baba85f9646f590b164b423532a0e8243374133d
[WebKit-https.git] / JSTests / ChangeLog
1 2018-02-14  Saam Barati  <sbarati@apple.com>
2
3         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
4         https://bugs.webkit.org/show_bug.cgi?id=182801
5
6         Reviewed by Keith Miller.
7
8         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
9
10 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
11
12         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
13         https://bugs.webkit.org/show_bug.cgi?id=182526
14
15         Unreviewed test gardening.
16
17         * stress/activation-sink-default-value-tdz-error.js:
18
19 2018-02-13  Saam Barati  <sbarati@apple.com>
20
21         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
22         https://bugs.webkit.org/show_bug.cgi?id=182755
23         <rdar://problem/37080864>
24
25         Reviewed by Keith Miller.
26
27         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
28         (test1.o.get 10005):
29         (test1):
30         (test2.o.get 1000):
31         (test2):
32
33 2018-02-13  Caitlin Potter  <caitp@igalia.com>
34
35         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
36         https://bugs.webkit.org/show_bug.cgi?id=182717
37
38         Reviewed by Yusuke Suzuki.
39
40         https://github.com/tc39/ecma262/pull/890 imposes a change to template
41         literals, to allow template callsite arrays to be collected when the
42         code containing the tagged template call is collected. This spec change
43         has received concensus and been ratified.
44
45         This change eliminates the eternal map associating template contents
46         with arrays.
47
48         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
49         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
50         * stress/tagged-templates-identity.js:
51         * stress/template-string-tags-eval.js:
52         * test262.yaml:
53
54 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
55
56         Support GetArrayLength on ArrayStorage in the FTL
57         https://bugs.webkit.org/show_bug.cgi?id=182625
58
59         Reviewed by Saam Barati.
60
61         * stress/array-storage-length.js: Added.
62         (shouldBe):
63         (testInBound):
64         (testUncountable):
65         (testSlowPutInBound):
66         (testSlowPutUncountable):
67         * stress/undecided-length.js: Added.
68         (shouldBe):
69         (test2):
70
71 2018-02-12  Saam Barati  <sbarati@apple.com>
72
73         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
74         https://bugs.webkit.org/show_bug.cgi?id=182706
75         <rdar://problem/36833681>
76
77         Reviewed by Filip Pizlo.
78
79         * stress/get-array-length-phantom-new-array-buffer.js: Added.
80         (effects):
81         (foo):
82
83 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
84
85         Don't waste memory for error.stack
86         https://bugs.webkit.org/show_bug.cgi?id=182656
87
88         Reviewed by Saam Barati.
89         
90         Tests the policy.
91
92         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
93         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
94
95 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
96
97         [JSC] Update Test262 to Feb 9 version
98         https://bugs.webkit.org/show_bug.cgi?id=182468
99
100         Reviewed by Saam Barati.
101
102 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
103
104         Unreviewed, fix invalid line terminator in old test262 file part 2
105         https://bugs.webkit.org/show_bug.cgi?id=182468
106
107         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
108
109 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
110
111         Unreviewed, fix invalid line terminator in old test262 file
112         https://bugs.webkit.org/show_bug.cgi?id=182468
113
114         * test262/test/language/literals/regexp/7.8.5-1.js:
115
116 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
117
118         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
119         https://bugs.webkit.org/show_bug.cgi?id=182440
120
121         Reviewed by Darin Adler.
122
123         * stress/array-flatmap.js: Added.
124         (shouldBe):
125         (shouldBeArray):
126         (shouldThrow):
127         (var):
128         * stress/array-flatten.js: Added.
129         (shouldBe):
130         (shouldBeArray):
131         * test262.yaml:
132         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
133         (3.flatMap):
134         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
135
136 2018-02-06  Keith Miller  <keith_miller@apple.com>
137
138         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
139         https://bugs.webkit.org/show_bug.cgi?id=182549
140         <rdar://problem/36189995>
141
142         Reviewed by Saam Barati.
143
144         * stress/var-injection-cache-invalidation.js: Added.
145         (allocateLotsOfThings):
146         (test):
147
148 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
149
150         Unreviewed, follow up for test262 update
151         https://bugs.webkit.org/show_bug.cgi?id=182288
152
153         * test262.yaml:
154
155 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
156
157         Update test262 to Jan 30 version
158         https://bugs.webkit.org/show_bug.cgi?id=182288
159
160         Unreviewed test gardening.
161
162         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
163
164 2018-02-02  Saam Barati  <sbarati@apple.com>
165
166         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
167         https://bugs.webkit.org/show_bug.cgi?id=182368
168         <rdar://problem/36932466>
169
170         Reviewed by Mark Lam.
171
172         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
173         (runNearStackLimit.t):
174         (runNearStackLimit):
175         (try.runNearStackLimit):
176         (catch):
177
178 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
179
180         Update test262 to Jan 30 version
181         https://bugs.webkit.org/show_bug.cgi?id=182288
182
183         Rubber stamped by Saam Barati.
184
185         This patch updates test262 to the latest one, Jan 30 version.
186         Since added and changed files are too many, we cannot create ChangeLog.
187         The following files are changed.
188
189         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
190         including some special line terminators (like u2028, u2029).
191
192         * test262.yaml:
193         * test262/test262-Revision.txt:
194         * test262/*:
195
196 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
197
198         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
199         https://bugs.webkit.org/show_bug.cgi?id=182411
200
201         Reviewed by Carlos Alberto Lopez Perez.
202
203         This is skipped only on arm memory limited platforms. Until recently
204         it was not a problem on MIPS as the butterfly was not initialized. But
205         since r227435, the butterfly is initialized in that test and therefore
206         memory is allocated, and the test typically takes around 512M, which
207         means it generally gets OOM-killed on the MIPS buildbot.
208
209         * mozilla/mozilla-tests.yaml:
210
211 2018-02-01  Mark Lam  <mark.lam@apple.com>
212
213         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
214         https://bugs.webkit.org/show_bug.cgi?id=182419
215         <rdar://problem/37044945>
216
217         Reviewed by Saam Barati.
218
219         * stress/regress-182419.js: Added.
220
221 2018-02-01  Keith Miller  <keith_miller@apple.com>
222
223         Fix crashes due to mishandling custom sections.
224         https://bugs.webkit.org/show_bug.cgi?id=182404
225         <rdar://problem/36935863>
226
227         Reviewed by Saam Barati.
228
229         * wasm/Builder.js:
230         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
231         * wasm/js-api/validate.js:
232         (assert.truthy):
233
234 2018-01-31  Saam Barati  <sbarati@apple.com>
235
236         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
237         https://bugs.webkit.org/show_bug.cgi?id=182074
238         <rdar://problem/36846261>
239
240         Reviewed by Mark Lam.
241
242         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
243         (assert):
244         (let.func):
245         (let.o.foo):
246         (varFunc):
247
248 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
249
250         Unreviewed, update test262 expects
251         https://bugs.webkit.org/show_bug.cgi?id=182232
252
253         * test262.yaml:
254
255 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
256
257         [JSC] Implement trimStart and trimEnd
258         https://bugs.webkit.org/show_bug.cgi?id=182233
259
260         Reviewed by Mark Lam.
261
262         * stress/trim.js: Added.
263         (shouldBe):
264         (startTest):
265         (endTest):
266         (trimTest):
267
268 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
269
270         [JSC] Relax line terminators in String to make JSON subset of JS
271         https://bugs.webkit.org/show_bug.cgi?id=182232
272
273         Reviewed by Keith Miller.
274
275         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
276         * stress/relaxed-line-terminators-in-string.js: Added.
277         (shouldBe):
278
279 2018-01-29  Michael Saboff  <msaboff@apple.com>
280
281         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
282         https://bugs.webkit.org/show_bug.cgi?id=182249
283
284         Reviewed by Keith Miller.
285
286         New regression test.
287
288         * stress/compare-clobber-untypeduse.js: Added.
289
290 2018-01-29  Matt Lewis  <jlewis3@apple.com>
291
292         Unreviewed, rolling out r227725.
293
294         This caused internal failures.
295
296         Reverted changeset:
297
298         "JSC Sampling Profiler: Detect tester and testee when sampling
299         in RegExp JIT"
300         https://bugs.webkit.org/show_bug.cgi?id=152729
301         https://trac.webkit.org/changeset/227725
302
303 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
304
305         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
306         https://bugs.webkit.org/show_bug.cgi?id=152729
307
308         Reviewed by Saam Barati.
309
310         * stress/sampling-profiler-regexp.js: Added.
311         (platformSupportsSamplingProfiler.test):
312         (platformSupportsSamplingProfiler.baz):
313         (platformSupportsSamplingProfiler):
314
315 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
316
317         [DFG][FTL] WeakMap#set should have DFG node
318         https://bugs.webkit.org/show_bug.cgi?id=180015
319
320         Reviewed by Saam Barati.
321
322         * stress/weakmap-set-change-get.js: Added.
323         (shouldBe):
324         (test):
325         * stress/weakmap-set-cse.js: Added.
326         (shouldBe):
327         (test):
328         * stress/weakset-add-change-get.js: Added.
329         (shouldBe):
330         * stress/weakset-add-cse.js: Added.
331         (shouldBe):
332
333 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
334
335         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
336         https://bugs.webkit.org/show_bug.cgi?id=182213
337
338         Reviewed by Mark Lam.
339
340         * stress/int32-min-to-string.js: Added.
341         (shouldBe):
342         (test2):
343         (test4):
344         (test8):
345         (test16):
346         (test32):
347         * stress/zero-to-string.js: Added.
348         (shouldBe):
349         (test2):
350         (test4):
351         (test8):
352         (test16):
353         (test32):
354
355 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
356
357         Add more module scope related tests with code evaluation by string
358         https://bugs.webkit.org/show_bug.cgi?id=181983
359
360         Reviewed by Sam Weinig.
361
362         Add more module scope related tests. When the original tests are landed,
363         we do not have browser integration. This patch adds more module scope tests
364         with dynamically created script evaluation. We add tests with Function
365         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
366
367         * modules/scopes-eval.js: Added.
368         (shouldBe):
369         * modules/scopes.js:
370         (shouldBe):
371
372 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
373
374         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
375
376         * microbenchmarks/array-push-3.js: Removed.
377         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
378         * microbenchmarks/double-to-int32.js: Removed.
379         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
380         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
381         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
382         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
383         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
384         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
385         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
386         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
387         * microbenchmarks/map-constant-key.js: Removed.
388         * microbenchmarks/nested-function-parsing.js: Removed.
389         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
390         * microbenchmarks/spread-large-array.js: Removed.
391         * microbenchmarks/string-add-constant-folding.js: Removed.
392         * microbenchmarks/to-lower-case.js: Removed.
393         * microbenchmarks/undefined-property-access.js: Removed.
394         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
395         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
396         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
397         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
398         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
399         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
400         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
401         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
402         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
403         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
404         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
405         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
406         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
407         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
408         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
409         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
410         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
411         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
412
413 2018-01-23  Robin Morisset  <rmorisset@apple.com>
414
415         Update the argument count in DFGByteCodeParser::handleRecursiveCall
416         https://bugs.webkit.org/show_bug.cgi?id=181739
417         <rdar://problem/36627662>
418
419         Reviewed by Saam Barati.
420
421         * stress/recursive-tail-call-with-different-argument-count.js: Added.
422         (foo):
423         (bar):
424
425 2018-01-22  Michael Saboff  <msaboff@apple.com>
426
427         DFG abstract interpreter needs to properly model effects of some Math ops
428         https://bugs.webkit.org/show_bug.cgi?id=181886
429
430         Reviewed by Saam Barati.
431
432         New regression test.
433
434         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
435         (test):
436
437 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
438
439         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
440         https://bugs.webkit.org/show_bug.cgi?id=181182
441
442         Reviewed by Darin Adler.
443
444         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
445         * stress/big-int-prototype-to-string-exception.js: Added.
446         * stress/big-int-prototype-to-string-wrong-values.js: Added.
447         * stress/number-prototype-to-string-cast-overflow.js: Added.
448         * stress/number-prototype-to-string-exception.js: Added.
449         * stress/number-prototype-to-string-wrong-values.js: Added.
450
451 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
452
453         Disable Atomics when SharedArrayBuffer isn’t enabled
454         https://bugs.webkit.org/show_bug.cgi?id=181572
455
456         Unreviewed test gardening.
457
458         * test262.yaml: Skip tests that fail after this change.
459
460 2018-01-19  Saam Barati  <sbarati@apple.com>
461
462         Kill ArithNegate's ArithProfile assert inside BytecodeParser
463         https://bugs.webkit.org/show_bug.cgi?id=181877
464         <rdar://problem/36630552>
465
466         Reviewed by Mark Lam.
467
468         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
469         (runNearStackLimit):
470         (f1):
471         (f2):
472         (f3):
473         (i.catch):
474         (i.try.runNearStackLimit):
475         (catch):
476
477 2018-01-19  Saam Barati  <sbarati@apple.com>
478
479         Spread's effects are modeled incorrectly both in AI and in Clobberize
480         https://bugs.webkit.org/show_bug.cgi?id=181867
481         <rdar://problem/36290415>
482
483         Reviewed by Michael Saboff.
484
485         * stress/ai-needs-to-model-spreads-effects.js: Added.
486         (try.p.Symbol.iterator):
487         (try.go):
488         (catch):
489         * stress/clobberize-needs-to-model-spread-effects.js: Added.
490         (assert):
491         (foo):
492         (a.Symbol.iterator):
493
494 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
495
496         Unreviewed, reduce count of iteration to fix timing out debug JSC test
497         https://bugs.webkit.org/show_bug.cgi?id=181535
498
499         * stress/inserted-recovery-with-set-last-index.js:
500
501 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
502
503         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
504         https://bugs.webkit.org/show_bug.cgi?id=181535
505
506         Reviewed by Saam Barati.
507
508         * stress/inserted-recovery-with-set-last-index.js: Added.
509         (shouldBe):
510         (foo):
511         * stress/materialize-regexp-at-osr-exit.js: Added.
512         (shouldBe):
513         (test):
514         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
515         (shouldBe):
516         (test):
517         * stress/materialize-regexp-cyclic-regexp.js: Added.
