LICM shouldn't hoist nodes if hoisted nodes exited in that code block
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
2
3         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
4         https://bugs.webkit.org/show_bug.cgi?id=185126
5
6         Reviewed by Saam Barati.
7         
8         I found this bug by accident when I was writing this test for something else.
9         
10         This change also speeds up other benchmarks of this case that we already had. They are all called
11         the licm-dragons tests.
12
13         * microbenchmarks/licm-dragons-two-structures.js: Added.
14         (foo):
15
16 2018-04-29  Commit Queue  <commit-queue@webkit.org>
17
18         Unreviewed, rolling out r231137.
19         https://bugs.webkit.org/show_bug.cgi?id=185118
20
21         It is breaking Test262 language/expressions/multiplication
22         /order-of-evaluation.js (Requested by caiolima on #webkit).
23
24         Reverted changeset:
25
26         "[ESNext][BigInt] Implement support for "*" operation"
27         https://bugs.webkit.org/show_bug.cgi?id=183721
28         https://trac.webkit.org/changeset/231137
29
30 2018-04-28  Saam Barati  <sbarati@apple.com>
31
32         We don't model regexp effects properly
33         https://bugs.webkit.org/show_bug.cgi?id=185059
34         <rdar://problem/39736150>
35
36         Reviewed by Filip Pizlo.
37
38         * stress/regexp-exec-test-effectful-last-index.js: Added.
39         (assert):
40         (foo):
41         (i.regexLastIndex.toString):
42         (bar):
43
44 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
45
46         Token misspelled "tocken" in error message string
47         https://bugs.webkit.org/show_bug.cgi?id=185030
48
49         Reviewed by Saam Barati.
50
51         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
52         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
53         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
54         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
55         (testSyntaxError.String.raw.v):
56         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
57         (testSyntaxError.String.raw.a):
58
59 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
60
61         [ESNext][BigInt] Implement support for "*" operation
62         https://bugs.webkit.org/show_bug.cgi?id=183721
63
64         Reviewed by Saam Barati.
65
66         * bigIntTests.yaml:
67         * stress/big-int-mul-jit.js: Added.
68         * stress/big-int-mul-to-primitive-precedence.js: Added.
69         * stress/big-int-mul-to-primitive.js: Added.
70         * stress/big-int-mul-type-error.js: Added.
71         * stress/big-int-mul-wrapped-value.js: Added.
72         * stress/big-int-multiplication.js: Added.
73         * stress/big-int-multiply-memory-stress.js: Added.
74
75 2018-04-28  Commit Queue  <commit-queue@webkit.org>
76
77         Unreviewed, rolling out r231131.
78         https://bugs.webkit.org/show_bug.cgi?id=185112
79
80         It is breaking Debug build due to unchecked exception
81         (Requested by caiolima on #webkit).
82
83         Reverted changeset:
84
85         "[ESNext][BigInt] Implement support for "*" operation"
86         https://bugs.webkit.org/show_bug.cgi?id=183721
87         https://trac.webkit.org/changeset/231131
88
89 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
90
91         [ESNext][BigInt] Implement support for "*" operation
92         https://bugs.webkit.org/show_bug.cgi?id=183721
93
94         Reviewed by Saam Barati.
95
96         * bigIntTests.yaml:
97         * stress/big-int-mul-jit.js: Added.
98         * stress/big-int-mul-to-primitive-precedence.js: Added.
99         * stress/big-int-mul-to-primitive.js: Added.
100         * stress/big-int-mul-type-error.js: Added.
101         * stress/big-int-mul-wrapped-value.js: Added.
102         * stress/big-int-multiplication.js: Added.
103         * stress/big-int-multiply-memory-stress.js: Added.
104
105 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
106
107         Unreviewed, rolling out r231086.
108
109         Caused JSC test failures due to an unchecked exception.
110
111         Reverted changeset:
112
113         "[ESNext][BigInt] Implement support for "*" operation"
114         https://bugs.webkit.org/show_bug.cgi?id=183721
115         https://trac.webkit.org/changeset/231086
116
117 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
118
119         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
120
121         * test262.yaml: Mark tests as passing.
122
123 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
124
125         [ESNext][BigInt] Implement support for "*" operation
126         https://bugs.webkit.org/show_bug.cgi?id=183721
127
128         Reviewed by Saam Barati.
129
130         * bigIntTests.yaml:
131         * stress/big-int-mul-jit.js: Added.
132         * stress/big-int-mul-to-primitive-precedence.js: Added.
133         * stress/big-int-mul-to-primitive.js: Added.
134         * stress/big-int-mul-type-error.js: Added.
135         * stress/big-int-mul-wrapped-value.js: Added.
136         * stress/big-int-multiplication.js: Added.
137         * stress/big-int-multiply-memory-stress.js: Added.
138
139 2018-04-25  Robin Morisset  <rmorisset@apple.com>
140
141         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
142         https://bugs.webkit.org/show_bug.cgi?id=184773
143         <rdar://problem/37773612>
144
145         Reviewed by Filip Pizlo.
146
147         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
148         so I decided to add it to the stress tests nonetheless.
149
150         * stress/create-rest-while-having-a-bad-time.js: Added.
151         (f):
152         (g):
153         (h):
154
155 2018-04-25  Keith Miller  <keith_miller@apple.com>
156
157         Add missing scope release to functionProtoFuncToString
158         https://bugs.webkit.org/show_bug.cgi?id=184995
159
160         Reviewed by Saam Barati.
161
162         * stress/function-toString-arrow.js: Added.
163         (async):
164
165 2018-04-24  Keith Miller  <keith_miller@apple.com>
166
167         fromCharCode is missing some exception checks
168         https://bugs.webkit.org/show_bug.cgi?id=184952
169
170         Reviewed by Saam Barati.
171
172         * stress/fromCharCode-exception-check.js: Added.
173         (get catch):
174
175 2018-04-24  Mark Lam  <mark.lam@apple.com>
176
177         Gardening: test fix after r230863.
178         https://bugs.webkit.org/show_bug.cgi?id=184846
179         <rdar://problem/39390672>
180
181         Not reviewed.
182
183         * stress/json-stringified-overflow-2.js:
184         (catch):
185         * stress/json-stringified-overflow.js:
186         (catch):
187
188 2018-04-20  JF Bastien  <jfbastien@apple.com>
189
190         Handle more JSON stringify OOM
191         https://bugs.webkit.org/show_bug.cgi?id=184846
192         <rdar://problem/39390672>
193
194         Reviewed by Mark Lam.
195
196         * stress/json-stringified-overflow-2.js: Added. Same as the one
197         below, but with a bigger input which will trigger a different code
198         path.
199         (catch):
200         * stress/json-stringified-overflow.js: Modify the test to only
201         catch OOM on stringification. not on string creation.
202
203 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
204
205         [WebAssembly][Modules] Import tables in wasm modules
206         https://bugs.webkit.org/show_bug.cgi?id=184738
207
208         Reviewed by JF Bastien.
209
210         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
211         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
212         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
213         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
214         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
215         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
216         * wasm/modules/wasm-imports-wasm-exports.js:
217         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
218         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
219         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
220         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
221
222 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
223
224         [WebAssembly][Modules] Import globals from wasm modules
225         https://bugs.webkit.org/show_bug.cgi?id=184736
226
227         Reviewed by JF Bastien.
228
229         * wasm.yaml:
230         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
231         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
232         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
233         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
234         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
235         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
236         * wasm/modules/wasm-imports-wasm-exports.js:
237         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
238         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
239         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
240         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
241
242 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
243
244         Unreviewed, reland r230697, r230720, and r230724.
245         https://bugs.webkit.org/show_bug.cgi?id=184600
246
247         * wasm.yaml:
248         * wasm/modules/constant.wasm: Added.
249         * wasm/modules/constant.wat: Added.
250         * wasm/modules/default-import-star-error.js: Added.
251         (then):
252         * wasm/modules/default-import-star-error/entry.wasm: Added.
253         * wasm/modules/default-import-star-error/entry.wat: Added.
254         * wasm/modules/default-import-star-error/t0.js: Added.
255         * wasm/modules/default-import-star-error/t1.js: Added.
256         * wasm/modules/default-import-star-error/t2.js: Added.
257         (export.default.Cocoa):
258         * wasm/modules/js-wasm-cycle.js: Added.
259         * wasm/modules/js-wasm-cycle/entry.js: Added.
260         (from.string_appeared_here.export.return42):
261         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
262         * wasm/modules/js-wasm-cycle/sum.wat: Added.
263         * wasm/modules/js-wasm-function-namespace.js: Added.
264         (assert.throws):
265         * wasm/modules/js-wasm-function.js: Added.
266         (assert.throws):
267         * wasm/modules/js-wasm-global-namespace.js: Added.
268         (assert.throws):
269         * wasm/modules/js-wasm-global.js: Added.
270         (assert.throws):
271         * wasm/modules/js-wasm-memory-namespace.js: Added.
272         (assert.throws):
273         * wasm/modules/js-wasm-memory.js: Added.
274         (assert.throws):
275         * wasm/modules/js-wasm-start.js: Added.
276         (then):
277         * wasm/modules/js-wasm-table-namespace.js: Added.
278         (assert.throws):
279         * wasm/modules/js-wasm-table.js: Added.
280         (assert.throws):
281         * wasm/modules/memory.wasm: Added.
282         * wasm/modules/memory.wat: Added.
283         * wasm/modules/run-from-wasm.wasm: Added.
284         * wasm/modules/run-from-wasm.wat: Added.
285         * wasm/modules/run-from-wasm/check.js: Added.
286         (export.check):
287         * wasm/modules/start.wasm: Added.
288         * wasm/modules/start.wat: Added.
289         * wasm/modules/sum.wasm: Added.
290         * wasm/modules/sum.wat: Added.
291         * wasm/modules/table.wasm: Added.
292         * wasm/modules/table.wat: Added.
293         * wasm/modules/wasm-imports-js-exports.js: Added.
294         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
295         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
296         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
297         (export.sum):
298         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
299         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
300         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
301         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
302         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
303         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
304         * wasm/modules/wasm-imports-wasm-exports.js: Added.
305         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
306         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
307         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
308         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
309         * wasm/modules/wasm-js-cycle.js: Added.
310         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
311         * wasm/modules/wasm-js-cycle/entry.wat: Added.
312         * wasm/modules/wasm-js-cycle/sum.js: Added.
313         (from.string_appeared_here.export.sum):
314         * wasm/modules/wasm-wasm-cycle.js: Added.
315         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
316         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
317         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
318         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
319
320 2018-04-17  Commit Queue  <commit-queue@webkit.org>
321
322         Unreviewed, rolling out r230697, r230720, and r230724.
323         https://bugs.webkit.org/show_bug.cgi?id=184717
324
325         These caused multiple failures on the Test262 testers.
326         (Requested by mlewis13 on #webkit).
327
328         Reverted changesets:
329
330         "[WebAssembly][Modules] Prototype wasm import"
331         https://bugs.webkit.org/show_bug.cgi?id=184600
332         https://trac.webkit.org/changeset/230697
333
334         "[WebAssembly][Modules] Implement function import from wasm
335         modules"
336         https://bugs.webkit.org/show_bug.cgi?id=184689
337         https://trac.webkit.org/changeset/230720
338
339         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
340         https://bugs.webkit.org/show_bug.cgi?id=184703
341         https://trac.webkit.org/changeset/230724
342
343 2018-04-17  JF Bastien  <jfbastien@apple.com>
344
345         A put is not an ExistingProperty put when we transition a structure because of an attributes change
346         https://bugs.webkit.org/show_bug.cgi?id=184706
347         <rdar://problem/38871451>
348
349         Reviewed by Saam Barati.
350
351         * stress/put-by-id-direct-strict-transition.js: Added.
352         (const.foo):
353         (j.const.obj.set hello):
354         * stress/put-by-id-direct-transition.js: Added.
355         (const.foo):
356         (j.const.obj.set hello):
357         * stress/put-getter-setter-by-id-strict-transition.js: Added.
358         (const.foo):
359         (j.const.obj.set hello):
360         * stress/put-getter-setter-by-id-transition.js: Added.
361         (const.foo):
362         (j.const.obj.set hello):
363
364 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
365
366         PutStackSinkingPhase should know that KillStack means ConflictingFlush
367         https://bugs.webkit.org/show_bug.cgi?id=184672
368
369         Reviewed by Michael Saboff.
370
371         * stress/sink-put-stack-over-kill-stack.js: Added.
372         (avocado_1):
373         (apricot_0):
374         (__c_0):
375         (banana_2):
376
377 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
378
379         [JSC] Rename runWebAssembly to runWebAssemblySuite
380         https://bugs.webkit.org/show_bug.cgi?id=184703
381
382         Reviewed by JF Bastien.
383
384         And add runWebAssembly as a command to simplely run wasm modules.
385
386         * wasm.yaml:
387
388 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
389
390         [WebAssembly][Modules] Implement function import from wasm modules
391         https://bugs.webkit.org/show_bug.cgi?id=184689
392
393         Reviewed by JF Bastien.
394
395         * wasm.yaml:
396         * wasm/modules/js-wasm-cycle.js: Added.
397         * wasm/modules/js-wasm-cycle/entry.js: Added.
398         (from.string_appeared_here.export.return42):
399         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
400         * wasm/modules/js-wasm-cycle/sum.wat: Added.
401         * wasm/modules/run-from-wasm.wasm: Added.
402         * wasm/modules/run-from-wasm.wat: Added.
403         * wasm/modules/run-from-wasm/check.js: Added.
404         (export.check):
405         * wasm/modules/wasm-imports-js-exports.js: Added.
406         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
407         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
408         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
409         (export.sum):
410         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
411         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
412         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
413         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
414         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
415         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
416         * wasm/modules/wasm-imports-wasm-exports.js: Added.
417         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
418         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
419         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
420         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
421         * wasm/modules/wasm-js-cycle.js: Added.
422         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
423         * wasm/modules/wasm-js-cycle/entry.wat: Added.
424         * wasm/modules/wasm-js-cycle/sum.js: Added.
425         (from.string_appeared_here.export.sum):
426         * wasm/modules/wasm-wasm-cycle.js: Added.
427         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
428         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
429         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
430         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
431
432 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
433
434         [WebAssembly][Modules] Prototype wasm import
435         https://bugs.webkit.org/show_bug.cgi?id=184600
436
437         Reviewed by JF Bastien.
438
439         Add wasm and wat files since module loader want to load wasm files from FS.
440         Currently, importing the other modules from wasm is not supported.
441
442         * wasm.yaml:
443         * wasm/modules/constant.wasm: Added.
