
1295         (awaitEpression.async):
1296         * stress/async-await-syntax.js:
1297         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
1298         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
1299
1300 2017-10-08  Saam Barati  <sbarati@apple.com>
1301
1302         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
1303
1304         * typeProfiler/deltablue-for-of.js:
1305         * typeProfiler/getter-richards.js:
1306
1307 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1308
1309         `async` should be able to be used as an imported binding name
1310         https://bugs.webkit.org/show_bug.cgi?id=176573
1311
1312         Reviewed by Darin Adler.
1313
1314         * modules/import-default-async.js: Added.
1315         * modules/import-named-async-as.js: Added.
1316         * modules/import-named-async.js: Added.
1317         * modules/import-named-async/target.js: Added.
1318         * modules/import-namespace-async.js: Added.
1319
1320 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
1321
1322         Enable gigacage on iOS
1323         https://bugs.webkit.org/show_bug.cgi?id=177586
1324
1325         Reviewed by JF Bastien.
1326         
1327         Add tests for when Gigacage gets runtime disabled.
1328
1329         * stress/disable-gigacage-arrays.js: Added.
1330         (foo):
1331         * stress/disable-gigacage-strings.js: Added.
1332         (foo):
1333         * stress/disable-gigacage-typed-arrays.js: Added.
1334         (foo):
1335
1336 2017-10-06  Commit Queue  <commit-queue@webkit.org>
1337
1338         Unreviewed, rolling out r222791 and r222873.
1339         https://bugs.webkit.org/show_bug.cgi?id=178031
1340
1341         Caused crashes with workers/wasm LayoutTests (Requested by
1342         ryanhaddad on #webkit).
1343
1344         Reverted changesets:
1345
1346         "WebAssembly: no VM / JS version of everything but Instance"
1347         https://bugs.webkit.org/show_bug.cgi?id=177473
1348         http://trac.webkit.org/changeset/222791
1349
1350         "WebAssembly: address no VM / JS follow-ups"
1351         https://bugs.webkit.org/show_bug.cgi?id=177887
1352         http://trac.webkit.org/changeset/222873
1353
1354 2017-10-05  Saam Barati  <sbarati@apple.com>
1355
1356         Make sure all prototypes under poly proto get added into the VM's prototype map
1357         https://bugs.webkit.org/show_bug.cgi?id=177909
1358
1359         Reviewed by Keith Miller.
1360
1361         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
1362         (assert):
1363         (foo.C):
1364         (foo):
1365         (set x):
1366
1367 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1368
1369         [JSC] Introduce import.meta
1370         https://bugs.webkit.org/show_bug.cgi?id=177703
1371
1372         Reviewed by Filip Pizlo.
1373
1374         * modules/import-meta-syntax.js: Added.
1375         (shouldThrow):
1376         (shouldNotThrow):
1377         * modules/import-meta.js: Added.
1378         * modules/import-meta/cocoa.js: Added.
1379         * modules/resources/assert.js:
1380         (export.shouldNotThrow):
1381         * stress/import-syntax.js:
1382
1383 2017-10-04  Saam Barati  <sbarati@apple.com>
1384
1385         Make pertinent AccessCases watch the poly proto watchpoint
1386         https://bugs.webkit.org/show_bug.cgi?id=177765
1387
1388         Reviewed by Keith Miller.
1389
1390         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
1391         (assert):
1392         (foo.C):
1393         (foo):
1394         (validate):
1395         * stress/poly-proto-clear-stub.js: Added.
1396         (assert):
1397         (foo.C):
1398         (foo):
1399
1400 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
1401
1402         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
1403
1404         Unreviewed test gardening.
1405
1406         * test262.yaml:
1407
1408 2017-10-04  Saam Barati  <sbarati@apple.com>
1409
1410         3 poly-proto JSC tests timing out on debug after r222827
1411         https://bugs.webkit.org/show_bug.cgi?id=177880
1412
1413         Rubber stamped by Mark Lam.
1414
1415         * microbenchmarks/poly-proto-access.js:
1416         * typeProfiler/deltablue-for-of.js:
1417         * typeProfiler/getter-richards.js:
1418
1419 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
1420
1421         Unreviewed, marking tco-catch.js as a failure after test262 update
1422         https://bugs.webkit.org/show_bug.cgi?id=177859
1423
1424         * test262.yaml:
1425
1426 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1427
1428         Unreviewed, marking one async iterator test262 test failed
1429         https://bugs.webkit.org/show_bug.cgi?id=177859
1430
1431         * test262.yaml:
1432
1433 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1434
1435         [Test262] Update Test262 to Oct 4 version
1436         https://bugs.webkit.org/show_bug.cgi?id=177859
1437
1438         Reviewed by Sam Weinig.
1439
1440         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
1441         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
1442
1443         * test262.yaml:
1444         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
1445         (checkSequence):
1446         * test262/harness/typeCoercion.js:
1447         (testCoercibleToIndexZero):
1448         (testCoercibleToIndexOne):
1449         (testCoercibleToIndexFromIndex):
1450         (testNotCoercibleToIndex.testPrimitiveValue):
1451         (testNotCoercibleToInteger):
1452         (testCoercibleToBigIntZero.testPrimitiveValue):
1453         (testCoercibleToBigIntZero):
1454         (testCoercibleToBigIntOne.testPrimitiveValue):
1455         (testCoercibleToBigIntOne):
1456         (testPrimitiveValue):
1457         (testCoercibleToBigIntFromBigInt):
1458         (testNotCoercibleToBigInt.testPrimitiveValue):
1459         (testNotCoercibleToBigInt.testStringValue):
1460         (testNotCoercibleToBigInt):
1461         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
1462         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
1463         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
1464         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
1465         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
1466         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
1467         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
1468         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
1469         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
1470         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
1471         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
1472         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
1473         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
1474         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
1475         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
1476         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
1477         (testCoercibleToBigIntZero):
1478         (testCoercibleToBigIntOne):
1479         (testNotCoercibleToBigInt):
1480         (MyError): Deleted.
1481         (valueOf): Deleted.
1482         (toString): Deleted.
1483         (Symbol.toPrimitive): Deleted.
1484         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
1485         (testCoercibleToIndexZero):
1486         (testCoercibleToIndexOne):
1487         (testNotCoercibleToIndex):
1488         (MyError): Deleted.
1489         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
1490         (assert.sameValue.BigInt.asIntN.toString): Deleted.
1491         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
1492         (BigInt.asIntN.valueOf): Deleted.
1493         (BigInt.asIntN.toString): Deleted.
1494         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
1495         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
1496         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
1497         (testCoercibleToBigIntZero):
1498         (testCoercibleToBigIntOne):
1499         (testNotCoercibleToBigInt):
1500         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
1501         (testCoercibleToIndexZero):
1502         (testCoercibleToIndexOne):
1503         (testNotCoercibleToIndex):
1504         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
1505         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
1506         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
1507         (bits.valueOf):
1508         (bigint.valueOf):
1509         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
1510         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
1511         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
1512         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
1513         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
1514         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
1515         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
1516         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
1517         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
1518         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
1519         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
1520         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
1521         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
1522         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
1523         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
1524         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
1525         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
1526         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
1527         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
1528         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
1529         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
1530         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
1531         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
1532         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
1533         (replacer):
1534         (BigInt.prototype.toJSON):
1535         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
1536         (replacer):
1537         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
1538         (BigInt.prototype.toJSON):
1539         * test262/test/built-ins/JSON/stringify/bigint.js:
1540         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
1541         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
1542         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
1543         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
1544         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
1545         * test262/test/built-ins/Object/proto-from-ctor.js:
1546         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
1547         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
1548         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
1549         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
1550         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
1551         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
1552         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
1553         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
1554         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
1555         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
1556         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
1557         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
1558         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
1559         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
1560         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
1561         * test262/test/built-ins/Proxy/get-fn-realm.js:
1562         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
1563         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
1564         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
1565         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
1566         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
1567         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
1568         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
1569         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
1570         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
1571         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
1572         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
1573         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
1574         (i6.replace):
1575         (i6b.replace):
1576         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
1577         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
1578         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
1579         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
1580         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
1581         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
1582         * test262/test/built-ins/RegExp/u180e.js: Added.
1583         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
1584         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
1585         * test262/test/built-ins/String/proto-from-ctor-realm.js:
1586         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
1587         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
1588         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
1589         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
1590         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
1591         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
1592         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
1593         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
1594         * test262/test/built-ins/String/prototype/endsWith/length.js:
1595         * test262/test/built-ins/String/prototype/endsWith/name.js:
1596         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
1597         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
1598         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
1599         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
1600         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
1601         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
1602         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
1603         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
1604         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
1605         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
1606         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
1607         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
1608         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
1609         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
1610         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
1611         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
1612         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
1613         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
1614         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
1615         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
1616         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
1617         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
1618         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
1619         * test262/test/built-ins/String/prototype/includes/includes.js:
1620         * test262/test/built-ins/String/prototype/includes/length.js:
1621         * test262/test/built-ins/String/prototype/includes/name.js:
1622         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
1623         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
1624         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
1625         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
1626         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
1627         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
1628         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
1629         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
1630         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
1631         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
1632         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
1633         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
1634         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
1635         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
1636         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
1637         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
1638         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
1639         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
1640         * test262/test/built-ins/String/prototype/trim/u180e.js:
1641         * test262/test/built-ins/Symbol/for/cross-realm.js:
1642         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
1643         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
1644         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
1645         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
1646         * test262/test/built-ins/Symbol/match/cross-realm.js:
1647         * test262/test/built-ins/Symbol/replace/cross-realm.js:
1648         * test262/test/built-ins/Symbol/search/cross-realm.js:
1649         * test262/test/built-ins/Symbol/species/cross-realm.js:
1650         * test262/test/built-ins/Symbol/split/cross-realm.js:
1651         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
1652         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
1653         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
1654         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
1655         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
1656         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
1657         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
1658         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
1659         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
1660         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
1661         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
1662         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
1663         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
1664         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
1665         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
1666         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
1667         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
1668         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
1669         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
1670         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
1671         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
1672         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
1673         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
1674         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
1675         * test262/test/language/comments/mongolian-vowel-separator-single.js:
1676         * test262/test/language/eval-code/indirect/realm.js:
1677         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
1678         (o.get z):
1679         (o.get a):
1680         * test262/test/language/expressions/call/eval-realm-indirect.js:
1681         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
1682         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
1683         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
1684         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
1685         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
1686         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
1687         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
1688         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
1689         * test262/test/language/expressions/greater-than/bigint-and-number.js:
1690         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
1691         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
1692         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
1693         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
1694         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
1695         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
1696         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
1697         * test262/test/language/expressions/less-than/bigint-and-number.js:
1698         * test262/test/language/expressions/new/non-ctor-err-realm.js:
1699         * test262/test/language/expressions/super/realm.js:
1700         * test262/test/language/expressions/tagged-template/cache-realm.js:
1701         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
1702         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
1703         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
1704         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
1705         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
1706         * test262/test/language/literals/string/mongolian-vowel-separator.js:
1707         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
1708         (o.get z):
1709         (o.get a):
1710         * test262/test/language/statements/for-of/iterator-next-reference.js:
1711         (next):
1712         (iterator.next): Deleted.
