IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end...
[WebKit-https.git] / JSTests / ChangeLog
1 2018-05-01  Robin Morisset  <rmorisset@apple.com>
2
3         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
4         https://bugs.webkit.org/show_bug.cgi?id=185162
5
6         Reviewed by Filip Pizlo.
7
8         * stress/incomplete-unicode-locale.js: Added.
9         (catch):
10
11 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
12
13         Add SetCallee as DFG-Operation
14         https://bugs.webkit.org/show_bug.cgi?id=184582
15
16         Reviewed by Filip Pizlo.
17
18         Added test that runs into infinite loop without updating the callee and
19         therefore emitting SetCallee in DFG for recursive tail calls.
20
21         * stress/closure-recursive-tail-call-infinite-loop.js: Added.
22         (Foo):
23         (second):
24         (first):
25         (return.closure):
26         (createClosure):
27
28 2018-04-30  Saam Barati  <sbarati@apple.com>
29
30         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
31         https://bugs.webkit.org/show_bug.cgi?id=185149
32         <rdar://problem/39455917>
33
34         Reviewed by Filip Pizlo.
35
36         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
37
38 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
39
40         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
41         https://bugs.webkit.org/show_bug.cgi?id=185126
42
43         Reviewed by Saam Barati.
44         
45         I found this bug by accident when I was writing this test for something else.
46         
47         This change also speeds up other benchmarks of this case that we already had. They are all called
48         the licm-dragons tests.
49
50         * microbenchmarks/licm-dragons-two-structures.js: Added.
51         (foo):
52
53 2018-04-29  Commit Queue  <commit-queue@webkit.org>
54
55         Unreviewed, rolling out r231137.
56         https://bugs.webkit.org/show_bug.cgi?id=185118
57
58         It is breaking Test262 language/expressions/multiplication
59         /order-of-evaluation.js (Requested by caiolima on #webkit).
60
61         Reverted changeset:
62
63         "[ESNext][BigInt] Implement support for "*" operation"
64         https://bugs.webkit.org/show_bug.cgi?id=183721
65         https://trac.webkit.org/changeset/231137
66
67 2018-04-28  Saam Barati  <sbarati@apple.com>
68
69         We don't model regexp effects properly
70         https://bugs.webkit.org/show_bug.cgi?id=185059
71         <rdar://problem/39736150>
72
73         Reviewed by Filip Pizlo.
74
75         * stress/regexp-exec-test-effectful-last-index.js: Added.
76         (assert):
77         (foo):
78         (i.regexLastIndex.toString):
79         (bar):
80
81 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
82
83         Token misspelled "tocken" in error message string
84         https://bugs.webkit.org/show_bug.cgi?id=185030
85
86         Reviewed by Saam Barati.
87
88         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
89         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
90         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
91         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
92         (testSyntaxError.String.raw.v):
93         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
94         (testSyntaxError.String.raw.a):
95
96 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
97
98         [ESNext][BigInt] Implement support for "*" operation
99         https://bugs.webkit.org/show_bug.cgi?id=183721
100
101         Reviewed by Saam Barati.
102
103         * bigIntTests.yaml:
104         * stress/big-int-mul-jit.js: Added.
105         * stress/big-int-mul-to-primitive-precedence.js: Added.
106         * stress/big-int-mul-to-primitive.js: Added.
107         * stress/big-int-mul-type-error.js: Added.
108         * stress/big-int-mul-wrapped-value.js: Added.
109         * stress/big-int-multiplication.js: Added.
110         * stress/big-int-multiply-memory-stress.js: Added.
111
112 2018-04-28  Commit Queue  <commit-queue@webkit.org>
113
114         Unreviewed, rolling out r231131.
115         https://bugs.webkit.org/show_bug.cgi?id=185112
116
117         It is breaking Debug build due to unchecked exception
118         (Requested by caiolima on #webkit).
119
120         Reverted changeset:
121
122         "[ESNext][BigInt] Implement support for "*" operation"
123         https://bugs.webkit.org/show_bug.cgi?id=183721
124         https://trac.webkit.org/changeset/231131
125
126 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
127
128         [ESNext][BigInt] Implement support for "*" operation
129         https://bugs.webkit.org/show_bug.cgi?id=183721
130
131         Reviewed by Saam Barati.
132
133         * bigIntTests.yaml:
134         * stress/big-int-mul-jit.js: Added.
135         * stress/big-int-mul-to-primitive-precedence.js: Added.
136         * stress/big-int-mul-to-primitive.js: Added.
137         * stress/big-int-mul-type-error.js: Added.
138         * stress/big-int-mul-wrapped-value.js: Added.
139         * stress/big-int-multiplication.js: Added.
140         * stress/big-int-multiply-memory-stress.js: Added.
141
142 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
143
144         Unreviewed, rolling out r231086.
145
146         Caused JSC test failures due to an unchecked exception.
147
148         Reverted changeset:
149
150         "[ESNext][BigInt] Implement support for "*" operation"
151         https://bugs.webkit.org/show_bug.cgi?id=183721
152         https://trac.webkit.org/changeset/231086
153
154 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
155
156         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
157
158         * test262.yaml: Mark tests as passing.
159
160 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
161
162         [ESNext][BigInt] Implement support for "*" operation
163         https://bugs.webkit.org/show_bug.cgi?id=183721
164
165         Reviewed by Saam Barati.
166
167         * bigIntTests.yaml:
168         * stress/big-int-mul-jit.js: Added.
169         * stress/big-int-mul-to-primitive-precedence.js: Added.
170         * stress/big-int-mul-to-primitive.js: Added.
171         * stress/big-int-mul-type-error.js: Added.
172         * stress/big-int-mul-wrapped-value.js: Added.
173         * stress/big-int-multiplication.js: Added.
174         * stress/big-int-multiply-memory-stress.js: Added.
175
176 2018-04-25  Robin Morisset  <rmorisset@apple.com>
177
178         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
179         https://bugs.webkit.org/show_bug.cgi?id=184773
180         <rdar://problem/37773612>
181
182         Reviewed by Filip Pizlo.
183
184         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
185         so I decided to add it to the stress tests nonetheless.
186
187         * stress/create-rest-while-having-a-bad-time.js: Added.
188         (f):
189         (g):
190         (h):
191
192 2018-04-25  Keith Miller  <keith_miller@apple.com>
193
194         Add missing scope release to functionProtoFuncToString
195         https://bugs.webkit.org/show_bug.cgi?id=184995
196
197         Reviewed by Saam Barati.
198
199         * stress/function-toString-arrow.js: Added.
200         (async):
201
202 2018-04-24  Keith Miller  <keith_miller@apple.com>
203
204         fromCharCode is missing some exception checks
205         https://bugs.webkit.org/show_bug.cgi?id=184952
206
207         Reviewed by Saam Barati.
208
209         * stress/fromCharCode-exception-check.js: Added.
210         (get catch):
211
212 2018-04-24  Mark Lam  <mark.lam@apple.com>
213
214         Gardening: test fix after r230863.
215         https://bugs.webkit.org/show_bug.cgi?id=184846
216         <rdar://problem/39390672>
217
218         Not reviewed.
219
220         * stress/json-stringified-overflow-2.js:
221         (catch):
222         * stress/json-stringified-overflow.js:
223         (catch):
224
225 2018-04-20  JF Bastien  <jfbastien@apple.com>
226
227         Handle more JSON stringify OOM
228         https://bugs.webkit.org/show_bug.cgi?id=184846
229         <rdar://problem/39390672>
230
231         Reviewed by Mark Lam.
232
233         * stress/json-stringified-overflow-2.js: Added. Same as the one
234         below, but with a bigger input which will trigger a different code
235         path.
236         (catch):
237         * stress/json-stringified-overflow.js: Modify the test to only
238         catch OOM on stringification. not on string creation.
239
240 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
241
242         [WebAssembly][Modules] Import tables in wasm modules
243         https://bugs.webkit.org/show_bug.cgi?id=184738
244
245         Reviewed by JF Bastien.
246
247         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
248         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
249         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
250         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
251         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
252         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
253         * wasm/modules/wasm-imports-wasm-exports.js:
254         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
255         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
256         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
257         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
258
259 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
260
261         [WebAssembly][Modules] Import globals from wasm modules
262         https://bugs.webkit.org/show_bug.cgi?id=184736
263
264         Reviewed by JF Bastien.
265
266         * wasm.yaml:
267         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
268         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
269         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
270         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
271         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
272         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
273         * wasm/modules/wasm-imports-wasm-exports.js:
274         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
275         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
276         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
277         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
278
279 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
280
281         Unreviewed, reland r230697, r230720, and r230724.
282         https://bugs.webkit.org/show_bug.cgi?id=184600
283
284         * wasm.yaml:
285         * wasm/modules/constant.wasm: Added.