518         (shouldBe):
519         (test):
520         (i.switch):
521         * stress/materialize-regexp-cyclic.js: Added.
522         (shouldBe):
523         (test):
524         (i.switch):
525         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
526         (bar):
527         (foo):
528         (test):
529         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
530         (bar):
531         (foo):
532         (test):
533         * stress/materialize-regexp.js: Added.
534         (shouldBe):
535         (test):
536         * stress/phantom-regexp-regexp-exec.js: Added.
537         (shouldBe):
538         (test):
539         * stress/phantom-regexp-string-match.js: Added.
540         (shouldBe):
541         (test):
542         * stress/regexp-last-index-sinking.js: Added.
543         (shouldBe):
544         (test):
545
546 2018-01-17  Saam Barati  <sbarati@apple.com>
547
548         Disable Atomics when SharedArrayBuffer isn’t enabled
549         https://bugs.webkit.org/show_bug.cgi?id=181572
550         <rdar://problem/36553206>
551
552         Reviewed by Michael Saboff.
553
554         * stress/isLockFree.js:
555
556 2018-01-17  Saam Barati  <sbarati@apple.com>
557
558         DFG::Node::convertToConstant needs to clear the varargs flags
559         https://bugs.webkit.org/show_bug.cgi?id=181697
560         <rdar://problem/36497332>
561
562         Reviewed by Yusuke Suzuki.
563
564         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
565         (doIndexOf):
566         (bar):
567         (i.bar):
568
569 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
570
571         Unreviewed, rolling out r226937.
572
573         Tests added with this change are failing due to a missing
574         exception check.
575
576         Reverted changeset:
577
578         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
579         double to int32_t"
580         https://bugs.webkit.org/show_bug.cgi?id=181182
581         https://trac.webkit.org/changeset/226937
582
583 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
584
585         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
586         https://bugs.webkit.org/show_bug.cgi?id=181182
587
588         Reviewed by Darin Adler.
589
590         * bigIntTests.yaml:
591         * stress/big-int-constructor.js:
592         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
593         (assert):
594         (assertThrowRangeError):
595         * stress/number-prototype-to-string-cast-overflow.js: Added.
596         (assert):
597         (assertThrowRangeError):
598
599 2018-01-12  Saam Barati  <sbarati@apple.com>
600
601         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
602         https://bugs.webkit.org/show_bug.cgi?id=181177
603         <rdar://problem/36205704>
604
605         Reviewed by Yusuke Suzuki.
606
607         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
608         (runNearStackLimit.t):
609         (runNearStackLimit):
610         (test.f):
611         (test):
612
613 2018-01-12  Saam Barati  <sbarati@apple.com>
614
615         Each variant of a polymorphic inlined call should be exitOK at the top of the block
616         https://bugs.webkit.org/show_bug.cgi?id=181562
617         <rdar://problem/36445624>
618
619         Reviewed by Yusuke Suzuki.
620
621         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
622         (f):
623         (foo):
624
625 2018-01-11  Saam Barati  <sbarati@apple.com>
626
627         When inserting Unreachable in byte code parser we need to flush all the right things
628         https://bugs.webkit.org/show_bug.cgi?id=181509
629         <rdar://problem/36423110>
630
631         Reviewed by Mark Lam.
632
633         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
634
635 2018-01-11  Saam Barati  <sbarati@apple.com>
636
637         JITMathIC code in the FTL is wrong when code gets duplicated
638         https://bugs.webkit.org/show_bug.cgi?id=181525
639         <rdar://problem/36351993>
640
641         Reviewed by Michael Saboff and Keith Miller.
642
643         * stress/allow-math-ic-b3-code-duplication.js: Added.
644
645 2018-01-11  Saam Barati  <sbarati@apple.com>
646
647         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
648         https://bugs.webkit.org/show_bug.cgi?id=181508
649
650         Reviewed by Yusuke Suzuki.
651
652         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
653         (assert):
654         (test1.foo):
655         (test1):
656         (test2.foo):
657         (test2):
658
659 2018-01-09  Mark Lam  <mark.lam@apple.com>
660
661         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
662         https://bugs.webkit.org/show_bug.cgi?id=181388
663         <rdar://problem/36349351>
664
665         Reviewed by Saam Barati.
666
667         * stress/regress-181388.js: Added.
668
669 2018-01-08  JF Bastien  <jfbastien@apple.com>
670
671         WebAssembly: mask indexed accesses to Table
672         https://bugs.webkit.org/show_bug.cgi?id=181412
673         <rdar://problem/36363236>
674
675         Reviewed by Saam Barati.
676
677         Update error messages.
678
679         * wasm/js-api/table.js:
680         (assert.throws.WebAssembly.Table.prototype.grow):
681
682 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
683
684         Disable SharedArrayBuffer tests missed in r226386.
685         https://bugs.webkit.org/show_bug.cgi?id=181266
686
687         Unreviewed test gardening.
688
689         * test262.yaml:
690
691 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
692
693         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
694         https://bugs.webkit.org/show_bug.cgi?id=181321
695
696         Reviewed by Saam Barati.
697
698         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
699         (shouldBe):
700         (testFunction):
701         * test262.yaml:
702
703 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
704
705         Unreviewed, attempt to fix test262 after r226386.
706
707         * test262.yaml:
708
709 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
710
711         [DFG] Define defs for MapSet/SetAdd to participate in CSE
712         https://bugs.webkit.org/show_bug.cgi?id=179911
713
714         Reviewed by Saam Barati.
715
716         In addition to these tests, map-set-cse.js and set-add-cse.js work.
717
718         * stress/map-set-change-get.js: Added.
719         (shouldBe):
720         (test):
721         * stress/map-set-create-bucket.js: Added.
722         (shouldBe):
723         (test):
724         * stress/set-add-create-bucket.js: Added.
725         (shouldBe):
726
727 2018-01-03  Michael Saboff  <msaboff@apple.com>
728
729         Disable SharedArrayBuffers from Web API
730         https://bugs.webkit.org/show_bug.cgi?id=181266
731
732         Reviewed by Saam Barati.
733
734         Disabled SharedArrayBuffer tests.
735
736         * stress/SharedArrayBuffer-opt.js:
737         * stress/SharedArrayBuffer.js:
738         * stress/array-buffer-byte-length.js:
739         * stress/atomics-add-uint32.js:
740         * stress/atomics-known-int-use.js:
741         * stress/atomics-neg-zero.js:
742         * stress/atomics-store-return.js:
743         * stress/lars-sab-workers.js:
744         * stress/regress-159779-1.js:
745         * stress/regress-159779-2.js:
746         * stress/regress-170473.js:
747         * test262.yaml:
748
749 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
750
751         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
752         https://bugs.webkit.org/show_bug.cgi?id=181258
753
754         Reviewed by Antonio Gomes.
755
756         * stress/big-int-constructor-gc.js:
757         * stress/big-int-constructor-oom.js:
758
759 2018-01-03  Robin Morisset  <rmorisset@apple.com>
760
761         Inlining of a function that ends in op_unreachable crashes
762         https://bugs.webkit.org/show_bug.cgi?id=181027
763
764         Reviewed by Filip Pizlo.
765
766         * stress/inlining-unreachable.js: Added.
767         (bar):
768         (baz):
769         (i.catch):
770
771 2018-01-02  Saam Barati  <sbarati@apple.com>
772
773         Incorrect assertion inside AccessCase
774         https://bugs.webkit.org/show_bug.cgi?id=181200
775         <rdar://problem/35494754>
776
777         Reviewed by Yusuke Suzuki.
778
779         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
780         (ctor):
781         (theFunc):
782         (run):
783
784 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
785
786         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
787         https://bugs.webkit.org/show_bug.cgi?id=175359
788
789         Reviewed by Yusuke Suzuki.
790
791         * bigIntTests.yaml:
792         * stress/big-int-as-key.js: Added.
793         * stress/big-int-constructor-gc.js: Added.
794         * stress/big-int-constructor-oom.js: Added.
795         * stress/big-int-constructor-properties.js: Added.
796         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
797         * stress/big-int-constructor-prototype.js: Added.
798         * stress/big-int-constructor.js: Added.
799         * stress/big-int-function-apply.js:
800         * stress/big-int-length.js: Added.
801         * stress/big-int-prop-descriptor.js: Added.
802         * stress/big-int-proto-constructor.js: Added.
803         * stress/big-int-proto-name.js: Added.
804         * stress/big-int-prototype-properties.js: Added.
805         * stress/big-int-prototype-proto.js: Added.
806         * stress/big-int-prototype-value-of.js: Added.
807         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
808         * stress/big-int-prototype-to-string-apply.js: Added.
809         * stress/big-int-to-object.js: Added.
810         * stress/big-int-to-string.js: Added.
811
812 2017-12-28  Saam Barati  <sbarati@apple.com>
813
814         Assertion used to determine if something is an async generator is wrong
815         https://bugs.webkit.org/show_bug.cgi?id=181168
816         <rdar://problem/35640560>
817
818         Reviewed by Yusuke Suzuki.
819
820         * stress/async-generator-assertion.js: Added.
821
822 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
823
824         Skip stress/splay-flash-access tests on memory limited platforms
825         https://bugs.webkit.org/show_bug.cgi?id=181086
826
827         Reviewed by Carlos Alberto Lopez Perez.
828
829         These tests use about 185M of memory, and occasionally get OOM-killed
830         on memory limited platforms.
831
832         * stress/splay-flash-access-1ms.js:
833         * stress/splay-flash-access.js:
834
835 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
836
837         Skip slow jsc tests on embedded platforms
838         https://bugs.webkit.org/show_bug.cgi?id=180937
839
840         Reviewed by Carlos Alberto Lopez Perez.
841
842         The tests typeProfiler/deltablue-for-of.js and
843         typeProfiler/getter-richards.js take a very long time in the
844         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
845         thus always timeout. They should be skipped on these platforms.
846
847         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
848         * typeProfiler/getter-richards.js: Skip on arm*/mips.
849
850 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
851
852         [JSC] Do not check isValid() in op_new_regexp
853         https://bugs.webkit.org/show_bug.cgi?id=180970
854
855         Reviewed by Saam Barati.
856
857         * stress/regexp-syntax-error-invalid-flags.js: Added.
858         (shouldThrow):
859
860 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
861
862         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
863         https://bugs.webkit.org/show_bug.cgi?id=180712
864
865         Reviewed by Michael Catanzaro.
866
867         stress/call-apply-exponential-bytecode-size.js crashes if the
868         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
869         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
870         should skip the test on other platforms.
871
872         * stress/call-apply-exponential-bytecode-size.js:
873
874 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
875
876         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
877         https://bugs.webkit.org/show_bug.cgi?id=179762
878
879         Reviewed by Saam Barati.
880
881         * stress/call-varargs-double-new-array-buffer.js: Added.
882         (assert):
883         (bar):
884         (foo):
885         * stress/call-varargs-spread-new-array-buffer.js: Added.
886         (assert):
887         (bar):
888         (foo):
889         * stress/call-varargs-spread-new-array-buffer2.js: Added.
890         (assert):
891         (bar):
892         (foo):
893         * stress/forward-varargs-double-new-array-buffer.js: Added.
894         (assert):
895         (test.baz):
896         (test.bar):
897         (test.foo):
898         (test):
899         * stress/new-array-buffer-sinking-osrexit.js: Added.
900         (target):
901         (test):
902         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
903         (shouldBe):
904         (test):
905         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
906         (shouldBe):
907         (target):
908         (test):
909         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
910         (assert):
911         (test1.bar):
912         (test1.foo):
913         (test1):
914         (test2.bar):
915         (test2.foo):
916         (test3.baz):
917         (test3.bar):
918         (test3.foo):
919         (test4.baz):
920         (test4.bar):
921         (test4.foo):
922         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
923         (assert):
924         (test.baz):
925         (test.bar):
926         (test.foo):
927         (test):
928         * stress/phantom-new-array-buffer-osr-exit.js: Added.
929         (assert):
930         (baz):
931         (bar):
932         (effects):
933         (foo):
934
935 2017-12-14  Saam Barati  <sbarati@apple.com>
936
937         The CleanUp after LICM is erroneously removing a Check
938         https://bugs.webkit.org/show_bug.cgi?id=180852
939         <rdar://problem/36063494>
940
941         Reviewed by Filip Pizlo.
942
943         * stress/dont-run-cleanup-after-licm.js: Added.
944
945 2017-12-14  Michael Saboff  <msaboff@apple.com>
946
947         REGRESSION (r225695): Repro crash on yahoo login page
948         https://bugs.webkit.org/show_bug.cgi?id=180761
949
950         Reviewed by JF Bastien.
951
952         New regression test.
953
954         * stress/regress-180761.js: Added.
955
956 2017-12-13  Keith Miller  <keith_miller@apple.com>
957
958         JSObjects should have a mask for loading indexed properties
959         https://bugs.webkit.org/show_bug.cgi?id=180768
960
961         Reviewed by Mark Lam.
962
963         * stress/int16-put-by-val-in-and-out-of-bounds.js:
964         (test):
965
966 2017-12-13  Saam Barati  <sbarati@apple.com>
967
968         Arrow functions need their own structure because they have different properties than sloppy functions
969         https://bugs.webkit.org/show_bug.cgi?id=180779
970         <rdar://problem/35814591>
971
972         Reviewed by Mark Lam.
973
974         * stress/arrow-function-needs-its-own-structure.js: Added.
975         (assert):
976         (readPrototype):
977         (noInline.let.f1):
978         (noInline):
979
980 2017-12-13  Saam Barati  <sbarati@apple.com>
981
982         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
983         https://bugs.webkit.org/show_bug.cgi?id=163579
984         <rdar://problem/35455798>
985
986         Reviewed by Mark Lam.
987
988         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
989         (assert):
990         (test1):
991         (i.test1):
992         (i.test1.C):
993         (i.test1.async.foo):
994         (i.test1.foo):
995         (test2):
996
997 2017-12-13  Saam Barati  <sbarati@apple.com>
998
999         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1000         https://bugs.webkit.org/show_bug.cgi?id=180734
1001         <rdar://problem/35640547>
1002
1003         Reviewed by Yusuke Suzuki.
1004
1005         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1006         (__isPropertyOfType):
1007         (__getProperties):
1008         (__getObjects):
1009         (__getRandomObject):
1010         (theClass.):
1011         (theClass):
1012         (childClass):
1013         (counter.catch):
1014
1015 2017-12-12  Saam Barati  <sbarati@apple.com>
1016
1017         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1018         https://bugs.webkit.org/show_bug.cgi?id=180725
1019         <rdar://problem/35970511>
1020
1021         Reviewed by Michael Saboff.
1022
1023         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1024         (f1):
1025         (f2):
1026         (let.o2.valueOf):
1027
1028 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1029
1030         [JSC] Implement optimized WeakMap and WeakSet
1031         https://bugs.webkit.org/show_bug.cgi?id=179929
1032
1033         Reviewed by Saam Barati.
1034
1035         * microbenchmarks/weak-map-key.js:
1036         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1037         (assert):
1038         (objectKey):
1039         (let.start.Date.now):
1040         * stress/basic-weakmap.js: Added.