1713         (x.of.iterable.): Deleted.
1714         (x.of.iterable.get return): Deleted.
1715         (x.of.iterable.iterator.next): Deleted.
1716         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
1717         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
1718         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
1719         * test262/test/language/white-space/mongolian-vowel-separator.js:
1720         * test262/test262-Revision.txt:
1721
1722 2017-10-03  Saam Barati  <sbarati@apple.com>
1723
1724         Implement polymorphic prototypes
1725         https://bugs.webkit.org/show_bug.cgi?id=176391
1726
1727         Reviewed by Filip Pizlo.
1728
1729         * microbenchmarks/poly-proto-access.js: Added.
1730         (assert):
1731         (foo.C):
1732         (foo.C.prototype.get bar):
1733         (foo):
1734         (bar):
1735         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
1736         (assert):
1737         (makePolyProtoObject.foo.C):
1738         (makePolyProtoObject.foo):
1739         (makePolyProtoObject):
1740         (performSet):
1741         * microbenchmarks/poly-proto-setter-speed.js: Added.
1742         (assert):
1743         (makePolyProtoObject.foo.C):
1744         (makePolyProtoObject.foo.C.prototype.set p):
1745         (makePolyProtoObject.foo):
1746         (makePolyProtoObject):
1747         (performSet):
1748         * stress/constructor-with-return.js:
1749         (i.tests.forEach.Constructor):
1750         (i.tests.forEach):
1751         (tests.forEach.Constructor): Deleted.
1752         (tests.forEach): Deleted.
1753         * stress/dom-jit-with-poly-proto.js: Added.
1754         (assert):
1755         (makePolyProtoObject.foo.C):
1756         (makePolyProtoObject.foo):
1757         (makePolyProtoObject):
1758         (validate):
1759         * stress/poly-proto-custom-value-and-accessor.js: Added.
1760         (assert):
1761         (makePolyProtoObject.foo.C):
1762         (makePolyProtoObject.foo):
1763         (makePolyProtoObject):
1764         (items.forEach):
1765         (set get for):
1766         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
1767         (assert):
1768         (makePolyProtoObject.foo.C):
1769         (makePolyProtoObject.foo):
1770         (makePolyProtoObject):
1771         (foo):
1772         * stress/poly-proto-miss.js: Added.
1773         (makePolyProtoInstanceWithNullPrototype.foo.C):
1774         (makePolyProtoInstanceWithNullPrototype.foo):
1775         (makePolyProtoInstanceWithNullPrototype):
1776         (assert):
1777         (validate):
1778         * stress/poly-proto-op-in-caching.js: Added.
1779         (assert):
1780         (makePolyProtoObject.foo.C):
1781         (makePolyProtoObject.foo):
1782         (makePolyProtoObject):
1783         (validate):
1784         (validate2):
1785         * stress/poly-proto-put-transition.js: Added.
1786         (assert):
1787         (makePolyProtoObject.foo.C):
1788         (makePolyProtoObject.foo):
1789         (makePolyProtoObject):
1790         (performSet):
1791         (i.obj.__proto__.set p):
1792         * stress/poly-proto-set-prototype.js: Added.
1793         (assert):
1794         (let.alternateProto.get x):
1795         (let.alternateProto2.get y):
1796         (let.alternateProto2.get x):
1797         (foo.C):
1798         (foo):
1799         (validate):
1800         * stress/poly-proto-setter.js: Added.
1801         (assert):
1802         (makePolyProtoObject.foo.C):
1803         (makePolyProtoObject.foo.C.prototype.set p):
1804         (makePolyProtoObject.foo.C.prototype.get p):
1805         (makePolyProtoObject.foo):
1806         (makePolyProtoObject):
1807         (performSet):
1808         * stress/poly-proto-using-inheritance.js: Added.
1809         (assert):
1810         (foo.C):
1811         (foo.C.prototype.get baz):
1812         (foo):
1813         (bar.C):
1814         (bar):
1815         (validate):
1816         * stress/primitive-poly-proto.js: Added.
1817         (makePolyProtoInstance.foo.C):
1818         (makePolyProtoInstance.foo):
1819         (makePolyProtoInstance):
1820         (assert):
1821         (validate):
1822         * stress/prototype-is-not-js-object.js: Added.
1823         (foo.bar):
1824         (foo):
1825         (assert):
1826         (validate):
1827         * stress/try-get-by-id-poly-proto.js: Added.
1828         (assert):
1829         (makePolyProtoObject.foo.C):
1830         (makePolyProtoObject.foo):
1831         (makePolyProtoObject):
1832         (tryGetByIdText):
1833         (x.__proto__.get bar):
1834         (validate):
1835         * typeProfiler/overflow.js:
1836
1837 2017-10-03  JF Bastien  <jfbastien@apple.com>
1838
1839         WebAssembly: no VM / JS version of everything but Instance
1840         https://bugs.webkit.org/show_bug.cgi?id=177473
1841
1842         Reviewed by Filip Pizlo.
1843
1844         - Exceeding max on memory growth now returns a range error as per
1845         spec. This is a (very minor) breaking change: it used to throw OOM
1846         error. Update the corresponding test.
1847
1848         * wasm/js-api/memory-grow.js:
1849         (assertEq):
1850         * wasm/js-api/table.js:
1851         (assert.throws):
1852
1853 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
1854
1855         Skip JSC test stress/regress-159779-2.js on debug.
1856         https://bugs.webkit.org/show_bug.cgi?id=177204
1857
1858         Unreviewed test gardening.
1859
1860         * stress/regress-159779-2.js:
1861
1862 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
1863
1864         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
1865         https://bugs.webkit.org/show_bug.cgi?id=175642
1866
1867         Reviewed by Darin Adler.
1868
1869         * ChakraCore/test/Function/apply3.baseline-jsc:
1870
1871 2017-10-01  Commit Queue  <commit-queue@webkit.org>
1872
1873         Unreviewed, rolling out r222564.
1874         https://bugs.webkit.org/show_bug.cgi?id=177720
1875
1876         "It regressed JetStream by 2% on iOS caused by a 50%
1877         regression on the bigfib subtest" (Requested by saamyjoon on
1878         #webkit).
1879
1880         Reverted changeset:
1881
1882         "Add Above/Below comparisons for UInt32 patterns"
1883         https://bugs.webkit.org/show_bug.cgi?id=177281
1884         http://trac.webkit.org/changeset/222564
1885
1886 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1887
1888         [DFG] Support ArrayPush with multiple args
1889         https://bugs.webkit.org/show_bug.cgi?id=175823
1890
1891         Reviewed by Saam Barati.
1892
1893         * microbenchmarks/array-push-0.js: Added.
1894         (arrayPush0):
1895         * microbenchmarks/array-push-1.js: Added.
1896         (arrayPush1):
1897         * microbenchmarks/array-push-2.js: Added.
1898         (arrayPush2):
1899         * microbenchmarks/array-push-3.js: Added.
1900         (arrayPush3):
1901         * stress/array-push-multiple-contiguous.js: Added.
1902         (shouldBe):
1903         (test):
1904         * stress/array-push-multiple-double-nan.js: Added.
1905         (shouldBe):
1906         (test):
1907         * stress/array-push-multiple-double.js: Added.
1908         (shouldBe):
1909         (test):
1910         * stress/array-push-multiple-int32.js: Added.
1911         (shouldBe):
1912         (test):
1913         * stress/array-push-multiple-many-contiguous.js: Added.
1914         (shouldBe):
1915         (test):
1916         * stress/array-push-multiple-many-double.js: Added.
1917         (shouldBe):
1918         (test):
1919         * stress/array-push-multiple-many-int32.js: Added.
1920         (shouldBe):
1921         (test):
1922         * stress/array-push-multiple-many-storage.js: Added.
1923         (shouldBe):
1924         (test):
1925         * stress/array-push-multiple-storage.js: Added.
1926         (shouldBe):
1927         (test):
1928         * stress/array-push-with-force-exit.js: Added.
1929         (target.createBuiltin):
1930
1931 2017-09-29  Saam Barati  <sbarati@apple.com>
1932
1933         Custom GetterSetterAccessCase does not use the correct slotBase when making call
1934         https://bugs.webkit.org/show_bug.cgi?id=177639
1935
1936         Reviewed by Geoffrey Garen.
1937
1938         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
1939         (assert):
1940         (Class):
1941         (items.forEach):
1942         (set get for):
1943
1944 2017-09-29  Commit Queue  <commit-queue@webkit.org>
1945
1946         Unreviewed, rolling out r222563, r222565, and r222581.
1947         https://bugs.webkit.org/show_bug.cgi?id=177675
1948
1949         "It causes a crash when playing youtube videos" (Requested by
1950         saamyjoon on #webkit).