444         * wasm/modules/constant.wat: Added.
445         * wasm/modules/js-wasm-function-namespace.js: Added.
446         (assert.throws):
447         * wasm/modules/js-wasm-function.js: Added.
448         (assert.throws):
449         * wasm/modules/js-wasm-global-namespace.js: Added.
450         (assert.throws):
451         * wasm/modules/js-wasm-global.js: Added.
452         (assert.throws):
453         * wasm/modules/js-wasm-memory-namespace.js: Added.
454         (assert.throws):
455         * wasm/modules/js-wasm-memory.js: Added.
456         (assert.throws):
457         * wasm/modules/js-wasm-start.js: Added.
458         (then):
459         * wasm/modules/js-wasm-table-namespace.js: Added.
460         (assert.throws):
461         * wasm/modules/js-wasm-table.js: Added.
462         (assert.throws):
463         * wasm/modules/memory.wasm: Added.
464         * wasm/modules/memory.wat: Added.
465         * wasm/modules/start.wasm: Added.
466         * wasm/modules/start.wat: Added.
467         * wasm/modules/sum.wasm: Added.
468         * wasm/modules/sum.wat: Added.
469         * wasm/modules/table.wasm: Added.
470         * wasm/modules/table.wat: Added.
471
472 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
473
474         Function.prototype.caller shouldn't return generator bodies
475         https://bugs.webkit.org/show_bug.cgi?id=184630
476
477         Reviewed by Yusuke Suzuki.
478
479         * stress/function-caller-async-arrow-function-body.js: Added.
480         * stress/function-caller-async-function-body.js: Added.
481         * stress/function-caller-async-generator-body.js: Added.
482         * stress/function-caller-generator-body.js: Added.
483         * stress/function-caller-generator-method-body.js: Added.
484
485 2018-04-12  Tomas Popela  <tpopela@redhat.com>
486
487         Unreviewed, skip JIT tests if it isn't enabled
488
489         See https://bugs.webkit.org/show_bug.cgi?id=182730.
490
491         * stress/big-int-spec-to-primitive.js:
492         * stress/big-int-spec-to-this.js:
493
494 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
495
496         [ESNext][BigInt] Add support for BigInt in SpeculatedType
497         https://bugs.webkit.org/show_bug.cgi?id=182470
498
499         Reviewed by Saam Barati.
500
501         * stress/big-int-spec-to-primitive.js: Added.
502         * stress/big-int-spec-to-this.js: Added.
503         * stress/big-int-strict-equals-jit.js: Added.
504         * stress/big-int-strict-spec-to-this.js: Added.
505         * stress/big-int-type-of-proven-type.js: Added.
506
507 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
508
509         DFG AI and clobberize should agree with each other
510         https://bugs.webkit.org/show_bug.cgi?id=184440
511
512         Reviewed by Saam Barati.
513         
514         Add tests for all of the bugs I fixed.
515
516         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
517         (foo):
518         * stress/new-typed-array-cse-effects.js: Added.
519         (foo):
520         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
521         (foo.theO):
522         (foo):
523         * stress/string-from-char-code-change-structure-not-dead.js: Added.
524         (foo):
525         (i.valueOf):
526         (weirdValue.valueOf):
527         * stress/string-from-char-code-change-structure.js: Added.
528         (foo):
529         (i.valueOf):
530         (weirdValue.valueOf):
531
532 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
533
534         Fix errant Test262 files CRLF to LF for consistency with the original source
535         https://bugs.webkit.org/show_bug.cgi?id=184425
536
537         Reviewed by Yusuke Suzuki.
538
539         * test262/test/built-ins/Math/acosh/nan-returns.js:
540         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
541         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
542         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
543         * test262/test/built-ins/Math/cbrt/prop-desc.js:
544         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
545         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
546         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
547         * test262/test/built-ins/Math/log2/log2-basicTests.js:
548         * test262/test/built-ins/Math/sign/sign-specialVals.js:
549         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
550         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
551         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
552         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
553
554 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
555
556         Unreviewed, remove incorrect entry in test262.yaml
557         https://bugs.webkit.org/show_bug.cgi?id=184266
558
559         * test262.yaml:
560
561 2018-04-08  Valerie Young  <valerie@bocoup.com>
562
563         [JSC] Update Test262 to April 6 version
564         https://bugs.webkit.org/show_bug.cgi?id=184266
565
566         Rubber stamped by Yusuke Suzuki.
567
568 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
569
570         [JSC] Introduce op_get_by_id_direct
571         https://bugs.webkit.org/show_bug.cgi?id=183970
572
573         Reviewed by Filip Pizlo.
574
575         * stress/generator-prototype-copy.js: Added.
576         (gen):
577         (catch):
578         Adopted JF's tests.
579
580         * stress/generator-type-check.js: Added.
581         (shouldThrow):
582         (foo2):
583         (i.shouldThrow):
584         * stress/get-by-id-direct-getter.js: Added.
585         (shouldBe):
586         (shouldThrow):
587         (obj.get hello):
588         (builtin.createBuiltin):
589         (obj2.get length):
590         * stress/get-by-id-direct.js: Added.
591         (shouldBe):
592         (shouldThrow):
593         (builtin.createBuiltin):
594         * test262.yaml:
595         We fixed long-standing spec compatibility issue.
596         As a result, this patch makes several test262 tests passed!
597
598
599 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
600
601         Unreviewed, annotate test with @skip if $memoryLimited
602         https://bugs.webkit.org/show_bug.cgi?id=183894
603
604         * stress/json-stringified-overflow.js:
605
606 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
607
608         Add svn:eol-style to line-terminator-normalisation-CR.js
609         https://bugs.webkit.org/show_bug.cgi?id=184341
610
611         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
612
613 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
614
615         Unreviewed, remove errant LF from existing test262 test for CR line endings.
616
617         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
618
619 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
620
621         Unreviewed, rolling out r230320.
622
623         Revert fix, as the root cause lies elsewhere.
624
625         Reverted changeset:
626
627         "[test262] Mark line-terminator-normalisation-CR.js as a
628         binary file."
629         https://bugs.webkit.org/show_bug.cgi?id=184341
630         https://trac.webkit.org/changeset/230320
631
632 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
633
634         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
635         https://bugs.webkit.org/show_bug.cgi?id=184341
636
637         Reviewed by Yusuke Suzuki.
638
639         This test is all about CR line endings, but `svn-apply` can't deal with them.
640         Treating the file as binary ensures that its contents never are never shown in a diff.
641
642         * .gitattributes: Added.
643
644 2018-04-05  Robin Morisset  <rmorisset@apple.com>
645
646         Fix testcase (missing try/catch).
647         https://bugs.webkit.org/show_bug.cgi?id=183657
648
649         Unreviewed.
650
651         * stress/large-unshift-splice.js
652
653 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
654
655         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
656         https://bugs.webkit.org/show_bug.cgi?id=184319
657
658         Reviewed by Saam Barati.
659
660         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
661         (foo):
662         (bar):
663         * stress/array-push-nan-to-double-array.js: Added.
664         (foo):
665         (bar):
666
667 2018-04-03  Mark Lam  <mark.lam@apple.com>
668
669         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
670         https://bugs.webkit.org/show_bug.cgi?id=184284
671
672         Reviewed by Saam Barati.
673
674         * stress/js-fixed-array-out-of-memory.js:
675
676 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
677
678         JSC crash in JIT code with for-of loop and Array/Set iterators
679         https://bugs.webkit.org/show_bug.cgi?id=183174
680
681         Reviewed by Saam Barati.
682
683         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
684         (foo):
685         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
686         (f):
687
688 2018-03-30  JF Bastien  <jfbastien@apple.com>
689
690         WebAssembly: support DataView compilation
691         https://bugs.webkit.org/show_bug.cgi?id=183342
692
693         Reviewed by Mark Lam.
694
695         Test WebAssembly compilation using a DataView with offset.
696
697         * wasm/regress/183342.js: Added.
698         (attempt.catch):
699
700 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
701
702         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
703         https://bugs.webkit.org/show_bug.cgi?id=184189
704
705         Reviewed by JF Bastien.
706
707         * stress/load-hole-from-scope-into-live-var.js: Added.
708         (result.eval.try.switch):
709         (catch):
710
711 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
712
713         Unreviewed, rolling out r230102.
714
715         Caused assertion failures on JSC bots.
716
717         Reverted changeset:
718
719         "A stack overflow in the parsing of a builtin (called by
720         createExecutable) cause a crash instead of a catchable js
721         exception"
722         https://bugs.webkit.org/show_bug.cgi?id=184074
723         https://trac.webkit.org/changeset/230102
724
725 2018-03-30  Robin Morisset  <rmorisset@apple.com>
726
727         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
728         https://bugs.webkit.org/show_bug.cgi?id=183812
729
730         Reviewed by Keith Miller.
731
732         * stress/inlining-unreachable-non-tail.js: Added.
733         (foo.):
734         (foo):
735
736 2018-03-30  Robin Morisset  <rmorisset@apple.com>
737
738         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
739         https://bugs.webkit.org/show_bug.cgi?id=184074
740         <rdar://problem/37165897>
741
742         Reviewed by Keith Miller.
743
744         * stress/stack-overflow-while-parsing-builtin.js: Added.
745         (f):
746
747 2018-03-30  Robin Morisset  <rmorisset@apple.com>
748
749         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
750         https://bugs.webkit.org/show_bug.cgi?id=183657
751
752         Reviewed by Keith Miller.
753
754         * stress/large-unshift-splice.js: Added.
755         (make_contig_arr):
756
757 2018-03-28  Robin Morisset  <rmorisset@apple.com>
758
759         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
760         https://bugs.webkit.org/show_bug.cgi?id=183894
761
762         Reviewed by Saam Barati.
763
764         * stress/json-stringified-overflow.js: Added.
765         (catch):
766
767 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
768
769         DFG should know that CreateThis can be effectful
770         https://bugs.webkit.org/show_bug.cgi?id=184013
771
772         Reviewed by Saam Barati.
773
774         * stress/create-this-property-change.js: Added.
775         (Foo):
776         (RealBar):
777         (get if):
778         * stress/create-this-structure-change-without-cse.js: Added.
779         (Foo):
780         (RealBar):
781         (get if):
782         * stress/create-this-structure-change.js: Added.
783         (Foo):
784         (RealBar):
785         (get if):
786
787 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
788
789         [DFG] Introduces fused compare and jump
790         https://bugs.webkit.org/show_bug.cgi?id=177100
791
792         Reviewed by Mark Lam.
793
794         * stress/fused-jeq-slow.js: Added.
795         (shouldBe):
796         (testJEQ):
797         (testJNEQB):
798         (testJEQB):
799         (testJNEQF):
800         (testJEQF):
801         * stress/fused-jeq.js: Added.
802         (shouldBe):
803         (testJEQ):
804         (testJNEQB):
805         (testJEQB):
806         (testJNEQF):
807         (testJEQF):
808         * stress/fused-jstricteq-slow.js: Added.
809         (shouldBe):
810         (testJSTRICTEQ):
811         (testJNSTRICTEQB):
812         (testJSTRICTEQB):
813         (testJNSTRICTEQF):
814         (testJSTRICTEQF):
815         * stress/fused-jstricteq.js: Added.
816         (shouldBe):
817         (testJSTRICTEQ):
818         (testJNSTRICTEQB):
819         (testJSTRICTEQB):
820         (testJNSTRICTEQF):
821         (testJSTRICTEQF):
822
823 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
824
825         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
826         https://bugs.webkit.org/show_bug.cgi?id=183559
827
828         Reviewed by Mark Lam.
829
830         * stress/double-to-string-in-loop-removed.js: Added.
831         (test):
832         * stress/int32-to-string-in-loop-removed.js: Added.
833         (test):
834         * stress/int52-to-string-in-loop-removed.js: Added.
835         (test):
836
837 2018-03-22  Michael Saboff  <msaboff@apple.com>
838
839         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
840         https://bugs.webkit.org/show_bug.cgi?id=183901
841
842         Reviewed by Keith Miller.
843
844         New test.
845
846         * stress/array-reverse-doesnt-clobber.js: Added.
847         (testArrayReverse):
848         (createArrayOfArrays):
849         (createArrayStorage):
850
851 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
852
853         ScopedArguments should do poisoning and index masking
854         https://bugs.webkit.org/show_bug.cgi?id=183863
855
856         Reviewed by Mark Lam.
857         
858         Adds another stress test of scoped arguments.
859
860         * stress/scoped-arguments-test.js: Added.
861         (foo):
862
863 2018-03-20  Saam Barati  <sbarati@apple.com>
864
865         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
866         https://bugs.webkit.org/show_bug.cgi?id=183795
867         <rdar://problem/38298694>
868
869         Reviewed by JF Bastien.
870
871         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
872         (foo):
873         (bar):
874
875 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
876
877         [DFG][FTL] Add vectorLengthHint for NewArray
878         https://bugs.webkit.org/show_bug.cgi?id=183694
879
880         Reviewed by Saam Barati.
881
882         * stress/vector-length-hint-array-constructor.js: Added.
883         (shouldBe):
884         (test):
885         * stress/vector-length-hint-new-array.js: Added.
886         (shouldBe):
887         (test):
888
889 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
890
891         [DFG][FTL] Make ArraySlice(0) code tight
892         https://bugs.webkit.org/show_bug.cgi?id=183590
893
894         Reviewed by Saam Barati.
895
896         * stress/array-slice-with-zero.js: Added.
897         (shouldBe):
898         (test):
899         (test2):
900         * stress/array-slice-zero-args.js: Added.
901         (shouldBe):
902         (test):
903
904 2018-03-14  Caitlin Potter  <caitp@igalia.com>
905
906         [JSC] fix order of evaluation for ClassDefinitionEvaluation
907         https://bugs.webkit.org/show_bug.cgi?id=183523
908
909         Reviewed by Keith Miller.
910
911         Computed property names need to be evaluated in source order during class
912         definition evaluation, as it's observable (and specified to work this way).
913
914         This change improves compatibility with Chromium.
915
916         * stress/class_elements.js: Added.
917         (test):
918         (test.C.prototype.effect):
919         (test.C.effect):
920         (test.C.prototype.get effect):
921         (test.C.prototype.set effect):
922         (test.C):
923
924 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
925
926         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
927         https://bugs.webkit.org/show_bug.cgi?id=183310
928
929         Reviewed by Filip Pizlo.
930
931         * stress/ai-create-this-to-new-object-fire.js: Added.
932         (assert):
933         (test):
934         (func):
935         (check):
936         (test.body.A):
937         (test.body.B):
938         (test.body):
939         * stress/ai-create-this-to-new-object.js: Added.