286         * wasm/modules/constant.wat: Added.
287         * wasm/modules/default-import-star-error.js: Added.
288         (then):
289         * wasm/modules/default-import-star-error/entry.wasm: Added.
290         * wasm/modules/default-import-star-error/entry.wat: Added.
291         * wasm/modules/default-import-star-error/t0.js: Added.
292         * wasm/modules/default-import-star-error/t1.js: Added.
293         * wasm/modules/default-import-star-error/t2.js: Added.
294         (export.default.Cocoa):
295         * wasm/modules/js-wasm-cycle.js: Added.
296         * wasm/modules/js-wasm-cycle/entry.js: Added.
297         (from.string_appeared_here.export.return42):
298         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
299         * wasm/modules/js-wasm-cycle/sum.wat: Added.
300         * wasm/modules/js-wasm-function-namespace.js: Added.
301         (assert.throws):
302         * wasm/modules/js-wasm-function.js: Added.
303         (assert.throws):
304         * wasm/modules/js-wasm-global-namespace.js: Added.
305         (assert.throws):
306         * wasm/modules/js-wasm-global.js: Added.
307         (assert.throws):
308         * wasm/modules/js-wasm-memory-namespace.js: Added.
309         (assert.throws):
310         * wasm/modules/js-wasm-memory.js: Added.
311         (assert.throws):
312         * wasm/modules/js-wasm-start.js: Added.
313         (then):
314         * wasm/modules/js-wasm-table-namespace.js: Added.
315         (assert.throws):
316         * wasm/modules/js-wasm-table.js: Added.
317         (assert.throws):
318         * wasm/modules/memory.wasm: Added.
319         * wasm/modules/memory.wat: Added.
320         * wasm/modules/run-from-wasm.wasm: Added.
321         * wasm/modules/run-from-wasm.wat: Added.
322         * wasm/modules/run-from-wasm/check.js: Added.
323         (export.check):
324         * wasm/modules/start.wasm: Added.
325         * wasm/modules/start.wat: Added.
326         * wasm/modules/sum.wasm: Added.
327         * wasm/modules/sum.wat: Added.
328         * wasm/modules/table.wasm: Added.
329         * wasm/modules/table.wat: Added.
330         * wasm/modules/wasm-imports-js-exports.js: Added.
331         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
332         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
333         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
334         (export.sum):
335         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
336         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
337         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
338         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
339         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
340         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
341         * wasm/modules/wasm-imports-wasm-exports.js: Added.
342         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
343         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
344         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
345         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
346         * wasm/modules/wasm-js-cycle.js: Added.
347         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
348         * wasm/modules/wasm-js-cycle/entry.wat: Added.
349         * wasm/modules/wasm-js-cycle/sum.js: Added.
350         (from.string_appeared_here.export.sum):
351         * wasm/modules/wasm-wasm-cycle.js: Added.
352         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
353         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
354         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
355         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
356
357 2018-04-17  Commit Queue  <commit-queue@webkit.org>
358
359         Unreviewed, rolling out r230697, r230720, and r230724.
360         https://bugs.webkit.org/show_bug.cgi?id=184717
361
362         These caused multiple failures on the Test262 testers.
363         (Requested by mlewis13 on #webkit).
364
365         Reverted changesets:
366
367         "[WebAssembly][Modules] Prototype wasm import"
368         https://bugs.webkit.org/show_bug.cgi?id=184600
369         https://trac.webkit.org/changeset/230697
370
371         "[WebAssembly][Modules] Implement function import from wasm
372         modules"
373         https://bugs.webkit.org/show_bug.cgi?id=184689
374         https://trac.webkit.org/changeset/230720
375
376         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
377         https://bugs.webkit.org/show_bug.cgi?id=184703
378         https://trac.webkit.org/changeset/230724
379
380 2018-04-17  JF Bastien  <jfbastien@apple.com>
381
382         A put is not an ExistingProperty put when we transition a structure because of an attributes change
383         https://bugs.webkit.org/show_bug.cgi?id=184706
384         <rdar://problem/38871451>
385
386         Reviewed by Saam Barati.
387
388         * stress/put-by-id-direct-strict-transition.js: Added.
389         (const.foo):
390         (j.const.obj.set hello):
391         * stress/put-by-id-direct-transition.js: Added.
392         (const.foo):
393         (j.const.obj.set hello):
394         * stress/put-getter-setter-by-id-strict-transition.js: Added.
395         (const.foo):
396         (j.const.obj.set hello):
397         * stress/put-getter-setter-by-id-transition.js: Added.
398         (const.foo):
399         (j.const.obj.set hello):
400
401 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
402
403         PutStackSinkingPhase should know that KillStack means ConflictingFlush
404         https://bugs.webkit.org/show_bug.cgi?id=184672
405
406         Reviewed by Michael Saboff.
407
408         * stress/sink-put-stack-over-kill-stack.js: Added.
409         (avocado_1):
410         (apricot_0):
411         (__c_0):
412         (banana_2):
413
414 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
415
416         [JSC] Rename runWebAssembly to runWebAssemblySuite
417         https://bugs.webkit.org/show_bug.cgi?id=184703
418
419         Reviewed by JF Bastien.
420
421         And add runWebAssembly as a command to simplely run wasm modules.
422
423         * wasm.yaml:
424
425 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
426
427         [WebAssembly][Modules] Implement function import from wasm modules
428         https://bugs.webkit.org/show_bug.cgi?id=184689
429
430         Reviewed by JF Bastien.
431
432         * wasm.yaml:
433         * wasm/modules/js-wasm-cycle.js: Added.
434         * wasm/modules/js-wasm-cycle/entry.js: Added.
435         (from.string_appeared_here.export.return42):
436         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
437         * wasm/modules/js-wasm-cycle/sum.wat: Added.
438         * wasm/modules/run-from-wasm.wasm: Added.
439         * wasm/modules/run-from-wasm.wat: Added.
440         * wasm/modules/run-from-wasm/check.js: Added.
441         (export.check):
442         * wasm/modules/wasm-imports-js-exports.js: Added.
443         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
444         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
445         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
446         (export.sum):
447         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
448         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
449         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
450         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
451         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
452         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
453         * wasm/modules/wasm-imports-wasm-exports.js: Added.
454         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
455         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
456         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
457         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
458         * wasm/modules/wasm-js-cycle.js: Added.
459         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
460         * wasm/modules/wasm-js-cycle/entry.wat: Added.
461         * wasm/modules/wasm-js-cycle/sum.js: Added.
462         (from.string_appeared_here.export.sum):
463         * wasm/modules/wasm-wasm-cycle.js: Added.
464         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
465         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
466         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
467         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
468
469 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
470
471         [WebAssembly][Modules] Prototype wasm import
472         https://bugs.webkit.org/show_bug.cgi?id=184600
473
474         Reviewed by JF Bastien.
475
476         Add wasm and wat files since module loader want to load wasm files from FS.
477         Currently, importing the other modules from wasm is not supported.
478
479         * wasm.yaml:
480         * wasm/modules/constant.wasm: Added.
481         * wasm/modules/constant.wat: Added.
482         * wasm/modules/js-wasm-function-namespace.js: Added.
483         (assert.throws):
484         * wasm/modules/js-wasm-function.js: Added.
485         (assert.throws):
486         * wasm/modules/js-wasm-global-namespace.js: Added.
487         (assert.throws):
488         * wasm/modules/js-wasm-global.js: Added.
489         (assert.throws):
490         * wasm/modules/js-wasm-memory-namespace.js: Added.
491         (assert.throws):
492         * wasm/modules/js-wasm-memory.js: Added.
493         (assert.throws):
494         * wasm/modules/js-wasm-start.js: Added.
495         (then):
496         * wasm/modules/js-wasm-table-namespace.js: Added.
497         (assert.throws):
498         * wasm/modules/js-wasm-table.js: Added.
499         (assert.throws):
500         * wasm/modules/memory.wasm: Added.
501         * wasm/modules/memory.wat: Added.
502         * wasm/modules/start.wasm: Added.
503         * wasm/modules/start.wat: Added.
504         * wasm/modules/sum.wasm: Added.
505         * wasm/modules/sum.wat: Added.
506         * wasm/modules/table.wasm: Added.
507         * wasm/modules/table.wat: Added.
508
509 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
510
511         Function.prototype.caller shouldn't return generator bodies
512         https://bugs.webkit.org/show_bug.cgi?id=184630
513
514         Reviewed by Yusuke Suzuki.
515
516         * stress/function-caller-async-arrow-function-body.js: Added.