1041         (shouldBe):
1042         (test):
1043         * stress/basic-weakset.js: Added.
1044         (shouldBe):
1045         (test.set new):
1046         * stress/weakmap-cse-set-break.js: Added.
1047         (shouldBe):
1048         (test):
1049         * stress/weakmap-cse.js: Added.
1050         (shouldBe):
1051         (test):
1052         * stress/weakmap-gc.js: Added.
1053         (test):
1054         * stress/weakset-cse-add-break.js: Added.
1055         (shouldBe):
1056         (test.set new):
1057         * stress/weakset-cse.js: Added.
1058         (shouldBe):
1059         (test.set new):
1060         * stress/weakset-gc.js: Added.
1061         (test.set add):
1062         (test.set new):
1063         (test):
1064
1065 2017-12-12  Saam Barati  <sbarati@apple.com>
1066
1067         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1068         https://bugs.webkit.org/show_bug.cgi?id=180723
1069         <rdar://problem/35859726>
1070
1071         Reviewed by JF Bastien.
1072
1073         * stress/get-my-argument-by-val-constant-folding.js: Added.
1074         (test):
1075         (catch):
1076
1077 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1078
1079         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1080         https://bugs.webkit.org/show_bug.cgi?id=179000
1081
1082         Reviewed by Darin Adler and Yusuke Suzuki.
1083
1084         * bigIntTests.yaml: Added.
1085         * stress/big-int-literal-line-terminator.js: Added.
1086         * stress/big-int-literals.js: Added.
1087         * stress/big-int-operations-error.js: Added.
1088         * stress/big-int-type-of.js: Added.
1089         * stress/big-int-white-space-trailing-leading.js: Added.
1090         * stress/big-int-function-apply.js: Added.
1091
1092 2017-12-11  Saam Barati  <sbarati@apple.com>
1093
1094         We need to disableCaching() in ErrorInstance when we materialize properties
1095         https://bugs.webkit.org/show_bug.cgi?id=180343
1096         <rdar://problem/35833002>
1097
1098         Reviewed by Mark Lam.
1099
1100         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1101         (assert):
1102         (makeError):
1103         (storeToStack):
1104         (storeToStackAlreadyMaterialized):
1105
1106 2017-12-05  JF Bastien  <jfbastien@apple.com>
1107
1108         WebAssembly: don't eagerly checksum
1109         https://bugs.webkit.org/show_bug.cgi?id=180441
1110         <rdar://problem/35156628>
1111
1112         Reviewed by Saam Barati.
1113
1114         Checksum is now disabled, so tests only have <?> as the module
1115         name.
1116
1117         * wasm/function-tests/nameSection.js:
1118         * wasm/function-tests/stack-overflow.js:
1119         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1120         (assertOverflows.assertThrows):
1121         (assertOverflows):
1122         * wasm/function-tests/stack-trace.js:
1123
1124 2017-12-04  JF Bastien  <jfbastien@apple.com>
1125
1126         Proxy all functions, except the $ objects
1127         https://bugs.webkit.org/show_bug.cgi?id=180375
1128
1129         Reviewed by Saam Barati.
1130
1131         It looks like this test may have broken some executions because I
1132         call some internal objects. Explicitly ignore objects whose name
1133         starts with "$" because it's a bad idea anyways.
1134
1135         * stress/proxy-all-the-parameters.js:
1136         (generateObjects):
1137         (get throw):
1138
1139 2017-12-04  Saam Barati  <sbarati@apple.com>
1140
1141         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1142         https://bugs.webkit.org/show_bug.cgi?id=180366
1143         <rdar://problem/35685877>
1144
1145         Reviewed by Michael Saboff.
1146
1147         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1148         (theParent):
1149         (test1.base.getParentStaticValue):
1150         (test1.base):
1151         (test1.__v_24888.prototype.set prop):
1152         (test1.__v_24888):
1153         (test2.base.getParentStaticValue):
1154         (test2.base):
1155         (test2.__v_24888.prototype.set prop):
1156         (test2.__v_24888):
1157         (test2):
1158
1159 2017-12-01  JF Bastien  <jfbastien@apple.com>
1160
1161         Try proxying all function arguments
1162         https://bugs.webkit.org/show_bug.cgi?id=180306
1163
1164         Reviewed by Saam Barati.
1165
1166         * stress/proxy-all-the-parameters.js: Added.
1167         (isPropertyOfType):
1168         (getProperties):
1169         (generateObjects):
1170         (getObjects):
1171         (getFunctions):
1172         (get throw):
1173         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1174
1175 2017-12-01  JF Bastien  <jfbastien@apple.com>
1176
1177         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1178         https://bugs.webkit.org/show_bug.cgi?id=180297
1179         <rdar://problem/35745556>
1180
1181         Reviewed by Mark Lam.
1182
1183         * stress/math-exceptions.js: Added.
1184         (get try):
1185         (catch):
1186
1187 2017-12-01  JF Bastien  <jfbastien@apple.com>
1188
1189         JavaScriptCore: add test for weird class static getters
1190         https://bugs.webkit.org/show_bug.cgi?id=180281
1191         <rdar://problem/35592139>
1192
1193         Reviewed by Mark Lam.
1194
1195         I fixed a bug for it in r224927 and didn't add a test. Do so.
1196
1197         * stress/class-static-get-weird.js: Added.
1198         (c.prototype.get name):
1199         (c):
1200         (c.prototype.get arguments):
1201         (c.prototype.get caller):
1202         (c.prototype.get length):
1203
1204 2017-12-01  Saam Barati  <sbarati@apple.com>
1205
1206         Having a bad time needs to handle ArrayClass indexing type as well
1207         https://bugs.webkit.org/show_bug.cgi?id=180274
1208         <rdar://problem/35667869>
1209
1210         Reviewed by Keith Miller and Mark Lam.
1211
1212         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1213         (assert):
1214         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1215         (assert):
1216
1217 2017-12-01  JF Bastien  <jfbastien@apple.com>
1218
1219         WebAssembly: restore cached stack limit after out-call
1220         https://bugs.webkit.org/show_bug.cgi?id=179106
1221         <rdar://problem/35337525>
1222
1223         Reviewed by Saam Barati.
1224
1225         * wasm/function-tests/double-instance.js: Added.
1226         (const.imp.boom):
1227         (const.imp.get callAnother):
1228
1229 2017-11-30  JF Bastien  <jfbastien@apple.com>
1230
1231         WebAssembly: improve stack trace
1232         https://bugs.webkit.org/show_bug.cgi?id=179343
1233
1234         Reviewed by Saam Barati.
1235
1236         Update the tests to follow the new format. Notably, SHA1 module
1237         hash is now included in traces, and stubs are properly identified.
1238
1239         * wasm/assert.js: Add an assertion which matches regular expressions.
1240         * wasm/function-tests/nameSection.js:
1241         * wasm/function-tests/stack-overflow.js:
1242         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1243         (assertOverflows.assertThrows.wasm.1):
1244         (assertOverflows.assertThrows.wasm.0):
1245         (assertOverflows.assertThrows):
1246         (assertOverflows):
1247         * wasm/function-tests/stack-trace.js:
1248         (import.Builder.from.string_appeared_here.assert): Deleted.
1249         * wasm/function-tests/trap-after-cross-instance-call.js:
1250         (wasmFrameCountFromError):
1251         * wasm/function-tests/trap-load-2.js:
1252         (wasmFrameCountFromError):
1253         * wasm/function-tests/trap-load.js:
1254         (wasmFrameCountFromError):
1255
1256 2017-11-30  Mark Lam  <mark.lam@apple.com>
1257
1258         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1259         https://bugs.webkit.org/show_bug.cgi?id=180219
1260         <rdar://problem/35696536>
1261
1262         Reviewed by Filip Pizlo.
1263
1264         * stress/regress-180219.js: Added.
1265
1266 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1267
1268         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1269         https://bugs.webkit.org/show_bug.cgi?id=180190
1270
1271         Reviewed by Mark Lam.
1272
1273         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1274         (shouldBe):
1275         (test1):
1276         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1277         (shouldBe):
1278         (test1):
1279         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1280         (shouldBe):
1281         (test1):
1282         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1283         (shouldBe):
1284         (test1):
1285         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1286         (shouldBe):
1287         (test1):
1288         * stress/operation-in-may-have-negative-int32.js: Added.
1289         (shouldBe):
1290         (test2):
1291         * stress/operation-in-negative-int32-cast.js: Added.
1292         (shouldBe):
1293         (test1):
1294
1295 2017-11-28  JF Bastien  <jfbastien@apple.com>
1296
1297         Strict and sloppy functions shouldn't share structure
1298         https://bugs.webkit.org/show_bug.cgi?id=180103
1299         <rdar://problem/35667847>
1300
1301         Reviewed by Saam Barati.
1302
1303         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1304         because the IC was wrong.
1305         (foo):
1306         (bar):
1307         (baz):
1308         (catch):
1309         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1310         in this patch, but may as well test odd strict mode corner cases.
1311         (bar):
1312         (baz):
1313         (catch):
1314         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1315         (foo):
1316         (bar):
1317         (baz):
1318         (catch):
1319         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1320         next file, but with invalidation of the FunctionExecutable's
1321         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1322         slower path.
1323         (foo):
1324         (bar.const.x):
1325         (bar.const.y):
1326         (bar):
1327         (catch):
1328         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1329         strict nesting works correctly.
1330         (foo):
1331         (bar.baz):
1332         (bar):
1333         * stress/strict-function-structure.js: Added. The test used to
1334         assert in objectProtoFuncHasOwnProperty.
1335         (foo):
1336         (bar):
1337         (baz):
1338         * stress/strict-nested-function-structure.js: Added. Nesting.
1339         (foo):
1340         (bar):
1341         (baz.boo):
1342         (baz):
1343
1344 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1345
1346         The recursive tail call optimisation is wrong on closures
1347         https://bugs.webkit.org/show_bug.cgi?id=179835
1348
1349         Reviewed by Saam Barati.
1350
1351         * stress/closure-recursive-tail-call.js: Added.
1352         (makeClosure):
1353
1354 2017-11-27  JF Bastien  <jfbastien@apple.com>
1355
1356         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1357         https://bugs.webkit.org/show_bug.cgi?id=180051
1358         <rdar://problem/35614371>
1359
1360         Reviewed by Saam Barati.
1361
1362         * stress/rest-parameter-negative.js: Added.
1363         (__f_5484):
1364         (catch):
1365         (__f_5485):
1366         (__v_22598.catch):
1367
1368 2017-11-27  Saam Barati  <sbarati@apple.com>
1369
1370         Spread can escape when CreateRest does not
1371         https://bugs.webkit.org/show_bug.cgi?id=180057
1372         <rdar://problem/35676119>
1373
1374         Reviewed by JF Bastien.
1375
1376         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1377         (assert):
1378         (getProperties):
1379         (theFunc):
1380         (let.obj.valueOf):
1381
1382 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1383
1384         [DFG] Add NormalizeMapKey DFG IR
1385         https://bugs.webkit.org/show_bug.cgi?id=179912
1386
1387         Reviewed by Saam Barati.
1388
1389         * stress/map-untyped-normalize-cse.js: Added.
1390         (shouldBe):
1391         (test):
1392         * stress/map-untyped-normalize.js: Added.
1393         (shouldBe):
1394         (test):
1395         * stress/set-untyped-normalize-cse.js: Added.
1396         (shouldBe):
1397         (set return.set has.set has):
1398         * stress/set-untyped-normalize.js: Added.
1399         (shouldBe):
1400         (set return.set has):
1401
1402 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1403
1404         [FTL] Support DeleteById and DeleteByVal
1405         https://bugs.webkit.org/show_bug.cgi?id=180022
1406
1407         Reviewed by Saam Barati.
1408
1409         * stress/delete-by-id.js: Added.
1410         (shouldBe):
1411         (test1):
1412         (test2):
1413         * stress/delete-by-val-ftl.js: Added.
1414         (shouldBe):
1415         (test1):
1416         (test2):
1417
1418 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1419
1420         [DFG] Introduce {Set,Map,WeakMap}Fields
1421         https://bugs.webkit.org/show_bug.cgi?id=179925
1422
1423         Reviewed by Saam Barati.
1424
1425         * stress/map-set-clobber-map-get.js: Added.
1426         (shouldBe):
1427         (test):
1428         * stress/map-set-does-not-clobber-set-has.js: Added.
1429         (shouldBe):
1430         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1431         (shouldBe):
1432         (test):
1433         * stress/set-add-clobber-set-has.js: Added.
1434         (shouldBe):
1435         * stress/set-add-does-not-clobber-map-get.js: Added.