940         (assert):
941         (test):
942         (func):
943         (check):
944         (test.body.A):
945         (test.body.B):
946         (test.body):
947
948 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
949
950         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
951         https://bugs.webkit.org/show_bug.cgi?id=181848
952
953         Reviewed by Sam Weinig.
954
955         * microbenchmarks/regexp-u-global-es5.js: Added.
956         (fn):
957         * microbenchmarks/regexp-u-global-es6.js: Added.
958         (fn):
959         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
960         (shouldBe):
961         (test):
962         (i.switch):
963         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
964         (shouldBe):
965         (test):
966
967 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
968
969         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
970         https://bugs.webkit.org/show_bug.cgi?id=183334
971
972         Reviewed by Žan Doberšek.
973
974         * stress/var-injection-cache-invalidation.js:
975
976 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
977
978         [ARM] Disable tests that run out of memory
979         https://bugs.webkit.org/show_bug.cgi?id=182699
980
981         Reviewed by Žan Doberšek.
982
983         Skip tests that run of of memory. Do not run
984         modules/module-jit-reachability.js without LLInt to prevent
985         running out of executable memory.
986
987         * modules.yaml:
988         * modules/module-jit-reachability.js:
989         * stress/has-own-property-name-cache-string-keys.js:
990         * stress/has-own-property-name-cache-symbol-keys.js:
991
992 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
993
994         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
995         https://bugs.webkit.org/show_bug.cgi?id=183173
996
997         Reviewed by Saam Barati.
998
999         * stress/async-arrow-function-in-class-heritage.js: Added.
1000         (testSyntax):
1001         (testSyntaxError):
1002         (SyntaxError):
1003
1004 2018-03-01  Saam Barati  <sbarati@apple.com>
1005
1006         We need to clear cached structures when having a bad time
1007         https://bugs.webkit.org/show_bug.cgi?id=183256
1008         <rdar://problem/36245022>
1009
1010         Reviewed by Mark Lam.
1011
1012         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1013         (assert):
1014         (defineSetter):
1015         (iterate):
1016         (doSlice):
1017
1018 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1019
1020         JSC crash with `import("")`
1021         https://bugs.webkit.org/show_bug.cgi?id=183175
1022
1023         Reviewed by Saam Barati.
1024
1025         * stress/import-with-empty-string.js: Added.
1026
1027 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1028
1029         Unreviewed, skip FTL tests if FTL is disabled
1030         https://bugs.webkit.org/show_bug.cgi?id=183071
1031
1032         * stress/has-indexed-property-array-storage-ftl.js:
1033         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1034
1035 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1036
1037         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1038         https://bugs.webkit.org/show_bug.cgi?id=182965
1039
1040         Reviewed by Saam Barati.
1041
1042         * stress/put-by-val-array-storage.js: Added.
1043         (shouldBe):
1044         (testArrayStorageInBounds):
1045         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1046         (shouldBe):
1047         (testInt32.createBuiltin):
1048         (set for):
1049         * stress/put-by-val-slow-put-array-storage.js: Added.
1050         (shouldBe):
1051         (testArrayStorageInBounds):
1052
1053 2018-02-26  Saam Barati  <sbarati@apple.com>
1054
1055         validateStackAccess should not validate if the offset is within the stack bounds
1056         https://bugs.webkit.org/show_bug.cgi?id=183067
1057         <rdar://problem/37749988>
1058
1059         Reviewed by Mark Lam.
1060
1061         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1062         (assert):
1063         (test.a):
1064         (test.b):
1065         (test):
1066
1067 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1068
1069         Unreviewed, skip FTL tests if FTL is disabled
1070         https://bugs.webkit.org/show_bug.cgi?id=183071
1071
1072         * stress/has-indexed-property-array-storage-ftl.js:
1073         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1074
1075 2018-02-23  Saam Barati  <sbarati@apple.com>
1076
1077         Make Number.isInteger an intrinsic
1078         https://bugs.webkit.org/show_bug.cgi?id=183088
1079
1080         Reviewed by JF Bastien.
1081
1082         * stress/number-is-integer-intrinsic.js: Added.
1083
1084 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1085
1086         WebAssembly: cache memory address / size on instance
1087         https://bugs.webkit.org/show_bug.cgi?id=177305
1088
1089         Reviewed by JF Bastien.
1090
1091         * wasm/function-tests/memory-reuse.js: Added.
1092         (createWasmInstance):
1093         (doCheckTrap):
1094         (doMemoryGrow):
1095         (doCheck):
1096         (checkWasmInstancesWithSharedMemory):
1097
1098 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1099
1100         [JSC] Implement $vm.ftlTrue function for FTL testing
1101         https://bugs.webkit.org/show_bug.cgi?id=183071
1102
1103         Reviewed by Mark Lam.
1104
1105         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1106         (foo):
1107         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1108         (foo):
1109         * stress/dead-fiat-value-to-int52.js:
1110         (foo):
1111         * stress/dead-osr-entry-value.js:
1112         (foo):
1113         * stress/fiat-value-to-int52-then-exit-not-double.js:
1114         (foo):
1115         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1116         (foo):
1117         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1118         (foo):
1119         * stress/fiat-value-to-int52-then-fold.js:
1120         (foo):
1121         * stress/fiat-value-to-int52.js:
1122         (foo):
1123         * stress/fold-based-on-int32-proof-mul-branch.js:
1124         (foo):
1125         * stress/fold-profiled-call-to-call.js:
1126         (foo):
1127         * stress/fold-to-double-constant-then-exit.js:
1128         (foo):
1129         * stress/fold-to-int52-constant-then-exit.js:
1130         (foo):
1131         * stress/fold-to-primitive-in-cfa.js:
1132         (foo):
1133         * stress/fold-to-primitive-to-identity-in-cfa.js:
1134         (foo):
1135         * stress/has-indexed-property-array-storage-ftl.js: Added.
1136         (shouldBe):
1137         (test1):
1138         (test2):
1139         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1140         (shouldBe):
1141         (test1):
1142         (test2):
1143         * stress/int52-ai-add-then-filter-int32.js:
1144         (foo):
1145         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1146         (foo):
1147         * stress/int52-ai-mul-then-filter-int32.js:
1148         (foo):
1149         * stress/int52-ai-neg-then-filter-int32.js:
1150         (foo):
1151         * stress/int52-ai-sub-then-filter-int32.js:
1152         (foo):
1153         * stress/licm-pre-header-cannot-exit-nested.js:
1154         (foo):
1155         * stress/licm-pre-header-cannot-exit.js:
1156         (foo):
1157         * stress/sparse-array-entry-update-144067.js:
1158         (useMemoryToTriggerGCs):
1159         * stress/test-spec-misc.js:
1160         (foo):
1161         * stress/tricky-array-bounds-checks.js:
1162         (foo):
1163
1164 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1165
1166         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1167         https://bugs.webkit.org/show_bug.cgi?id=182792
1168
1169         Reviewed by Mark Lam.
1170
1171         * stress/has-indexed-property-array-storage.js: Added.
1172         (shouldBe):
1173         (test1):
1174         (test2):
1175         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1176         (shouldBe):
1177         (test1):
1178         (test2):
1179
1180 2018-02-20  Saam Barati  <sbarati@apple.com>
1181
1182         DFG::VarargsForwardingPhase should eliminate getting argument length
1183         https://bugs.webkit.org/show_bug.cgi?id=182959
1184
1185         Reviewed by Keith Miller.
1186
1187         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1188
1189 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1190
1191         [FTL] Support ArrayPush for ArrayStorage
1192         https://bugs.webkit.org/show_bug.cgi?id=182782
1193
1194         Reviewed by Saam Barati.
1195
1196         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1197
1198         * stress/array-push-array-storage-beyond-int32.js: Added.
1199         (shouldBe):
1200         (test):
1201         * stress/array-push-array-storage.js: Added.
1202         (shouldBe):
1203         (test):
1204         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1205         (shouldBe):
1206         (test):
1207         * stress/array-push-multiple-storage-continuous.js: Added.
1208         (shouldBe):
1209         (test):
1210
1211 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1212
1213         [FTL] Support ArrayPop for ArrayStorage
1214         https://bugs.webkit.org/show_bug.cgi?id=182783
1215
1216         Reviewed by Saam Barati.
1217
1218         * stress/array-pop-array-storage.js: Added.
1219         (shouldBe):
1220         (test):
1221
1222 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1223
1224         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1225         https://bugs.webkit.org/show_bug.cgi?id=182731
1226
1227         Reviewed by Saam Barati.
1228
1229         * stress/arrayify-array-storage-array.js: Added.
1230         (shouldBe):
1231         (testArrayStorage):
1232         * stress/arrayify-array-storage-non-array.js: Added.
1233         (shouldBe):
1234         (testArrayStorage):
1235         * stress/arrayify-array-storage.js: Added.
1236         (shouldBe):
1237         (testArrayStorage):
1238         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1239         (shouldBe):
1240         (testArrayStorage):
1241         * stress/arrayify-slow-put-array-storage.js: Added.
1242         (shouldBe):
1243         (testArrayStorage):
1244
1245 2018-02-19  Saam Barati  <sbarati@apple.com>
1246
1247         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1248         https://bugs.webkit.org/show_bug.cgi?id=182942
1249         <rdar://problem/37584764>
1250
1251         Reviewed by Mark Lam.
1252
1253         * stress/get-prototype-create-this-effectful.js: Added.
1254
1255 2018-02-16  Saam Barati  <sbarati@apple.com>
1256
1257         Fix bugs from r228411
1258         https://bugs.webkit.org/show_bug.cgi?id=182851
1259         <rdar://problem/37577732>
1260
1261         Reviewed by JF Bastien.
1262
1263         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1264
1265 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1266
1267         Unreviewed, roll out r228366 since it did not progress anything.
1268
1269         * stress/gc-error-stack.js: Removed.
1270         * stress/no-gc-error-stack.js: Removed.
1271
1272 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1273
1274         Many stress tests fail with JIT disabled
1275         https://bugs.webkit.org/show_bug.cgi?id=182730
1276
1277         Reviewed by Saam Barati.
1278
1279         These tests are broken by design if the JIT is disabled - they test
1280         the return value of numberOfDFGCompiles(), which is always set to
1281         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1282
1283         * stress/arith-abs-on-various-types.js:
1284         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1285         * stress/arith-acos-on-various-types.js:
1286         * stress/arith-acosh-on-various-types.js:
1287         * stress/arith-asin-on-various-types.js:
1288         * stress/arith-asinh-on-various-types.js:
1289         * stress/arith-atan-on-various-types.js:
1290         * stress/arith-atanh-on-various-types.js:
1291         * stress/arith-cbrt-on-various-types.js:
1292         * stress/arith-ceil-on-various-types.js:
1293         * stress/arith-clz32-on-various-types.js:
1294         * stress/arith-cos-on-various-types.js:
1295         * stress/arith-cosh-on-various-types.js:
1296         * stress/arith-expm1-on-various-types.js:
1297         * stress/arith-floor-on-various-types.js:
1298         * stress/arith-fround-on-various-types.js:
1299         * stress/arith-log-on-various-types.js:
1300         * stress/arith-log10-on-various-types.js:
1301         * stress/arith-log2-on-various-types.js:
1302         * stress/arith-negate-on-various-types.js:
1303         * stress/arith-round-on-various-types.js:
1304         * stress/arith-sin-on-various-types.js:
1305         * stress/arith-sinh-on-various-types.js:
1306         * stress/arith-sqrt-on-various-types.js:
1307         * stress/arith-tan-on-various-types.js:
1308         * stress/arith-tanh-on-various-types.js:
1309         * stress/arith-trunc-on-various-types.js:
1310         * stress/compare-strict-eq-on-various-types.js:
1311
1312 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1313
1314         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1315
1316         Unreviewed test gardening.
1317
1318         * stress/new-largeish-contiguous-array-with-size.js:
1319
1320 2018-02-14  Saam Barati  <sbarati@apple.com>
1321
1322         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1323         https://bugs.webkit.org/show_bug.cgi?id=182801
1324
1325         Reviewed by Keith Miller.
1326
1327         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1328
1329 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1330
1331         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1332         https://bugs.webkit.org/show_bug.cgi?id=182526
1333
1334         Unreviewed test gardening.
1335
1336         * stress/activation-sink-default-value-tdz-error.js:
1337
1338 2018-02-13  Saam Barati  <sbarati@apple.com>
1339
1340         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1341         https://bugs.webkit.org/show_bug.cgi?id=182755
1342         <rdar://problem/37080864>
1343
1344         Reviewed by Keith Miller.
1345
1346         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1347         (test1.o.get 10005):
1348         (test1):
1349         (test2.o.get 1000):
1350         (test2):
1351
1352 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1353
1354         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1355         https://bugs.webkit.org/show_bug.cgi?id=182717
1356
1357         Reviewed by Yusuke Suzuki.
1358
1359         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1360         literals, to allow template callsite arrays to be collected when the
1361         code containing the tagged template call is collected. This spec change
1362         has received concensus and been ratified.
1363
1364         This change eliminates the eternal map associating template contents
1365         with arrays.
1366
1367         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1368         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1369         * stress/tagged-templates-identity.js:
1370         * stress/template-string-tags-eval.js:
1371         * test262.yaml:
1372
1373 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1374
1375         Support GetArrayLength on ArrayStorage in the FTL
1376         https://bugs.webkit.org/show_bug.cgi?id=182625
1377
1378         Reviewed by Saam Barati.
1379
1380         * stress/array-storage-length.js: Added.
1381         (shouldBe):
1382         (testInBound):
1383         (testUncountable):
1384         (testSlowPutInBound):
1385         (testSlowPutUncountable):
1386         * stress/undecided-length.js: Added.
1387         (shouldBe):
1388         (test2):
1389
1390 2018-02-12  Saam Barati  <sbarati@apple.com>
1391
1392         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1393         https://bugs.webkit.org/show_bug.cgi?id=182706
1394         <rdar://problem/36833681>
1395
1396         Reviewed by Filip Pizlo.
1397
1398         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1399         (effects):
1400         (foo):
1401
1402 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1403
1404         Don't waste memory for error.stack
1405         https://bugs.webkit.org/show_bug.cgi?id=182656
1406
1407         Reviewed by Saam Barati.
1408         
1409         Tests the policy.
1410
1411         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1412         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1413
1414 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1415
1416         [JSC] Update Test262 to Feb 9 version
1417         https://bugs.webkit.org/show_bug.cgi?id=182468
1418
1419         Reviewed by Saam Barati.
1420
1421 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1422
1423         Unreviewed, fix invalid line terminator in old test262 file part 2
1424         https://bugs.webkit.org/show_bug.cgi?id=182468
1425
1426         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1427
1428 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1429
1430         Unreviewed, fix invalid line terminator in old test262 file
1431         https://bugs.webkit.org/show_bug.cgi?id=182468
1432
1433         * test262/test/language/literals/regexp/7.8.5-1.js:
1434
1435 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1436
1437         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1438         https://bugs.webkit.org/show_bug.cgi?id=182440
1439
1440         Reviewed by Darin Adler.
1441
1442         * stress/array-flatmap.js: Added.