517         * stress/function-caller-async-function-body.js: Added.
518         * stress/function-caller-async-generator-body.js: Added.
519         * stress/function-caller-generator-body.js: Added.
520         * stress/function-caller-generator-method-body.js: Added.
521
522 2018-04-12  Tomas Popela  <tpopela@redhat.com>
523
524         Unreviewed, skip JIT tests if it isn't enabled
525
526         See https://bugs.webkit.org/show_bug.cgi?id=182730.
527
528         * stress/big-int-spec-to-primitive.js:
529         * stress/big-int-spec-to-this.js:
530
531 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
532
533         [ESNext][BigInt] Add support for BigInt in SpeculatedType
534         https://bugs.webkit.org/show_bug.cgi?id=182470
535
536         Reviewed by Saam Barati.
537
538         * stress/big-int-spec-to-primitive.js: Added.
539         * stress/big-int-spec-to-this.js: Added.
540         * stress/big-int-strict-equals-jit.js: Added.
541         * stress/big-int-strict-spec-to-this.js: Added.
542         * stress/big-int-type-of-proven-type.js: Added.
543
544 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
545
546         DFG AI and clobberize should agree with each other
547         https://bugs.webkit.org/show_bug.cgi?id=184440
548
549         Reviewed by Saam Barati.
550         
551         Add tests for all of the bugs I fixed.
552
553         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
554         (foo):
555         * stress/new-typed-array-cse-effects.js: Added.
556         (foo):
557         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
558         (foo.theO):
559         (foo):
560         * stress/string-from-char-code-change-structure-not-dead.js: Added.
561         (foo):
562         (i.valueOf):
563         (weirdValue.valueOf):
564         * stress/string-from-char-code-change-structure.js: Added.
565         (foo):
566         (i.valueOf):
567         (weirdValue.valueOf):
568
569 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
570
571         Fix errant Test262 files CRLF to LF for consistency with the original source
572         https://bugs.webkit.org/show_bug.cgi?id=184425
573
574         Reviewed by Yusuke Suzuki.
575
576         * test262/test/built-ins/Math/acosh/nan-returns.js:
577         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
578         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
579         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
580         * test262/test/built-ins/Math/cbrt/prop-desc.js:
581         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
582         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
583         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
584         * test262/test/built-ins/Math/log2/log2-basicTests.js:
585         * test262/test/built-ins/Math/sign/sign-specialVals.js:
586         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
587         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
588         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
589         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
590
591 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
592
593         Unreviewed, remove incorrect entry in test262.yaml
594         https://bugs.webkit.org/show_bug.cgi?id=184266
595
596         * test262.yaml:
597
598 2018-04-08  Valerie Young  <valerie@bocoup.com>
599
600         [JSC] Update Test262 to April 6 version
601         https://bugs.webkit.org/show_bug.cgi?id=184266
602
603         Rubber stamped by Yusuke Suzuki.
604
605 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
606
607         [JSC] Introduce op_get_by_id_direct
608         https://bugs.webkit.org/show_bug.cgi?id=183970
609
610         Reviewed by Filip Pizlo.
611
612         * stress/generator-prototype-copy.js: Added.
613         (gen):
614         (catch):
615         Adopted JF's tests.
616
617         * stress/generator-type-check.js: Added.
618         (shouldThrow):
619         (foo2):
620         (i.shouldThrow):
621         * stress/get-by-id-direct-getter.js: Added.
622         (shouldBe):
623         (shouldThrow):
624         (obj.get hello):
625         (builtin.createBuiltin):
626         (obj2.get length):
627         * stress/get-by-id-direct.js: Added.
628         (shouldBe):
629         (shouldThrow):
630         (builtin.createBuiltin):
631         * test262.yaml:
632         We fixed long-standing spec compatibility issue.
633         As a result, this patch makes several test262 tests passed!
634
635
636 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
637
638         Unreviewed, annotate test with @skip if $memoryLimited
639         https://bugs.webkit.org/show_bug.cgi?id=183894
640
641         * stress/json-stringified-overflow.js:
642
643 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
644
645         Add svn:eol-style to line-terminator-normalisation-CR.js
646         https://bugs.webkit.org/show_bug.cgi?id=184341
647
648         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
649
650 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
651
652         Unreviewed, remove errant LF from existing test262 test for CR line endings.
653
654         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
655
656 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
657
658         Unreviewed, rolling out r230320.
659
660         Revert fix, as the root cause lies elsewhere.
661
662         Reverted changeset:
663
664         "[test262] Mark line-terminator-normalisation-CR.js as a
665         binary file."
666         https://bugs.webkit.org/show_bug.cgi?id=184341
667         https://trac.webkit.org/changeset/230320
668
669 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
670
671         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
672         https://bugs.webkit.org/show_bug.cgi?id=184341
673
674         Reviewed by Yusuke Suzuki.
675
676         This test is all about CR line endings, but `svn-apply` can't deal with them.
677         Treating the file as binary ensures that its contents never are never shown in a diff.
678
679         * .gitattributes: Added.
680
681 2018-04-05  Robin Morisset  <rmorisset@apple.com>
682
683         Fix testcase (missing try/catch).
684         https://bugs.webkit.org/show_bug.cgi?id=183657
685
686         Unreviewed.
687
688         * stress/large-unshift-splice.js
689
690 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
691
692         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
693         https://bugs.webkit.org/show_bug.cgi?id=184319
694
695         Reviewed by Saam Barati.
696
697         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
698         (foo):
699         (bar):
700         * stress/array-push-nan-to-double-array.js: Added.
701         (foo):
702         (bar):
703
704 2018-04-03  Mark Lam  <mark.lam@apple.com>
705
706         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
707         https://bugs.webkit.org/show_bug.cgi?id=184284
708
709         Reviewed by Saam Barati.
710
711         * stress/js-fixed-array-out-of-memory.js:
712
713 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
714
715         JSC crash in JIT code with for-of loop and Array/Set iterators
716         https://bugs.webkit.org/show_bug.cgi?id=183174
717
718         Reviewed by Saam Barati.
719
720         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
721         (foo):
722         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
723         (f):
724
725 2018-03-30  JF Bastien  <jfbastien@apple.com>
726
727         WebAssembly: support DataView compilation
728         https://bugs.webkit.org/show_bug.cgi?id=183342
729
730         Reviewed by Mark Lam.
731
732         Test WebAssembly compilation using a DataView with offset.
733
734         * wasm/regress/183342.js: Added.
735         (attempt.catch):
736
737 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
738
739         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
740         https://bugs.webkit.org/show_bug.cgi?id=184189
741
742         Reviewed by JF Bastien.
743
744         * stress/load-hole-from-scope-into-live-var.js: Added.
745         (result.eval.try.switch):
746         (catch):
747
748 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
749
750         Unreviewed, rolling out r230102.
751
752         Caused assertion failures on JSC bots.
753
754         Reverted changeset:
755
756         "A stack overflow in the parsing of a builtin (called by
757         createExecutable) cause a crash instead of a catchable js
758         exception"
759         https://bugs.webkit.org/show_bug.cgi?id=184074
760         https://trac.webkit.org/changeset/230102
761
762 2018-03-30  Robin Morisset  <rmorisset@apple.com>
763
764         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
765         https://bugs.webkit.org/show_bug.cgi?id=183812
766
767         Reviewed by Keith Miller.
768
769         * stress/inlining-unreachable-non-tail.js: Added.
770         (foo.):
771         (foo):
772
773 2018-03-30  Robin Morisset  <rmorisset@apple.com>
774
775         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
776         https://bugs.webkit.org/show_bug.cgi?id=184074
777         <rdar://problem/37165897>
778
779         Reviewed by Keith Miller.
780
781         * stress/stack-overflow-while-parsing-builtin.js: Added.
782         (f):
783
784 2018-03-30  Robin Morisset  <rmorisset@apple.com>
785
786         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
787         https://bugs.webkit.org/show_bug.cgi?id=183657
788
789         Reviewed by Keith Miller.
790
791         * stress/large-unshift-splice.js: Added.
792         (make_contig_arr):
793
794 2018-03-28  Robin Morisset  <rmorisset@apple.com>
795
796         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
797         https://bugs.webkit.org/show_bug.cgi?id=183894
798
799         Reviewed by Saam Barati.
800
801         * stress/json-stringified-overflow.js: Added.
802         (catch):
803
804 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
805
806         DFG should know that CreateThis can be effectful
807         https://bugs.webkit.org/show_bug.cgi?id=184013
808
809         Reviewed by Saam Barati.
810
811         * stress/create-this-property-change.js: Added.