1436         (shouldBe):
1437
1438 2017-11-24  Mark Lam  <mark.lam@apple.com>
1439
1440         Move unsafe jsc shell test functions to the $vm object.
1441         https://bugs.webkit.org/show_bug.cgi?id=179980
1442
1443         Reviewed by Yusuke Suzuki.
1444
1445         * controlFlowProfiler/driver/driver.js:
1446         * controlFlowProfiler/execution-count.js:
1447         * controlFlowProfiler/if-statement.js:
1448         * controlFlowProfiler/loop-statements.js:
1449         * controlFlowProfiler/switch-statements.js:
1450         * controlFlowProfiler/test-jit.js:
1451         * exceptionFuzz/3d-cube.js:
1452         * exceptionFuzz/date-format-xparb.js:
1453         * exceptionFuzz/earley-boyer.js:
1454         * heapProfiler/basic-edges.js:
1455         * heapProfiler/property-edge-types.js:
1456         * microbenchmarks/try-get-by-id-basic.js:
1457         * microbenchmarks/try-get-by-id-polymorphic.js:
1458         * modules/namespace-object-try-get.js:
1459         * stress/argument-count-bytecode.js:
1460         * stress/argument-intrinsic-basic.js:
1461         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1462         * stress/argument-intrinsic-inlining-with-result-escape.js:
1463         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1464         * stress/argument-intrinsic-inlining-with-vararg.js:
1465         * stress/argument-intrinsic-nested-inlining.js:
1466         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1467         * stress/argument-intrinsic-with-stack-write.js:
1468         * stress/arity-mismatch-get-argument.js:
1469         * stress/array-message-passing.js:
1470         * stress/array-push-with-force-exit.js:
1471         * stress/check-dom-with-signature.js:
1472         * stress/check-sub-class.js:
1473         * stress/compare-eq-incomplete-profile.js:
1474         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1475         * stress/do-eval-virtual-call-correctly.js:
1476         * stress/dom-jit-with-poly-proto.js:
1477         * stress/domjit-exception-ic.js:
1478         * stress/domjit-exception.js:
1479         * stress/domjit-getter-complex-with-incorrect-object.js:
1480         * stress/domjit-getter-complex.js:
1481         * stress/domjit-getter-poly.js:
1482         * stress/domjit-getter-proto.js:
1483         * stress/domjit-getter-super-poly.js:
1484         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1485         * stress/domjit-getter-type-check.js:
1486         * stress/domjit-getter.js:
1487         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1488         * stress/for-in-proxy-target-changed-structure.js:
1489         * stress/for-in-proxy.js:
1490         * stress/generational-opaque-roots.js:
1491         * stress/global-const-redeclaration-setting-2.js:
1492         * stress/global-const-redeclaration-setting-3.js:
1493         * stress/global-const-redeclaration-setting-4.js:
1494         * stress/global-const-redeclaration-setting-5.js:
1495         * stress/global-const-redeclaration-setting.js:
1496         * stress/import-basic.js:
1497         * stress/import-from-eval.js:
1498         * stress/import-reject-with-exception.js:
1499         * stress/import-syntax.js:
1500         * stress/impure-get-own-property-slot-inline-cache.js:
1501         * stress/is-constructor.js:
1502         * stress/istypedarrayview-intrinsic.js:
1503         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1504         * stress/jsc-test-functions-should-be-more-robust.js:
1505         * stress/object-toString-with-proxy.js:
1506         * stress/poly-proto-custom-value-and-accessor.js:
1507         * stress/proxy-inline-cache.js:
1508         * stress/re-execute-error-module.js:
1509         * stress/regress-150532.js:
1510         * stress/regress-156992.js:
1511         * stress/regress-179619.js:
1512         * stress/resources/shadow-chicken-support.js:
1513         * stress/runtime-array.js:
1514         * stress/sampling-profiler-microtasks.js:
1515         * stress/shadow-chicken-enabled.js:
1516         * stress/spread-correct-global-object-on-exception.js:
1517         * stress/super-get-by-id.js:
1518         * stress/tailCallForwardArguments.js:
1519         * stress/to-object-intrinsic-boolean-edge.js:
1520         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1521         * stress/to-object-intrinsic-number-edge.js:
1522         * stress/to-object-intrinsic-object-edge.js:
1523         * stress/to-object-intrinsic-string-edge.js:
1524         * stress/to-object-intrinsic-symbol-edge.js:
1525         * stress/to-object-intrinsic.js:
1526         * stress/try-catch-custom-getter-as-get-by-id.js:
1527         * stress/try-get-by-id-poly-proto.js:
1528         * stress/try-get-by-id-should-spill-registers-dfg.js:
1529         * stress/try-get-by-id.js:
1530         * typeProfiler/arrow-functions.js:
1531         * typeProfiler/basic.js:
1532         * typeProfiler/captured.js:
1533         * typeProfiler/classes.js:
1534         * typeProfiler/dfg-jit-optimizations.js:
1535         * typeProfiler/dictionary-mode.js:
1536         * typeProfiler/es6-block-scoping.js:
1537         * typeProfiler/es6-classes.js:
1538         * typeProfiler/inheritance.js:
1539         * typeProfiler/int52-dfg.js:
1540         * typeProfiler/loop.js:
1541         * typeProfiler/optional-fields.js:
1542         * typeProfiler/overflow.js:
1543         * typeProfiler/return.js:
1544         * typeProfiler/symbol.js:
1545         * typeProfiler/weird-prototype-chain.js:
1546
1547 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1548
1549         [DFG][FTL] Support MapSet / SetAdd intrinsics
1550         https://bugs.webkit.org/show_bug.cgi?id=179858
1551
1552         Reviewed by Saam Barati.
1553
1554         * microbenchmarks/map-has-and-set.js: Added.
1555         (test):
1556         * stress/map-set-check-failure.js: Added.
1557         (shouldBe):
1558         (shouldThrow):
1559         (target):
1560         * stress/map-set-cse.js: Added.
1561         (shouldBe):
1562         (test):
1563         * stress/set-add-check-failure.js: Added.
1564         (shouldBe):
1565         (shouldThrow):
1566         (set shouldThrow):
1567         * stress/set-add-cse.js: Added.
1568         (shouldBe):
1569
1570 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1571
1572         [JSC] Allow poly proto for intrinsic getters
1573         https://bugs.webkit.org/show_bug.cgi?id=179550
1574
1575         Reviewed by Saam Barati.
1576
1577         This change is also tested by existing tests.
1578
1579             1. stress/intrinsic-getter-with-poly-proto.js
1580             2. stress/poly-proto-intrinsic-getter-correctness.js
1581
1582         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1583         (shouldBe):
1584         (makePolyProtoObject.foo.C):
1585         (makePolyProtoObject.foo):
1586         (makePolyProtoObject):
1587         (target):
1588         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1589         (shouldBe):
1590         (makePolyProtoObject.foo.C):
1591         (makePolyProtoObject.foo):
1592         (makePolyProtoObject):
1593         (target):
1594
1595 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1596
1597         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1598         https://bugs.webkit.org/show_bug.cgi?id=179744
1599
1600         Reviewed by Michael Catanzaro.
1601
1602         This test uses too much memory for our buildbots on these platforms
1603         and gets OOM-killed.
1604
1605         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1606         Skip if $memoryLimited and linux.
1607
1608 2017-11-17  JF Bastien  <jfbastien@apple.com>
1609
1610         WebAssembly JS API: throw when a promise can't be created
1611         https://bugs.webkit.org/show_bug.cgi?id=179826
1612         <rdar://problem/35455813>
1613
1614         Reviewed by Mark Lam.
1615
1616         Test WebAssembly.{compile,instantiate} where promise creation
1617         fails because of a stack overflow.
1618
1619         * wasm/js-api/promise-stack-overflow.js: Added.
1620         (const.runNearStackLimit.f.const.t):
1621         (async.testCompile):
1622         (async.testInstantiate):
1623
1624 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1625
1626         Unreviewed, mark regress-178385.js as memory exhausting
1627
1628         * stress/regress-178385.js:
1629
1630 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1631
1632         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1633
1634         Unreviewed test gardening.
1635
1636         * test262.yaml:
1637
1638 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1639
1640         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1641         https://bugs.webkit.org/show_bug.cgi?id=179763
1642         <rdar://problem/35550513>
1643
1644         Reviewed by Keith Miller.
1645
1646         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1647
1648         * stress/tdz-this-in-try-catch.js: Added.
1649         (__v_6388):
1650         (__v_6392):
1651
1652 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1653
1654         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1655         https://bugs.webkit.org/show_bug.cgi?id=179594
1656
1657         Reviewed by Saam Barati.
1658
1659         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1660         (shouldBe):
1661         (args):
1662         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1663         (shouldBe):
1664         (args):
1665
1666 2017-11-14  Saam Barati  <sbarati@apple.com>
1667
1668         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1669         https://bugs.webkit.org/show_bug.cgi?id=179639
1670         <rdar://problem/35513018>
1671
1672         Reviewed by JF Bastien.
1673
1674         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1675         (escape):
1676         (i.func):
1677
1678 2017-11-13  Mark Lam  <mark.lam@apple.com>
1679
1680         Add more overflow check book-keeping for MarkedArgumentBuffer.
1681         https://bugs.webkit.org/show_bug.cgi?id=179634
1682         <rdar://problem/35492517>
1683
1684         Reviewed by Saam Barati.
1685
1686         * stress/regress-179634.js: Added.
1687
1688 2017-11-13  Mark Lam  <mark.lam@apple.com>
1689
1690         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1691         https://bugs.webkit.org/show_bug.cgi?id=179619
1692         <rdar://problem/35492518>
1693
1694         Reviewed by Saam Barati.
1695
1696         * stress/regress-179619.js: Added.
1697
1698 2017-11-12  Mark Lam  <mark.lam@apple.com>
1699
1700         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1701         https://bugs.webkit.org/show_bug.cgi?id=179562
1702         <rdar://problem/35467022>
1703
1704         Reviewed by Saam Barati.
1705
1706         * regress-179562.js: Added.
1707
1708 2017-11-08  Saam Barati  <sbarati@apple.com>
1709
1710         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1711         https://bugs.webkit.org/show_bug.cgi?id=177792
1712
1713         Reviewed by Yusuke Suzuki.
1714
1715         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1716         (assert):
1717         (foo.Foo.prototype.ensureX):
1718         (foo.Foo):
1719         (foo):
1720         (access):
1721
1722 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1723
1724         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1725         https://bugs.webkit.org/show_bug.cgi?id=178592
1726
1727         Unreviewed test gardening.
1728
1729         * test262.yaml:
1730
1731 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1732
1733         Turn recursive tail calls into loops
1734         https://bugs.webkit.org/show_bug.cgi?id=176601
1735
1736         Reviewed by Saam Barati.
1737
1738         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1739
1740         Add some simple test that computes factorial in several ways, and other trivial computations.
1741         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1742         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1743         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1744         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1745
1746         * stress/inline-call-to-recursive-tail-call.js: Added.
1747         (factorial.aux):
1748         (factorial):
1749         (factorial2.aux2):
1750         (factorial2.id):
1751         (factorial2):
1752         (factorial3.aux3):
1753         (factorial3):
1754         (aux4):
1755         (factorial4):
1756         (foo):
1757         (auxBar):
1758         (bar):
1759         (test):
1760
1761 2017-11-07  Mark Lam  <mark.lam@apple.com>
1762
1763         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1764         https://bugs.webkit.org/show_bug.cgi?id=179355
1765         <rdar://problem/35263053>
1766
1767         Reviewed by Saam Barati.
1768
1769         * stress/regress-179355.js: Added.
1770
1771 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1772
1773         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1774         https://bugs.webkit.org/show_bug.cgi?id=144458
1775
1776         Reviewed by Saam Barati.
1777
1778         * microbenchmarks/dfg-internal-function-call.js: Added.
1779         (target):
1780         * microbenchmarks/dfg-internal-function-construct.js: Added.
1781         (target):
1782         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
1783         (target):
1784         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
1785         (target):
1786         * stress/dfg-internal-function-call.js: Added.
1787         (shouldBe):
1788         (target):
1789         * stress/dfg-internal-function-construct.js: Added.
1790         (shouldBe):
1791         (target):
1792         * stress/internal-function-call.js: Added.
1793         (shouldBe):
1794         * stress/internal-function-construct.js: Added.
1795         (shouldBe):
1796
1797 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
1798
1799         [Win] Skip stress/regress-178385.js.
1800         https://bugs.webkit.org/show_bug.cgi?id=179298
1801
1802         Unreviewed test gardening.
1803
1804         * stress/regress-178385.js:
1805
1806 2017-11-03  Keith Miller  <keith_miller@apple.com>
1807
1808         Add test for ic with side effects
1809         https://bugs.webkit.org/show_bug.cgi?id=179268
1810
1811         Reviewed by Saam Barati.
1812
1813         * stress/put-inline-cache-side-effects.js: Added.
1814         (let.i.of.objs.keys):
1815         (f):
1816
1817 2017-11-03  Mark Lam  <mark.lam@apple.com>
1818
1819         CachedCall (and its clients) needs overflow checks.
1820         https://bugs.webkit.org/show_bug.cgi?id=179185
1821
1822         Reviewed by JF Bastien.
1823
1824         * stress/regress-179185.js: Added.
1825
1826 2017-11-02  Michael Saboff  <msaboff@apple.com>
1827
1828         DFG needs to handle code motion of code in for..in loop bodies
1829         https://bugs.webkit.org/show_bug.cgi?id=179212
1830
1831         Reviewed by Keith Miller.
1832
1833         New regression test.
1834
1835         * stress/for-in-side-effects.js: Added.
1836         (getPrototypeOf):
1837         (reset):
1838         (testWithoutFTL.f):
1839         (testWithoutFTL):
1840         (testWithFTL.f):
1841         (testWithFTL):
1842
1843 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1844
1845         AI does not correctly model the clobber case of ArithClz32
1846         https://bugs.webkit.org/show_bug.cgi?id=179188
1847
1848         Reviewed by Michael Saboff.
1849
1850         * stress/arith-clz32-effects.js: Added.
1851         (foo):
1852         (valueOf):
1853
1854 2017-11-01  Michael Saboff  <msaboff@apple.com>
1855
1856         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1857         https://bugs.webkit.org/show_bug.cgi?id=179140
1858
1859         Reviewed by Saam Barati.
1860
1861         New regression test.
1862
1863         * stress/regress-179140.js: Added.
1864         (testWithoutFTL):
1865         (testWithFTL):
1866
1867 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1868
1869         [JSC] Introduce @toObject
1870         https://bugs.webkit.org/show_bug.cgi?id=178726
1871
1872         Reviewed by Saam Barati.
1873
1874         * stress/array-copywithin.js:
1875         (shouldThrow):
1876         * stress/object-constructor-boolean-edge.js: Added.
1877         (shouldBe):
1878         (test):
1879         * stress/object-constructor-global.js: Added.