1951
1952         Reverted changesets:
1953
1954         "[DFG] Support ArrayPush with multiple args"
1955         https://bugs.webkit.org/show_bug.cgi?id=175823
1956         http://trac.webkit.org/changeset/222563
1957
1958         "Unreviewed, build fix after r222563"
1959         https://bugs.webkit.org/show_bug.cgi?id=175823
1960         http://trac.webkit.org/changeset/222565
1961
1962         "Unreviewed, fix x86 breaking due to exhausted registers"
1963         https://bugs.webkit.org/show_bug.cgi?id=175823
1964         http://trac.webkit.org/changeset/222581
1965
1966 2017-09-28  Mark Lam  <mark.lam@apple.com>
1967
1968         test262: Unexpected passes after r222617 and r222618.
1969         https://bugs.webkit.org/show_bug.cgi?id=177622
1970         <rdar://problem/34725960>
1971
1972         Reviewed by Saam Barati.
1973
1974         Update test262.yaml for tests that are now passing.
1975
1976         * test262.yaml:
1977
1978 2017-09-27  Michael Saboff  <msaboff@apple.com>
1979
1980         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
1981         https://bugs.webkit.org/show_bug.cgi?id=177570
1982
1983         Reviewed by Filip Pizlo.
1984
1985         New regression test.
1986
1987         * stress/regress-177570.js: Added.
1988
1989 2017-09-28  Michael Saboff  <msaboff@apple.com>
1990
1991         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
1992         https://bugs.webkit.org/show_bug.cgi?id=177423
1993
1994         Reviewed by Mark Lam.
1995
1996         Updated regression test.
1997
1998         * stress/regress-177423.js:
1999         (catch):
2000
2001 2017-09-27  Mark Lam  <mark.lam@apple.com>
2002
2003         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
2004         https://bugs.webkit.org/show_bug.cgi?id=177584
2005         <rdar://problem/34463903>
2006
2007         Reviewed by Saam Barati.
2008
2009         * stress/regress-177584.js: Added.
2010         (assertEqual):
2011         (Array.prototype.Symbol.species):
2012
2013 2017-09-27  Saam Barati  <sbarati@apple.com>
2014
2015         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
2016         https://bugs.webkit.org/show_bug.cgi?id=177523
2017
2018         Reviewed by Mark Lam.
2019
2020         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
2021         (assert):
2022         (Test):
2023         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
2024         (addMethods):
2025         (i.Test.prototype.propName):
2026
2027 2017-09-27  Mark Lam  <mark.lam@apple.com>
2028
2029         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
2030         https://bugs.webkit.org/show_bug.cgi?id=177423
2031         <rdar://problem/34621320>
2032
2033         Reviewed by Keith Miller.
2034
2035         * stress/regress-177423.js: Added.
2036
2037 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2038
2039         Add Above/Below comparisons for UInt32 patterns
2040         https://bugs.webkit.org/show_bug.cgi?id=177281
2041
2042         Reviewed by Saam Barati.
2043
2044         * stress/uint32-comparison-jump.js: Added.
2045         (shouldBe):
2046         (above):
2047         (aboveOrEqual):
2048         (below):
2049         (belowOrEqual):
2050         (notAbove):
2051         (notAboveOrEqual):
2052         (notBelow):
2053         (notBelowOrEqual):
2054         * stress/uint32-comparison.js: Added.
2055         (shouldBe):
2056         (above):
2057         (aboveOrEqual):
2058         (below):
2059         (belowOrEqual):
2060         (aboveTest):
2061         (aboveOrEqualTest):
2062         (belowTest):
2063         (belowOrEqualTest):
2064
2065 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2066
2067         [DFG] Support ArrayPush with multiple args
2068         https://bugs.webkit.org/show_bug.cgi?id=175823
2069
2070         Reviewed by Saam Barati.
2071
2072         * microbenchmarks/array-push-0.js: Added.
2073         (arrayPush0):
2074         * microbenchmarks/array-push-1.js: Added.
2075         (arrayPush1):
2076         * microbenchmarks/array-push-2.js: Added.
2077         (arrayPush2):
2078         * microbenchmarks/array-push-3.js: Added.
2079         (arrayPush3):
2080         * stress/array-push-multiple-contiguous.js: Added.
2081         (shouldBe):
2082         (test):
2083         * stress/array-push-multiple-double-nan.js: Added.
2084         (shouldBe):
2085         (test):
2086         * stress/array-push-multiple-double.js: Added.
2087         (shouldBe):
2088         (test):
2089         * stress/array-push-multiple-int32.js: Added.
2090         (shouldBe):
2091         (test):
2092         * stress/array-push-multiple-many-contiguous.js: Added.
2093         (shouldBe):
2094         (test):
2095         * stress/array-push-multiple-many-double.js: Added.
2096         (shouldBe):
2097         (test):
2098         * stress/array-push-multiple-many-int32.js: Added.
2099         (shouldBe):
2100         (test):
2101         * stress/array-push-multiple-many-storage.js: Added.
2102         (shouldBe):
2103         (test):
2104         * stress/array-push-multiple-storage.js: Added.
2105         (shouldBe):
2106         (test):
2107
2108 2017-09-26  Commit Queue  <commit-queue@webkit.org>
2109
2110         Unreviewed, rolling out r222518.
2111         https://bugs.webkit.org/show_bug.cgi?id=177507
2112
2113         Break the High Sierra build (Requested by yusukesuzuki on
2114         #webkit).
2115
2116         Reverted changeset:
2117
2118         "Add Above/Below comparisons for UInt32 patterns"
2119         https://bugs.webkit.org/show_bug.cgi?id=177281
2120         http://trac.webkit.org/changeset/222518
2121
2122 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2123
2124         Add Above/Below comparisons for UInt32 patterns
2125         https://bugs.webkit.org/show_bug.cgi?id=177281
2126
2127         Reviewed by Saam Barati.
2128
2129         * stress/uint32-comparison-jump.js: Added.
2130         (shouldBe):
2131         (above):
2132         (aboveOrEqual):
2133         (below):
2134         (belowOrEqual):
2135         (notAbove):
2136         (notAboveOrEqual):
2137         (notBelow):
2138         (notBelowOrEqual):
2139         * stress/uint32-comparison.js: Added.
2140         (shouldBe):
2141         (above):
2142         (aboveOrEqual):
2143         (below):
2144         (belowOrEqual):
2145         (aboveTest):
2146         (aboveOrEqualTest):
2147         (belowTest):
2148         (belowOrEqualTest):
2149
2150 2017-09-23  Keith Miller  <keith_miller@apple.com>
2151
2152         Fix infinite looping test262 test
2153         https://bugs.webkit.org/show_bug.cgi?id=177412
2154
2155         Reviewed by Yusuke Suzuki.
2156
2157         This test was poorly designed since failing it would cause the vm
2158         to inifinite loop. I've fixed it locally and will fix it on github pending
2159         the results of next weeks tc39 meeting.
2160
2161         * test262.yaml:
2162         * test262/test/language/statements/for-of/iterator-next-reference.js:
2163
2164 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
2165
2166         test262: $.agent became $262.agent in test262 update
2167         https://bugs.webkit.org/show_bug.cgi?id=177407
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         * test262.yaml:
2172         ~320 tests pass now that we correctly make $262 available.
2173
2174 2017-09-22  Keith Miller  <keith_miller@apple.com>
2175
2176         Speculatively change iteration protocall to use the same next function
2177         https://bugs.webkit.org/show_bug.cgi?id=175653
2178
2179         Reviewed by Saam Barati.
2180
2181         Change test to match the new iteration behavior.
2182
2183         * stress/spread-optimized-properly.js:
2184
2185 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2186
2187         [DFG][FTL] Profile array vector length for array allocation
2188         https://bugs.webkit.org/show_bug.cgi?id=177051
2189
2190         Reviewed by Saam Barati.
2191
2192         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
2193         (target):
2194
2195 2017-09-22  Commit Queue  <commit-queue@webkit.org>
2196
2197         Unreviewed, rolling out r222380.
2198         https://bugs.webkit.org/show_bug.cgi?id=177352
2199
2200         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
2201         #webkit).
2202
2203         Reverted changeset:
2204
2205         "[DFG][FTL] Profile array vector length for array allocation"
2206         https://bugs.webkit.org/show_bug.cgi?id=177051
2207         http://trac.webkit.org/changeset/222380
2208
2209 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2210
2211         [DFG][FTL] Profile array vector length for array allocation
2212         https://bugs.webkit.org/show_bug.cgi?id=177051
2213
2214         Reviewed by Saam Barati.
2215
2216         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
2217         (target):
2218
2219 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
2220
2221         Skip new hanging test262 tests.
2222         https://bugs.webkit.org/show_bug.cgi?id=177326
2223
2224         Unreviewed test gardening.
2225
2226         * test262.yaml:
2227
2228 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2229
2230         Mark 6 test262 tests as passing.
2231         https://bugs.webkit.org/show_bug.cgi?id=177307
2232
2233         Unreviewed test gardening.
2234
2235         * test262.yaml:
2236
2237 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
2238
2239         Unreviewed follow-up to r222311.
2240
2241         * test262/harness/sta.js:
2242         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
2243         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
2244         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
2245         * test262/test/built-ins/Array/from/elements-added-after.js:
2246         * test262/test/built-ins/Array/from/elements-deleted-after.js:
2247         * test262/test/built-ins/Array/from/elements-updated-after.js:
2248         * test262/test/built-ins/Array/from/from-array.js:
2249         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
2250         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
2251         * test262/test/built-ins/Array/from/source-array-boundary.js:
2252         * test262/test/built-ins/Array/from/source-object-constructor.js:
2253         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
2254         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
2255         * test262/test/built-ins/Array/from/source-object-length.js:
2256         * test262/test/built-ins/Array/from/source-object-missing.js:
2257         * test262/test/built-ins/Array/from/source-object-without.js:
2258         * test262/test/built-ins/Array/from/this-null.js:
2259         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
2260         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
2261         * test262/test/language/literals/numeric/7.8.3-1gs.js:
2262         * test262/test/language/literals/numeric/7.8.3-2gs.js:
2263         * test262/test/language/literals/numeric/7.8.3-3gs.js:
2264         * test262/test/language/literals/regexp/7.8.5-1gs.js:
2265         * test262/test/language/literals/string/7.8.4-1gs.js:
2266         Fix some files that I failed to update when I applied my patch.
2267
2268 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
2269
2270         Update test262 tests
2271         https://bugs.webkit.org/show_bug.cgi?id=177220
2272
2273         Reviewed by Saam Barati and Yusuke Suzuki.
2274
2275         * test262.yaml:
2276         * test262/test262-Revision.txt:
2277         New rebaselined expectations for all tests.
2278
2279         * test262/*:
2280         Updated.
2281
2282 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2283
2284         [DFG] Remove ToThis more aggressively
2285         https://bugs.webkit.org/show_bug.cgi?id=177056
2286
2287         Reviewed by Saam Barati.
2288
2289         * stress/generator-with-this-strict.js: Added.