812         (Foo):
813         (RealBar):
814         (get if):
815         * stress/create-this-structure-change-without-cse.js: Added.
816         (Foo):
817         (RealBar):
818         (get if):
819         * stress/create-this-structure-change.js: Added.
820         (Foo):
821         (RealBar):
822         (get if):
823
824 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
825
826         [DFG] Introduces fused compare and jump
827         https://bugs.webkit.org/show_bug.cgi?id=177100
828
829         Reviewed by Mark Lam.
830
831         * stress/fused-jeq-slow.js: Added.
832         (shouldBe):
833         (testJEQ):
834         (testJNEQB):
835         (testJEQB):
836         (testJNEQF):
837         (testJEQF):
838         * stress/fused-jeq.js: Added.
839         (shouldBe):
840         (testJEQ):
841         (testJNEQB):
842         (testJEQB):
843         (testJNEQF):
844         (testJEQF):
845         * stress/fused-jstricteq-slow.js: Added.
846         (shouldBe):
847         (testJSTRICTEQ):
848         (testJNSTRICTEQB):
849         (testJSTRICTEQB):
850         (testJNSTRICTEQF):
851         (testJSTRICTEQF):
852         * stress/fused-jstricteq.js: Added.
853         (shouldBe):
854         (testJSTRICTEQ):
855         (testJNSTRICTEQB):
856         (testJSTRICTEQB):
857         (testJNSTRICTEQF):
858         (testJSTRICTEQF):
859
860 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
861
862         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
863         https://bugs.webkit.org/show_bug.cgi?id=183559
864
865         Reviewed by Mark Lam.
866
867         * stress/double-to-string-in-loop-removed.js: Added.
868         (test):
869         * stress/int32-to-string-in-loop-removed.js: Added.
870         (test):
871         * stress/int52-to-string-in-loop-removed.js: Added.
872         (test):
873
874 2018-03-22  Michael Saboff  <msaboff@apple.com>
875
876         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
877         https://bugs.webkit.org/show_bug.cgi?id=183901
878
879         Reviewed by Keith Miller.
880
881         New test.
882
883         * stress/array-reverse-doesnt-clobber.js: Added.
884         (testArrayReverse):
885         (createArrayOfArrays):
886         (createArrayStorage):
887
888 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
889
890         ScopedArguments should do poisoning and index masking
891         https://bugs.webkit.org/show_bug.cgi?id=183863
892
893         Reviewed by Mark Lam.
894         
895         Adds another stress test of scoped arguments.
896
897         * stress/scoped-arguments-test.js: Added.
898         (foo):
899
900 2018-03-20  Saam Barati  <sbarati@apple.com>
901
902         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
903         https://bugs.webkit.org/show_bug.cgi?id=183795
904         <rdar://problem/38298694>
905
906         Reviewed by JF Bastien.
907
908         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
909         (foo):
910         (bar):
911
912 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
913
914         [DFG][FTL] Add vectorLengthHint for NewArray
915         https://bugs.webkit.org/show_bug.cgi?id=183694
916
917         Reviewed by Saam Barati.
918
919         * stress/vector-length-hint-array-constructor.js: Added.
920         (shouldBe):
921         (test):
922         * stress/vector-length-hint-new-array.js: Added.
923         (shouldBe):
924         (test):
925
926 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
927
928         [DFG][FTL] Make ArraySlice(0) code tight
929         https://bugs.webkit.org/show_bug.cgi?id=183590
930
931         Reviewed by Saam Barati.
932
933         * stress/array-slice-with-zero.js: Added.
934         (shouldBe):
935         (test):
936         (test2):
937         * stress/array-slice-zero-args.js: Added.
938         (shouldBe):
939         (test):
940
941 2018-03-14  Caitlin Potter  <caitp@igalia.com>
942
943         [JSC] fix order of evaluation for ClassDefinitionEvaluation
944         https://bugs.webkit.org/show_bug.cgi?id=183523
945
946         Reviewed by Keith Miller.
947
948         Computed property names need to be evaluated in source order during class
949         definition evaluation, as it's observable (and specified to work this way).
950
951         This change improves compatibility with Chromium.
952
953         * stress/class_elements.js: Added.
954         (test):
955         (test.C.prototype.effect):
956         (test.C.effect):
957         (test.C.prototype.get effect):
958         (test.C.prototype.set effect):
959         (test.C):
960
961 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
962
963         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
964         https://bugs.webkit.org/show_bug.cgi?id=183310
965
966         Reviewed by Filip Pizlo.
967
968         * stress/ai-create-this-to-new-object-fire.js: Added.
969         (assert):
970         (test):
971         (func):
972         (check):
973         (test.body.A):
974         (test.body.B):
975         (test.body):
976         * stress/ai-create-this-to-new-object.js: Added.
977         (assert):
978         (test):
979         (func):
980         (check):
981         (test.body.A):
982         (test.body.B):
983         (test.body):
984
985 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
986
987         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
988         https://bugs.webkit.org/show_bug.cgi?id=181848
989
990         Reviewed by Sam Weinig.
991
992         * microbenchmarks/regexp-u-global-es5.js: Added.
993         (fn):
994         * microbenchmarks/regexp-u-global-es6.js: Added.
995         (fn):
996         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
997         (shouldBe):
998         (test):
999         (i.switch):
1000         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
1001         (shouldBe):
1002         (test):
1003
1004 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
1005
1006         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
1007         https://bugs.webkit.org/show_bug.cgi?id=183334
1008
1009         Reviewed by Žan Doberšek.
1010
1011         * stress/var-injection-cache-invalidation.js:
1012
1013 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1014
1015         [ARM] Disable tests that run out of memory
1016         https://bugs.webkit.org/show_bug.cgi?id=182699
1017
1018         Reviewed by Žan Doberšek.
1019
1020         Skip tests that run of of memory. Do not run
1021         modules/module-jit-reachability.js without LLInt to prevent
1022         running out of executable memory.
1023
1024         * modules.yaml:
1025         * modules/module-jit-reachability.js:
1026         * stress/has-own-property-name-cache-string-keys.js:
1027         * stress/has-own-property-name-cache-symbol-keys.js:
1028
1029 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1030
1031         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1032         https://bugs.webkit.org/show_bug.cgi?id=183173
1033
1034         Reviewed by Saam Barati.
1035
1036         * stress/async-arrow-function-in-class-heritage.js: Added.
1037         (testSyntax):
1038         (testSyntaxError):
1039         (SyntaxError):
1040
1041 2018-03-01  Saam Barati  <sbarati@apple.com>
1042
1043         We need to clear cached structures when having a bad time
1044         https://bugs.webkit.org/show_bug.cgi?id=183256
1045         <rdar://problem/36245022>
1046
1047         Reviewed by Mark Lam.
1048
1049         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1050         (assert):
1051         (defineSetter):
1052         (iterate):
1053         (doSlice):
1054
1055 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1056
1057         JSC crash with `import("")`
1058         https://bugs.webkit.org/show_bug.cgi?id=183175
1059
1060         Reviewed by Saam Barati.
1061
1062         * stress/import-with-empty-string.js: Added.
1063
1064 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1065
1066         Unreviewed, skip FTL tests if FTL is disabled
1067         https://bugs.webkit.org/show_bug.cgi?id=183071
1068
1069         * stress/has-indexed-property-array-storage-ftl.js:
1070         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1071
1072 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1073
1074         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1075         https://bugs.webkit.org/show_bug.cgi?id=182965
1076
1077         Reviewed by Saam Barati.
1078
1079         * stress/put-by-val-array-storage.js: Added.
1080         (shouldBe):
1081         (testArrayStorageInBounds):
1082         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1083         (shouldBe):
1084         (testInt32.createBuiltin):
1085         (set for):
1086         * stress/put-by-val-slow-put-array-storage.js: Added.
1087         (shouldBe):
1088         (testArrayStorageInBounds):
1089
1090 2018-02-26  Saam Barati  <sbarati@apple.com>
1091
1092         validateStackAccess should not validate if the offset is within the stack bounds
1093         https://bugs.webkit.org/show_bug.cgi?id=183067
1094         <rdar://problem/37749988>
1095
1096         Reviewed by Mark Lam.
1097
1098         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1099         (assert):
1100         (test.a):
1101         (test.b):
1102         (test):
1103
1104 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1105
1106         Unreviewed, skip FTL tests if FTL is disabled
1107         https://bugs.webkit.org/show_bug.cgi?id=183071
1108
1109         * stress/has-indexed-property-array-storage-ftl.js:
1110         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1111
1112 2018-02-23  Saam Barati  <sbarati@apple.com>
1113
1114         Make Number.isInteger an intrinsic
1115         https://bugs.webkit.org/show_bug.cgi?id=183088
1116
1117         Reviewed by JF Bastien.
1118
1119         * stress/number-is-integer-intrinsic.js: Added.