1880         (shouldBe):
1881         * stress/object-constructor-null-edge.js: Added.
1882         (shouldBe):
1883         (test):
1884         * stress/object-constructor-number-edge.js: Added.
1885         (shouldBe):
1886         (test):
1887         * stress/object-constructor-object-edge.js: Added.
1888         (shouldBe):
1889         (test):
1890         (i.arg):
1891         * stress/object-constructor-string-edge.js: Added.
1892         (shouldBe):
1893         (test):
1894         * stress/object-constructor-symbol-edge.js: Added.
1895         (shouldBe):
1896         (test):
1897         * stress/object-constructor-undefined-edge.js: Added.
1898         (shouldBe):
1899         (test):
1900         * stress/symbol-array-from.js: Added.
1901         (shouldBe):
1902         * stress/to-object-intrinsic-boolean-edge.js: Added.
1903         (shouldBe):
1904         (builtin.createBuiltin):
1905         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
1906         (shouldThrow):
1907         * stress/to-object-intrinsic-number-edge.js: Added.
1908         (shouldBe):
1909         (builtin.createBuiltin):
1910         * stress/to-object-intrinsic-object-edge.js: Added.
1911         (shouldBe):
1912         (builtin.createBuiltin):
1913         (i.arg):
1914         * stress/to-object-intrinsic-string-edge.js: Added.
1915         (shouldBe):
1916         (builtin.createBuiltin):
1917         * stress/to-object-intrinsic-symbol-edge.js: Added.
1918         (shouldBe):
1919         (builtin.createBuiltin):
1920         * stress/to-object-intrinsic.js: Added.
1921         (shouldBe):
1922         (shouldThrow):
1923         (builtin.createBuiltin):
1924
1925 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1926
1927         [DFG][FTL] Introduce StringSlice
1928         https://bugs.webkit.org/show_bug.cgi?id=178934
1929
1930         Reviewed by Saam Barati.
1931
1932         * microbenchmarks/string-slice-empty.js: Added.
1933         (slice):
1934         * microbenchmarks/string-slice-one-char.js: Added.
1935         (slice):
1936         * microbenchmarks/string-slice.js: Added.
1937         (slice):
1938
1939 2017-10-26  Michael Saboff  <msaboff@apple.com>
1940
1941         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1942         https://bugs.webkit.org/show_bug.cgi?id=178890
1943
1944         Reviewed by Keith Miller.
1945
1946         New regression test.
1947
1948         * stress/regress-178890.js: Added.
1949
1950 2017-10-26  Mark Lam  <mark.lam@apple.com>
1951
1952         JSRopeString::RopeBuilder::append() should check for overflows.
1953         https://bugs.webkit.org/show_bug.cgi?id=178385
1954         <rdar://problem/35027468>
1955
1956         Reviewed by Saam Barati.
1957
1958         * stress/regress-178385.js: Added.
1959
1960 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
1961
1962         Unreviewed, rolling out r223961.
1963
1964         The change that required this has been rolled out.
1965
1966         Reverted changeset:
1967
1968         "Mark test262.yaml/test262/test/language/statements/try/tco-
1969         catch.js as passing."
1970         https://bugs.webkit.org/show_bug.cgi?id=178592
1971         https://trac.webkit.org/changeset/223961
1972
1973 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1974
1975         Unreviewed, rolling out r223691 and r223729.
1976         https://bugs.webkit.org/show_bug.cgi?id=178834
1977
1978         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1979         by rniwa on #webkit).
1980
1981         Reverted changesets:
1982
1983         "Turn recursive tail calls into loops"
1984         https://bugs.webkit.org/show_bug.cgi?id=176601
1985         https://trac.webkit.org/changeset/223691
1986
1987         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1988         comparison is always false due to limited range of data type
1989         [-Wtype-limits]"
1990         https://bugs.webkit.org/show_bug.cgi?id=178543
1991         https://trac.webkit.org/changeset/223729
1992
1993 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
1994
1995         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1996         https://bugs.webkit.org/show_bug.cgi?id=178592
1997
1998         Unreviewed test gardening.
1999
2000         * test262.yaml:
2001
2002 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2003
2004         [FTL] Support NewStringObject
2005         https://bugs.webkit.org/show_bug.cgi?id=178737
2006
2007         Reviewed by Saam Barati.
2008
2009         * stress/new-string-object.js: Added.
2010         (shouldBe):
2011         (test):
2012
2013 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2014
2015         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2016         https://bugs.webkit.org/show_bug.cgi?id=178308
2017
2018         Reviewed by Mark Lam.
2019
2020         * test262.yaml:
2021
2022 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2023
2024         [JSC] Use fastJoin in Array#toString
2025         https://bugs.webkit.org/show_bug.cgi?id=178062
2026
2027         Reviewed by Darin Adler.
2028
2029         * microbenchmarks/contiguous-array-to-string.js: Added.
2030         (target):
2031         * microbenchmarks/double-array-to-string.js: Added.
2032         (target):
2033         * microbenchmarks/int32-array-to-string.js: Added.
2034         (target):
2035
2036 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2037
2038         stress/check-string-ident.js is improperly skipped
2039         https://bugs.webkit.org/show_bug.cgi?id=178642
2040
2041         Reviewed by Saam Barati.
2042
2043         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2044         since it enforces the run-jsc-stress-tests script to still set up the
2045         test to run, despite the skip directive that's used before.
2046
2047 2017-10-20  Mark Lam  <mark.lam@apple.com>
2048
2049         Add a test case for r214334.
2050         https://bugs.webkit.org/show_bug.cgi?id=169941
2051         <rdar://problem/31221258>
2052
2053         Reviewed by JF Bastien.
2054
2055         * stress/regress-169941.js: Added.
2056
2057 2017-10-19  JF Bastien  <jfbastien@apple.com>
2058
2059         WebAssembly: no VM / JS version of everything but Instance
2060         https://bugs.webkit.org/show_bug.cgi?id=177473
2061
2062         Reviewed by Filip Pizlo, Saam Barati.
2063
2064         - Exceeding max on memory growth now returns a range error as per
2065         spec. This is a (very minor) breaking change: it used to throw OOM
2066         error. Update the corresponding test.
2067
2068         * wasm/js-api/memory-grow.js:
2069         (assertEq):
2070         * wasm/js-api/table.js:
2071         (assert.throws):
2072
2073 2017-10-19  Mark Lam  <mark.lam@apple.com>
2074
2075         Stringifier::appendStringifiedValue() is missing an exception check.
2076         https://bugs.webkit.org/show_bug.cgi?id=178386
2077         <rdar://problem/35027610>
2078
2079         Reviewed by Saam Barati.
2080
2081         * stress/regress-178386.js: Added.
2082
2083 2017-10-19  Michael Saboff  <msaboff@apple.com>
2084
2085         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2086         https://bugs.webkit.org/show_bug.cgi?id=178521
2087
2088         Reviewed by JF Bastien.
2089
2090         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2091         now passes with the current version (5.0) of the Emoji spec.
2092
2093 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2094
2095         Turn recursive tail calls into loops
2096         https://bugs.webkit.org/show_bug.cgi?id=176601
2097
2098         Reviewed by Saam Barati.
2099
2100         Add some simple test that computes factorial in several ways, and other trivial computations.
2101         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2102         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2103         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2104         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2105
2106         * stress/inline-call-to-recursive-tail-call.js: Added.
2107         (factorial.aux):
2108         (factorial):
2109         (factorial2.aux):
2110         (factorial2.id):
2111         (factorial2):
2112         (factorial3.aux):
2113         (factorial3):
2114         (aux):
2115         (factorial4):
2116         (test):
2117
2118 2017-10-18  Mark Lam  <mark.lam@apple.com>
2119
2120         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2121         https://bugs.webkit.org/show_bug.cgi?id=177600
2122         <rdar://problem/34710985>
2123
2124         Reviewed by Saam Barati.
2125
2126         * stress/regress-177600.js: Added.
2127
2128 2017-10-18  Mark Lam  <mark.lam@apple.com>
2129
2130         The compiler should always register a structure when it adds its transitionWatchPointSet.
2131         https://bugs.webkit.org/show_bug.cgi?id=178420
2132         <rdar://problem/34814024>
2133
2134         Reviewed by Saam Barati and Filip Pizlo.
2135
2136         * stress/regress-178420.js: Added.
2137         (new.Array.10000.map):
2138
2139 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2140
2141         [JSC] __proto__ getter should be fast
2142         https://bugs.webkit.org/show_bug.cgi?id=178067
2143
2144         Reviewed by Saam Barati.
2145
2146         * stress/dfg-object-proto-accessor.js: Added.
2147         (shouldBe):
2148         (shouldThrow):
2149         (target):
2150         * stress/dfg-object-proto-getter.js: Added.
2151         (shouldBe):
2152         (shouldThrow):
2153         (target):
2154         * stress/dfg-object-prototype-of.js: Added.
2155         (shouldBe):
2156         (shouldThrow):
2157         (target):
2158         * stress/dfg-reflect-get-prototype-of.js: Added.
2159         (shouldBe):
2160         (shouldThrow):
2161         (target):
2162         * stress/intrinsic-getter-with-poly-proto.js: Added.
2163         (shouldBe):
2164         (makePolyProtoObject.foo.C):
2165         (makePolyProtoObject.foo):
2166         (makePolyProtoObject):
2167         (target):
2168         * stress/object-get-prototype-of-filtered.js: Added.
2169         (shouldBe):
2170         (shouldThrow):
2171         (target):
2172         (i.Cocoa):
2173         * stress/object-get-prototype-of-mono-proto.js: Added.
2174         (shouldBe):
2175         (makePolyProtoObject.foo.C):
2176         (makePolyProtoObject.foo):
2177         (makePolyProtoObject):
2178         (target):
2179         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2180         (shouldBe):
2181         (makePolyProtoObject.foo.C):
2182         (makePolyProtoObject.foo):
2183         (makePolyProtoObject):
2184         (target):
2185         * stress/object-get-prototype-of-poly-proto.js: Added.
2186         (shouldBe):
2187         (makePolyProtoObject.foo.C):
2188         (makePolyProtoObject.foo):
2189         (makePolyProtoObject):
2190         (target):
2191         * stress/object-proto-getter-filtered.js: Added.
2192         (shouldBe):
2193         (shouldThrow):
2194         (target):
2195         (i.Cocoa):
2196         * stress/object-proto-getter-poly-mono-proto.js: Added.
2197         (shouldBe):
2198         (makePolyProtoObject.foo.C):
2199         (makePolyProtoObject.foo):
2200         (makePolyProtoObject):
2201         (target):
2202         * stress/object-proto-getter-poly-proto.js: Added.
2203         (shouldBe):
2204         (makePolyProtoObject.foo.C):
2205         (makePolyProtoObject.foo):
2206         (makePolyProtoObject):
2207         (target):
2208         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2209         * stress/string-proto.js: Added.
2210         (shouldBe):
2211         (target):
2212
2213 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2214
2215         Unreviewed, rolling out r223523.
2216
2217         A test for this change is failing on debug JSC bots.
2218
2219         Reverted changeset:
2220
2221         "[JSC] __proto__ getter should be fast"
2222         https://bugs.webkit.org/show_bug.cgi?id=178067
2223         https://trac.webkit.org/changeset/223523
2224
2225 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2226
2227         [JSC] __proto__ getter should be fast
2228         https://bugs.webkit.org/show_bug.cgi?id=178067
2229
2230         Reviewed by Saam Barati.
2231
2232         * stress/dfg-object-proto-accessor.js: Added.
2233         (shouldBe):
2234         (shouldThrow):
2235         (target):
2236         * stress/dfg-object-proto-getter.js: Added.
2237         (shouldBe):
2238         (shouldThrow):
2239         (target):
2240         * stress/dfg-object-prototype-of.js: Added.
2241         (shouldBe):
2242         (shouldThrow):
2243         (target):
2244         * stress/dfg-reflect-get-prototype-of.js: Added.
2245         (shouldBe):
2246         (shouldThrow):
2247         (target):
2248         * stress/object-get-prototype-of-filtered.js: Added.
2249         (shouldBe):
2250         (shouldThrow):
2251         (target):
2252         (i.Cocoa):
2253         * stress/object-get-prototype-of-mono-proto.js: Added.
2254         (shouldBe):
2255         (makePolyProtoObject.foo.C):
2256         (makePolyProtoObject.foo):
2257         (makePolyProtoObject):
2258         (target):
2259         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2260         (shouldBe):
2261         (makePolyProtoObject.foo.C):
2262         (makePolyProtoObject.foo):
2263         (makePolyProtoObject):
2264         (target):
2265         * stress/object-get-prototype-of-poly-proto.js: Added.
2266         (shouldBe):
2267         (makePolyProtoObject.foo.C):
2268         (makePolyProtoObject.foo):
2269         (makePolyProtoObject):
2270         (target):
2271         * stress/object-proto-getter-filtered.js: Added.
2272         (shouldBe):
2273         (shouldThrow):
2274         (target):
2275         (i.Cocoa):
2276         * stress/object-proto-getter-poly-mono-proto.js: Added.
2277         (shouldBe):
2278         (makePolyProtoObject.foo.C):
2279         (makePolyProtoObject.foo):
2280         (makePolyProtoObject):
2281         (target):
2282         * stress/object-proto-getter-poly-proto.js: Added.
2283         (shouldBe):
2284         (makePolyProtoObject.foo.C):
2285         (makePolyProtoObject.foo):
2286         (makePolyProtoObject):
2287         (target):
2288         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2289         * stress/string-proto.js: Added.
2290         (shouldBe):
2291         (target):
2292
2293 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2294
2295         Reland "Add Above/Below comparisons for UInt32 patterns"
2296         https://bugs.webkit.org/show_bug.cgi?id=177281
2297
2298         Reviewed by Saam Barati.
2299
2300         * stress/uint32-comparison-jump.js: Added.
2301         (shouldBe):
2302         (above):
2303         (aboveOrEqual):
2304         (below):
2305         (belowOrEqual):
2306         (notAbove):
2307         (notAboveOrEqual):
2308         (notBelow):
2309         (notBelowOrEqual):
2310         * stress/uint32-comparison.js: Added.