2290         (shouldBe):
2291         (generator):
2292         (target):
2293         * stress/generator-with-this.js: Added.
2294         (shouldBe):
2295         (generator):
2296         (target):
2297
2298 2017-09-17  Michael Saboff  <msaboff@apple.com>
2299
2300         https://bugs.webkit.org/show_bug.cgi?id=177038
2301         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
2302
2303         Reviewed by JF Bastien.
2304
2305         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
2306         as it dies using too much memory.
2307
2308 2017-09-15  Saam Barati  <sbarati@apple.com>
2309
2310         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
2311         https://bugs.webkit.org/show_bug.cgi?id=176981
2312
2313         Reviewed by Yusuke Suzuki.
2314
2315         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
2316         (assert):
2317         (verify):
2318         (func):
2319         (const.bar.createBuiltin):
2320
2321 2017-09-14  Saam Barati  <sbarati@apple.com>
2322
2323         It should be valid to exit before each set when doing arity fixup when inlining
2324         https://bugs.webkit.org/show_bug.cgi?id=176948
2325
2326         Reviewed by Keith Miller.
2327
2328         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
2329         (baz):
2330         (bar):
2331         (foo):
2332
2333 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2334
2335         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
2336         https://bugs.webkit.org/show_bug.cgi?id=176867
2337
2338         Reviewed by Sam Weinig.
2339
2340         * microbenchmarks/object-get-own-property-symbols.js: Added.
2341         (test):
2342
2343 2017-09-13  Mark Lam  <mark.lam@apple.com>
2344
2345         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
2346         https://bugs.webkit.org/show_bug.cgi?id=176888
2347         <rdar://problem/34381832>
2348
2349         Not reviewed.
2350
2351         * stress/op_mod-ConstVar.js:
2352         * stress/op_mod-VarConst.js:
2353         * stress/op_mod-VarVar.js:
2354
2355 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
2356
2357         Skip 3 op_mod tests on Debug JSC bots.
2358         https://bugs.webkit.org/show_bug.cgi?id=176630
2359
2360         Unreviewed test gardening.
2361
2362         * stress/op_mod-ConstVar.js:
2363         * stress/op_mod-VarConst.js:
2364         * stress/op_mod-VarVar.js:
2365
2366 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2367
2368         [JSC] Fix Array allocation in Object.keys
2369         https://bugs.webkit.org/show_bug.cgi?id=176826
2370
2371         Reviewed by Saam Barati.
2372
2373         * stress/object-own-property-keys.js: Added.
2374         (shouldBe):
2375
2376 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2377
2378         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
2379         https://bugs.webkit.org/show_bug.cgi?id=176010
2380
2381         Reviewed by Filip Pizlo.
2382
2383         * microbenchmarks/weak-map-key.js: Added.
2384         (assert):
2385         (objectKey):
2386         (let.start.Date.now):
2387
2388 2017-09-12  Mark Lam  <mark.lam@apple.com>
2389
2390         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
2391         https://bugs.webkit.org/show_bug.cgi?id=176630
2392
2393         Reviewed by JF Bastien.
2394
2395         Debug builds are just slow, and these tests do a lot.  They pass when I run them
2396         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
2397         a speculative fix for the bots that are seeing these fail.
2398
2399         I also undid the skipping of the op_mod tests for debug builds.
2400
2401         * stress/op_div-ConstVar.js:
2402         * stress/op_div-VarConst.js:
2403         * stress/op_div-VarVar.js:
2404         * stress/op_mod-ConstVar.js:
2405         * stress/op_mod-VarConst.js:
2406         * stress/op_mod-VarVar.js:
2407
2408 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
2409
2410         Skip stress/value-to-boolean.js on Debug bots.
2411         https://bugs.webkit.org/show_bug.cgi?id=176787
2412
2413         Unreviewed test gardening.
2414
2415         * stress/value-to-boolean.js:
2416
2417 2017-09-11  Mark Lam  <mark.lam@apple.com>
2418
2419         Change test expectation for test262/test/language/statements/try/tco-catch.js
2420         https://bugs.webkit.org/show_bug.cgi?id=176749
2421
2422         Rubber stamped by Keith Miller.
2423
2424         It's been failing since at least r221821.  I'm changing the test expectation to
2425         fail to green the bots while I investigate some more.
2426
2427         * test262.yaml:
2428
2429 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
2430
2431         Unreviewed, rolling out r221854.
2432
2433         The test added with this change fails on 32-bit JSC bots.
2434
2435         Reverted changeset:
2436
2437         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
2438         https://bugs.webkit.org/show_bug.cgi?id=176010
2439         http://trac.webkit.org/changeset/221854
2440
2441 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2442
2443         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
2444         https://bugs.webkit.org/show_bug.cgi?id=176010
2445
2446         Reviewed by Filip Pizlo.
2447
2448         * microbenchmarks/weak-map-key.js: Added.
2449         (assert):
2450         (objectKey):
2451         (let.start.Date.now):
2452
2453 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2454
2455         [JSC] Optimize Object.keys by using careful array allocation
2456         https://bugs.webkit.org/show_bug.cgi?id=176654
2457
2458         Reviewed by Darin Adler.
2459
2460         * microbenchmarks/object-keys.js: Added.
2461         (test):
2462
2463 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
2464
2465         Error should compute .stack and friends lazily
2466         https://bugs.webkit.org/show_bug.cgi?id=176645
2467
2468         Reviewed by Saam Barati.
2469
2470         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
2471         * microbenchmarks/new-error.js: Added.
2472         * microbenchmarks/throw.js: Added.
2473
2474 2017-09-09  Mark Lam  <mark.lam@apple.com>
2475
2476         [Re-landing] Use JIT probes for DFG OSR exit.
2477         https://bugs.webkit.org/show_bug.cgi?id=175144
2478         <rdar://problem/33437050>
2479
2480         Not reviewed.  Original patch reviewed by Saam Barati.
2481
2482         Disable these tests for debug builds because they run too slow with the new OSR exit.
2483
2484         * stress/op_mod-ConstVar.js:
2485         * stress/op_mod-VarConst.js:
2486         * stress/op_mod-VarVar.js:
2487
2488 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2489
2490         [DFG] NewArrayWithSize(size)'s size does not care negative zero
2491         https://bugs.webkit.org/show_bug.cgi?id=176300
2492
2493         Reviewed by Saam Barati.
2494
2495         * stress/new-array-with-size-div.js: Added.
2496         (shouldBe):
2497         (test):
2498         (i.i):
2499
2500 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2501
2502         [DFG] PutByVal with Array::Generic is too generic
2503         https://bugs.webkit.org/show_bug.cgi?id=176345
2504
2505         Reviewed by Filip Pizlo.
2506
2507         * stress/object-assign-symbols.js: Added.
2508         (shouldBe):
2509         (test):
2510         * stress/object-assign.js: Added.
2511         (shouldBe):
2512         (test):
2513         (i.shouldBe.JSON.stringify.test):
2514
2515 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2516
2517         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
2518         https://bugs.webkit.org/show_bug.cgi?id=176590
2519
2520         Reviewed by Saam Barati.
2521
2522         * microbenchmarks/object-iterate-symbols.js: Added.
2523         (test):
2524         * microbenchmarks/object-iterate.js: Added.
2525         (test):
2526         * stress/object-iterate-symbols.js: Added.
2527         (shouldBe):
2528         (test):
2529         * stress/object-iterate.js: Added.
2530         (shouldBe):
2531         (test):
2532
2533 2017-09-07  Per Arne Vollan  <pvollan@apple.com>
2534
2535         [Win32] 10 JSC stress tests are failing.
2536         https://bugs.webkit.org/show_bug.cgi?id=176538
2537
2538         Reviewed by Mark Lam.
2539
2540         Skip tests on Windows to make the bots green.
2541
2542         * ChakraCore.yaml:
2543         * stress/date-relaxed.js:
2544
2545 2017-09-06  Mark Lam  <mark.lam@apple.com>
2546
2547         constructGenericTypedArrayViewWithArguments() is missing an exception check.
2548         https://bugs.webkit.org/show_bug.cgi?id=176485
2549         <rdar://problem/33898874>
2550
2551         Reviewed by Keith Miller.
2552
2553         * stress/regress-176485.js: Added.
2554
2555 2017-09-05  Saam Barati  <sbarati@apple.com>
2556
2557         isNotCellSpeculation is wrong with respect to SpecEmpty
2558         https://bugs.webkit.org/show_bug.cgi?id=176429
2559
2560         Reviewed by Michael Saboff.
2561
2562         * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
2563         (Foo):
2564
2565 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
2566
2567         test262: Completion values for control flow do not match the spec
2568         https://bugs.webkit.org/show_bug.cgi?id=171265
2569
2570         Reviewed by Saam Barati.
2571
2572         * stress/completion-value.js:
2573         Condensed test for completion values in top level statements.
2574
2575         * stress/super-get-by-id.js:
2576         ClassDeclaration when evaled no longer produce values. Convert
2577         these to ClassExpressions so they produce the class value.