1120
1121 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1122
1123         WebAssembly: cache memory address / size on instance
1124         https://bugs.webkit.org/show_bug.cgi?id=177305
1125
1126         Reviewed by JF Bastien.
1127
1128         * wasm/function-tests/memory-reuse.js: Added.
1129         (createWasmInstance):
1130         (doCheckTrap):
1131         (doMemoryGrow):
1132         (doCheck):
1133         (checkWasmInstancesWithSharedMemory):
1134
1135 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1136
1137         [JSC] Implement $vm.ftlTrue function for FTL testing
1138         https://bugs.webkit.org/show_bug.cgi?id=183071
1139
1140         Reviewed by Mark Lam.
1141
1142         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1143         (foo):
1144         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1145         (foo):
1146         * stress/dead-fiat-value-to-int52.js:
1147         (foo):
1148         * stress/dead-osr-entry-value.js:
1149         (foo):
1150         * stress/fiat-value-to-int52-then-exit-not-double.js:
1151         (foo):
1152         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1153         (foo):
1154         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1155         (foo):
1156         * stress/fiat-value-to-int52-then-fold.js:
1157         (foo):
1158         * stress/fiat-value-to-int52.js:
1159         (foo):
1160         * stress/fold-based-on-int32-proof-mul-branch.js:
1161         (foo):
1162         * stress/fold-profiled-call-to-call.js:
1163         (foo):
1164         * stress/fold-to-double-constant-then-exit.js:
1165         (foo):
1166         * stress/fold-to-int52-constant-then-exit.js:
1167         (foo):
1168         * stress/fold-to-primitive-in-cfa.js:
1169         (foo):
1170         * stress/fold-to-primitive-to-identity-in-cfa.js:
1171         (foo):
1172         * stress/has-indexed-property-array-storage-ftl.js: Added.
1173         (shouldBe):
1174         (test1):
1175         (test2):
1176         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1177         (shouldBe):
1178         (test1):
1179         (test2):
1180         * stress/int52-ai-add-then-filter-int32.js:
1181         (foo):
1182         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1183         (foo):
1184         * stress/int52-ai-mul-then-filter-int32.js:
1185         (foo):
1186         * stress/int52-ai-neg-then-filter-int32.js:
1187         (foo):
1188         * stress/int52-ai-sub-then-filter-int32.js:
1189         (foo):
1190         * stress/licm-pre-header-cannot-exit-nested.js:
1191         (foo):
1192         * stress/licm-pre-header-cannot-exit.js:
1193         (foo):
1194         * stress/sparse-array-entry-update-144067.js:
1195         (useMemoryToTriggerGCs):
1196         * stress/test-spec-misc.js:
1197         (foo):
1198         * stress/tricky-array-bounds-checks.js:
1199         (foo):
1200
1201 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1202
1203         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1204         https://bugs.webkit.org/show_bug.cgi?id=182792
1205
1206         Reviewed by Mark Lam.
1207
1208         * stress/has-indexed-property-array-storage.js: Added.
1209         (shouldBe):
1210         (test1):
1211         (test2):
1212         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1213         (shouldBe):
1214         (test1):
1215         (test2):
1216
1217 2018-02-20  Saam Barati  <sbarati@apple.com>
1218
1219         DFG::VarargsForwardingPhase should eliminate getting argument length
1220         https://bugs.webkit.org/show_bug.cgi?id=182959
1221
1222         Reviewed by Keith Miller.
1223
1224         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1225
1226 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1227
1228         [FTL] Support ArrayPush for ArrayStorage
1229         https://bugs.webkit.org/show_bug.cgi?id=182782
1230
1231         Reviewed by Saam Barati.
1232
1233         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1234
1235         * stress/array-push-array-storage-beyond-int32.js: Added.
1236         (shouldBe):
1237         (test):
1238         * stress/array-push-array-storage.js: Added.
1239         (shouldBe):
1240         (test):
1241         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1242         (shouldBe):
1243         (test):
1244         * stress/array-push-multiple-storage-continuous.js: Added.
1245         (shouldBe):
1246         (test):
1247
1248 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [FTL] Support ArrayPop for ArrayStorage
1251         https://bugs.webkit.org/show_bug.cgi?id=182783
1252
1253         Reviewed by Saam Barati.
1254
1255         * stress/array-pop-array-storage.js: Added.
1256         (shouldBe):
1257         (test):
1258
1259 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1260
1261         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1262         https://bugs.webkit.org/show_bug.cgi?id=182731
1263
1264         Reviewed by Saam Barati.
1265
1266         * stress/arrayify-array-storage-array.js: Added.
1267         (shouldBe):
1268         (testArrayStorage):
1269         * stress/arrayify-array-storage-non-array.js: Added.
1270         (shouldBe):
1271         (testArrayStorage):
1272         * stress/arrayify-array-storage.js: Added.
1273         (shouldBe):
1274         (testArrayStorage):
1275         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1276         (shouldBe):
1277         (testArrayStorage):
1278         * stress/arrayify-slow-put-array-storage.js: Added.
1279         (shouldBe):
1280         (testArrayStorage):
1281
1282 2018-02-19  Saam Barati  <sbarati@apple.com>
1283
1284         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1285         https://bugs.webkit.org/show_bug.cgi?id=182942
1286         <rdar://problem/37584764>
1287
1288         Reviewed by Mark Lam.
1289
1290         * stress/get-prototype-create-this-effectful.js: Added.
1291
1292 2018-02-16  Saam Barati  <sbarati@apple.com>
1293
1294         Fix bugs from r228411
1295         https://bugs.webkit.org/show_bug.cgi?id=182851
1296         <rdar://problem/37577732>
1297
1298         Reviewed by JF Bastien.
1299
1300         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1301
1302 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1303
1304         Unreviewed, roll out r228366 since it did not progress anything.
1305
1306         * stress/gc-error-stack.js: Removed.
1307         * stress/no-gc-error-stack.js: Removed.
1308
1309 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1310
1311         Many stress tests fail with JIT disabled
1312         https://bugs.webkit.org/show_bug.cgi?id=182730
1313
1314         Reviewed by Saam Barati.
1315
1316         These tests are broken by design if the JIT is disabled - they test
1317         the return value of numberOfDFGCompiles(), which is always set to
1318         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1319
1320         * stress/arith-abs-on-various-types.js:
1321         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1322         * stress/arith-acos-on-various-types.js:
1323         * stress/arith-acosh-on-various-types.js:
1324         * stress/arith-asin-on-various-types.js:
1325         * stress/arith-asinh-on-various-types.js:
1326         * stress/arith-atan-on-various-types.js:
1327         * stress/arith-atanh-on-various-types.js:
1328         * stress/arith-cbrt-on-various-types.js:
1329         * stress/arith-ceil-on-various-types.js:
1330         * stress/arith-clz32-on-various-types.js:
1331         * stress/arith-cos-on-various-types.js:
1332         * stress/arith-cosh-on-various-types.js:
1333         * stress/arith-expm1-on-various-types.js:
1334         * stress/arith-floor-on-various-types.js:
1335         * stress/arith-fround-on-various-types.js:
1336         * stress/arith-log-on-various-types.js:
1337         * stress/arith-log10-on-various-types.js:
1338         * stress/arith-log2-on-various-types.js:
1339         * stress/arith-negate-on-various-types.js:
1340         * stress/arith-round-on-various-types.js:
1341         * stress/arith-sin-on-various-types.js:
1342         * stress/arith-sinh-on-various-types.js:
1343         * stress/arith-sqrt-on-various-types.js:
1344         * stress/arith-tan-on-various-types.js:
1345         * stress/arith-tanh-on-various-types.js:
1346         * stress/arith-trunc-on-various-types.js:
1347         * stress/compare-strict-eq-on-various-types.js:
1348
1349 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1350
1351         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1352
1353         Unreviewed test gardening.
1354
1355         * stress/new-largeish-contiguous-array-with-size.js:
1356
1357 2018-02-14  Saam Barati  <sbarati@apple.com>
1358
1359         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1360         https://bugs.webkit.org/show_bug.cgi?id=182801
1361
1362         Reviewed by Keith Miller.
1363
1364         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1365
1366 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1367
1368         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1369         https://bugs.webkit.org/show_bug.cgi?id=182526
1370
1371         Unreviewed test gardening.
1372
1373         * stress/activation-sink-default-value-tdz-error.js:
1374
1375 2018-02-13  Saam Barati  <sbarati@apple.com>
1376
1377         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1378         https://bugs.webkit.org/show_bug.cgi?id=182755
1379         <rdar://problem/37080864>
1380
1381         Reviewed by Keith Miller.
1382
1383         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1384         (test1.o.get 10005):
1385         (test1):
1386         (test2.o.get 1000):
1387         (test2):
1388
1389 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1390
1391         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1392         https://bugs.webkit.org/show_bug.cgi?id=182717
1393
1394         Reviewed by Yusuke Suzuki.
1395
1396         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1397         literals, to allow template callsite arrays to be collected when the
1398         code containing the tagged template call is collected. This spec change
1399         has received concensus and been ratified.