2311         (shouldBe):
2312         (above):
2313         (aboveOrEqual):
2314         (below):
2315         (belowOrEqual):
2316         (aboveTest):
2317         (aboveOrEqualTest):
2318         (belowTest):
2319         (belowOrEqualTest):
2320
2321 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2322
2323         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2324         https://bugs.webkit.org/show_bug.cgi?id=178210
2325
2326         Reviewed by Saam Barati.
2327
2328         * wasm/function-tests/trap-from-start-async.js:
2329         (async.StartTrapsAsync):
2330         * wasm/function-tests/trap-from-start.js:
2331         (StartTraps):
2332         * wasm/js-api/web-assembly-function.js:
2333         (assert.eq.Object.getPrototypeOf):
2334         * wasm/js-api/wrapper-function.js:
2335         (return.new.WebAssembly.Module):
2336         (assert.throws.makeInstance): Deleted.
2337         (assert.throws.Bar): Deleted.
2338         (assert.throws): Deleted.
2339
2340 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2341
2342         Enable gigacage on iOS
2343         https://bugs.webkit.org/show_bug.cgi?id=177586
2344
2345         Reviewed by JF Bastien.
2346         
2347         Add tests for when Gigacage gets runtime disabled.
2348
2349         * stress/disable-gigacage-arrays.js: Added.
2350         (foo):
2351         * stress/disable-gigacage-strings.js: Added.
2352         (foo):
2353         * stress/disable-gigacage-typed-arrays.js: Added.
2354         (foo):
2355
2356 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2357
2358         import.meta should not be assignable
2359         https://bugs.webkit.org/show_bug.cgi?id=178202
2360
2361         Reviewed by Saam Barati.
2362
2363         * modules/import-meta-assignment.js: Added.
2364         (shouldThrow):
2365         (SyntaxError.import.meta.can.shouldThrow):
2366
2367 2017-10-11  Saam Barati  <sbarati@apple.com>
2368
2369         Unreviewed. Actually skip certain type profiler tests in debug.
2370
2371         * typeProfiler.yaml:
2372         * typeProfiler/deltablue-for-of.js:
2373         * typeProfiler/getter-richards.js:
2374
2375 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2376
2377         Unreviewed, rolling out r223113 and r223121.
2378         https://bugs.webkit.org/show_bug.cgi?id=178182
2379
2380         Reintroduced 20% regression on Kraken (Requested by rniwa on
2381         #webkit).
2382
2383         Reverted changesets:
2384
2385         "Enable gigacage on iOS"
2386         https://bugs.webkit.org/show_bug.cgi?id=177586
2387         https://trac.webkit.org/changeset/223113
2388
2389         "Use one virtual allocation for all gigacages and their
2390         runways"
2391         https://bugs.webkit.org/show_bug.cgi?id=178050
2392         https://trac.webkit.org/changeset/223121
2393
2394 2017-10-11  Michael Saboff  <msaboff@apple.com>
2395
2396         Disable test262 named capture group tests with direct unicode names and with references before definitions
2397         https://bugs.webkit.org/show_bug.cgi?id=178177
2398
2399         Reviewed by Keith Miller.
2400
2401         Bugs to track fixing these test are:
2402         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2403             "Add support in named capture group identifiers for direct surrogate pairs"
2404         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2405             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2406
2407         * test262.yaml:
2408
2409 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2410
2411         Object properties are undefined in super.call() but not in this.call()
2412         https://bugs.webkit.org/show_bug.cgi?id=177230
2413
2414         Reviewed by Saam Barati.
2415
2416         * stress/super-call-function-subclass.js: Added.
2417         (assert):
2418         (A.prototype.t):
2419         (A):
2420         * stress/super-dot-call-and-apply.js: Added.
2421         (assert):
2422         (A):
2423         (A.prototype.call):
2424         (A.prototype.apply):
2425         (B.prototype.testSuper):
2426         (B):
2427         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2428         (D.prototype.testSuper):
2429         (D):
2430
2431 2017-10-10  Saam Barati  <sbarati@apple.com>
2432
2433         The prototype cache should be aware of the Executable it generates a Structure for
2434         https://bugs.webkit.org/show_bug.cgi?id=177907
2435
2436         Reviewed by Filip Pizlo.
2437
2438         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2439         (assert):
2440         (foo.C):
2441         (foo):
2442         (bar.C):
2443         (bar):
2444         (access):
2445         (makeLongChain):
2446         (accessY):
2447
2448 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2449
2450         `async` should be able to be used as an imported binding name
2451         https://bugs.webkit.org/show_bug.cgi?id=176573
2452
2453         Reviewed by Saam Barati.
2454
2455         * modules/import-default-async.js: Added.
2456         * modules/import-named-async-as.js: Added.
2457         * modules/import-named-async.js: Added.
2458         * modules/import-named-async/target.js: Added.
2459         * modules/import-namespace-async.js: Added.
2460         * test262.yaml:
2461
2462 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2463
2464         Enable gigacage on iOS
2465         https://bugs.webkit.org/show_bug.cgi?id=177586
2466
2467         Reviewed by JF Bastien.
2468         
2469         Add tests for when Gigacage gets runtime disabled.
2470
2471         * stress/disable-gigacage-arrays.js: Added.
2472         (foo):
2473         * stress/disable-gigacage-strings.js: Added.
2474         (foo):
2475         * stress/disable-gigacage-typed-arrays.js: Added.
2476         (foo):
2477
2478 2017-10-09  Michael Saboff  <msaboff@apple.com>
2479
2480         Implement RegExp Unicode property escapes
2481         https://bugs.webkit.org/show_bug.cgi?id=172069
2482
2483         Reviewed by JF Bastien.
2484
2485         Enabled Unicode Property tests.
2486
2487         * test262.yaml:
2488
2489 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2490
2491         Unreviewed, rolling out r223015 and r223025.
2492         https://bugs.webkit.org/show_bug.cgi?id=178093
2493
2494         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2495         #webkit).
2496
2497         Reverted changesets:
2498
2499         "Enable gigacage on iOS"
2500         https://bugs.webkit.org/show_bug.cgi?id=177586
2501         http://trac.webkit.org/changeset/223015
2502
2503         "Unreviewed, disable Gigacage on ARM64 Linux"
2504         https://bugs.webkit.org/show_bug.cgi?id=177586
2505         http://trac.webkit.org/changeset/223025
2506
2507 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2508
2509         Update expectations for test262 tests that pass after r223043.
2510         https://bugs.webkit.org/show_bug.cgi?id=176685
2511
2512         Unreviewed test gardening.
2513
2514         * test262.yaml:
2515
2516 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2517
2518         Unreviewed, rolling out r223022.
2519
2520         This change introduced 18 test262 failures.
2521
2522         Reverted changeset:
2523
2524         "`async` should be able to be used as an imported binding
2525         name"
2526         https://bugs.webkit.org/show_bug.cgi?id=176573
2527         http://trac.webkit.org/changeset/223022
2528
2529 2017-10-09  Saam Barati  <sbarati@apple.com>
2530
2531         3 poly-proto JSC tests timing out on debug after r222827
2532         https://bugs.webkit.org/show_bug.cgi?id=177880
2533         <rdar://problem/34817122>
2534
2535         Unreviewed.
2536
2537         I'm skipping these type profiler tests on debug since they are long running.
2538
2539         * typeProfiler/deltablue-for-of.js:
2540         * typeProfiler/getter-richards.js:
2541
2542 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2543
2544         Safari 10 /11 problem with if (!await get(something)).
2545         https://bugs.webkit.org/show_bug.cgi?id=176685
2546
2547         Reviewed by Saam Barati.
2548
2549         * stress/async-await-basic.js:
2550         (awaitEpression.async):
2551         * stress/async-await-syntax.js:
2552         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2553         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2554
2555 2017-10-08  Saam Barati  <sbarati@apple.com>
2556
2557         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2558
2559         * typeProfiler/deltablue-for-of.js:
2560         * typeProfiler/getter-richards.js:
2561
2562 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2563
2564         `async` should be able to be used as an imported binding name
2565         https://bugs.webkit.org/show_bug.cgi?id=176573
2566
2567         Reviewed by Darin Adler.
2568
2569         * modules/import-default-async.js: Added.
2570         * modules/import-named-async-as.js: Added.
2571         * modules/import-named-async.js: Added.
2572         * modules/import-named-async/target.js: Added.
2573         * modules/import-namespace-async.js: Added.
2574
2575 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2576
2577         Enable gigacage on iOS
2578         https://bugs.webkit.org/show_bug.cgi?id=177586
2579
2580         Reviewed by JF Bastien.
2581         
2582         Add tests for when Gigacage gets runtime disabled.
2583
2584         * stress/disable-gigacage-arrays.js: Added.
2585         (foo):
2586         * stress/disable-gigacage-strings.js: Added.
2587         (foo):
2588         * stress/disable-gigacage-typed-arrays.js: Added.
2589         (foo):
2590
2591 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2592
2593         Unreviewed, rolling out r222791 and r222873.
2594         https://bugs.webkit.org/show_bug.cgi?id=178031
2595
2596         Caused crashes with workers/wasm LayoutTests (Requested by
2597         ryanhaddad on #webkit).
2598
2599         Reverted changesets:
2600
2601         "WebAssembly: no VM / JS version of everything but Instance"
2602         https://bugs.webkit.org/show_bug.cgi?id=177473
2603         http://trac.webkit.org/changeset/222791
2604
2605         "WebAssembly: address no VM / JS follow-ups"
2606         https://bugs.webkit.org/show_bug.cgi?id=177887
2607         http://trac.webkit.org/changeset/222873
2608
2609 2017-10-05  Saam Barati  <sbarati@apple.com>
2610
2611         Make sure all prototypes under poly proto get added into the VM's prototype map
2612         https://bugs.webkit.org/show_bug.cgi?id=177909
2613
2614         Reviewed by Keith Miller.
2615
2616         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2617         (assert):
2618         (foo.C):
2619         (foo):
2620         (set x):
2621
2622 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2623
2624         [JSC] Introduce import.meta
2625         https://bugs.webkit.org/show_bug.cgi?id=177703
2626
2627         Reviewed by Filip Pizlo.
2628
2629         * modules/import-meta-syntax.js: Added.
2630         (shouldThrow):
2631         (shouldNotThrow):
2632         * modules/import-meta.js: Added.
2633         * modules/import-meta/cocoa.js: Added.
2634         * modules/resources/assert.js:
2635         (export.shouldNotThrow):
2636         * stress/import-syntax.js:
2637
2638 2017-10-04  Saam Barati  <sbarati@apple.com>
2639
2640         Make pertinent AccessCases watch the poly proto watchpoint
2641         https://bugs.webkit.org/show_bug.cgi?id=177765
2642
2643         Reviewed by Keith Miller.
2644
2645         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2646         (assert):
2647         (foo.C):
2648         (foo):
2649         (validate):
2650         * stress/poly-proto-clear-stub.js: Added.
2651         (assert):
2652         (foo.C):
2653         (foo):
2654
2655 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2656
2657         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2658
2659         Unreviewed test gardening.
2660
2661         * test262.yaml:
2662
2663 2017-10-04  Saam Barati  <sbarati@apple.com>
2664
2665         3 poly-proto JSC tests timing out on debug after r222827
2666         https://bugs.webkit.org/show_bug.cgi?id=177880
2667
2668         Rubber stamped by Mark Lam.
2669
2670         * microbenchmarks/poly-proto-access.js:
2671         * typeProfiler/deltablue-for-of.js:
2672         * typeProfiler/getter-richards.js:
2673
2674 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2675
2676         Unreviewed, marking tco-catch.js as a failure after test262 update
2677         https://bugs.webkit.org/show_bug.cgi?id=177859
2678
2679         * test262.yaml:
2680
2681 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2682
2683         Unreviewed, marking one async iterator test262 test failed
2684         https://bugs.webkit.org/show_bug.cgi?id=177859
2685
2686         * test262.yaml:
2687
2688 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2689
2690         [Test262] Update Test262 to Oct 4 version
2691         https://bugs.webkit.org/show_bug.cgi?id=177859
2692
2693         Reviewed by Sam Weinig.
2694
2695         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2696         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
2697
2698         * test262.yaml:
2699         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2700         (checkSequence):
2701         * test262/harness/typeCoercion.js:
2702         (testCoercibleToIndexZero):
2703         (testCoercibleToIndexOne):
2704         (testCoercibleToIndexFromIndex):
2705         (testNotCoercibleToIndex.testPrimitiveValue):
2706         (testNotCoercibleToInteger):
2707         (testCoercibleToBigIntZero.testPrimitiveValue):
2708         (testCoercibleToBigIntZero):
2709         (testCoercibleToBigIntOne.testPrimitiveValue):
2710         (testCoercibleToBigIntOne):
2711         (testPrimitiveValue):
2712         (testCoercibleToBigIntFromBigInt):
2713         (testNotCoercibleToBigInt.testPrimitiveValue):
2714         (testNotCoercibleToBigInt.testStringValue):
2715         (testNotCoercibleToBigInt):
2716         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2717         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2718         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2719         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2720         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2721         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2722         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2723         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2724         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2725         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2726         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2727         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2728         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2729         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2730         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2731         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2732         (testCoercibleToBigIntZero):
2733         (testCoercibleToBigIntOne):
2734         (testNotCoercibleToBigInt):
2735         (MyError): Deleted.
2736         (valueOf): Deleted.
2737         (toString): Deleted.
2738         (Symbol.toPrimitive): Deleted.
2739         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2740         (testCoercibleToIndexZero):
2741         (testCoercibleToIndexOne):
2742         (testNotCoercibleToIndex):
2743         (MyError): Deleted.
2744         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2745         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2746         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
2747         (BigInt.asIntN.valueOf): Deleted.
2748         (BigInt.asIntN.toString): Deleted.