1443         (shouldBe):
1444         (shouldBeArray):
1445         (shouldThrow):
1446         (var):
1447         * stress/array-flatten.js: Added.
1448         (shouldBe):
1449         (shouldBeArray):
1450         * test262.yaml:
1451         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1452         (3.flatMap):
1453         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1454
1455 2018-02-06  Keith Miller  <keith_miller@apple.com>
1456
1457         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1458         https://bugs.webkit.org/show_bug.cgi?id=182549
1459         <rdar://problem/36189995>
1460
1461         Reviewed by Saam Barati.
1462
1463         * stress/var-injection-cache-invalidation.js: Added.
1464         (allocateLotsOfThings):
1465         (test):
1466
1467 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1468
1469         Unreviewed, follow up for test262 update
1470         https://bugs.webkit.org/show_bug.cgi?id=182288
1471
1472         * test262.yaml:
1473
1474 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1475
1476         Update test262 to Jan 30 version
1477         https://bugs.webkit.org/show_bug.cgi?id=182288
1478
1479         Unreviewed test gardening.
1480
1481         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1482
1483 2018-02-02  Saam Barati  <sbarati@apple.com>
1484
1485         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1486         https://bugs.webkit.org/show_bug.cgi?id=182368
1487         <rdar://problem/36932466>
1488
1489         Reviewed by Mark Lam.
1490
1491         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1492         (runNearStackLimit.t):
1493         (runNearStackLimit):
1494         (try.runNearStackLimit):
1495         (catch):
1496
1497 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1498
1499         Update test262 to Jan 30 version
1500         https://bugs.webkit.org/show_bug.cgi?id=182288
1501
1502         Rubber stamped by Saam Barati.
1503
1504         This patch updates test262 to the latest one, Jan 30 version.
1505         Since added and changed files are too many, we cannot create ChangeLog.
1506         The following files are changed.
1507
1508         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1509         including some special line terminators (like u2028, u2029).
1510
1511         * test262.yaml:
1512         * test262/test262-Revision.txt:
1513         * test262/*:
1514
1515 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1516
1517         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1518         https://bugs.webkit.org/show_bug.cgi?id=182411
1519
1520         Reviewed by Carlos Alberto Lopez Perez.
1521
1522         This is skipped only on arm memory limited platforms. Until recently
1523         it was not a problem on MIPS as the butterfly was not initialized. But
1524         since r227435, the butterfly is initialized in that test and therefore
1525         memory is allocated, and the test typically takes around 512M, which
1526         means it generally gets OOM-killed on the MIPS buildbot.
1527
1528         * mozilla/mozilla-tests.yaml:
1529
1530 2018-02-01  Mark Lam  <mark.lam@apple.com>
1531
1532         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1533         https://bugs.webkit.org/show_bug.cgi?id=182419
1534         <rdar://problem/37044945>
1535
1536         Reviewed by Saam Barati.
1537
1538         * stress/regress-182419.js: Added.
1539
1540 2018-02-01  Keith Miller  <keith_miller@apple.com>
1541
1542         Fix crashes due to mishandling custom sections.
1543         https://bugs.webkit.org/show_bug.cgi?id=182404
1544         <rdar://problem/36935863>
1545
1546         Reviewed by Saam Barati.
1547
1548         * wasm/Builder.js:
1549         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1550         * wasm/js-api/validate.js:
1551         (assert.truthy):
1552
1553 2018-01-31  Saam Barati  <sbarati@apple.com>
1554
1555         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1556         https://bugs.webkit.org/show_bug.cgi?id=182074
1557         <rdar://problem/36846261>
1558
1559         Reviewed by Mark Lam.
1560
1561         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1562         (assert):
1563         (let.func):
1564         (let.o.foo):
1565         (varFunc):
1566
1567 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1568
1569         Unreviewed, update test262 expects
1570         https://bugs.webkit.org/show_bug.cgi?id=182232
1571
1572         * test262.yaml:
1573
1574 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1575
1576         [JSC] Implement trimStart and trimEnd
1577         https://bugs.webkit.org/show_bug.cgi?id=182233
1578
1579         Reviewed by Mark Lam.
1580
1581         * stress/trim.js: Added.
1582         (shouldBe):
1583         (startTest):
1584         (endTest):
1585         (trimTest):
1586
1587 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1588
1589         [JSC] Relax line terminators in String to make JSON subset of JS
1590         https://bugs.webkit.org/show_bug.cgi?id=182232
1591
1592         Reviewed by Keith Miller.
1593
1594         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1595         * stress/relaxed-line-terminators-in-string.js: Added.
1596         (shouldBe):
1597
1598 2018-01-29  Michael Saboff  <msaboff@apple.com>
1599
1600         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1601         https://bugs.webkit.org/show_bug.cgi?id=182249
1602
1603         Reviewed by Keith Miller.
1604
1605         New regression test.
1606
1607         * stress/compare-clobber-untypeduse.js: Added.
1608
1609 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1610
1611         Unreviewed, rolling out r227725.
1612
1613         This caused internal failures.
1614
1615         Reverted changeset:
1616
1617         "JSC Sampling Profiler: Detect tester and testee when sampling
1618         in RegExp JIT"
1619         https://bugs.webkit.org/show_bug.cgi?id=152729
1620         https://trac.webkit.org/changeset/227725
1621
1622 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1623
1624         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1625         https://bugs.webkit.org/show_bug.cgi?id=152729
1626
1627         Reviewed by Saam Barati.
1628
1629         * stress/sampling-profiler-regexp.js: Added.
1630         (platformSupportsSamplingProfiler.test):
1631         (platformSupportsSamplingProfiler.baz):
1632         (platformSupportsSamplingProfiler):
1633
1634 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1635
1636         [DFG][FTL] WeakMap#set should have DFG node
1637         https://bugs.webkit.org/show_bug.cgi?id=180015
1638
1639         Reviewed by Saam Barati.
1640
1641         * stress/weakmap-set-change-get.js: Added.
1642         (shouldBe):
1643         (test):
1644         * stress/weakmap-set-cse.js: Added.
1645         (shouldBe):
1646         (test):
1647         * stress/weakset-add-change-get.js: Added.
1648         (shouldBe):
1649         * stress/weakset-add-cse.js: Added.
1650         (shouldBe):
1651
1652 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1653
1654         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1655         https://bugs.webkit.org/show_bug.cgi?id=182213
1656
1657         Reviewed by Mark Lam.
1658
1659         * stress/int32-min-to-string.js: Added.
1660         (shouldBe):
1661         (test2):
1662         (test4):
1663         (test8):
1664         (test16):
1665         (test32):
1666         * stress/zero-to-string.js: Added.
1667         (shouldBe):
1668         (test2):
1669         (test4):
1670         (test8):
1671         (test16):
1672         (test32):
1673
1674 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1675
1676         Add more module scope related tests with code evaluation by string
1677         https://bugs.webkit.org/show_bug.cgi?id=181983
1678
1679         Reviewed by Sam Weinig.
1680
1681         Add more module scope related tests. When the original tests are landed,
1682         we do not have browser integration. This patch adds more module scope tests
1683         with dynamically created script evaluation. We add tests with Function
1684         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1685
1686         * modules/scopes-eval.js: Added.
1687         (shouldBe):
1688         * modules/scopes.js:
1689         (shouldBe):
1690
1691 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1692
1693         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1694
1695         * microbenchmarks/array-push-3.js: Removed.
1696         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1697         * microbenchmarks/double-to-int32.js: Removed.
1698         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1699         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1700         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1701         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1702         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1703         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1704         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1705         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1706         * microbenchmarks/map-constant-key.js: Removed.
1707         * microbenchmarks/nested-function-parsing.js: Removed.
1708         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1709         * microbenchmarks/spread-large-array.js: Removed.
1710         * microbenchmarks/string-add-constant-folding.js: Removed.
1711         * microbenchmarks/to-lower-case.js: Removed.
1712         * microbenchmarks/undefined-property-access.js: Removed.
1713         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1714         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1715         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1716         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1717         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1718         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1719         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1720         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1721         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1722         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1723         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1724         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1725         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1726         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1727         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1728         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1729         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1730         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1731
1732 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1733
1734         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1735         https://bugs.webkit.org/show_bug.cgi?id=181739
1736         <rdar://problem/36627662>
1737
1738         Reviewed by Saam Barati.
1739
1740         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1741         (foo):
1742         (bar):
1743
1744 2018-01-22  Michael Saboff  <msaboff@apple.com>
1745
1746         DFG abstract interpreter needs to properly model effects of some Math ops
1747         https://bugs.webkit.org/show_bug.cgi?id=181886
1748
1749         Reviewed by Saam Barati.
1750
1751         New regression test.
1752
1753         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1754         (test):
1755
1756 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1757
1758         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1759         https://bugs.webkit.org/show_bug.cgi?id=181182
1760
1761         Reviewed by Darin Adler.
1762
1763         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1764         * stress/big-int-prototype-to-string-exception.js: Added.
1765         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1766         * stress/number-prototype-to-string-cast-overflow.js: Added.
1767         * stress/number-prototype-to-string-exception.js: Added.
1768         * stress/number-prototype-to-string-wrong-values.js: Added.
1769
1770 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1771
1772         Disable Atomics when SharedArrayBuffer isn’t enabled
1773         https://bugs.webkit.org/show_bug.cgi?id=181572
1774
1775         Unreviewed test gardening.
1776
1777         * test262.yaml: Skip tests that fail after this change.
1778
1779 2018-01-19  Saam Barati  <sbarati@apple.com>
1780
1781         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1782         https://bugs.webkit.org/show_bug.cgi?id=181877
1783         <rdar://problem/36630552>
1784
1785         Reviewed by Mark Lam.
1786
1787         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1788         (runNearStackLimit):
1789         (f1):
1790         (f2):
1791         (f3):
1792         (i.catch):
1793         (i.try.runNearStackLimit):
1794         (catch):
1795
1796 2018-01-19  Saam Barati  <sbarati@apple.com>
1797
1798         Spread's effects are modeled incorrectly both in AI and in Clobberize
1799         https://bugs.webkit.org/show_bug.cgi?id=181867
1800         <rdar://problem/36290415>
1801
1802         Reviewed by Michael Saboff.
1803
1804         * stress/ai-needs-to-model-spreads-effects.js: Added.
1805         (try.p.Symbol.iterator):
1806         (try.go):
1807         (catch):
1808         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1809         (assert):
1810         (foo):
1811         (a.Symbol.iterator):
1812
1813 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1814
1815         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1816         https://bugs.webkit.org/show_bug.cgi?id=181535
1817
1818         * stress/inserted-recovery-with-set-last-index.js:
1819
1820 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1821
1822         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1823         https://bugs.webkit.org/show_bug.cgi?id=181535
1824
1825         Reviewed by Saam Barati.
1826
1827         * stress/inserted-recovery-with-set-last-index.js: Added.
1828         (shouldBe):
1829         (foo):
1830         * stress/materialize-regexp-at-osr-exit.js: Added.
1831         (shouldBe):
1832         (test):
1833         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1834         (shouldBe):
1835         (test):
1836         * stress/materialize-regexp-cyclic-regexp.js: Added.
1837         (shouldBe):
1838         (test):
1839         (i.switch):
1840         * stress/materialize-regexp-cyclic.js: Added.
1841         (shouldBe):
1842         (test):
1843         (i.switch):
1844         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1845         (bar):
1846         (foo):
1847         (test):
1848         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1849         (bar):
1850         (foo):
1851         (test):
1852         * stress/materialize-regexp.js: Added.
1853         (shouldBe):
1854         (test):
1855         * stress/phantom-regexp-regexp-exec.js: Added.
1856         (shouldBe):
1857         (test):
1858         * stress/phantom-regexp-string-match.js: Added.
1859         (shouldBe):
1860         (test):
1861         * stress/regexp-last-index-sinking.js: Added.
1862         (shouldBe):
1863         (test):
1864
1865 2018-01-17  Saam Barati  <sbarati@apple.com>
1866
1867         Disable Atomics when SharedArrayBuffer isn’t enabled
1868         https://bugs.webkit.org/show_bug.cgi?id=181572
1869         <rdar://problem/36553206>
1870
1871         Reviewed by Michael Saboff.
1872
1873         * stress/isLockFree.js:
1874
1875 2018-01-17  Saam Barati  <sbarati@apple.com>
1876
1877         DFG::Node::convertToConstant needs to clear the varargs flags
1878         https://bugs.webkit.org/show_bug.cgi?id=181697
1879         <rdar://problem/36497332>
1880
1881         Reviewed by Yusuke Suzuki.
1882
1883         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1884         (doIndexOf):
1885         (bar):
1886         (i.bar):
1887
1888 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1889
1890         Unreviewed, rolling out r226937.
1891
1892         Tests added with this change are failing due to a missing
1893         exception check.
1894
1895         Reverted changeset:
1896
1897         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1898         double to int32_t"
1899         https://bugs.webkit.org/show_bug.cgi?id=181182
1900         https://trac.webkit.org/changeset/226937
1901
1902 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1903
1904         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1905         https://bugs.webkit.org/show_bug.cgi?id=181182
1906
1907         Reviewed by Darin Adler.
1908
1909         * bigIntTests.yaml:
1910         * stress/big-int-constructor.js:
1911         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1912         (assert):
1913         (assertThrowRangeError):
1914         * stress/number-prototype-to-string-cast-overflow.js: Added.