1400
1401         This change eliminates the eternal map associating template contents
1402         with arrays.
1403
1404         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1405         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1406         * stress/tagged-templates-identity.js:
1407         * stress/template-string-tags-eval.js:
1408         * test262.yaml:
1409
1410 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1411
1412         Support GetArrayLength on ArrayStorage in the FTL
1413         https://bugs.webkit.org/show_bug.cgi?id=182625
1414
1415         Reviewed by Saam Barati.
1416
1417         * stress/array-storage-length.js: Added.
1418         (shouldBe):
1419         (testInBound):
1420         (testUncountable):
1421         (testSlowPutInBound):
1422         (testSlowPutUncountable):
1423         * stress/undecided-length.js: Added.
1424         (shouldBe):
1425         (test2):
1426
1427 2018-02-12  Saam Barati  <sbarati@apple.com>
1428
1429         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1430         https://bugs.webkit.org/show_bug.cgi?id=182706
1431         <rdar://problem/36833681>
1432
1433         Reviewed by Filip Pizlo.
1434
1435         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1436         (effects):
1437         (foo):
1438
1439 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1440
1441         Don't waste memory for error.stack
1442         https://bugs.webkit.org/show_bug.cgi?id=182656
1443
1444         Reviewed by Saam Barati.
1445         
1446         Tests the policy.
1447
1448         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1449         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1450
1451 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1452
1453         [JSC] Update Test262 to Feb 9 version
1454         https://bugs.webkit.org/show_bug.cgi?id=182468
1455
1456         Reviewed by Saam Barati.
1457
1458 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1459
1460         Unreviewed, fix invalid line terminator in old test262 file part 2
1461         https://bugs.webkit.org/show_bug.cgi?id=182468
1462
1463         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1464
1465 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1466
1467         Unreviewed, fix invalid line terminator in old test262 file
1468         https://bugs.webkit.org/show_bug.cgi?id=182468
1469
1470         * test262/test/language/literals/regexp/7.8.5-1.js:
1471
1472 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1473
1474         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1475         https://bugs.webkit.org/show_bug.cgi?id=182440
1476
1477         Reviewed by Darin Adler.
1478
1479         * stress/array-flatmap.js: Added.
1480         (shouldBe):
1481         (shouldBeArray):
1482         (shouldThrow):
1483         (var):
1484         * stress/array-flatten.js: Added.
1485         (shouldBe):
1486         (shouldBeArray):
1487         * test262.yaml:
1488         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1489         (3.flatMap):
1490         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1491
1492 2018-02-06  Keith Miller  <keith_miller@apple.com>
1493
1494         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1495         https://bugs.webkit.org/show_bug.cgi?id=182549
1496         <rdar://problem/36189995>
1497
1498         Reviewed by Saam Barati.
1499
1500         * stress/var-injection-cache-invalidation.js: Added.
1501         (allocateLotsOfThings):
1502         (test):
1503
1504 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1505
1506         Unreviewed, follow up for test262 update
1507         https://bugs.webkit.org/show_bug.cgi?id=182288
1508
1509         * test262.yaml:
1510
1511 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1512
1513         Update test262 to Jan 30 version
1514         https://bugs.webkit.org/show_bug.cgi?id=182288
1515
1516         Unreviewed test gardening.
1517
1518         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1519
1520 2018-02-02  Saam Barati  <sbarati@apple.com>
1521
1522         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1523         https://bugs.webkit.org/show_bug.cgi?id=182368
1524         <rdar://problem/36932466>
1525
1526         Reviewed by Mark Lam.
1527
1528         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1529         (runNearStackLimit.t):
1530         (runNearStackLimit):
1531         (try.runNearStackLimit):
1532         (catch):
1533
1534 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1535
1536         Update test262 to Jan 30 version
1537         https://bugs.webkit.org/show_bug.cgi?id=182288
1538
1539         Rubber stamped by Saam Barati.
1540
1541         This patch updates test262 to the latest one, Jan 30 version.
1542         Since added and changed files are too many, we cannot create ChangeLog.
1543         The following files are changed.
1544
1545         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1546         including some special line terminators (like u2028, u2029).
1547
1548         * test262.yaml:
1549         * test262/test262-Revision.txt:
1550         * test262/*:
1551
1552 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1553
1554         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1555         https://bugs.webkit.org/show_bug.cgi?id=182411
1556
1557         Reviewed by Carlos Alberto Lopez Perez.
1558
1559         This is skipped only on arm memory limited platforms. Until recently
1560         it was not a problem on MIPS as the butterfly was not initialized. But
1561         since r227435, the butterfly is initialized in that test and therefore
1562         memory is allocated, and the test typically takes around 512M, which
1563         means it generally gets OOM-killed on the MIPS buildbot.
1564
1565         * mozilla/mozilla-tests.yaml:
1566
1567 2018-02-01  Mark Lam  <mark.lam@apple.com>
1568
1569         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1570         https://bugs.webkit.org/show_bug.cgi?id=182419
1571         <rdar://problem/37044945>
1572
1573         Reviewed by Saam Barati.
1574
1575         * stress/regress-182419.js: Added.
1576
1577 2018-02-01  Keith Miller  <keith_miller@apple.com>
1578
1579         Fix crashes due to mishandling custom sections.
1580         https://bugs.webkit.org/show_bug.cgi?id=182404
1581         <rdar://problem/36935863>
1582
1583         Reviewed by Saam Barati.
1584
1585         * wasm/Builder.js:
1586         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1587         * wasm/js-api/validate.js:
1588         (assert.truthy):
1589
1590 2018-01-31  Saam Barati  <sbarati@apple.com>
1591
1592         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1593         https://bugs.webkit.org/show_bug.cgi?id=182074
1594         <rdar://problem/36846261>
1595
1596         Reviewed by Mark Lam.
1597
1598         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1599         (assert):
1600         (let.func):
1601         (let.o.foo):
1602         (varFunc):
1603
1604 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1605
1606         Unreviewed, update test262 expects
1607         https://bugs.webkit.org/show_bug.cgi?id=182232
1608
1609         * test262.yaml:
1610
1611 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1612
1613         [JSC] Implement trimStart and trimEnd
1614         https://bugs.webkit.org/show_bug.cgi?id=182233
1615
1616         Reviewed by Mark Lam.
1617
1618         * stress/trim.js: Added.
1619         (shouldBe):
1620         (startTest):
1621         (endTest):
1622         (trimTest):
1623
1624 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1625
1626         [JSC] Relax line terminators in String to make JSON subset of JS
1627         https://bugs.webkit.org/show_bug.cgi?id=182232
1628
1629         Reviewed by Keith Miller.
1630
1631         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1632         * stress/relaxed-line-terminators-in-string.js: Added.
1633         (shouldBe):
1634
1635 2018-01-29  Michael Saboff  <msaboff@apple.com>
1636
1637         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1638         https://bugs.webkit.org/show_bug.cgi?id=182249
1639
1640         Reviewed by Keith Miller.
1641
1642         New regression test.
1643
1644         * stress/compare-clobber-untypeduse.js: Added.
1645
1646 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1647
1648         Unreviewed, rolling out r227725.
1649
1650         This caused internal failures.
1651
1652         Reverted changeset:
1653
1654         "JSC Sampling Profiler: Detect tester and testee when sampling
1655         in RegExp JIT"
1656         https://bugs.webkit.org/show_bug.cgi?id=152729
1657         https://trac.webkit.org/changeset/227725
1658
1659 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1660
1661         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1662         https://bugs.webkit.org/show_bug.cgi?id=152729
1663
1664         Reviewed by Saam Barati.
1665
1666         * stress/sampling-profiler-regexp.js: Added.
1667         (platformSupportsSamplingProfiler.test):
1668         (platformSupportsSamplingProfiler.baz):
1669         (platformSupportsSamplingProfiler):
1670
1671 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1672
1673         [DFG][FTL] WeakMap#set should have DFG node
1674         https://bugs.webkit.org/show_bug.cgi?id=180015
1675
1676         Reviewed by Saam Barati.
1677
1678         * stress/weakmap-set-change-get.js: Added.