2578         
2579         * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
2580         This is a progression for currect spec behavior.
2581
2582         * mozilla/mozilla-tests.yaml:
2583         This test is now outdated, so mark it as failing for that reason.
2584
2585         * test262.yaml:
2586         Passing all "cptn" completion value tests.
2587
2588 2017-09-04  Saam Barati  <sbarati@apple.com>
2589
2590         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
2591         https://bugs.webkit.org/show_bug.cgi?id=176317
2592
2593         Reviewed by Keith Miller.
2594
2595         * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
2596         (Foo):
2597
2598 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2599
2600         [DFG][FTL] Efficiently execute number#toString()
2601         https://bugs.webkit.org/show_bug.cgi?id=170007
2602
2603         Reviewed by Keith Miller.
2604
2605         * microbenchmarks/number-to-string-strength-reduction.js: Added.
2606         (test):
2607         * microbenchmarks/number-to-string-with-radix-10.js: Added.
2608         (test):
2609         * microbenchmarks/number-to-string-with-radix-cse.js: Added.
2610         (test):
2611         * microbenchmarks/number-to-string-with-radix.js: Added.
2612         (test):
2613         * stress/number-to-string-strength-reduction.js: Added.
2614         (shouldBe):
2615         (test):
2616         * stress/number-to-string-with-radix-10.js: Added.
2617         (shouldBe):
2618         (test):
2619         * stress/number-to-string-with-radix-cse.js: Added.
2620         (shouldBe):
2621         (test):
2622         * stress/number-to-string-with-radix-invalid.js: Added.
2623         (shouldThrow):
2624         * stress/number-to-string-with-radix-watchpoint.js: Added.
2625         (shouldBe):
2626         (test):
2627         (i.i.1e3.Number.prototype.toString):
2628         * stress/number-to-string-with-radix.js: Added.
2629         (shouldBe):
2630         (test):
2631
2632 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2633
2634         [DFG] Relax arity requirement
2635         https://bugs.webkit.org/show_bug.cgi?id=175523
2636
2637         Reviewed by Saam Barati.
2638
2639         * stress/arity-mismatch-arguments-length.js: Added.
2640         (shouldBe):
2641         (test1):
2642         (test):
2643         * stress/arity-mismatch-get-argument.js: Added.
2644         (shouldBe):
2645         (builtin.createBuiltin):
2646         (test):
2647         * stress/arity-mismatch-inlining-extra-slots.js: Added.
2648         (shouldBe):
2649         (inlineTarget):
2650         (test):
2651         * stress/arity-mismatch-inlining.js: Added.
2652         (shouldBe):
2653         (inlineTarget):
2654         (test):
2655         * stress/arity-mismatch-rest.js: Added.
2656         (shouldBe):
2657         (test2):
2658         (test1):
2659         (test):
2660
2661 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2662
2663         [JSC] Fix "name" and "length" of Proxy revoke function
2664         https://bugs.webkit.org/show_bug.cgi?id=176155
2665
2666         Reviewed by Mark Lam.
2667
2668         * test262.yaml:
2669
2670 2017-08-31  Saam Barati  <sbarati@apple.com>
2671
2672         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
2673         https://bugs.webkit.org/show_bug.cgi?id=176206
2674
2675         Reviewed by Keith Miller.
2676
2677         * stress/compare-semantic-origin-op-negate-method-of-getting-a-value-profile.js: Added.
2678         (a):
2679         (b):
2680         (foo):
2681
2682 2017-08-31  Ryan Haddad  <ryanhaddad@apple.com>
2683
2684         Skip two slow JSC tests after r221422.
2685
2686         Unreviewed test gardening.
2687
2688         * stress/regexp-prototype-match-on-too-long-rope.js:
2689         * stress/regexp-prototype-test-on-too-long-rope.js:
2690
2691 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
2692
2693         Unreviewed, skipping slow tests.
2694         
2695         These tests are now timing out. They would have always been slow. The timeouts are probably because OOMs
2696         work differently now.
2697
2698         * stress/regexp-prototype-exec-on-too-long-rope.js:
2699         * stress/string-prototype-charCodeAt-on-too-long-rope.js:
2700
2701 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2702
2703         [JSC] Use reifying system for "name" property of builtin JSFunction
2704         https://bugs.webkit.org/show_bug.cgi?id=175260
2705
2706         Reviewed by Saam Barati.
2707
2708         * stress/accessors-get-set-prefix.js:
2709         * stress/builtin-function-name.js: Added.
2710         (shouldBe):
2711         (shouldThrow):
2712         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
2713         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
2714         * stress/private-name-as-anonymous-builtin.js: Added.
2715         (shouldBe):
2716         (NotPromise):
2717
2718 2017-08-30  Saam Barati  <sbarati@apple.com>
2719
2720         Unreviewed. Make test stop printing.
2721
2722         * microbenchmarks/fake-iterators-that-throw-when-finished.js:
2723
2724 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
2725
2726         Unreviewed, rolling out r221327.
2727
2728         This change caused test262 failures.
2729
2730         Reverted changeset:
2731
2732         "[JSC] Use reifying system for "name" property of builtin
2733         JSFunction"
2734         https://bugs.webkit.org/show_bug.cgi?id=175260
2735         http://trac.webkit.org/changeset/221327
2736
2737 2017-08-30  Saam Barati  <sbarati@apple.com>
2738
2739         semicolon is being interpreted as an = in the LiteralParser
2740         https://bugs.webkit.org/show_bug.cgi?id=176114
2741
2742         Reviewed by Oliver Hunt.
2743
2744         * stress/jsonp-literal-parser-semicolon-is-not-assignment.js: Added.
2745         * stress/resources/literal-parser-test-case.js: Added.
2746
2747 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
2748
2749         [ESNext] Async iteration - Implement async iteration statement: for-await-of
2750         https://bugs.webkit.org/show_bug.cgi?id=166698
2751
2752         Reviewed by Yusuke Suzuki.
2753
2754         * stress/async-iteration-for-await-of-syntax.js: Added.
2755         (assert):
2756         (checkSyntax):
2757         (checkSyntaxError):
2758         (checkSimpleAsyncGeneratorSloppyMode):
2759         (checkSimpleAsyncGeneratorStrictMode):
2760         (checkNestedAsyncGenerators):
2761         (checkSimpleAsyncGeneratorSyntaxErrorInStrictMode):
2762         * stress/async-iteration-for-await-of.js: Added.
2763         (assert):
2764         (async.foo):
2765         (async.boo):
2766         (const.boo.async):
2767
2768 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2769
2770         [JSC] Use reifying system for "name" property of builtin JSFunction
2771         https://bugs.webkit.org/show_bug.cgi?id=175260
2772
2773         Reviewed by Saam Barati.
2774
2775         * stress/accessors-get-set-prefix.js:
2776         * stress/builtin-function-name.js: Added.
2777         (shouldBe):
2778         (shouldThrow):
2779         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
2780         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
2781
2782 2017-08-25  Saam Barati  <sbarati@apple.com>
2783
2784         Support compiling catch in the DFG
2785         https://bugs.webkit.org/show_bug.cgi?id=174590
2786         <rdar://problem/34047845>
2787
2788         Reviewed by Filip Pizlo.
2789
2790         * microbenchmarks/delta-blue-try-catch.js: Added.
2791         (exception):
2792         (value):
2793         (OrderedCollection):
2794         (OrderedCollection.prototype.add):
2795         (OrderedCollection.prototype.at):
2796         (OrderedCollection.prototype.size):
2797         (OrderedCollection.prototype.removeFirst):
2798         (OrderedCollection.prototype.remove):
2799         (Strength):
2800         (Strength.stronger):
2801         (Strength.weaker):
2802         (Strength.weakestOf):
2803         (Strength.strongest):
2804         (Strength.prototype.nextWeaker):
2805         (Constraint):
2806         (Constraint.prototype.addConstraint):
2807         (Constraint.prototype.satisfy):
2808         (Constraint.prototype.destroyConstraint):
2809         (Constraint.prototype.isInput):
2810         (UnaryConstraint):
2811         (UnaryConstraint.prototype.addToGraph):
2812         (UnaryConstraint.prototype.chooseMethod):
2813         (UnaryConstraint.prototype.isSatisfied):
2814         (UnaryConstraint.prototype.markInputs):
2815         (UnaryConstraint.prototype.output):
2816         (UnaryConstraint.prototype.recalculate):
2817         (UnaryConstraint.prototype.markUnsatisfied):
2818         (UnaryConstraint.prototype.inputsKnown):
2819         (UnaryConstraint.prototype.removeFromGraph):
2820         (StayConstraint):
2821         (StayConstraint.prototype.execute):
2822         (EditConstraint.prototype.isInput):
2823         (EditConstraint.prototype.execute):
2824         (BinaryConstraint):
2825         (BinaryConstraint.prototype.chooseMethod):
2826         (BinaryConstraint.prototype.addToGraph):
2827         (BinaryConstraint.prototype.isSatisfied):
2828         (BinaryConstraint.prototype.markInputs):
2829         (BinaryConstraint.prototype.input):
2830         (BinaryConstraint.prototype.output):
2831         (BinaryConstraint.prototype.recalculate):
2832         (BinaryConstraint.prototype.markUnsatisfied):
2833         (BinaryConstraint.prototype.inputsKnown):
2834         (BinaryConstraint.prototype.removeFromGraph):
2835         (ScaleConstraint):
2836         (ScaleConstraint.prototype.addToGraph):
2837         (ScaleConstraint.prototype.removeFromGraph):
2838         (ScaleConstraint.prototype.markInputs):
2839         (ScaleConstraint.prototype.execute):
2840         (ScaleConstraint.prototype.recalculate):
2841         (EqualityConstraint):
2842         (EqualityConstraint.prototype.execute):
2843         (Variable):
2844         (Variable.prototype.addConstraint):
2845         (Variable.prototype.removeConstraint):
2846         (Planner):
2847         (Planner.prototype.incrementalAdd):
2848         (Planner.prototype.incrementalRemove):
2849         (Planner.prototype.newMark):
2850         (Planner.prototype.makePlan):
2851         (Planner.prototype.extractPlanFromConstraints):
2852         (Planner.prototype.addPropagate):
2853         (Planner.prototype.removePropagateFrom):
2854         (Planner.prototype.addConstraintsConsumingTo):
2855         (Plan):
2856         (Plan.prototype.addConstraint):
2857         (Plan.prototype.size):
2858         (Plan.prototype.constraintAt):
2859         (Plan.prototype.execute):
2860         (chainTest):
2861         (projectionTest):
2862         (change):
2863         (deltaBlue):
2864         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Added.