1915         (assert):
1916         (assertThrowRangeError):
1917
1918 2018-01-12  Saam Barati  <sbarati@apple.com>
1919
1920         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1921         https://bugs.webkit.org/show_bug.cgi?id=181177
1922         <rdar://problem/36205704>
1923
1924         Reviewed by Yusuke Suzuki.
1925
1926         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1927         (runNearStackLimit.t):
1928         (runNearStackLimit):
1929         (test.f):
1930         (test):
1931
1932 2018-01-12  Saam Barati  <sbarati@apple.com>
1933
1934         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1935         https://bugs.webkit.org/show_bug.cgi?id=181562
1936         <rdar://problem/36445624>
1937
1938         Reviewed by Yusuke Suzuki.
1939
1940         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1941         (f):
1942         (foo):
1943
1944 2018-01-11  Saam Barati  <sbarati@apple.com>
1945
1946         When inserting Unreachable in byte code parser we need to flush all the right things
1947         https://bugs.webkit.org/show_bug.cgi?id=181509
1948         <rdar://problem/36423110>
1949
1950         Reviewed by Mark Lam.
1951
1952         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1953
1954 2018-01-11  Saam Barati  <sbarati@apple.com>
1955
1956         JITMathIC code in the FTL is wrong when code gets duplicated
1957         https://bugs.webkit.org/show_bug.cgi?id=181525
1958         <rdar://problem/36351993>
1959
1960         Reviewed by Michael Saboff and Keith Miller.
1961
1962         * stress/allow-math-ic-b3-code-duplication.js: Added.
1963
1964 2018-01-11  Saam Barati  <sbarati@apple.com>
1965
1966         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1967         https://bugs.webkit.org/show_bug.cgi?id=181508
1968
1969         Reviewed by Yusuke Suzuki.
1970
1971         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1972         (assert):
1973         (test1.foo):
1974         (test1):
1975         (test2.foo):
1976         (test2):
1977
1978 2018-01-09  Mark Lam  <mark.lam@apple.com>
1979
1980         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1981         https://bugs.webkit.org/show_bug.cgi?id=181388
1982         <rdar://problem/36349351>
1983
1984         Reviewed by Saam Barati.
1985
1986         * stress/regress-181388.js: Added.
1987
1988 2018-01-08  JF Bastien  <jfbastien@apple.com>
1989
1990         WebAssembly: mask indexed accesses to Table
1991         https://bugs.webkit.org/show_bug.cgi?id=181412
1992         <rdar://problem/36363236>
1993
1994         Reviewed by Saam Barati.
1995
1996         Update error messages.
1997
1998         * wasm/js-api/table.js:
1999         (assert.throws.WebAssembly.Table.prototype.grow):
2000
2001 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2002
2003         Disable SharedArrayBuffer tests missed in r226386.
2004         https://bugs.webkit.org/show_bug.cgi?id=181266
2005
2006         Unreviewed test gardening.
2007
2008         * test262.yaml:
2009
2010 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2011
2012         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2013         https://bugs.webkit.org/show_bug.cgi?id=181321
2014
2015         Reviewed by Saam Barati.
2016
2017         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2018         (shouldBe):
2019         (testFunction):
2020         * test262.yaml:
2021
2022 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2023
2024         Unreviewed, attempt to fix test262 after r226386.
2025
2026         * test262.yaml:
2027
2028 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2029
2030         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2031         https://bugs.webkit.org/show_bug.cgi?id=179911
2032
2033         Reviewed by Saam Barati.
2034
2035         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2036
2037         * stress/map-set-change-get.js: Added.
2038         (shouldBe):
2039         (test):
2040         * stress/map-set-create-bucket.js: Added.
2041         (shouldBe):
2042         (test):
2043         * stress/set-add-create-bucket.js: Added.
2044         (shouldBe):
2045
2046 2018-01-03  Michael Saboff  <msaboff@apple.com>
2047
2048         Disable SharedArrayBuffers from Web API
2049         https://bugs.webkit.org/show_bug.cgi?id=181266
2050
2051         Reviewed by Saam Barati.
2052
2053         Disabled SharedArrayBuffer tests.
2054
2055         * stress/SharedArrayBuffer-opt.js:
2056         * stress/SharedArrayBuffer.js:
2057         * stress/array-buffer-byte-length.js:
2058         * stress/atomics-add-uint32.js:
2059         * stress/atomics-known-int-use.js:
2060         * stress/atomics-neg-zero.js:
2061         * stress/atomics-store-return.js:
2062         * stress/lars-sab-workers.js:
2063         * stress/regress-159779-1.js:
2064         * stress/regress-159779-2.js:
2065         * stress/regress-170473.js:
2066         * test262.yaml:
2067
2068 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2069
2070         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2071         https://bugs.webkit.org/show_bug.cgi?id=181258
2072
2073         Reviewed by Antonio Gomes.
2074
2075         * stress/big-int-constructor-gc.js:
2076         * stress/big-int-constructor-oom.js:
2077
2078 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2079
2080         Inlining of a function that ends in op_unreachable crashes
2081         https://bugs.webkit.org/show_bug.cgi?id=181027
2082
2083         Reviewed by Filip Pizlo.
2084
2085         * stress/inlining-unreachable.js: Added.
2086         (bar):
2087         (baz):
2088         (i.catch):
2089
2090 2018-01-02  Saam Barati  <sbarati@apple.com>
2091
2092         Incorrect assertion inside AccessCase
2093         https://bugs.webkit.org/show_bug.cgi?id=181200
2094         <rdar://problem/35494754>
2095
2096         Reviewed by Yusuke Suzuki.
2097
2098         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2099         (ctor):
2100         (theFunc):
2101         (run):
2102
2103 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2104
2105         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2106         https://bugs.webkit.org/show_bug.cgi?id=175359
2107
2108         Reviewed by Yusuke Suzuki.
2109
2110         * bigIntTests.yaml:
2111         * stress/big-int-as-key.js: Added.
2112         * stress/big-int-constructor-gc.js: Added.
2113         * stress/big-int-constructor-oom.js: Added.
2114         * stress/big-int-constructor-properties.js: Added.
2115         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2116         * stress/big-int-constructor-prototype.js: Added.
2117         * stress/big-int-constructor.js: Added.
2118         * stress/big-int-function-apply.js:
2119         * stress/big-int-length.js: Added.
2120         * stress/big-int-prop-descriptor.js: Added.
2121         * stress/big-int-proto-constructor.js: Added.
2122         * stress/big-int-proto-name.js: Added.
2123         * stress/big-int-prototype-properties.js: Added.
2124         * stress/big-int-prototype-proto.js: Added.
2125         * stress/big-int-prototype-value-of.js: Added.
2126         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2127         * stress/big-int-prototype-to-string-apply.js: Added.
2128         * stress/big-int-to-object.js: Added.
2129         * stress/big-int-to-string.js: Added.
2130
2131 2017-12-28  Saam Barati  <sbarati@apple.com>
2132
2133         Assertion used to determine if something is an async generator is wrong
2134         https://bugs.webkit.org/show_bug.cgi?id=181168
2135         <rdar://problem/35640560>
2136
2137         Reviewed by Yusuke Suzuki.
2138
2139         * stress/async-generator-assertion.js: Added.
2140
2141 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2142
2143         Skip stress/splay-flash-access tests on memory limited platforms
2144         https://bugs.webkit.org/show_bug.cgi?id=181086
2145
2146         Reviewed by Carlos Alberto Lopez Perez.
2147
2148         These tests use about 185M of memory, and occasionally get OOM-killed
2149         on memory limited platforms.
2150
2151         * stress/splay-flash-access-1ms.js:
2152         * stress/splay-flash-access.js:
2153
2154 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2155
2156         Skip slow jsc tests on embedded platforms
2157         https://bugs.webkit.org/show_bug.cgi?id=180937
2158
2159         Reviewed by Carlos Alberto Lopez Perez.
2160
2161         The tests typeProfiler/deltablue-for-of.js and
2162         typeProfiler/getter-richards.js take a very long time in the
2163         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2164         thus always timeout. They should be skipped on these platforms.
2165
2166         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2167         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2168
2169 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2170
2171         [JSC] Do not check isValid() in op_new_regexp
2172         https://bugs.webkit.org/show_bug.cgi?id=180970
2173
2174         Reviewed by Saam Barati.
2175
2176         * stress/regexp-syntax-error-invalid-flags.js: Added.
2177         (shouldThrow):
2178
2179 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2180
2181         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2182         https://bugs.webkit.org/show_bug.cgi?id=180712
2183
2184         Reviewed by Michael Catanzaro.
2185
2186         stress/call-apply-exponential-bytecode-size.js crashes if the
2187         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2188         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2189         should skip the test on other platforms.
2190
2191         * stress/call-apply-exponential-bytecode-size.js:
2192
2193 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2194
2195         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2196         https://bugs.webkit.org/show_bug.cgi?id=179762
2197
2198         Reviewed by Saam Barati.
2199
2200         * stress/call-varargs-double-new-array-buffer.js: Added.
2201         (assert):
2202         (bar):
2203         (foo):
2204         * stress/call-varargs-spread-new-array-buffer.js: Added.
2205         (assert):
2206         (bar):
2207         (foo):
2208         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2209         (assert):
2210         (bar):
2211         (foo):
2212         * stress/forward-varargs-double-new-array-buffer.js: Added.
2213         (assert):
2214         (test.baz):
2215         (test.bar):
2216         (test.foo):
2217         (test):
2218         * stress/new-array-buffer-sinking-osrexit.js: Added.
2219         (target):
2220         (test):
2221         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2222         (shouldBe):
2223         (test):
2224         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2225         (shouldBe):
2226         (target):
2227         (test):
2228         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2229         (assert):
2230         (test1.bar):
2231         (test1.foo):
2232         (test1):
2233         (test2.bar):
2234         (test2.foo):
2235         (test3.baz):
2236         (test3.bar):
2237         (test3.foo):
2238         (test4.baz):
2239         (test4.bar):
2240         (test4.foo):
2241         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2242         (assert):
2243         (test.baz):
2244         (test.bar):
2245         (test.foo):
2246         (test):
2247         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2248         (assert):
2249         (baz):
2250         (bar):
2251         (effects):
2252         (foo):
2253
2254 2017-12-14  Saam Barati  <sbarati@apple.com>
2255
2256         The CleanUp after LICM is erroneously removing a Check
2257         https://bugs.webkit.org/show_bug.cgi?id=180852
2258         <rdar://problem/36063494>
2259
2260         Reviewed by Filip Pizlo.
2261
2262         * stress/dont-run-cleanup-after-licm.js: Added.
2263
2264 2017-12-14  Michael Saboff  <msaboff@apple.com>
2265
2266         REGRESSION (r225695): Repro crash on yahoo login page
2267         https://bugs.webkit.org/show_bug.cgi?id=180761
2268
2269         Reviewed by JF Bastien.
2270
2271         New regression test.
2272
2273         * stress/regress-180761.js: Added.
2274
2275 2017-12-13  Keith Miller  <keith_miller@apple.com>
2276
2277         JSObjects should have a mask for loading indexed properties
2278         https://bugs.webkit.org/show_bug.cgi?id=180768
2279
2280         Reviewed by Mark Lam.
2281
2282         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2283         (test):
2284
2285 2017-12-13  Saam Barati  <sbarati@apple.com>
2286
2287         Arrow functions need their own structure because they have different properties than sloppy functions
2288         https://bugs.webkit.org/show_bug.cgi?id=180779
2289         <rdar://problem/35814591>
2290
2291         Reviewed by Mark Lam.
2292
2293         * stress/arrow-function-needs-its-own-structure.js: Added.
2294         (assert):
2295         (readPrototype):
2296         (noInline.let.f1):
2297         (noInline):
2298
2299 2017-12-13  Saam Barati  <sbarati@apple.com>
2300
2301         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2302         https://bugs.webkit.org/show_bug.cgi?id=163579
2303         <rdar://problem/35455798>
2304
2305         Reviewed by Mark Lam.
2306
2307         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2308         (assert):
2309         (test1):
2310         (i.test1):
2311         (i.test1.C):
2312         (i.test1.async.foo):
2313         (i.test1.foo):
2314         (test2):
2315
2316 2017-12-13  Saam Barati  <sbarati@apple.com>
2317
2318         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2319         https://bugs.webkit.org/show_bug.cgi?id=180734
2320         <rdar://problem/35640547>
2321
2322         Reviewed by Yusuke Suzuki.
2323
2324         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2325         (__isPropertyOfType):
2326         (__getProperties):
2327         (__getObjects):
2328         (__getRandomObject):
2329         (theClass.):
2330         (theClass):
2331         (childClass):
2332         (counter.catch):
2333
2334 2017-12-12  Saam Barati  <sbarati@apple.com>
2335
2336         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2337         https://bugs.webkit.org/show_bug.cgi?id=180725
2338         <rdar://problem/35970511>
2339
2340         Reviewed by Michael Saboff.
2341
2342         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2343         (f1):
2344         (f2):
2345         (let.o2.valueOf):
2346
2347 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2348
2349         [JSC] Implement optimized WeakMap and WeakSet
2350         https://bugs.webkit.org/show_bug.cgi?id=179929
2351
2352         Reviewed by Saam Barati.
2353
2354         * microbenchmarks/weak-map-key.js:
2355         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2356         (assert):
2357         (objectKey):
2358         (let.start.Date.now):
2359         * stress/basic-weakmap.js: Added.
2360         (shouldBe):
2361         (test):
2362         * stress/basic-weakset.js: Added.
2363         (shouldBe):
2364         (test.set new):
2365         * stress/weakmap-cse-set-break.js: Added.
2366         (shouldBe):
2367         (test):
2368         * stress/weakmap-cse.js: Added.
2369         (shouldBe):
2370         (test):
2371         * stress/weakmap-gc.js: Added.
2372         (test):
2373         * stress/weakset-cse-add-break.js: Added.
2374         (shouldBe):
2375         (test.set new):
2376         * stress/weakset-cse.js: Added.
2377         (shouldBe):
2378         (test.set new):
2379         * stress/weakset-gc.js: Added.
2380         (test.set add):
2381         (test.set new):
2382         (test):
2383
2384 2017-12-12  Saam Barati  <sbarati@apple.com>
2385
2386         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2387         https://bugs.webkit.org/show_bug.cgi?id=180723
2388         <rdar://problem/35859726>
2389
2390         Reviewed by JF Bastien.
2391
2392         * stress/get-my-argument-by-val-constant-folding.js: Added.
2393         (test):
2394         (catch):
2395
2396 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2397
2398         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2399         https://bugs.webkit.org/show_bug.cgi?id=179000
2400
2401         Reviewed by Darin Adler and Yusuke Suzuki.
2402
2403         * bigIntTests.yaml: Added.
2404         * stress/big-int-literal-line-terminator.js: Added.
2405         * stress/big-int-literals.js: Added.
2406         * stress/big-int-operations-error.js: Added.
2407         * stress/big-int-type-of.js: Added.
2408         * stress/big-int-white-space-trailing-leading.js: Added.
2409         * stress/big-int-function-apply.js: Added.