1679         (shouldBe):
1680         (test):
1681         * stress/weakmap-set-cse.js: Added.
1682         (shouldBe):
1683         (test):
1684         * stress/weakset-add-change-get.js: Added.
1685         (shouldBe):
1686         * stress/weakset-add-cse.js: Added.
1687         (shouldBe):
1688
1689 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1690
1691         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1692         https://bugs.webkit.org/show_bug.cgi?id=182213
1693
1694         Reviewed by Mark Lam.
1695
1696         * stress/int32-min-to-string.js: Added.
1697         (shouldBe):
1698         (test2):
1699         (test4):
1700         (test8):
1701         (test16):
1702         (test32):
1703         * stress/zero-to-string.js: Added.
1704         (shouldBe):
1705         (test2):
1706         (test4):
1707         (test8):
1708         (test16):
1709         (test32):
1710
1711 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1712
1713         Add more module scope related tests with code evaluation by string
1714         https://bugs.webkit.org/show_bug.cgi?id=181983
1715
1716         Reviewed by Sam Weinig.
1717
1718         Add more module scope related tests. When the original tests are landed,
1719         we do not have browser integration. This patch adds more module scope tests
1720         with dynamically created script evaluation. We add tests with Function
1721         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1722
1723         * modules/scopes-eval.js: Added.
1724         (shouldBe):
1725         * modules/scopes.js:
1726         (shouldBe):
1727
1728 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1729
1730         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1731
1732         * microbenchmarks/array-push-3.js: Removed.
1733         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1734         * microbenchmarks/double-to-int32.js: Removed.
1735         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1736         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1737         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1738         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1739         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1740         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1741         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1742         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1743         * microbenchmarks/map-constant-key.js: Removed.
1744         * microbenchmarks/nested-function-parsing.js: Removed.
1745         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1746         * microbenchmarks/spread-large-array.js: Removed.
1747         * microbenchmarks/string-add-constant-folding.js: Removed.
1748         * microbenchmarks/to-lower-case.js: Removed.
1749         * microbenchmarks/undefined-property-access.js: Removed.
1750         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1751         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1752         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1753         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1754         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1755         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1756         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1757         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1758         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1759         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1760         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1761         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1762         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1763         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1764         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1765         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1766         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1767         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1768
1769 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1770
1771         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1772         https://bugs.webkit.org/show_bug.cgi?id=181739
1773         <rdar://problem/36627662>
1774
1775         Reviewed by Saam Barati.
1776
1777         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1778         (foo):
1779         (bar):
1780
1781 2018-01-22  Michael Saboff  <msaboff@apple.com>
1782
1783         DFG abstract interpreter needs to properly model effects of some Math ops
1784         https://bugs.webkit.org/show_bug.cgi?id=181886
1785
1786         Reviewed by Saam Barati.
1787
1788         New regression test.
1789
1790         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1791         (test):
1792
1793 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1794
1795         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1796         https://bugs.webkit.org/show_bug.cgi?id=181182
1797
1798         Reviewed by Darin Adler.
1799
1800         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1801         * stress/big-int-prototype-to-string-exception.js: Added.
1802         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1803         * stress/number-prototype-to-string-cast-overflow.js: Added.
1804         * stress/number-prototype-to-string-exception.js: Added.
1805         * stress/number-prototype-to-string-wrong-values.js: Added.
1806
1807 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1808
1809         Disable Atomics when SharedArrayBuffer isn’t enabled
1810         https://bugs.webkit.org/show_bug.cgi?id=181572
1811
1812         Unreviewed test gardening.
1813
1814         * test262.yaml: Skip tests that fail after this change.
1815
1816 2018-01-19  Saam Barati  <sbarati@apple.com>
1817
1818         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1819         https://bugs.webkit.org/show_bug.cgi?id=181877
1820         <rdar://problem/36630552>
1821
1822         Reviewed by Mark Lam.
1823
1824         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1825         (runNearStackLimit):
1826         (f1):
1827         (f2):
1828         (f3):
1829         (i.catch):
1830         (i.try.runNearStackLimit):
1831         (catch):
1832
1833 2018-01-19  Saam Barati  <sbarati@apple.com>
1834
1835         Spread's effects are modeled incorrectly both in AI and in Clobberize
1836         https://bugs.webkit.org/show_bug.cgi?id=181867
1837         <rdar://problem/36290415>
1838
1839         Reviewed by Michael Saboff.
1840
1841         * stress/ai-needs-to-model-spreads-effects.js: Added.
1842         (try.p.Symbol.iterator):
1843         (try.go):
1844         (catch):
1845         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1846         (assert):
1847         (foo):
1848         (a.Symbol.iterator):
1849
1850 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1851
1852         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1853         https://bugs.webkit.org/show_bug.cgi?id=181535
1854
1855         * stress/inserted-recovery-with-set-last-index.js:
1856
1857 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1858
1859         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1860         https://bugs.webkit.org/show_bug.cgi?id=181535
1861
1862         Reviewed by Saam Barati.
1863
1864         * stress/inserted-recovery-with-set-last-index.js: Added.
1865         (shouldBe):
1866         (foo):
1867         * stress/materialize-regexp-at-osr-exit.js: Added.
1868         (shouldBe):
1869         (test):
1870         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1871         (shouldBe):
1872         (test):
1873         * stress/materialize-regexp-cyclic-regexp.js: Added.
1874         (shouldBe):
1875         (test):
1876         (i.switch):
1877         * stress/materialize-regexp-cyclic.js: Added.
1878         (shouldBe):
1879         (test):
1880         (i.switch):
1881         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1882         (bar):
1883         (foo):
1884         (test):
1885         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1886         (bar):
1887         (foo):
1888         (test):
1889         * stress/materialize-regexp.js: Added.
1890         (shouldBe):
1891         (test):
1892         * stress/phantom-regexp-regexp-exec.js: Added.
1893         (shouldBe):
1894         (test):
1895         * stress/phantom-regexp-string-match.js: Added.
1896         (shouldBe):
1897         (test):
1898         * stress/regexp-last-index-sinking.js: Added.
1899         (shouldBe):
1900         (test):
1901
1902 2018-01-17  Saam Barati  <sbarati@apple.com>
1903
1904         Disable Atomics when SharedArrayBuffer isn’t enabled
1905         https://bugs.webkit.org/show_bug.cgi?id=181572
1906         <rdar://problem/36553206>
1907
1908         Reviewed by Michael Saboff.
1909
1910         * stress/isLockFree.js:
1911
1912 2018-01-17  Saam Barati  <sbarati@apple.com>
1913
1914         DFG::Node::convertToConstant needs to clear the varargs flags
1915         https://bugs.webkit.org/show_bug.cgi?id=181697
1916         <rdar://problem/36497332>
1917
1918         Reviewed by Yusuke Suzuki.
1919
1920         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1921         (doIndexOf):
1922         (bar):
1923         (i.bar):
1924
1925 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1926
1927         Unreviewed, rolling out r226937.
1928
1929         Tests added with this change are failing due to a missing
1930         exception check.
1931
1932         Reverted changeset:
1933
1934         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1935         double to int32_t"
1936         https://bugs.webkit.org/show_bug.cgi?id=181182
1937         https://trac.webkit.org/changeset/226937
1938
1939 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1940
1941         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1942         https://bugs.webkit.org/show_bug.cgi?id=181182
1943
1944         Reviewed by Darin Adler.
1945
1946         * bigIntTests.yaml:
1947         * stress/big-int-constructor.js:
1948         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1949         (assert):
1950         (assertThrowRangeError):
1951         * stress/number-prototype-to-string-cast-overflow.js: Added.
1952         (assert):
1953         (assertThrowRangeError):
1954
1955 2018-01-12  Saam Barati  <sbarati@apple.com>
1956
1957         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1958         https://bugs.webkit.org/show_bug.cgi?id=181177
1959         <rdar://problem/36205704>
1960
1961         Reviewed by Yusuke Suzuki.
1962
1963         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1964         (runNearStackLimit.t):
1965         (runNearStackLimit):
1966         (test.f):
1967         (test):
1968
1969 2018-01-12  Saam Barati  <sbarati@apple.com>
1970
1971         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1972         https://bugs.webkit.org/show_bug.cgi?id=181562
1973         <rdar://problem/36445624>
1974
1975         Reviewed by Yusuke Suzuki.
1976
1977         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1978         (f):
1979         (foo):
1980
1981 2018-01-11  Saam Barati  <sbarati@apple.com>
1982
1983         When inserting Unreachable in byte code parser we need to flush all the right things
1984         https://bugs.webkit.org/show_bug.cgi?id=181509
1985         <rdar://problem/36423110>
1986
1987         Reviewed by Mark Lam.
1988
1989         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1990
1991 2018-01-11  Saam Barati  <sbarati@apple.com>
1992
1993         JITMathIC code in the FTL is wrong when code gets duplicated
1994         https://bugs.webkit.org/show_bug.cgi?id=181525
1995         <rdar://problem/36351993>
1996
1997         Reviewed by Michael Saboff and Keith Miller.
1998
1999         * stress/allow-math-ic-b3-code-duplication.js: Added.