2749         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
2750         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
2751         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
2752         (testCoercibleToBigIntZero):
2753         (testCoercibleToBigIntOne):
2754         (testNotCoercibleToBigInt):
2755         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
2756         (testCoercibleToIndexZero):
2757         (testCoercibleToIndexOne):
2758         (testNotCoercibleToIndex):
2759         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
2760         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
2761         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
2762         (bits.valueOf):
2763         (bigint.valueOf):
2764         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
2765         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
2766         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
2767         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
2768         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
2769         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
2770         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
2771         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
2772         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
2773         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
2774         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
2775         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
2776         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
2777         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
2778         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
2779         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
2780         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
2781         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
2782         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
2783         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
2784         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
2785         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
2786         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
2787         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
2788         (replacer):
2789         (BigInt.prototype.toJSON):
2790         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
2791         (replacer):
2792         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
2793         (BigInt.prototype.toJSON):
2794         * test262/test/built-ins/JSON/stringify/bigint.js:
2795         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
2796         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
2797         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
2798         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
2799         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
2800         * test262/test/built-ins/Object/proto-from-ctor.js:
2801         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
2802         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
2803         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
2804         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
2805         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
2806         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
2807         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
2808         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
2809         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
2810         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
2811         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
2812         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
2813         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
2814         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
2815         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
2816         * test262/test/built-ins/Proxy/get-fn-realm.js:
2817         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
2818         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
2819         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
2820         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
2821         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
2822         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
2823         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
2824         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
2825         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
2826         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
2827         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
2828         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
2829         (i6.replace):
2830         (i6b.replace):
2831         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
2832         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
2833         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
2834         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
2835         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
2836         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
2837         * test262/test/built-ins/RegExp/u180e.js: Added.
2838         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
2839         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
2840         * test262/test/built-ins/String/proto-from-ctor-realm.js:
2841         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
2842         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
2843         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
2844         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
2845         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
2846         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
2847         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
2848         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
2849         * test262/test/built-ins/String/prototype/endsWith/length.js:
2850         * test262/test/built-ins/String/prototype/endsWith/name.js:
2851         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
2852         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
2853         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
2854         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
2855         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
2856         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
2857         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
2858         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
2859         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
2860         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
2861         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
2862         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
2863         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
2864         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
2865         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
2866         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
2867         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
2868         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
2869         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
2870         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
2871         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
2872         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
2873         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
2874         * test262/test/built-ins/String/prototype/includes/includes.js:
2875         * test262/test/built-ins/String/prototype/includes/length.js:
2876         * test262/test/built-ins/String/prototype/includes/name.js:
2877         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
2878         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
2879         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
2880         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
2881         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
2882         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
2883         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
2884         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
2885         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
2886         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
2887         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
2888         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
2889         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
2890         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
2891         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
2892         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
2893         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
2894         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
2895         * test262/test/built-ins/String/prototype/trim/u180e.js:
2896         * test262/test/built-ins/Symbol/for/cross-realm.js:
2897         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
2898         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
2899         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
2900         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
2901         * test262/test/built-ins/Symbol/match/cross-realm.js:
2902         * test262/test/built-ins/Symbol/replace/cross-realm.js:
2903         * test262/test/built-ins/Symbol/search/cross-realm.js:
2904         * test262/test/built-ins/Symbol/species/cross-realm.js:
2905         * test262/test/built-ins/Symbol/split/cross-realm.js:
2906         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
2907         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
2908         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
2909         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
2910         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
2911         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
2912         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
2913         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
2914         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
2915         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
2916         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
2917         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
2918         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
2919         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
2920         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
2921         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
2922         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
2923         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
2924         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
2925         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
2926         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
2927         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
2928         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
2929         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
2930         * test262/test/language/comments/mongolian-vowel-separator-single.js:
2931         * test262/test/language/eval-code/indirect/realm.js:
2932         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
2933         (o.get z):
2934         (o.get a):
2935         * test262/test/language/expressions/call/eval-realm-indirect.js:
2936         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
2937         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
2938         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
2939         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
2940         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
2941         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
2942         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
2943         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
2944         * test262/test/language/expressions/greater-than/bigint-and-number.js:
2945         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
2946         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
2947         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
2948         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
2949         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
2950         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
2951         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
2952         * test262/test/language/expressions/less-than/bigint-and-number.js:
2953         * test262/test/language/expressions/new/non-ctor-err-realm.js:
2954         * test262/test/language/expressions/super/realm.js:
2955         * test262/test/language/expressions/tagged-template/cache-realm.js:
2956         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
2957         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
2958         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
2959         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
2960         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
2961         * test262/test/language/literals/string/mongolian-vowel-separator.js:
2962         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
2963         (o.get z):
2964         (o.get a):
2965         * test262/test/language/statements/for-of/iterator-next-reference.js:
2966         (next):
2967         (iterator.next): Deleted.
2968         (x.of.iterable.): Deleted.
2969         (x.of.iterable.get return): Deleted.
2970         (x.of.iterable.iterator.next): Deleted.
2971         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
2972         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
2973         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
2974         * test262/test/language/white-space/mongolian-vowel-separator.js:
2975         * test262/test262-Revision.txt:
2976
2977 2017-10-03  Saam Barati  <sbarati@apple.com>
2978
2979         Implement polymorphic prototypes
2980         https://bugs.webkit.org/show_bug.cgi?id=176391
2981
2982         Reviewed by Filip Pizlo.
2983
2984         * microbenchmarks/poly-proto-access.js: Added.
2985         (assert):
2986         (foo.C):
2987         (foo.C.prototype.get bar):
2988         (foo):
2989         (bar):
2990         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
2991         (assert):
2992         (makePolyProtoObject.foo.C):
2993         (makePolyProtoObject.foo):
2994         (makePolyProtoObject):
2995         (performSet):
2996         * microbenchmarks/poly-proto-setter-speed.js: Added.
2997         (assert):
2998         (makePolyProtoObject.foo.C):
2999         (makePolyProtoObject.foo.C.prototype.set p):
3000         (makePolyProtoObject.foo):
3001         (makePolyProtoObject):
3002         (performSet):
3003         * stress/constructor-with-return.js:
3004         (i.tests.forEach.Constructor):
3005         (i.tests.forEach):
3006         (tests.forEach.Constructor): Deleted.
3007         (tests.forEach): Deleted.
3008         * stress/dom-jit-with-poly-proto.js: Added.
3009         (assert):
3010         (makePolyProtoObject.foo.C):
3011         (makePolyProtoObject.foo):
3012         (makePolyProtoObject):
3013         (validate):
3014         * stress/poly-proto-custom-value-and-accessor.js: Added.
3015         (assert):
3016         (makePolyProtoObject.foo.C):
3017         (makePolyProtoObject.foo):
3018         (makePolyProtoObject):
3019         (items.forEach):
3020         (set get for):
3021         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3022         (assert):
3023         (makePolyProtoObject.foo.C):
3024         (makePolyProtoObject.foo):
3025         (makePolyProtoObject):
3026         (foo):
3027         * stress/poly-proto-miss.js: Added.
3028         (makePolyProtoInstanceWithNullPrototype.foo.C):
3029         (makePolyProtoInstanceWithNullPrototype.foo):
3030         (makePolyProtoInstanceWithNullPrototype):
3031         (assert):
3032         (validate):
3033         * stress/poly-proto-op-in-caching.js: Added.
3034         (assert):
3035         (makePolyProtoObject.foo.C):
3036         (makePolyProtoObject.foo):
3037         (makePolyProtoObject):
3038         (validate):
3039         (validate2):
3040         * stress/poly-proto-put-transition.js: Added.
3041         (assert):
3042         (makePolyProtoObject.foo.C):
3043         (makePolyProtoObject.foo):
3044         (makePolyProtoObject):
3045         (performSet):
3046         (i.obj.__proto__.set p):
3047         * stress/poly-proto-set-prototype.js: Added.
3048         (assert):
3049         (let.alternateProto.get x):
3050         (let.alternateProto2.get y):
3051         (let.alternateProto2.get x):
3052         (foo.C):
3053         (foo):
3054         (validate):
3055         * stress/poly-proto-setter.js: Added.
3056         (assert):
3057         (makePolyProtoObject.foo.C):
3058         (makePolyProtoObject.foo.C.prototype.set p):
3059         (makePolyProtoObject.foo.C.prototype.get p):
3060         (makePolyProtoObject.foo):
3061         (makePolyProtoObject):
3062         (performSet):
3063         * stress/poly-proto-using-inheritance.js: Added.
3064         (assert):
3065         (foo.C):
3066         (foo.C.prototype.get baz):
3067         (foo):
3068         (bar.C):
3069         (bar):
3070         (validate):
3071         * stress/primitive-poly-proto.js: Added.
3072         (makePolyProtoInstance.foo.C):
3073         (makePolyProtoInstance.foo):
3074         (makePolyProtoInstance):
3075         (assert):
3076         (validate):
3077         * stress/prototype-is-not-js-object.js: Added.
3078         (foo.bar):
3079         (foo):
3080         (assert):
3081         (validate):
3082         * stress/try-get-by-id-poly-proto.js: Added.
3083         (assert):
3084         (makePolyProtoObject.foo.C):
3085         (makePolyProtoObject.foo):
3086         (makePolyProtoObject):
3087         (tryGetByIdText):
3088         (x.__proto__.get bar):
3089         (validate):
3090         * typeProfiler/overflow.js:
3091
3092 2017-10-03  JF Bastien  <jfbastien@apple.com>
3093
3094         WebAssembly: no VM / JS version of everything but Instance
3095         https://bugs.webkit.org/show_bug.cgi?id=177473
3096
3097         Reviewed by Filip Pizlo.
3098
3099         - Exceeding max on memory growth now returns a range error as per
3100         spec. This is a (very minor) breaking change: it used to throw OOM
3101         error. Update the corresponding test.
3102
3103         * wasm/js-api/memory-grow.js:
3104         (assertEq):
3105         * wasm/js-api/table.js:
3106         (assert.throws):
3107
3108 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3109
3110         Skip JSC test stress/regress-159779-2.js on debug.
3111         https://bugs.webkit.org/show_bug.cgi?id=177204
3112
3113         Unreviewed test gardening.
3114
3115         * stress/regress-159779-2.js:
3116
3117 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3118
3119         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3120         https://bugs.webkit.org/show_bug.cgi?id=175642
3121
3122         Reviewed by Darin Adler.
3123
3124         * ChakraCore/test/Function/apply3.baseline-jsc:
3125
3126 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3127
3128         Unreviewed, rolling out r222564.
3129         https://bugs.webkit.org/show_bug.cgi?id=177720
3130
3131         "It regressed JetStream by 2% on iOS caused by a 50%
3132         regression on the bigfib subtest" (Requested by saamyjoon on
3133         #webkit).
3134
3135         Reverted changeset:
3136
3137         "Add Above/Below comparisons for UInt32 patterns"
3138         https://bugs.webkit.org/show_bug.cgi?id=177281
3139         http://trac.webkit.org/changeset/222564
3140
3141 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3142
3143         [DFG] Support ArrayPush with multiple args
3144         https://bugs.webkit.org/show_bug.cgi?id=175823
3145
3146         Reviewed by Saam Barati.
3147
3148         * microbenchmarks/array-push-0.js: Added.
3149         (arrayPush0):
3150         * microbenchmarks/array-push-1.js: Added.
3151         (arrayPush1):
3152         * microbenchmarks/array-push-2.js: Added.
3153         (arrayPush2):
3154         * microbenchmarks/array-push-3.js: Added.
3155         (arrayPush3):
3156         * stress/array-push-multiple-contiguous.js: Added.
3157         (shouldBe):
3158         (test):
3159         * stress/array-push-multiple-double-nan.js: Added.
3160         (shouldBe):
3161         (test):
3162         * stress/array-push-multiple-double.js: Added.
3163         (shouldBe):
3164         (test):
3165         * stress/array-push-multiple-int32.js: Added.
3166         (shouldBe):
3167         (test):
3168         * stress/array-push-multiple-many-contiguous.js: Added.
3169         (shouldBe):
3170         (test):
3171         * stress/array-push-multiple-many-double.js: Added.
3172         (shouldBe):
3173         (test):
3174         * stress/array-push-multiple-many-int32.js: Added.
3175         (shouldBe):
3176         (test):
3177         * stress/array-push-multiple-many-storage.js: Added.
3178         (shouldBe):
3179         (test):
3180         * stress/array-push-multiple-storage.js: Added.
3181         (shouldBe):
3182         (test):
3183         * stress/array-push-with-force-exit.js: Added.
3184         (target.createBuiltin):
3185
3186 2017-09-29  Saam Barati  <sbarati@apple.com>
3187
3188         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3189         https://bugs.webkit.org/show_bug.cgi?id=177639
3190
3191         Reviewed by Geoffrey Garen.
3192
3193         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3194         (assert):
3195         (Class):
3196         (items.forEach):
3197         (set get for):
3198
3199 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3200
3201         Unreviewed, rolling out r222563, r222565, and r222581.
3202         https://bugs.webkit.org/show_bug.cgi?id=177675
3203
3204         "It causes a crash when playing youtube videos" (Requested by
3205         saamyjoon on #webkit).
3206
3207         Reverted changesets:
3208
3209         "[DFG] Support ArrayPush with multiple args"
3210         https://bugs.webkit.org/show_bug.cgi?id=175823
3211         http://trac.webkit.org/changeset/222563
3212
3213         "Unreviewed, build fix after r222563"
3214         https://bugs.webkit.org/show_bug.cgi?id=175823
3215         http://trac.webkit.org/changeset/222565
3216
3217         "Unreviewed, fix x86 breaking due to exhausted registers"
3218         https://bugs.webkit.org/show_bug.cgi?id=175823
3219         http://trac.webkit.org/changeset/222581
3220
3221 2017-09-28  Mark Lam  <mark.lam@apple.com>
3222
3223         test262: Unexpected passes after r222617 and r222618.
3224         https://bugs.webkit.org/show_bug.cgi?id=177622
3225         <rdar://problem/34725960>
3226
3227         Reviewed by Saam Barati.
3228
3229         Update test262.yaml for tests that are now passing.
3230
3231         * test262.yaml:
3232
3233 2017-09-27  Michael Saboff  <msaboff@apple.com>
3234
3235         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3236         https://bugs.webkit.org/show_bug.cgi?id=177570
3237
3238         Reviewed by Filip Pizlo.
3239
3240         New regression test.
3241
3242         * stress/regress-177570.js: Added.