2865         (assert):
2866         (Numbers):
2867         (Numbers.prototype.next):
2868         (return.Transpose):
2869         (return.Transpose.prototype.next):
2870         (transpose):
2871         (verifyEven):
2872         (verifyString):
2873         (foo):
2874         (runIterators):
2875         * microbenchmarks/try-catch-word-count.js: Added.
2876         (let.assert):
2877         (EOF):
2878         (let.texts):
2879         (let.o.apply):
2880         (foo):
2881         (bar):
2882         (f):
2883         (run):
2884         (test1):
2885         (test2):
2886         (test3):
2887         (fn):
2888         (A):
2889         (B):
2890         (A.prototype.getValue):
2891         (B.prototype.getParentValue):
2892         (strlen):
2893         (sum.0):
2894         (test):
2895         (result.test.o):
2896         (set add.set add):
2897         (set forEach):
2898         (stringHash):
2899         (set if):
2900         (testFunction):
2901         (set delete.set has.set add):
2902         * stress/catch-set-argument-speculation-failure.js: Added.
2903         (o):
2904         (e):
2905         (e2):
2906         (escape):
2907         (baz):
2908         (noInline.run):
2909         (noInline):
2910         * stress/osr-enter-to-catch-with-set-local-type-check-failure.js: Added.
2911         (foo):
2912         (e):
2913         (baz):
2914         (bar):
2915
2916 2017-08-24  Commit Queue  <commit-queue@webkit.org>
2917
2918         Unreviewed, rolling out r221119, r221124, and r221143.
2919         https://bugs.webkit.org/show_bug.cgi?id=175973
2920
2921         "I think it regressed JSBench by 20%" (Requested by saamyjoon
2922         on #webkit).
2923
2924         Reverted changesets:
2925
2926         "Support compiling catch in the DFG"
2927         https://bugs.webkit.org/show_bug.cgi?id=174590
2928         http://trac.webkit.org/changeset/221119
2929
2930         "Unreviewed, build fix in GTK port"
2931         https://bugs.webkit.org/show_bug.cgi?id=174590
2932         http://trac.webkit.org/changeset/221124
2933
2934         "DFG::JITCode::osrEntry should get sorted since we perform a
2935         binary search on it"
2936         https://bugs.webkit.org/show_bug.cgi?id=175893
2937         http://trac.webkit.org/changeset/221143
2938
2939 2017-08-24  Michael Saboff  <msaboff@apple.com>
2940
2941         Add support for RegExp "dotAll" flag
2942         https://bugs.webkit.org/show_bug.cgi?id=175924
2943
2944         Reviewed by Keith Miller.
2945
2946         Updated tests for new dotAll ('s' flag) changes.
2947
2948         * es6/Proxy_internal_get_calls_RegExp.prototype.flags.js:
2949         * stress/static-getter-in-names.js:
2950
2951 2017-08-24  Mark Lam  <mark.lam@apple.com>
2952
2953         Land regression test for https://bugs.webkit.org/show_bug.cgi?id=164081.
2954         https://bugs.webkit.org/show_bug.cgi?id=175940
2955         <rdar://problem/29003921>
2956
2957         Reviewed by Saam Barati.
2958
2959         * stress/regress-164081.js: Added.
2960         (shouldEqual):
2961         (testcase):
2962
2963 2017-08-24  Ryan Haddad  <ryanhaddad@apple.com>
2964
2965         Skip flaky JSC test stress/test-finally.js.
2966         https://bugs.webkit.org/show_bug.cgi?id=160283
2967
2968         Unreviewed test gardening.
2969
2970         * stress/test-finally.js:
2971
2972 2017-08-23  Saam Barati  <sbarati@apple.com>
2973
2974         Support compiling catch in the DFG
2975         https://bugs.webkit.org/show_bug.cgi?id=174590
2976
2977         Reviewed by Filip Pizlo.
2978
2979         * microbenchmarks/delta-blue-try-catch.js: Added.
2980         (exception):
2981         (value):
2982         (OrderedCollection):
2983         (OrderedCollection.prototype.add):
2984         (OrderedCollection.prototype.at):
2985         (OrderedCollection.prototype.size):
2986         (OrderedCollection.prototype.removeFirst):
2987         (OrderedCollection.prototype.remove):
2988         (Strength):
2989         (Strength.stronger):
2990         (Strength.weaker):
2991         (Strength.weakestOf):
2992         (Strength.strongest):
2993         (Strength.prototype.nextWeaker):
2994         (Constraint):
2995         (Constraint.prototype.addConstraint):
2996         (Constraint.prototype.satisfy):
2997         (Constraint.prototype.destroyConstraint):
2998         (Constraint.prototype.isInput):
2999         (UnaryConstraint):
3000         (UnaryConstraint.prototype.addToGraph):
3001         (UnaryConstraint.prototype.chooseMethod):
3002         (UnaryConstraint.prototype.isSatisfied):
3003         (UnaryConstraint.prototype.markInputs):
3004         (UnaryConstraint.prototype.output):
3005         (UnaryConstraint.prototype.recalculate):
3006         (UnaryConstraint.prototype.markUnsatisfied):
3007         (UnaryConstraint.prototype.inputsKnown):
3008         (UnaryConstraint.prototype.removeFromGraph):
3009         (StayConstraint):
3010         (StayConstraint.prototype.execute):
3011         (EditConstraint.prototype.isInput):
3012         (EditConstraint.prototype.execute):
3013         (BinaryConstraint):
3014         (BinaryConstraint.prototype.chooseMethod):
3015         (BinaryConstraint.prototype.addToGraph):
3016         (BinaryConstraint.prototype.isSatisfied):
3017         (BinaryConstraint.prototype.markInputs):
3018         (BinaryConstraint.prototype.input):
3019         (BinaryConstraint.prototype.output):
3020         (BinaryConstraint.prototype.recalculate):
3021         (BinaryConstraint.prototype.markUnsatisfied):
3022         (BinaryConstraint.prototype.inputsKnown):
3023         (BinaryConstraint.prototype.removeFromGraph):
3024         (ScaleConstraint):
3025         (ScaleConstraint.prototype.addToGraph):
3026         (ScaleConstraint.prototype.removeFromGraph):
3027         (ScaleConstraint.prototype.markInputs):
3028         (ScaleConstraint.prototype.execute):
3029         (ScaleConstraint.prototype.recalculate):
3030         (EqualityConstraint):
3031         (EqualityConstraint.prototype.execute):
3032         (Variable):
3033         (Variable.prototype.addConstraint):
3034         (Variable.prototype.removeConstraint):
3035         (Planner):
3036         (Planner.prototype.incrementalAdd):
3037         (Planner.prototype.incrementalRemove):
3038         (Planner.prototype.newMark):
3039         (Planner.prototype.makePlan):
3040         (Planner.prototype.extractPlanFromConstraints):
3041         (Planner.prototype.addPropagate):
3042         (Planner.prototype.removePropagateFrom):
3043         (Planner.prototype.addConstraintsConsumingTo):
3044         (Plan):
3045         (Plan.prototype.addConstraint):
3046         (Plan.prototype.size):
3047         (Plan.prototype.constraintAt):
3048         (Plan.prototype.execute):
3049         (chainTest):
3050         (projectionTest):
3051         (change):
3052         (deltaBlue):
3053         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Added.
3054         (assert):
3055         (Numbers):
3056         (Numbers.prototype.next):
3057         (return.Transpose):
3058         (return.Transpose.prototype.next):
3059         (transpose):
3060         (verifyEven):
3061         (verifyString):
3062         (foo):
3063         (runIterators):
3064         * microbenchmarks/try-catch-word-count.js: Added.
3065         (let.assert):
3066         (EOF):
3067         (let.texts):
3068         (let.o.apply):
3069         (foo):
3070         (bar):
3071         (f):
3072         (run):
3073         (test1):
3074         (test2):
3075         (test3):
3076         (fn):
3077         (A):
3078         (B):
3079         (A.prototype.getValue):
3080         (B.prototype.getParentValue):
3081         (strlen):
3082         (sum.0):
3083         (test):
3084         (result.test.o):
3085         (set add.set add):
3086         (set forEach):
3087         (stringHash):
3088         (set if):
3089         (testFunction):
3090         (set delete.set has.set add):
3091         * stress/catch-set-argument-speculation-failure.js: Added.
3092         (o):
3093         (e):
3094         (e2):
3095         (escape):
3096         (baz):
3097         (noInline.run):
3098         (noInline):
3099         * stress/osr-enter-to-catch-with-set-local-type-check-failure.js: Added.
3100         (foo):
3101         (e):
3102         (baz):
3103         (bar):
3104
3105 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3106
3107         [JSC] Optimize Map iteration with intrinsic
3108         https://bugs.webkit.org/show_bug.cgi?id=174355
3109
3110         Reviewed by Saam Barati.
3111
3112         * stress/map-iterator-result-should-have-expected-shape.js: Added.
3113         (shouldBe):
3114         (throw.new.Error):
3115         * stress/set-iterator-result-should-have-expected-shape.js: Added.
3116         (shouldBe):
3117         (throw.new.Error.let.iterator.set Symbol):
3118         (throw.new.Error.set add):
3119         (let.iterator.set Symbol):
3120
3121 2017-08-23  Robin Morisset  <rmorisset@apple.com>
3122
3123         Add a micro-benchmark for checking that accessing a variable within a 'with'
3124         block does not automatically prevent type prediction.
3125         https://bugs.webkit.org/show_bug.cgi?id=175738
3126
3127         Reviewed by Saam Barati.
3128
3129         * stress/with_and_arith.js: Added.
3130         (with):
3131
3132 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
3133
3134         [ESNext] Async iteration - Implement Async Generator - runtime
3135         https://bugs.webkit.org/show_bug.cgi?id=175240
3136
3137         Reviewed by Yusuke Suzuki.
3138
3139         * stress/async-iteration-async-from-sync.js: Added.