2410
2411 2017-12-11  Saam Barati  <sbarati@apple.com>
2412
2413         We need to disableCaching() in ErrorInstance when we materialize properties
2414         https://bugs.webkit.org/show_bug.cgi?id=180343
2415         <rdar://problem/35833002>
2416
2417         Reviewed by Mark Lam.
2418
2419         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2420         (assert):
2421         (makeError):
2422         (storeToStack):
2423         (storeToStackAlreadyMaterialized):
2424
2425 2017-12-05  JF Bastien  <jfbastien@apple.com>
2426
2427         WebAssembly: don't eagerly checksum
2428         https://bugs.webkit.org/show_bug.cgi?id=180441
2429         <rdar://problem/35156628>
2430
2431         Reviewed by Saam Barati.
2432
2433         Checksum is now disabled, so tests only have <?> as the module
2434         name.
2435
2436         * wasm/function-tests/nameSection.js:
2437         * wasm/function-tests/stack-overflow.js:
2438         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2439         (assertOverflows.assertThrows):
2440         (assertOverflows):
2441         * wasm/function-tests/stack-trace.js:
2442
2443 2017-12-04  JF Bastien  <jfbastien@apple.com>
2444
2445         Proxy all functions, except the $ objects
2446         https://bugs.webkit.org/show_bug.cgi?id=180375
2447
2448         Reviewed by Saam Barati.
2449
2450         It looks like this test may have broken some executions because I
2451         call some internal objects. Explicitly ignore objects whose name
2452         starts with "$" because it's a bad idea anyways.
2453
2454         * stress/proxy-all-the-parameters.js:
2455         (generateObjects):
2456         (get throw):
2457
2458 2017-12-04  Saam Barati  <sbarati@apple.com>
2459
2460         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2461         https://bugs.webkit.org/show_bug.cgi?id=180366
2462         <rdar://problem/35685877>
2463
2464         Reviewed by Michael Saboff.
2465
2466         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2467         (theParent):
2468         (test1.base.getParentStaticValue):
2469         (test1.base):
2470         (test1.__v_24888.prototype.set prop):
2471         (test1.__v_24888):
2472         (test2.base.getParentStaticValue):
2473         (test2.base):
2474         (test2.__v_24888.prototype.set prop):
2475         (test2.__v_24888):
2476         (test2):
2477
2478 2017-12-01  JF Bastien  <jfbastien@apple.com>
2479
2480         Try proxying all function arguments
2481         https://bugs.webkit.org/show_bug.cgi?id=180306
2482
2483         Reviewed by Saam Barati.
2484
2485         * stress/proxy-all-the-parameters.js: Added.
2486         (isPropertyOfType):
2487         (getProperties):
2488         (generateObjects):
2489         (getObjects):
2490         (getFunctions):
2491         (get throw):
2492         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2493
2494 2017-12-01  JF Bastien  <jfbastien@apple.com>
2495
2496         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2497         https://bugs.webkit.org/show_bug.cgi?id=180297
2498         <rdar://problem/35745556>
2499
2500         Reviewed by Mark Lam.
2501
2502         * stress/math-exceptions.js: Added.
2503         (get try):
2504         (catch):
2505
2506 2017-12-01  JF Bastien  <jfbastien@apple.com>
2507
2508         JavaScriptCore: add test for weird class static getters
2509         https://bugs.webkit.org/show_bug.cgi?id=180281
2510         <rdar://problem/35592139>
2511
2512         Reviewed by Mark Lam.
2513
2514         I fixed a bug for it in r224927 and didn't add a test. Do so.
2515
2516         * stress/class-static-get-weird.js: Added.
2517         (c.prototype.get name):
2518         (c):
2519         (c.prototype.get arguments):
2520         (c.prototype.get caller):
2521         (c.prototype.get length):
2522
2523 2017-12-01  Saam Barati  <sbarati@apple.com>
2524
2525         Having a bad time needs to handle ArrayClass indexing type as well
2526         https://bugs.webkit.org/show_bug.cgi?id=180274
2527         <rdar://problem/35667869>
2528
2529         Reviewed by Keith Miller and Mark Lam.
2530
2531         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2532         (assert):
2533         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2534         (assert):
2535
2536 2017-12-01  JF Bastien  <jfbastien@apple.com>
2537
2538         WebAssembly: restore cached stack limit after out-call
2539         https://bugs.webkit.org/show_bug.cgi?id=179106
2540         <rdar://problem/35337525>
2541
2542         Reviewed by Saam Barati.
2543
2544         * wasm/function-tests/double-instance.js: Added.
2545         (const.imp.boom):
2546         (const.imp.get callAnother):
2547
2548 2017-11-30  JF Bastien  <jfbastien@apple.com>
2549
2550         WebAssembly: improve stack trace
2551         https://bugs.webkit.org/show_bug.cgi?id=179343
2552
2553         Reviewed by Saam Barati.
2554
2555         Update the tests to follow the new format. Notably, SHA1 module
2556         hash is now included in traces, and stubs are properly identified.
2557
2558         * wasm/assert.js: Add an assertion which matches regular expressions.
2559         * wasm/function-tests/nameSection.js:
2560         * wasm/function-tests/stack-overflow.js:
2561         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2562         (assertOverflows.assertThrows.wasm.1):
2563         (assertOverflows.assertThrows.wasm.0):
2564         (assertOverflows.assertThrows):
2565         (assertOverflows):
2566         * wasm/function-tests/stack-trace.js:
2567         (import.Builder.from.string_appeared_here.assert): Deleted.
2568         * wasm/function-tests/trap-after-cross-instance-call.js:
2569         (wasmFrameCountFromError):
2570         * wasm/function-tests/trap-load-2.js:
2571         (wasmFrameCountFromError):
2572         * wasm/function-tests/trap-load.js:
2573         (wasmFrameCountFromError):
2574
2575 2017-11-30  Mark Lam  <mark.lam@apple.com>
2576
2577         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2578         https://bugs.webkit.org/show_bug.cgi?id=180219
2579         <rdar://problem/35696536>
2580
2581         Reviewed by Filip Pizlo.
2582
2583         * stress/regress-180219.js: Added.
2584
2585 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2586
2587         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2588         https://bugs.webkit.org/show_bug.cgi?id=180190
2589
2590         Reviewed by Mark Lam.
2591
2592         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2593         (shouldBe):
2594         (test1):
2595         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2596         (shouldBe):
2597         (test1):
2598         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2599         (shouldBe):
2600         (test1):
2601         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2602         (shouldBe):
2603         (test1):
2604         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2605         (shouldBe):
2606         (test1):
2607         * stress/operation-in-may-have-negative-int32.js: Added.
2608         (shouldBe):
2609         (test2):
2610         * stress/operation-in-negative-int32-cast.js: Added.
2611         (shouldBe):
2612         (test1):
2613
2614 2017-11-28  JF Bastien  <jfbastien@apple.com>
2615
2616         Strict and sloppy functions shouldn't share structure
2617         https://bugs.webkit.org/show_bug.cgi?id=180103
2618         <rdar://problem/35667847>
2619
2620         Reviewed by Saam Barati.
2621
2622         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2623         because the IC was wrong.
2624         (foo):
2625         (bar):
2626         (baz):
2627         (catch):
2628         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2629         in this patch, but may as well test odd strict mode corner cases.
2630         (bar):
2631         (baz):
2632         (catch):
2633         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2634         (foo):
2635         (bar):
2636         (baz):
2637         (catch):
2638         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2639         next file, but with invalidation of the FunctionExecutable's
2640         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2641         slower path.
2642         (foo):
2643         (bar.const.x):
2644         (bar.const.y):
2645         (bar):
2646         (catch):
2647         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2648         strict nesting works correctly.
2649         (foo):
2650         (bar.baz):
2651         (bar):
2652         * stress/strict-function-structure.js: Added. The test used to
2653         assert in objectProtoFuncHasOwnProperty.
2654         (foo):
2655         (bar):
2656         (baz):
2657         * stress/strict-nested-function-structure.js: Added. Nesting.
2658         (foo):
2659         (bar):
2660         (baz.boo):
2661         (baz):
2662
2663 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2664
2665         The recursive tail call optimisation is wrong on closures
2666         https://bugs.webkit.org/show_bug.cgi?id=179835
2667
2668         Reviewed by Saam Barati.
2669
2670         * stress/closure-recursive-tail-call.js: Added.
2671         (makeClosure):
2672
2673 2017-11-27  JF Bastien  <jfbastien@apple.com>
2674
2675         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2676         https://bugs.webkit.org/show_bug.cgi?id=180051
2677         <rdar://problem/35614371>
2678
2679         Reviewed by Saam Barati.
2680
2681         * stress/rest-parameter-negative.js: Added.
2682         (__f_5484):
2683         (catch):
2684         (__f_5485):
2685         (__v_22598.catch):
2686
2687 2017-11-27  Saam Barati  <sbarati@apple.com>
2688
2689         Spread can escape when CreateRest does not
2690         https://bugs.webkit.org/show_bug.cgi?id=180057
2691         <rdar://problem/35676119>
2692
2693         Reviewed by JF Bastien.
2694
2695         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2696         (assert):
2697         (getProperties):
2698         (theFunc):
2699         (let.obj.valueOf):
2700
2701 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2702
2703         [DFG] Add NormalizeMapKey DFG IR
2704         https://bugs.webkit.org/show_bug.cgi?id=179912
2705
2706         Reviewed by Saam Barati.
2707
2708         * stress/map-untyped-normalize-cse.js: Added.
2709         (shouldBe):
2710         (test):
2711         * stress/map-untyped-normalize.js: Added.
2712         (shouldBe):
2713         (test):
2714         * stress/set-untyped-normalize-cse.js: Added.
2715         (shouldBe):
2716         (set return.set has.set has):
2717         * stress/set-untyped-normalize.js: Added.
2718         (shouldBe):
2719         (set return.set has):
2720
2721 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2722
2723         [FTL] Support DeleteById and DeleteByVal
2724         https://bugs.webkit.org/show_bug.cgi?id=180022
2725
2726         Reviewed by Saam Barati.
2727
2728         * stress/delete-by-id.js: Added.
2729         (shouldBe):
2730         (test1):
2731         (test2):
2732         * stress/delete-by-val-ftl.js: Added.
2733         (shouldBe):
2734         (test1):
2735         (test2):
2736
2737 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2738
2739         [DFG] Introduce {Set,Map,WeakMap}Fields
2740         https://bugs.webkit.org/show_bug.cgi?id=179925
2741
2742         Reviewed by Saam Barati.
2743
2744         * stress/map-set-clobber-map-get.js: Added.
2745         (shouldBe):
2746         (test):
2747         * stress/map-set-does-not-clobber-set-has.js: Added.
2748         (shouldBe):
2749         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2750         (shouldBe):
2751         (test):
2752         * stress/set-add-clobber-set-has.js: Added.
2753         (shouldBe):
2754         * stress/set-add-does-not-clobber-map-get.js: Added.
2755         (shouldBe):
2756
2757 2017-11-24  Mark Lam  <mark.lam@apple.com>
2758
2759         Move unsafe jsc shell test functions to the $vm object.
2760         https://bugs.webkit.org/show_bug.cgi?id=179980
2761
2762         Reviewed by Yusuke Suzuki.
2763
2764         * controlFlowProfiler/driver/driver.js:
2765         * controlFlowProfiler/execution-count.js:
2766         * controlFlowProfiler/if-statement.js:
2767         * controlFlowProfiler/loop-statements.js:
2768         * controlFlowProfiler/switch-statements.js:
2769         * controlFlowProfiler/test-jit.js:
2770         * exceptionFuzz/3d-cube.js:
2771         * exceptionFuzz/date-format-xparb.js:
2772         * exceptionFuzz/earley-boyer.js:
2773         * heapProfiler/basic-edges.js:
2774         * heapProfiler/property-edge-types.js:
2775         * microbenchmarks/try-get-by-id-basic.js:
2776         * microbenchmarks/try-get-by-id-polymorphic.js:
2777         * modules/namespace-object-try-get.js:
2778         * stress/argument-count-bytecode.js:
2779         * stress/argument-intrinsic-basic.js:
2780         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2781         * stress/argument-intrinsic-inlining-with-result-escape.js:
2782         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2783         * stress/argument-intrinsic-inlining-with-vararg.js:
2784         * stress/argument-intrinsic-nested-inlining.js:
2785         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2786         * stress/argument-intrinsic-with-stack-write.js:
2787         * stress/arity-mismatch-get-argument.js:
2788         * stress/array-message-passing.js:
2789         * stress/array-push-with-force-exit.js:
2790         * stress/check-dom-with-signature.js:
2791         * stress/check-sub-class.js:
2792         * stress/compare-eq-incomplete-profile.js:
2793         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2794         * stress/do-eval-virtual-call-correctly.js:
2795         * stress/dom-jit-with-poly-proto.js:
2796         * stress/domjit-exception-ic.js:
2797         * stress/domjit-exception.js:
2798         * stress/domjit-getter-complex-with-incorrect-object.js:
2799         * stress/domjit-getter-complex.js:
2800         * stress/domjit-getter-poly.js:
2801         * stress/domjit-getter-proto.js:
2802         * stress/domjit-getter-super-poly.js:
2803         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2804         * stress/domjit-getter-type-check.js:
2805         * stress/domjit-getter.js:
2806         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2807         * stress/for-in-proxy-target-changed-structure.js:
2808         * stress/for-in-proxy.js:
2809         * stress/generational-opaque-roots.js:
2810         * stress/global-const-redeclaration-setting-2.js:
2811         * stress/global-const-redeclaration-setting-3.js:
2812         * stress/global-const-redeclaration-setting-4.js:
2813         * stress/global-const-redeclaration-setting-5.js:
2814         * stress/global-const-redeclaration-setting.js:
2815         * stress/import-basic.js:
2816         * stress/import-from-eval.js:
2817         * stress/import-reject-with-exception.js:
2818         * stress/import-syntax.js:
2819         * stress/impure-get-own-property-slot-inline-cache.js:
2820         * stress/is-constructor.js:
2821         * stress/istypedarrayview-intrinsic.js:
2822         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2823         * stress/jsc-test-functions-should-be-more-robust.js:
2824         * stress/object-toString-with-proxy.js:
2825         * stress/poly-proto-custom-value-and-accessor.js:
2826         * stress/proxy-inline-cache.js:
2827         * stress/re-execute-error-module.js:
2828         * stress/regress-150532.js:
2829         * stress/regress-156992.js:
2830         * stress/regress-179619.js:
2831         * stress/resources/shadow-chicken-support.js:
2832         * stress/runtime-array.js:
2833         * stress/sampling-profiler-microtasks.js:
2834         * stress/shadow-chicken-enabled.js:
2835         * stress/spread-correct-global-object-on-exception.js:
2836         * stress/super-get-by-id.js:
2837         * stress/tailCallForwardArguments.js:
2838         * stress/to-object-intrinsic-boolean-edge.js:
2839         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2840         * stress/to-object-intrinsic-number-edge.js:
2841         * stress/to-object-intrinsic-object-edge.js:
2842         * stress/to-object-intrinsic-string-edge.js:
2843         * stress/to-object-intrinsic-symbol-edge.js:
2844         * stress/to-object-intrinsic.js:
2845         * stress/try-catch-custom-getter-as-get-by-id.js:
2846         * stress/try-get-by-id-poly-proto.js:
2847         * stress/try-get-by-id-should-spill-registers-dfg.js:
2848         * stress/try-get-by-id.js:
2849         * typeProfiler/arrow-functions.js:
2850         * typeProfiler/basic.js:
2851         * typeProfiler/captured.js:
2852         * typeProfiler/classes.js:
2853         * typeProfiler/dfg-jit-optimizations.js:
2854         * typeProfiler/dictionary-mode.js:
2855         * typeProfiler/es6-block-scoping.js:
2856         * typeProfiler/es6-classes.js:
2857         * typeProfiler/inheritance.js:
2858         * typeProfiler/int52-dfg.js:
2859         * typeProfiler/loop.js:
2860         * typeProfiler/optional-fields.js:
2861         * typeProfiler/overflow.js:
2862         * typeProfiler/return.js:
2863         * typeProfiler/symbol.js:
2864         * typeProfiler/weird-prototype-chain.js:
2865
2866 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2867
2868         [DFG][FTL] Support MapSet / SetAdd intrinsics
2869         https://bugs.webkit.org/show_bug.cgi?id=179858
2870
2871         Reviewed by Saam Barati.
2872
2873         * microbenchmarks/map-has-and-set.js: Added.