3243
3244 2017-09-28  Michael Saboff  <msaboff@apple.com>
3245
3246         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3247         https://bugs.webkit.org/show_bug.cgi?id=177423
3248
3249         Reviewed by Mark Lam.
3250
3251         Updated regression test.
3252
3253         * stress/regress-177423.js:
3254         (catch):
3255
3256 2017-09-27  Mark Lam  <mark.lam@apple.com>
3257
3258         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3259         https://bugs.webkit.org/show_bug.cgi?id=177584
3260         <rdar://problem/34463903>
3261
3262         Reviewed by Saam Barati.
3263
3264         * stress/regress-177584.js: Added.
3265         (assertEqual):
3266         (Array.prototype.Symbol.species):
3267
3268 2017-09-27  Saam Barati  <sbarati@apple.com>
3269
3270         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3271         https://bugs.webkit.org/show_bug.cgi?id=177523
3272
3273         Reviewed by Mark Lam.
3274
3275         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3276         (assert):
3277         (Test):
3278         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3279         (addMethods):
3280         (i.Test.prototype.propName):
3281
3282 2017-09-27  Mark Lam  <mark.lam@apple.com>
3283
3284         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3285         https://bugs.webkit.org/show_bug.cgi?id=177423
3286         <rdar://problem/34621320>
3287
3288         Reviewed by Keith Miller.
3289
3290         * stress/regress-177423.js: Added.
3291
3292 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3293
3294         Add Above/Below comparisons for UInt32 patterns
3295         https://bugs.webkit.org/show_bug.cgi?id=177281
3296
3297         Reviewed by Saam Barati.
3298
3299         * stress/uint32-comparison-jump.js: Added.
3300         (shouldBe):
3301         (above):
3302         (aboveOrEqual):
3303         (below):
3304         (belowOrEqual):
3305         (notAbove):
3306         (notAboveOrEqual):
3307         (notBelow):
3308         (notBelowOrEqual):
3309         * stress/uint32-comparison.js: Added.
3310         (shouldBe):
3311         (above):
3312         (aboveOrEqual):
3313         (below):
3314         (belowOrEqual):
3315         (aboveTest):
3316         (aboveOrEqualTest):
3317         (belowTest):
3318         (belowOrEqualTest):
3319
3320 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3321
3322         [DFG] Support ArrayPush with multiple args
3323         https://bugs.webkit.org/show_bug.cgi?id=175823
3324
3325         Reviewed by Saam Barati.
3326
3327         * microbenchmarks/array-push-0.js: Added.
3328         (arrayPush0):
3329         * microbenchmarks/array-push-1.js: Added.
3330         (arrayPush1):
3331         * microbenchmarks/array-push-2.js: Added.
3332         (arrayPush2):
3333         * microbenchmarks/array-push-3.js: Added.
3334         (arrayPush3):
3335         * stress/array-push-multiple-contiguous.js: Added.
3336         (shouldBe):
3337         (test):
3338         * stress/array-push-multiple-double-nan.js: Added.
3339         (shouldBe):
3340         (test):
3341         * stress/array-push-multiple-double.js: Added.
3342         (shouldBe):
3343         (test):
3344         * stress/array-push-multiple-int32.js: Added.
3345         (shouldBe):
3346         (test):
3347         * stress/array-push-multiple-many-contiguous.js: Added.
3348         (shouldBe):
3349         (test):
3350         * stress/array-push-multiple-many-double.js: Added.
3351         (shouldBe):
3352         (test):
3353         * stress/array-push-multiple-many-int32.js: Added.
3354         (shouldBe):
3355         (test):
3356         * stress/array-push-multiple-many-storage.js: Added.
3357         (shouldBe):
3358         (test):
3359         * stress/array-push-multiple-storage.js: Added.
3360         (shouldBe):
3361         (test):
3362
3363 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3364
3365         Unreviewed, rolling out r222518.
3366         https://bugs.webkit.org/show_bug.cgi?id=177507
3367
3368         Break the High Sierra build (Requested by yusukesuzuki on
3369         #webkit).
3370
3371         Reverted changeset:
3372
3373         "Add Above/Below comparisons for UInt32 patterns"
3374         https://bugs.webkit.org/show_bug.cgi?id=177281
3375         http://trac.webkit.org/changeset/222518
3376
3377 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3378
3379         Add Above/Below comparisons for UInt32 patterns
3380         https://bugs.webkit.org/show_bug.cgi?id=177281
3381
3382         Reviewed by Saam Barati.
3383
3384         * stress/uint32-comparison-jump.js: Added.
3385         (shouldBe):
3386         (above):
3387         (aboveOrEqual):
3388         (below):
3389         (belowOrEqual):
3390         (notAbove):
3391         (notAboveOrEqual):
3392         (notBelow):
3393         (notBelowOrEqual):
3394         * stress/uint32-comparison.js: Added.
3395         (shouldBe):
3396         (above):
3397         (aboveOrEqual):
3398         (below):
3399         (belowOrEqual):
3400         (aboveTest):
3401         (aboveOrEqualTest):
3402         (belowTest):
3403         (belowOrEqualTest):
3404
3405 2017-09-23  Keith Miller  <keith_miller@apple.com>
3406
3407         Fix infinite looping test262 test
3408         https://bugs.webkit.org/show_bug.cgi?id=177412
3409
3410         Reviewed by Yusuke Suzuki.
3411
3412         This test was poorly designed since failing it would cause the vm
3413         to inifinite loop. I've fixed it locally and will fix it on github pending
3414         the results of next weeks tc39 meeting.
3415
3416         * test262.yaml:
3417         * test262/test/language/statements/for-of/iterator-next-reference.js:
3418
3419 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3420
3421         test262: $.agent became $262.agent in test262 update
3422         https://bugs.webkit.org/show_bug.cgi?id=177407
3423
3424         Reviewed by Yusuke Suzuki.
3425
3426         * test262.yaml:
3427         ~320 tests pass now that we correctly make $262 available.
3428
3429 2017-09-22  Keith Miller  <keith_miller@apple.com>
3430
3431         Speculatively change iteration protocall to use the same next function
3432         https://bugs.webkit.org/show_bug.cgi?id=175653
3433
3434         Reviewed by Saam Barati.
3435
3436         Change test to match the new iteration behavior.
3437
3438         * stress/spread-optimized-properly.js:
3439
3440 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3441
3442         [DFG][FTL] Profile array vector length for array allocation
3443         https://bugs.webkit.org/show_bug.cgi?id=177051
3444
3445         Reviewed by Saam Barati.
3446
3447         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3448         (target):
3449
3450 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3451
3452         Unreviewed, rolling out r222380.
3453         https://bugs.webkit.org/show_bug.cgi?id=177352
3454
3455         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3456         #webkit).
3457
3458         Reverted changeset:
3459
3460         "[DFG][FTL] Profile array vector length for array allocation"
3461         https://bugs.webkit.org/show_bug.cgi?id=177051
3462         http://trac.webkit.org/changeset/222380
3463
3464 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3465
3466         [DFG][FTL] Profile array vector length for array allocation
3467         https://bugs.webkit.org/show_bug.cgi?id=177051
3468
3469         Reviewed by Saam Barati.
3470
3471         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3472         (target):
3473
3474 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
3475
3476         Skip new hanging test262 tests.
3477         https://bugs.webkit.org/show_bug.cgi?id=177326
3478
3479         Unreviewed test gardening.
3480
3481         * test262.yaml:
3482
3483 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
3484
3485         Mark 6 test262 tests as passing.
3486         https://bugs.webkit.org/show_bug.cgi?id=177307
3487
3488         Unreviewed test gardening.
3489
3490         * test262.yaml:
3491
3492 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3493
3494         Unreviewed follow-up to r222311.
3495
3496         * test262/harness/sta.js:
3497         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
3498         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
3499         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3500         * test262/test/built-ins/Array/from/elements-added-after.js:
3501         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3502         * test262/test/built-ins/Array/from/elements-updated-after.js:
3503         * test262/test/built-ins/Array/from/from-array.js:
3504         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3505         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3506         * test262/test/built-ins/Array/from/source-array-boundary.js:
3507         * test262/test/built-ins/Array/from/source-object-constructor.js:
3508         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3509         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3510         * test262/test/built-ins/Array/from/source-object-length.js:
3511         * test262/test/built-ins/Array/from/source-object-missing.js:
3512         * test262/test/built-ins/Array/from/source-object-without.js:
3513         * test262/test/built-ins/Array/from/this-null.js:
3514         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3515         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3516         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3517         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3518         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3519         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3520         * test262/test/language/literals/string/7.8.4-1gs.js:
3521         Fix some files that I failed to update when I applied my patch.
3522
3523 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3524
3525         Update test262 tests
3526         https://bugs.webkit.org/show_bug.cgi?id=177220
3527
3528         Reviewed by Saam Barati and Yusuke Suzuki.
3529
3530         * test262.yaml:
3531         * test262/test262-Revision.txt:
3532         New rebaselined expectations for all tests.
3533
3534         * test262/*:
3535         Updated.
3536
3537 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3538
3539         [DFG] Remove ToThis more aggressively
3540         https://bugs.webkit.org/show_bug.cgi?id=177056
3541
3542         Reviewed by Saam Barati.
3543
3544         * stress/generator-with-this-strict.js: Added.
3545         (shouldBe):
3546         (generator):
3547         (target):
3548         * stress/generator-with-this.js: Added.
3549         (shouldBe):
3550         (generator):
3551         (target):
3552
3553 2017-09-17  Michael Saboff  <msaboff@apple.com>
3554
3555         https://bugs.webkit.org/show_bug.cgi?id=177038
3556         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3557
3558         Reviewed by JF Bastien.
3559
3560         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3561         as it dies using too much memory.
3562
3563 2017-09-15  Saam Barati  <sbarati@apple.com>
3564
3565         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3566         https://bugs.webkit.org/show_bug.cgi?id=176981
3567
3568         Reviewed by Yusuke Suzuki.
3569
3570         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3571         (assert):
3572         (verify):
3573         (func):
3574         (const.bar.createBuiltin):
3575
3576 2017-09-14  Saam Barati  <sbarati@apple.com>
3577
3578         It should be valid to exit before each set when doing arity fixup when inlining
3579         https://bugs.webkit.org/show_bug.cgi?id=176948
3580
3581         Reviewed by Keith Miller.
3582
3583         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3584         (baz):
3585         (bar):
3586         (foo):
3587
3588 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3589
3590         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3591         https://bugs.webkit.org/show_bug.cgi?id=176867
3592
3593         Reviewed by Sam Weinig.
3594
3595         * microbenchmarks/object-get-own-property-symbols.js: Added.
3596         (test):
3597
3598 2017-09-13  Mark Lam  <mark.lam@apple.com>
3599
3600         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3601         https://bugs.webkit.org/show_bug.cgi?id=176888
3602         <rdar://problem/34381832>
3603
3604         Not reviewed.
3605
3606         * stress/op_mod-ConstVar.js:
3607         * stress/op_mod-VarConst.js:
3608         * stress/op_mod-VarVar.js:
3609
3610 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3611
3612         Skip 3 op_mod tests on Debug JSC bots.
3613         https://bugs.webkit.org/show_bug.cgi?id=176630
3614
3615         Unreviewed test gardening.
3616
3617         * stress/op_mod-ConstVar.js:
3618         * stress/op_mod-VarConst.js:
3619         * stress/op_mod-VarVar.js:
3620
3621 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3622
3623         [JSC] Fix Array allocation in Object.keys
3624         https://bugs.webkit.org/show_bug.cgi?id=176826
3625
3626         Reviewed by Saam Barati.
3627
3628         * stress/object-own-property-keys.js: Added.
3629         (shouldBe):
3630
3631 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3632
3633         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3634         https://bugs.webkit.org/show_bug.cgi?id=176010
3635
3636         Reviewed by Filip Pizlo.
3637
3638         * microbenchmarks/weak-map-key.js: Added.
3639         (assert):
3640         (objectKey):
3641         (let.start.Date.now):
3642
3643 2017-09-12  Mark Lam  <mark.lam@apple.com>
3644
3645         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3646         https://bugs.webkit.org/show_bug.cgi?id=176630
3647
3648         Reviewed by JF Bastien.
3649
3650         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3651         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3652         a speculative fix for the bots that are seeing these fail.
3653
3654         I also undid the skipping of the op_mod tests for debug builds.
3655
3656         * stress/op_div-ConstVar.js:
3657         * stress/op_div-VarConst.js:
3658         * stress/op_div-VarVar.js:
3659         * stress/op_mod-ConstVar.js:
3660         * stress/op_mod-VarConst.js:
3661         * stress/op_mod-VarVar.js:
3662
3663 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3664
3665         Skip stress/value-to-boolean.js on Debug bots.
3666         https://bugs.webkit.org/show_bug.cgi?id=176787
3667
3668         Unreviewed test gardening.
3669
3670         * stress/value-to-boolean.js:
3671
3672 2017-09-11  Mark Lam  <mark.lam@apple.com>
3673
3674         Change test expectation for test262/test/language/statements/try/tco-catch.js
3675         https://bugs.webkit.org/show_bug.cgi?id=176749
3676
3677         Rubber stamped by Keith Miller.
3678
3679         It's been failing since at least r221821.  I'm changing the test expectation to
3680         fail to green the bots while I investigate some more.
3681
3682         * test262.yaml:
3683
3684 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3685
3686         Unreviewed, rolling out r221854.
3687
3688         The test added with this change fails on 32-bit JSC bots.
3689
3690         Reverted changeset:
3691
3692         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3693         https://bugs.webkit.org/show_bug.cgi?id=176010
3694         http://trac.webkit.org/changeset/221854
3695
3696 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3697
3698         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3699         https://bugs.webkit.org/show_bug.cgi?id=176010
3700
3701         Reviewed by Filip Pizlo.
3702
3703         * microbenchmarks/weak-map-key.js: Added.
3704         (assert):
3705         (objectKey):
3706         (let.start.Date.now):
3707
3708 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3709
3710         [JSC] Optimize Object.keys by using careful array allocation
3711         https://bugs.webkit.org/show_bug.cgi?id=176654
3712
3713         Reviewed by Darin Adler.
3714
3715         * microbenchmarks/object-keys.js: Added.
3716         (test):
3717
3718 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
3719
3720         Error should compute .stack and friends lazily
3721         https://bugs.webkit.org/show_bug.cgi?id=176645
3722
3723         Reviewed by Saam Barati.
3724
3725         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
3726         * microbenchmarks/new-error.js: Added.