3140         (assert):
3141         (const.Logger):
3142         (this.fullfilled):
3143         (this.fullfilledDone):
3144         (this.rejected):
3145         (this.catched):
3146         (this.isFinal):
3147         (_assertLogger):
3148         (const.assertLogger):
3149         (const.getPromise.promiseHolder.return.new.Promise):
3150         (foo):
3151         (async.boo):
3152         (bar):
3153         (async.baz):
3154         (async.goo):
3155         * stress/async-iteration-basic.js: Added.
3156         (assert):
3157         (const.Logger):
3158         (this.fullfilled):
3159         (this.fullfilledDone):
3160         (this.rejected):
3161         (this.catched):
3162         (this.isFinal):
3163         (_assertLogger):
3164         (const.assertLogger):
3165         (const.getPromise.promiseHolder.return.new.Promise):
3166         (async.generator):
3167         (iterator.next.then):
3168         (async.baz):
3169         (async.boo):
3170         (async.foo):
3171         (async.goo):
3172         (A.prototype.async.foo):
3173         (A.prototype.async.boo):
3174         (A):
3175         (asyncGenExp.async):
3176         (async.joo):
3177         (j.next.then):
3178         (then):
3179         (async.koo):
3180         (async.loo):
3181         (async.moo):
3182         (async.noo):
3183         (async.ooo):
3184         (async.roo):
3185         (async.poo):
3186         (async.soo):
3187         (async.too):
3188         * stress/async-iteration-evaluation.js: Added.
3189         (assert):
3190         (async.foo):
3191         (catch):
3192         * stress/async-iteration-syntax.js:
3193         * stress/async-iteration-yield-promise.js: Added.
3194         (assert):
3195         (const.Logger):
3196         (this.fullfilled):
3197         (this.fullfilledDone):
3198         (this.rejected):
3199         (this.catched):
3200         (this.isFinal):
3201         (_assertLogger):
3202         (const.assertLogger):
3203         (const.getPromise.promiseHolder.return.new.Promise):
3204         (async.foo):
3205         (async.boo):
3206         (async.bar):
3207         * stress/async-iteration-yield-star-interface.js: Added.
3208         (assert):
3209         (const.getPromise.promiseHolder.return.new.Promise):
3210         (const.Logger):
3211         (this.fullfilled):
3212         (this.fullfilledDone):
3213         (this.rejected):
3214         (this.catched):
3215         (this.custom):
3216         (this.isFinal):
3217         (_assertLogger):
3218         (const.assertLogger):
3219         (let.asyncIter.Symbol.asyncIterator):
3220         (let.asyncIter.next):
3221         (let.asyncIter.throw):
3222         (let.asyncIter.return):
3223         (async.foo):
3224         (asyncIter.Symbol.asyncIterator):
3225         (asyncIter.next):
3226         (async.boo):
3227         (asyncIter.return):
3228         (async.bar):
3229         (async.baz):
3230         (async.foobar):
3231         * stress/async-iteration-yield-star.js: Added.
3232         (assert):
3233         (const.Logger):
3234         (this.fullfilled):
3235         (this.fullfilledDone):
3236         (this.rejected):
3237         (this.catched):
3238         (this.custom):
3239         (this.isFinal):
3240         (_assertLogger):
3241         (const.assertLogger):
3242         (const.getPromise.promiseHolder.return.new.Promise):
3243         (async.foo):
3244         (async.boo):
3245         (async.bar):
3246         (async.baz):
3247         (async.joo):
3248         (async.goo):
3249         (async.koo):
3250         (async.loo):
3251         (let.asyncIter.Symbol.asyncIterator):
3252         (let.asyncIter.next):
3253         (let.asyncIter.throw):
3254         (let.asyncIter.return):
3255         (async.moo):
3256         (async.noo):
3257         * test262.yaml:
3258
3259 2017-08-23  JF Bastien  <jfbastien@apple.com>
3260
3261         Fix printing in test
3262
3263         Unreviewed: fixing verbosity, shouldn't have been there.
3264
3265         * wasm/regress/175693.js:
3266         (else.else):
3267         (catch):
3268
3269 2017-08-18  Ryan Haddad  <ryanhaddad@apple.com>
3270
3271         Skip flaky JSC test microbenchmarks/generator-with-several-types.js.
3272         https://bugs.webkit.org/show_bug.cgi?id=172543
3273
3274         Unreviewed test gardening.
3275
3276         * microbenchmarks/generator-with-several-types.js:
3277
3278 2017-08-17  JF Bastien  <jfbastien@apple.com>
3279
3280         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
3281         https://bugs.webkit.org/show_bug.cgi?id=175693
3282         <rdar://problem/33952443>
3283
3284         Reviewed by Saam Barati.
3285
3286         Add a regression directory for WebAssembly tests.
3287
3288         * wasm.yaml:
3289         * wasm/regress/175693.js: Added.
3290         (else.else):
3291         (instance.new.WebAssembly.Instance.new.WebAssembly.Module):
3292         (catch):
3293         * wasm/regress/175693.wasm: Added.
3294
3295 2017-08-15  Robin Morisset  <rmorisset@apple.com>
3296
3297         Support the 'with' keyword in FTL.
3298         https://bugs.webkit.org/show_bug.cgi?id=175585
3299
3300         Reviewed by Saam Barati.
3301
3302         Also improve the JSTest/stress/with.js file to test
3303         what happens when non-objects are passed to with.
3304
3305         * stress/with.js:
3306         (foo):
3307         (i.catch):
3308         (i.with): Deleted.
3309
3310 2017-08-14  Keith Miller  <keith_miller@apple.com>
3311
3312         Add testing tool to lie to the DFG about profiles
3313         https://bugs.webkit.org/show_bug.cgi?id=175487
3314
3315         Reviewed by Saam Barati.
3316
3317         * stress/compare-eq-incomplete-profile.js: Added.
3318         (const.test.createBuiltin):
3319
3320 2017-08-14  Robin Morisset  <rmorisset@apple.com>
3321
3322         Support the with keyword in DFG
3323         https://bugs.webkit.org/show_bug.cgi?id=175470
3324
3325         Reviewed by Saam Barati.
3326
3327         Added a new stress-test for the 'with' keyword, that caught a bug in a
3328         previous version of this code.
3329
3330         * stress/with.js: Added.
3331         (i.with):
3332
3333 2017-08-14  Ryan Haddad  <ryanhaddad@apple.com>
3334
3335         Skip flaky JSC test test/fieldopts/objtypespec-newobj-invalidation.1.js
3336         https://bugs.webkit.org/show_bug.cgi?id=175544
3337
3338         Unreviewed test gardening.
3339
3340         * ChakraCore.yaml:
3341
3342 2017-08-09  Caitlin Potter  <caitp@igalia.com>
3343
3344         Early error on ANY operator before new.target
3345         https://bugs.webkit.org/show_bug.cgi?id=157970
3346
3347         Reviewed by Saam Barati.
3348
3349         Instead of throwing if any unary operator precedes new.target, only
3350         throw if the unary operator updates the reference.
3351
3352         The following become legal in JSC:
3353
3354         ```
3355         !new.target
3356         ~new.target
3357         typeof new.target
3358         delete new.target
3359         void new.target
3360         ```
3361
3362         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode
3363
3364         * stress/new-target-syntax-errors.js:
3365         * stress/new-target.js:
3366
3367 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
3368
3369         Skip failing JSC tests stress/regress-169783.js and wasm.yaml/wasm/stress/oom.js.
3370         https://bugs.webkit.org/show_bug.cgi?id=175255
3371
3372         Unreviewed test gardening.
3373
3374         * stress/regress-169783.js:
3375         * wasm/stress/oom.js:
3376
3377 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3378
3379         REGRESSION: 2 test262/test/language/statements/async-function failures
3380         https://bugs.webkit.org/show_bug.cgi?id=175334
3381
3382         Reviewed by Yusuke Suzuki.
3383
3384         Add @skip parameters to tests, and remove test for async iterator from 
3385         async await syntax test because it is already covered by async-iterator-syntax.js
3386
3387         * stress/async-await-syntax.js:
3388         * stress/async-iteration-syntax.js:
3389
3390 2017-08-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3391
3392         Unreviewed, gardening test262 for Promise resolve / reject function length
3393         https://bugs.webkit.org/show_bug.cgi?id=175333
3394
3395         * test262.yaml:
3396
3397 2017-08-07  Robin Morisset  <rmorisset@apple.com>
3398
3399         GetOwnProperty of TypedArray indexed fields is wrongly configurable
3400         https://bugs.webkit.org/show_bug.cgi?id=175307
3401
3402         Reviewed by Saam Barati.
3403
3404         * stress/typedarray-getownproperty-not-configurable.js: Added.
3405         (assert):
3406         (foo):
3407
3408 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3409
3410         Promise resolve and reject function should have length = 1
3411         https://bugs.webkit.org/show_bug.cgi?id=175242
3412
3413         Reviewed by Saam Barati.
3414
3415         * stress/builtin-function-length.js: Added.
3416         (shouldBe):
3417         (shouldThrow):
3418         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
3419         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
3420
3421 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
3422
3423         [ESNext] Async iteration - Implement Async Generator - parser
3424         https://bugs.webkit.org/show_bug.cgi?id=175210
3425
3426         Reviewed by Yusuke Suzuki.
3427
3428         * stress/async-await-syntax.js:
3429         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3430         * stress/async-iteration-syntax.js: Added.