2874         (test):
2875         * stress/map-set-check-failure.js: Added.
2876         (shouldBe):
2877         (shouldThrow):
2878         (target):
2879         * stress/map-set-cse.js: Added.
2880         (shouldBe):
2881         (test):
2882         * stress/set-add-check-failure.js: Added.
2883         (shouldBe):
2884         (shouldThrow):
2885         (set shouldThrow):
2886         * stress/set-add-cse.js: Added.
2887         (shouldBe):
2888
2889 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2890
2891         [JSC] Allow poly proto for intrinsic getters
2892         https://bugs.webkit.org/show_bug.cgi?id=179550
2893
2894         Reviewed by Saam Barati.
2895
2896         This change is also tested by existing tests.
2897
2898             1. stress/intrinsic-getter-with-poly-proto.js
2899             2. stress/poly-proto-intrinsic-getter-correctness.js
2900
2901         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2902         (shouldBe):
2903         (makePolyProtoObject.foo.C):
2904         (makePolyProtoObject.foo):
2905         (makePolyProtoObject):
2906         (target):
2907         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2908         (shouldBe):
2909         (makePolyProtoObject.foo.C):
2910         (makePolyProtoObject.foo):
2911         (makePolyProtoObject):
2912         (target):
2913
2914 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2915
2916         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2917         https://bugs.webkit.org/show_bug.cgi?id=179744
2918
2919         Reviewed by Michael Catanzaro.
2920
2921         This test uses too much memory for our buildbots on these platforms
2922         and gets OOM-killed.
2923
2924         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2925         Skip if $memoryLimited and linux.
2926
2927 2017-11-17  JF Bastien  <jfbastien@apple.com>
2928
2929         WebAssembly JS API: throw when a promise can't be created
2930         https://bugs.webkit.org/show_bug.cgi?id=179826
2931         <rdar://problem/35455813>
2932
2933         Reviewed by Mark Lam.
2934
2935         Test WebAssembly.{compile,instantiate} where promise creation
2936         fails because of a stack overflow.
2937
2938         * wasm/js-api/promise-stack-overflow.js: Added.
2939         (const.runNearStackLimit.f.const.t):
2940         (async.testCompile):
2941         (async.testInstantiate):
2942
2943 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2944
2945         Unreviewed, mark regress-178385.js as memory exhausting
2946
2947         * stress/regress-178385.js:
2948
2949 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2950
2951         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2952
2953         Unreviewed test gardening.
2954
2955         * test262.yaml:
2956
2957 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2958
2959         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2960         https://bugs.webkit.org/show_bug.cgi?id=179763
2961         <rdar://problem/35550513>
2962
2963         Reviewed by Keith Miller.
2964
2965         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2966
2967         * stress/tdz-this-in-try-catch.js: Added.
2968         (__v_6388):
2969         (__v_6392):
2970
2971 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2972
2973         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2974         https://bugs.webkit.org/show_bug.cgi?id=179594
2975
2976         Reviewed by Saam Barati.
2977
2978         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2979         (shouldBe):
2980         (args):
2981         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2982         (shouldBe):
2983         (args):
2984
2985 2017-11-14  Saam Barati  <sbarati@apple.com>
2986
2987         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2988         https://bugs.webkit.org/show_bug.cgi?id=179639
2989         <rdar://problem/35513018>
2990
2991         Reviewed by JF Bastien.
2992
2993         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2994         (escape):
2995         (i.func):
2996
2997 2017-11-13  Mark Lam  <mark.lam@apple.com>
2998
2999         Add more overflow check book-keeping for MarkedArgumentBuffer.
3000         https://bugs.webkit.org/show_bug.cgi?id=179634
3001         <rdar://problem/35492517>
3002
3003         Reviewed by Saam Barati.
3004
3005         * stress/regress-179634.js: Added.
3006
3007 2017-11-13  Mark Lam  <mark.lam@apple.com>
3008
3009         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3010         https://bugs.webkit.org/show_bug.cgi?id=179619
3011         <rdar://problem/35492518>
3012
3013         Reviewed by Saam Barati.
3014
3015         * stress/regress-179619.js: Added.
3016
3017 2017-11-12  Mark Lam  <mark.lam@apple.com>
3018
3019         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3020         https://bugs.webkit.org/show_bug.cgi?id=179562
3021         <rdar://problem/35467022>
3022
3023         Reviewed by Saam Barati.
3024
3025         * regress-179562.js: Added.
3026
3027 2017-11-08  Saam Barati  <sbarati@apple.com>
3028
3029         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3030         https://bugs.webkit.org/show_bug.cgi?id=177792
3031
3032         Reviewed by Yusuke Suzuki.
3033
3034         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3035         (assert):
3036         (foo.Foo.prototype.ensureX):
3037         (foo.Foo):
3038         (foo):
3039         (access):
3040
3041 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3042
3043         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3044         https://bugs.webkit.org/show_bug.cgi?id=178592
3045
3046         Unreviewed test gardening.
3047
3048         * test262.yaml:
3049
3050 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3051
3052         Turn recursive tail calls into loops
3053         https://bugs.webkit.org/show_bug.cgi?id=176601
3054
3055         Reviewed by Saam Barati.
3056
3057         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3058
3059         Add some simple test that computes factorial in several ways, and other trivial computations.
3060         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3061         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3062         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3063         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3064
3065         * stress/inline-call-to-recursive-tail-call.js: Added.
3066         (factorial.aux):
3067         (factorial):
3068         (factorial2.aux2):
3069         (factorial2.id):
3070         (factorial2):
3071         (factorial3.aux3):
3072         (factorial3):
3073         (aux4):
3074         (factorial4):
3075         (foo):
3076         (auxBar):
3077         (bar):
3078         (test):
3079
3080 2017-11-07  Mark Lam  <mark.lam@apple.com>
3081
3082         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3083         https://bugs.webkit.org/show_bug.cgi?id=179355
3084         <rdar://problem/35263053>
3085
3086         Reviewed by Saam Barati.
3087
3088         * stress/regress-179355.js: Added.
3089
3090 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3091
3092         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3093         https://bugs.webkit.org/show_bug.cgi?id=144458
3094
3095         Reviewed by Saam Barati.
3096
3097         * microbenchmarks/dfg-internal-function-call.js: Added.
3098         (target):
3099         * microbenchmarks/dfg-internal-function-construct.js: Added.
3100         (target):
3101         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3102         (target):
3103         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3104         (target):
3105         * stress/dfg-internal-function-call.js: Added.
3106         (shouldBe):
3107         (target):
3108         * stress/dfg-internal-function-construct.js: Added.
3109         (shouldBe):
3110         (target):
3111         * stress/internal-function-call.js: Added.
3112         (shouldBe):
3113         * stress/internal-function-construct.js: Added.
3114         (shouldBe):
3115
3116 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3117
3118         [Win] Skip stress/regress-178385.js.
3119         https://bugs.webkit.org/show_bug.cgi?id=179298
3120
3121         Unreviewed test gardening.
3122
3123         * stress/regress-178385.js:
3124
3125 2017-11-03  Keith Miller  <keith_miller@apple.com>
3126
3127         Add test for ic with side effects
3128         https://bugs.webkit.org/show_bug.cgi?id=179268
3129
3130         Reviewed by Saam Barati.
3131
3132         * stress/put-inline-cache-side-effects.js: Added.
3133         (let.i.of.objs.keys):
3134         (f):
3135
3136 2017-11-03  Mark Lam  <mark.lam@apple.com>
3137
3138         CachedCall (and its clients) needs overflow checks.
3139         https://bugs.webkit.org/show_bug.cgi?id=179185
3140
3141         Reviewed by JF Bastien.
3142
3143         * stress/regress-179185.js: Added.
3144
3145 2017-11-02  Michael Saboff  <msaboff@apple.com>
3146
3147         DFG needs to handle code motion of code in for..in loop bodies
3148         https://bugs.webkit.org/show_bug.cgi?id=179212
3149
3150         Reviewed by Keith Miller.
3151
3152         New regression test.
3153
3154         * stress/for-in-side-effects.js: Added.
3155         (getPrototypeOf):
3156         (reset):
3157         (testWithoutFTL.f):
3158         (testWithoutFTL):
3159         (testWithFTL.f):
3160         (testWithFTL):
3161
3162 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3163
3164         AI does not correctly model the clobber case of ArithClz32
3165         https://bugs.webkit.org/show_bug.cgi?id=179188
3166
3167         Reviewed by Michael Saboff.
3168
3169         * stress/arith-clz32-effects.js: Added.
3170         (foo):
3171         (valueOf):
3172
3173 2017-11-01  Michael Saboff  <msaboff@apple.com>
3174
3175         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3176         https://bugs.webkit.org/show_bug.cgi?id=179140
3177
3178         Reviewed by Saam Barati.
3179
3180         New regression test.
3181
3182         * stress/regress-179140.js: Added.
3183         (testWithoutFTL):
3184         (testWithFTL):
3185
3186 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3187
3188         [JSC] Introduce @toObject
3189         https://bugs.webkit.org/show_bug.cgi?id=178726
3190
3191         Reviewed by Saam Barati.
3192
3193         * stress/array-copywithin.js:
3194         (shouldThrow):
3195         * stress/object-constructor-boolean-edge.js: Added.
3196         (shouldBe):
3197         (test):
3198         * stress/object-constructor-global.js: Added.
3199         (shouldBe):
3200         * stress/object-constructor-null-edge.js: Added.
3201         (shouldBe):
3202         (test):
3203         * stress/object-constructor-number-edge.js: Added.
3204         (shouldBe):
3205         (test):
3206         * stress/object-constructor-object-edge.js: Added.
3207         (shouldBe):
3208         (test):
3209         (i.arg):
3210         * stress/object-constructor-string-edge.js: Added.
3211         (shouldBe):
3212         (test):
3213         * stress/object-constructor-symbol-edge.js: Added.
3214         (shouldBe):
3215         (test):
3216         * stress/object-constructor-undefined-edge.js: Added.
3217         (shouldBe):
3218         (test):
3219         * stress/symbol-array-from.js: Added.
3220         (shouldBe):
3221         * stress/to-object-intrinsic-boolean-edge.js: Added.
3222         (shouldBe):
3223         (builtin.createBuiltin):
3224         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3225         (shouldThrow):
3226         * stress/to-object-intrinsic-number-edge.js: Added.
3227         (shouldBe):
3228         (builtin.createBuiltin):
3229         * stress/to-object-intrinsic-object-edge.js: Added.
3230         (shouldBe):
3231         (builtin.createBuiltin):
3232         (i.arg):
3233         * stress/to-object-intrinsic-string-edge.js: Added.
3234         (shouldBe):
3235         (builtin.createBuiltin):
3236         * stress/to-object-intrinsic-symbol-edge.js: Added.
3237         (shouldBe):
3238         (builtin.createBuiltin):
3239         * stress/to-object-intrinsic.js: Added.
3240         (shouldBe):
3241         (shouldThrow):
3242         (builtin.createBuiltin):
3243
3244 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3245
3246         [DFG][FTL] Introduce StringSlice
3247         https://bugs.webkit.org/show_bug.cgi?id=178934
3248
3249         Reviewed by Saam Barati.
3250
3251         * microbenchmarks/string-slice-empty.js: Added.
3252         (slice):
3253         * microbenchmarks/string-slice-one-char.js: Added.
3254         (slice):
3255         * microbenchmarks/string-slice.js: Added.
3256         (slice):
3257
3258 2017-10-26  Michael Saboff  <msaboff@apple.com>
3259
3260         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3261         https://bugs.webkit.org/show_bug.cgi?id=178890
3262
3263         Reviewed by Keith Miller.
3264
3265         New regression test.
3266
3267         * stress/regress-178890.js: Added.
3268
3269 2017-10-26  Mark Lam  <mark.lam@apple.com>
3270
3271         JSRopeString::RopeBuilder::append() should check for overflows.
3272         https://bugs.webkit.org/show_bug.cgi?id=178385
3273         <rdar://problem/35027468>
3274
3275         Reviewed by Saam Barati.
3276
3277         * stress/regress-178385.js: Added.
3278
3279 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3280
3281         Unreviewed, rolling out r223961.
3282
3283         The change that required this has been rolled out.
3284
3285         Reverted changeset:
3286
3287         "Mark test262.yaml/test262/test/language/statements/try/tco-
3288         catch.js as passing."
3289         https://bugs.webkit.org/show_bug.cgi?id=178592
3290         https://trac.webkit.org/changeset/223961
3291
3292 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3293
3294         Unreviewed, rolling out r223691 and r223729.
3295         https://bugs.webkit.org/show_bug.cgi?id=178834
3296
3297         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3298         by rniwa on #webkit).