3431         (assert):
3432         (checkSyntax):
3433         (checkSyntaxError):
3434         (checkSimpleAsyncGeneratorSloppyMode):
3435         (checkSimpleAsyncGeneratorStrictMode):
3436         (checkNestedAsyncGenerators):
3437         (checkSimpleAsyncGeneratorSyntaxErrorInStrictMode):
3438         * stress/generator-class-methods-syntax.js:
3439
3440 2017-08-03  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3441
3442         JSC test wasm/js-api/test_memory_constructor.js should be skipped on memoryLimited
3443         https://bugs.webkit.org/show_bug.cgi?id=175150
3444
3445         Unreviewed test gardening.
3446
3447         * wasm/js-api/test_memory_constructor.js:
3448
3449 2017-08-02  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3450
3451         [Linux] JSTests/wasm/stress/oom.js should not run on Linux
3452         https://bugs.webkit.org/show_bug.cgi?id=175100
3453
3454         Reviewed by Mark Lam.
3455
3456         The JSC test JSTests/wasm/stress/oom.js tries to use all the
3457         available memory until an out of memory exception happens.
3458
3459         The Linux kernel is more tuned for server workloads than for GUI
3460         responsiveness. When a process tries to use a lot of memory, Linux
3461         will do its best to serve the request. This usually translates to
3462         free physical RAM by writing to disk dirty pages and/or moving out
3463         less recently used pages to swap (disk storage).
3464         Meanwhile it does this, the system will become unresponsive and this
3465         leads to freezes that can last even some minutes on the worst cases.
3466
3467         Therefore, let's skip this test on Linux as it will cause more harm
3468         than good on the Linux bots or on the machines of Linux developers.
3469
3470         * wasm/stress/oom.js:
3471
3472 2017-08-01  Oleksandr Skachkov  <gskachkov@gmail.com>
3473
3474         [JSC] Remove unnecessary print from stress\promise-finally.js test
3475         https://bugs.webkit.org/show_bug.cgi?id=175015
3476
3477         Reviewed by Yusuke Suzuki.
3478
3479         * stress/promise-finally.js:
3480         (p.finally):
3481         (then):
3482
3483 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3484
3485         Unreviewed, update test262 results for optional catch binding
3486
3487         * test262.yaml:
3488
3489 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3490
3491         [JSC] Support optional catch binding
3492         https://bugs.webkit.org/show_bug.cgi?id=174981
3493
3494         Reviewed by Saam Barati.
3495
3496         * stress/optional-catch-binding-syntax.js: Added.
3497         (testSyntax):
3498         (testSyntaxError):
3499         (catch.catch):
3500         * stress/optional-catch-binding.js: Added.
3501         (shouldBe):
3502         (throwException):
3503
3504 2017-07-28  Mark Lam  <mark.lam@apple.com>
3505
3506         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3507         https://bugs.webkit.org/show_bug.cgi?id=174948
3508         <rdar://problem/33495680>
3509
3510         Reviewed by Filip Pizlo.
3511
3512         * stress/regress-174948.js: Added.
3513
3514 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3515
3516         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3517         https://bugs.webkit.org/show_bug.cgi?id=174900
3518
3519         Reviewed by Saam Barati.
3520
3521         * stress/arguments-elimination-candidate-listings-should-respect-pseudo-terminals.js: Added.
3522         (sideEffect):
3523         (args):
3524         (test):
3525
3526 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3527
3528         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3529         https://bugs.webkit.org/show_bug.cgi?id=171637
3530
3531         Reviewed by Darin Adler.
3532
3533         * stress/domjit-getter-complex-with-incorrect-object.js:
3534         (i.shouldThrow):
3535         * stress/domjit-getter-type-check.js: Copied from JSTests/stress/domjit-getter-complex-with-incorrect-object.js.
3536         (shouldBe):
3537         (i.shouldThrow):
3538
3539 2017-07-26  JF Bastien  <jfbastien@apple.com>
3540
3541         WebAssembly: test throwing out of the start function
3542         https://bugs.webkit.org/show_bug.cgi?id=165714
3543         <rdar://problem/29760251>
3544
3545         Reviewed by Keith Miller.
3546
3547         * wasm/assert.js:
3548         * wasm/function-tests/trap-from-start.js: Added.
3549         (StartTraps):
3550         * wasm/function-tests/trap-from-start-async.js: Added.
3551         (async.StartTrapsAsync):
3552
3553 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3554
3555         [FTL] Arguments elimination is suppressed by unreachable blocks
3556         https://bugs.webkit.org/show_bug.cgi?id=174352
3557
3558         Reviewed by Filip Pizlo.
3559
3560         * stress/arguments-elimination-force-exit.js: Added.
3561         (shouldBe):
3562         (strict):
3563         (sloppy):
3564         * stress/arguments-elimination-throw.js: Added.
3565         (shouldBe):
3566         (shouldThrow):
3567         (sloppy):
3568         (isArguments):
3569
3570 2017-07-13  Mark Lam  <mark.lam@apple.com>
3571
3572         Add some additional test cases for bug 170896.
3573         https://bugs.webkit.org/show_bug.cgi?id=174491
3574
3575         Reviewed by Filip Pizlo.
3576
3577         * stress/regress-170896-with-contiguous-shape-profile.js: Copied from JSTests/stress/regress-170896.js.
3578         * stress/regress-170896-with-double-shape-profile.js: Added.
3579         (test):
3580         * stress/regress-170896-with-int32-shape-profile.js: Added.
3581         (test):
3582         * stress/regress-170896.js: Removed.
3583
3584 2017-07-13  Saam Barati  <sbarati@apple.com>
3585
3586         Missing exception check in JSObject::hasInstance
3587         https://bugs.webkit.org/show_bug.cgi?id=174455
3588         <rdar://problem/31384608>
3589
3590         Reviewed by Mark Lam.
3591
3592         * stress/has-instance-exception-check.js: Added.
3593         (assert):
3594         (let.getter.Object.getOwnPropertyDescriptor.get foo):
3595
3596 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
3597
3598         [ESnext] Implement Object Spread
3599         https://bugs.webkit.org/show_bug.cgi?id=167963
3600
3601         Reviewed by Saam Barati.
3602
3603         * stress/obj-rest-destructuring-order.js: Added.
3604         (assert):
3605         (o.get z):
3606         (o.get a):
3607         * stress/obj-spread-order.js: Added.
3608         (assert):
3609         (o.get z):
3610         (o.get a):
3611         * stress/object-spread.js: Added.
3612         (let.assert):
3613         (assert.sameValue):
3614         (let.o.get a):
3615         (let.obj.get c):
3616         (cthulhu.get x):
3617         (let.obj.set c):
3618         (calls.o.get z):
3619         (calls.o.get a):
3620         (try.let.obj.get foo):
3621         (get calls):
3622
3623 2017-07-12  Saam Barati  <sbarati@apple.com>
3624
3625         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
3626         https://bugs.webkit.org/show_bug.cgi?id=174411
3627         <rdar://problem/31696186>
3628
3629         Reviewed by Mark Lam.
3630
3631         * stress/generic-arguments-correct-delete-behavior.js: Added.
3632         (assert):
3633         (makeTest):
3634
3635 2017-07-07  Mark Lam  <mark.lam@apple.com>
3636
3637         \n\r is not the same as \r\n.
3638         https://bugs.webkit.org/show_bug.cgi?id=173053
3639
3640         Reviewed by Keith Miller.
3641
3642         * stress/regress-173053.js: Added.
3643         * stress/template-literal-line-terminators.js:
3644
3645 2017-07-06  Saam Barati  <sbarati@apple.com>
3646
3647         We are missing places where we invalidate the for-in context
3648         https://bugs.webkit.org/show_bug.cgi?id=174184
3649
3650         Reviewed by Geoffrey Garen.
3651
3652         * stress/for-in-invalidate-context-weird-assignments.js: Added.
3653         (assert):
3654         (test):
3655
3656 2017-07-05  Saam Barati  <sbarati@apple.com>
3657
3658         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
3659         https://bugs.webkit.org/show_bug.cgi?id=174188
3660         <rdar://problem/30581423>
3661
3662         Reviewed by Mark Lam.
3663
3664         * stress/new-array-having-a-bad-time-double.js: Added.
3665         (assert):
3666         (foo):
3667
3668 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3669
3670         WTF::StringImpl::copyChars segfaults when built with GCC 7
3671         https://bugs.webkit.org/show_bug.cgi?id=173407
3672
3673         Reviewed by Andreas Kling.
3674
3675         * stress/string-repeat-copy-chars-crash.js: Added.
3676         (shouldBe):
3677
3678 2017-07-03  Saam Barati  <sbarati@apple.com>
3679
3680         Skip unshiftCountSlowCase-correct-postCapacity.js on debug builds since it takes a long time to run.
3681
3682         * stress/unshiftCountSlowCase-correct-postCapacity.js:
3683
3684 2017-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3685
3686         Unreviewed, annotate dont--reserve-huge-capacity-lexer.js with $memoryLimited
3687
3688         It requires too much memory.
3689
3690         * stress/dont-reserve-huge-capacity-lexer.js:
3691
3692 2017-06-30  Michael Saboff  <msaboff@apple.com>
3693
3694         Skip a test on ARM64 platform since we run out of address space.
3695
3696         Rubber stamped by Saam Barati.
3697
3698         * stress/dont-reserve-huge-capacity-lexer.js:
3699
3700 2017-06-30  Michael Saboff  <msaboff@apple.com>
3701
3702         RegExp's  anchored with .* with \g flag can return wrong match start for strings with multiple matches
3703         https://bugs.webkit.org/show_bug.cgi?id=174044
3704
3705         Reviewed by Oliver Hunt.
3706
3707         New regression test.
3708
3709         * stress/regress-174044.js: Added.
3710         (test1):
3711         (test2):
3712
3713 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
3714
3715         RegExpCachedResult::setInput should reify left and right contexts
3716         https://bugs.webkit.org/show_bug.cgi?id=173818
3717
3718         Reviewed by Keith Miller.
3719
3720         * stress/right-left-context-invalidated-by-input.js: Added.
3721         (test.validateContexts):
3722         (test):
3723
3724 2017-06-29  Saam Barati  <sbarati@apple.com>
3725
3726         Calculating postCapacity in unshiftCountSlowCase is wrong
3727         https://bugs.webkit.org/show_bug.cgi?id=173992
3728         <rdar://problem/32283199>
3729
3730         Reviewed by Keith Miller.
3731
3732         * stress/unshiftCountSlowCase-correct-postCapacity.js: Added.
3733         (temp):
3734