3299
3300         Reverted changesets:
3301
3302         "Turn recursive tail calls into loops"
3303         https://bugs.webkit.org/show_bug.cgi?id=176601
3304         https://trac.webkit.org/changeset/223691
3305
3306         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3307         comparison is always false due to limited range of data type
3308         [-Wtype-limits]"
3309         https://bugs.webkit.org/show_bug.cgi?id=178543
3310         https://trac.webkit.org/changeset/223729
3311
3312 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3313
3314         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3315         https://bugs.webkit.org/show_bug.cgi?id=178592
3316
3317         Unreviewed test gardening.
3318
3319         * test262.yaml:
3320
3321 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3322
3323         [FTL] Support NewStringObject
3324         https://bugs.webkit.org/show_bug.cgi?id=178737
3325
3326         Reviewed by Saam Barati.
3327
3328         * stress/new-string-object.js: Added.
3329         (shouldBe):
3330         (test):
3331
3332 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3333
3334         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3335         https://bugs.webkit.org/show_bug.cgi?id=178308
3336
3337         Reviewed by Mark Lam.
3338
3339         * test262.yaml:
3340
3341 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3342
3343         [JSC] Use fastJoin in Array#toString
3344         https://bugs.webkit.org/show_bug.cgi?id=178062
3345
3346         Reviewed by Darin Adler.
3347
3348         * microbenchmarks/contiguous-array-to-string.js: Added.
3349         (target):
3350         * microbenchmarks/double-array-to-string.js: Added.
3351         (target):
3352         * microbenchmarks/int32-array-to-string.js: Added.
3353         (target):
3354
3355 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3356
3357         stress/check-string-ident.js is improperly skipped
3358         https://bugs.webkit.org/show_bug.cgi?id=178642
3359
3360         Reviewed by Saam Barati.
3361
3362         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3363         since it enforces the run-jsc-stress-tests script to still set up the
3364         test to run, despite the skip directive that's used before.
3365
3366 2017-10-20  Mark Lam  <mark.lam@apple.com>
3367
3368         Add a test case for r214334.
3369         https://bugs.webkit.org/show_bug.cgi?id=169941
3370         <rdar://problem/31221258>
3371
3372         Reviewed by JF Bastien.
3373
3374         * stress/regress-169941.js: Added.
3375
3376 2017-10-19  JF Bastien  <jfbastien@apple.com>
3377
3378         WebAssembly: no VM / JS version of everything but Instance
3379         https://bugs.webkit.org/show_bug.cgi?id=177473
3380
3381         Reviewed by Filip Pizlo, Saam Barati.
3382
3383         - Exceeding max on memory growth now returns a range error as per
3384         spec. This is a (very minor) breaking change: it used to throw OOM
3385         error. Update the corresponding test.
3386
3387         * wasm/js-api/memory-grow.js:
3388         (assertEq):
3389         * wasm/js-api/table.js:
3390         (assert.throws):
3391
3392 2017-10-19  Mark Lam  <mark.lam@apple.com>
3393
3394         Stringifier::appendStringifiedValue() is missing an exception check.
3395         https://bugs.webkit.org/show_bug.cgi?id=178386
3396         <rdar://problem/35027610>
3397
3398         Reviewed by Saam Barati.
3399
3400         * stress/regress-178386.js: Added.
3401
3402 2017-10-19  Michael Saboff  <msaboff@apple.com>
3403
3404         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3405         https://bugs.webkit.org/show_bug.cgi?id=178521
3406
3407         Reviewed by JF Bastien.
3408
3409         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3410         now passes with the current version (5.0) of the Emoji spec.
3411
3412 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3413
3414         Turn recursive tail calls into loops
3415         https://bugs.webkit.org/show_bug.cgi?id=176601
3416
3417         Reviewed by Saam Barati.
3418
3419         Add some simple test that computes factorial in several ways, and other trivial computations.
3420         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3421         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3422         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3423         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3424
3425         * stress/inline-call-to-recursive-tail-call.js: Added.
3426         (factorial.aux):
3427         (factorial):
3428         (factorial2.aux):
3429         (factorial2.id):
3430         (factorial2):
3431         (factorial3.aux):
3432         (factorial3):
3433         (aux):
3434         (factorial4):
3435         (test):
3436
3437 2017-10-18  Mark Lam  <mark.lam@apple.com>
3438
3439         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3440         https://bugs.webkit.org/show_bug.cgi?id=177600
3441         <rdar://problem/34710985>
3442
3443         Reviewed by Saam Barati.
3444
3445         * stress/regress-177600.js: Added.
3446
3447 2017-10-18  Mark Lam  <mark.lam@apple.com>
3448
3449         The compiler should always register a structure when it adds its transitionWatchPointSet.
3450         https://bugs.webkit.org/show_bug.cgi?id=178420
3451         <rdar://problem/34814024>
3452
3453         Reviewed by Saam Barati and Filip Pizlo.
3454
3455         * stress/regress-178420.js: Added.
3456         (new.Array.10000.map):
3457
3458 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3459
3460         [JSC] __proto__ getter should be fast
3461         https://bugs.webkit.org/show_bug.cgi?id=178067
3462
3463         Reviewed by Saam Barati.
3464
3465         * stress/dfg-object-proto-accessor.js: Added.
3466         (shouldBe):
3467         (shouldThrow):
3468         (target):
3469         * stress/dfg-object-proto-getter.js: Added.
3470         (shouldBe):
3471         (shouldThrow):
3472         (target):
3473         * stress/dfg-object-prototype-of.js: Added.
3474         (shouldBe):
3475         (shouldThrow):
3476         (target):
3477         * stress/dfg-reflect-get-prototype-of.js: Added.
3478         (shouldBe):
3479         (shouldThrow):
3480         (target):
3481         * stress/intrinsic-getter-with-poly-proto.js: Added.
3482         (shouldBe):
3483         (makePolyProtoObject.foo.C):
3484         (makePolyProtoObject.foo):
3485         (makePolyProtoObject):
3486         (target):
3487         * stress/object-get-prototype-of-filtered.js: Added.
3488         (shouldBe):
3489         (shouldThrow):
3490         (target):
3491         (i.Cocoa):
3492         * stress/object-get-prototype-of-mono-proto.js: Added.
3493         (shouldBe):
3494         (makePolyProtoObject.foo.C):
3495         (makePolyProtoObject.foo):
3496         (makePolyProtoObject):
3497         (target):
3498         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3499         (shouldBe):
3500         (makePolyProtoObject.foo.C):
3501         (makePolyProtoObject.foo):
3502         (makePolyProtoObject):
3503         (target):
3504         * stress/object-get-prototype-of-poly-proto.js: Added.
3505         (shouldBe):
3506         (makePolyProtoObject.foo.C):
3507         (makePolyProtoObject.foo):
3508         (makePolyProtoObject):
3509         (target):
3510         * stress/object-proto-getter-filtered.js: Added.
3511         (shouldBe):
3512         (shouldThrow):
3513         (target):
3514         (i.Cocoa):
3515         * stress/object-proto-getter-poly-mono-proto.js: Added.
3516         (shouldBe):
3517         (makePolyProtoObject.foo.C):
3518         (makePolyProtoObject.foo):
3519         (makePolyProtoObject):
3520         (target):
3521         * stress/object-proto-getter-poly-proto.js: Added.
3522         (shouldBe):
3523         (makePolyProtoObject.foo.C):
3524         (makePolyProtoObject.foo):
3525         (makePolyProtoObject):
3526         (target):
3527         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3528         * stress/string-proto.js: Added.
3529         (shouldBe):
3530         (target):
3531
3532 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3533
3534         Unreviewed, rolling out r223523.
3535
3536         A test for this change is failing on debug JSC bots.
3537
3538         Reverted changeset:
3539
3540         "[JSC] __proto__ getter should be fast"
3541         https://bugs.webkit.org/show_bug.cgi?id=178067
3542         https://trac.webkit.org/changeset/223523
3543
3544 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3545
3546         [JSC] __proto__ getter should be fast
3547         https://bugs.webkit.org/show_bug.cgi?id=178067
3548
3549         Reviewed by Saam Barati.
3550
3551         * stress/dfg-object-proto-accessor.js: Added.
3552         (shouldBe):
3553         (shouldThrow):
3554         (target):
3555         * stress/dfg-object-proto-getter.js: Added.
3556         (shouldBe):
3557         (shouldThrow):
3558         (target):
3559         * stress/dfg-object-prototype-of.js: Added.
3560         (shouldBe):
3561         (shouldThrow):
3562         (target):
3563         * stress/dfg-reflect-get-prototype-of.js: Added.
3564         (shouldBe):
3565         (shouldThrow):
3566         (target):
3567         * stress/object-get-prototype-of-filtered.js: Added.
3568         (shouldBe):
3569         (shouldThrow):
3570         (target):
3571         (i.Cocoa):
3572         * stress/object-get-prototype-of-mono-proto.js: Added.
3573         (shouldBe):
3574         (makePolyProtoObject.foo.C):
3575         (makePolyProtoObject.foo):
3576         (makePolyProtoObject):
3577         (target):
3578         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3579         (shouldBe):
3580         (makePolyProtoObject.foo.C):
3581         (makePolyProtoObject.foo):
3582         (makePolyProtoObject):
3583         (target):
3584         * stress/object-get-prototype-of-poly-proto.js: Added.
3585         (shouldBe):
3586         (makePolyProtoObject.foo.C):
3587         (makePolyProtoObject.foo):
3588         (makePolyProtoObject):
3589         (target):
3590         * stress/object-proto-getter-filtered.js: Added.
3591         (shouldBe):
3592         (shouldThrow):
3593         (target):
3594         (i.Cocoa):
3595         * stress/object-proto-getter-poly-mono-proto.js: Added.
3596         (shouldBe):
3597         (makePolyProtoObject.foo.C):
3598         (makePolyProtoObject.foo):
3599         (makePolyProtoObject):
3600         (target):
3601         * stress/object-proto-getter-poly-proto.js: Added.
3602         (shouldBe):
3603         (makePolyProtoObject.foo.C):
3604         (makePolyProtoObject.foo):
3605         (makePolyProtoObject):
3606         (target):
3607         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3608         * stress/string-proto.js: Added.
3609         (shouldBe):
3610         (target):
3611
3612 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3613
3614         Reland "Add Above/Below comparisons for UInt32 patterns"
3615         https://bugs.webkit.org/show_bug.cgi?id=177281
3616
3617         Reviewed by Saam Barati.
3618
3619         * stress/uint32-comparison-jump.js: Added.
3620         (shouldBe):
3621         (above):
3622         (aboveOrEqual):
3623         (below):
3624         (belowOrEqual):
3625         (notAbove):
3626         (notAboveOrEqual):
3627         (notBelow):
3628         (notBelowOrEqual):
3629         * stress/uint32-comparison.js: Added.
3630         (shouldBe):
3631         (above):
3632         (aboveOrEqual):
3633         (below):
3634         (belowOrEqual):
3635         (aboveTest):
3636         (aboveOrEqualTest):
3637         (belowTest):
3638         (belowOrEqualTest):
3639
3640 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3641
3642         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3643         https://bugs.webkit.org/show_bug.cgi?id=178210
3644
3645         Reviewed by Saam Barati.
3646
3647         * wasm/function-tests/trap-from-start-async.js:
3648         (async.StartTrapsAsync):
3649         * wasm/function-tests/trap-from-start.js:
3650         (StartTraps):
3651         * wasm/js-api/web-assembly-function.js:
3652         (assert.eq.Object.getPrototypeOf):
3653         * wasm/js-api/wrapper-function.js:
3654         (return.new.WebAssembly.Module):
3655         (assert.throws.makeInstance): Deleted.
3656         (assert.throws.Bar): Deleted.
3657         (assert.throws): Deleted.
3658
3659 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3660
3661         Enable gigacage on iOS
3662         https://bugs.webkit.org/show_bug.cgi?id=177586
3663
3664         Reviewed by JF Bastien.
3665         
3666         Add tests for when Gigacage gets runtime disabled.
3667
3668         * stress/disable-gigacage-arrays.js: Added.
3669         (foo):
3670         * stress/disable-gigacage-strings.js: Added.
3671         (foo):
3672         * stress/disable-gigacage-typed-arrays.js: Added.
3673         (foo):
3674
3675 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3676
3677         import.meta should not be assignable
3678         https://bugs.webkit.org/show_bug.cgi?id=178202
3679
3680         Reviewed by Saam Barati.
3681
3682         * modules/import-meta-assignment.js: Added.
3683         (shouldThrow):
3684         (SyntaxError.import.meta.can.shouldThrow):
3685
3686 2017-10-11  Saam Barati  <sbarati@apple.com>
3687
3688         Unreviewed. Actually skip certain type profiler tests in debug.
3689
3690         * typeProfiler.yaml:
3691         * typeProfiler/deltablue-for-of.js:
3692         * typeProfiler/getter-richards.js:
3693
3694 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3695
3696         Unreviewed, rolling out r223113 and r223121.
3697         https://bugs.webkit.org/show_bug.cgi?id=178182
3698
3699         Reintroduced 20% regression on Kraken (Requested by rniwa on
3700         #webkit).
3701
3702         Reverted changesets:
3703
3704         "Enable gigacage on iOS"
3705         https://bugs.webkit.org/show_bug.cgi?id=177586
3706         https://trac.webkit.org/changeset/223113
3707
3708         "Use one virtual allocation for all gigacages and their
3709         runways"
3710         https://bugs.webkit.org/show_bug.cgi?id=178050
3711         https://trac.webkit.org/changeset/223121
3712
3713 2017-10-11  Michael Saboff  <msaboff@apple.com>
3714
3715         Disable test262 named capture group tests with direct unicode names and with references before definitions
3716         https://bugs.webkit.org/show_bug.cgi?id=178177
3717
3718         Reviewed by Keith Miller.
3719
3720         Bugs to track fixing these test are:
3721         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3722             "Add support in named capture group identifiers for direct surrogate pairs"
3723         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3724             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3725
3726         * test262.yaml:
3727
3728 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3729
3730         Object properties are undefined in super.call() but not in this.call()
3731         https://bugs.webkit.org/show_bug.cgi?id=177230
3732
3733         Reviewed by Saam Barati.
3734
3735         * stress/super-call-function-subclass.js: Added.
3736         (assert):
3737         (A.prototype.t):
3738         (A):
3739         * stress/super-dot-call-and-apply.js: Added.
3740         (assert):
3741         (A):
3742         (A.prototype.call):
3743         (A.prototype.apply):
3744         (B.prototype.testSuper):
3745         (B):
3746         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3747         (D.prototype.testSuper):
3748         (D):
3749
3750 2017-10-10  Saam Barati  <sbarati@apple.com>
3751