2000
2001 2018-01-11  Saam Barati  <sbarati@apple.com>
2002
2003         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
2004         https://bugs.webkit.org/show_bug.cgi?id=181508
2005
2006         Reviewed by Yusuke Suzuki.
2007
2008         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
2009         (assert):
2010         (test1.foo):
2011         (test1):
2012         (test2.foo):
2013         (test2):
2014
2015 2018-01-09  Mark Lam  <mark.lam@apple.com>
2016
2017         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
2018         https://bugs.webkit.org/show_bug.cgi?id=181388
2019         <rdar://problem/36349351>
2020
2021         Reviewed by Saam Barati.
2022
2023         * stress/regress-181388.js: Added.
2024
2025 2018-01-08  JF Bastien  <jfbastien@apple.com>
2026
2027         WebAssembly: mask indexed accesses to Table
2028         https://bugs.webkit.org/show_bug.cgi?id=181412
2029         <rdar://problem/36363236>
2030
2031         Reviewed by Saam Barati.
2032
2033         Update error messages.
2034
2035         * wasm/js-api/table.js:
2036         (assert.throws.WebAssembly.Table.prototype.grow):
2037
2038 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2039
2040         Disable SharedArrayBuffer tests missed in r226386.
2041         https://bugs.webkit.org/show_bug.cgi?id=181266
2042
2043         Unreviewed test gardening.
2044
2045         * test262.yaml:
2046
2047 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2048
2049         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2050         https://bugs.webkit.org/show_bug.cgi?id=181321
2051
2052         Reviewed by Saam Barati.
2053
2054         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2055         (shouldBe):
2056         (testFunction):
2057         * test262.yaml:
2058
2059 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2060
2061         Unreviewed, attempt to fix test262 after r226386.
2062
2063         * test262.yaml:
2064
2065 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2066
2067         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2068         https://bugs.webkit.org/show_bug.cgi?id=179911
2069
2070         Reviewed by Saam Barati.
2071
2072         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2073
2074         * stress/map-set-change-get.js: Added.
2075         (shouldBe):
2076         (test):
2077         * stress/map-set-create-bucket.js: Added.
2078         (shouldBe):
2079         (test):
2080         * stress/set-add-create-bucket.js: Added.
2081         (shouldBe):
2082
2083 2018-01-03  Michael Saboff  <msaboff@apple.com>
2084
2085         Disable SharedArrayBuffers from Web API
2086         https://bugs.webkit.org/show_bug.cgi?id=181266
2087
2088         Reviewed by Saam Barati.
2089
2090         Disabled SharedArrayBuffer tests.
2091
2092         * stress/SharedArrayBuffer-opt.js:
2093         * stress/SharedArrayBuffer.js:
2094         * stress/array-buffer-byte-length.js:
2095         * stress/atomics-add-uint32.js:
2096         * stress/atomics-known-int-use.js:
2097         * stress/atomics-neg-zero.js:
2098         * stress/atomics-store-return.js:
2099         * stress/lars-sab-workers.js:
2100         * stress/regress-159779-1.js:
2101         * stress/regress-159779-2.js:
2102         * stress/regress-170473.js:
2103         * test262.yaml:
2104
2105 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2106
2107         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2108         https://bugs.webkit.org/show_bug.cgi?id=181258
2109
2110         Reviewed by Antonio Gomes.
2111
2112         * stress/big-int-constructor-gc.js:
2113         * stress/big-int-constructor-oom.js:
2114
2115 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2116
2117         Inlining of a function that ends in op_unreachable crashes
2118         https://bugs.webkit.org/show_bug.cgi?id=181027
2119
2120         Reviewed by Filip Pizlo.
2121
2122         * stress/inlining-unreachable.js: Added.
2123         (bar):
2124         (baz):
2125         (i.catch):
2126
2127 2018-01-02  Saam Barati  <sbarati@apple.com>
2128
2129         Incorrect assertion inside AccessCase
2130         https://bugs.webkit.org/show_bug.cgi?id=181200
2131         <rdar://problem/35494754>
2132
2133         Reviewed by Yusuke Suzuki.
2134
2135         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2136         (ctor):
2137         (theFunc):
2138         (run):
2139
2140 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2141
2142         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2143         https://bugs.webkit.org/show_bug.cgi?id=175359
2144
2145         Reviewed by Yusuke Suzuki.
2146
2147         * bigIntTests.yaml:
2148         * stress/big-int-as-key.js: Added.
2149         * stress/big-int-constructor-gc.js: Added.
2150         * stress/big-int-constructor-oom.js: Added.
2151         * stress/big-int-constructor-properties.js: Added.
2152         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2153         * stress/big-int-constructor-prototype.js: Added.
2154         * stress/big-int-constructor.js: Added.
2155         * stress/big-int-function-apply.js:
2156         * stress/big-int-length.js: Added.
2157         * stress/big-int-prop-descriptor.js: Added.
2158         * stress/big-int-proto-constructor.js: Added.
2159         * stress/big-int-proto-name.js: Added.
2160         * stress/big-int-prototype-properties.js: Added.
2161         * stress/big-int-prototype-proto.js: Added.
2162         * stress/big-int-prototype-value-of.js: Added.
2163         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2164         * stress/big-int-prototype-to-string-apply.js: Added.
2165         * stress/big-int-to-object.js: Added.
2166         * stress/big-int-to-string.js: Added.
2167
2168 2017-12-28  Saam Barati  <sbarati@apple.com>
2169
2170         Assertion used to determine if something is an async generator is wrong
2171         https://bugs.webkit.org/show_bug.cgi?id=181168
2172         <rdar://problem/35640560>
2173
2174         Reviewed by Yusuke Suzuki.
2175
2176         * stress/async-generator-assertion.js: Added.
2177
2178 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2179
2180         Skip stress/splay-flash-access tests on memory limited platforms
2181         https://bugs.webkit.org/show_bug.cgi?id=181086
2182
2183         Reviewed by Carlos Alberto Lopez Perez.
2184
2185         These tests use about 185M of memory, and occasionally get OOM-killed
2186         on memory limited platforms.
2187
2188         * stress/splay-flash-access-1ms.js:
2189         * stress/splay-flash-access.js:
2190
2191 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2192
2193         Skip slow jsc tests on embedded platforms
2194         https://bugs.webkit.org/show_bug.cgi?id=180937
2195
2196         Reviewed by Carlos Alberto Lopez Perez.
2197
2198         The tests typeProfiler/deltablue-for-of.js and
2199         typeProfiler/getter-richards.js take a very long time in the
2200         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2201         thus always timeout. They should be skipped on these platforms.
2202
2203         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2204         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2205
2206 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2207
2208         [JSC] Do not check isValid() in op_new_regexp
2209         https://bugs.webkit.org/show_bug.cgi?id=180970
2210
2211         Reviewed by Saam Barati.
2212
2213         * stress/regexp-syntax-error-invalid-flags.js: Added.
2214         (shouldThrow):
2215
2216 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2217
2218         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2219         https://bugs.webkit.org/show_bug.cgi?id=180712
2220
2221         Reviewed by Michael Catanzaro.
2222
2223         stress/call-apply-exponential-bytecode-size.js crashes if the
2224         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2225         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2226         should skip the test on other platforms.
2227
2228         * stress/call-apply-exponential-bytecode-size.js:
2229
2230 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2231
2232         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2233         https://bugs.webkit.org/show_bug.cgi?id=179762
2234
2235         Reviewed by Saam Barati.
2236
2237         * stress/call-varargs-double-new-array-buffer.js: Added.
2238         (assert):
2239         (bar):
2240         (foo):
2241         * stress/call-varargs-spread-new-array-buffer.js: Added.
2242         (assert):
2243         (bar):
2244         (foo):
2245         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2246         (assert):
2247         (bar):
2248         (foo):
2249         * stress/forward-varargs-double-new-array-buffer.js: Added.
2250         (assert):
2251         (test.baz):
2252         (test.bar):
2253         (test.foo):
2254         (test):
2255         * stress/new-array-buffer-sinking-osrexit.js: Added.
2256         (target):
2257         (test):
2258         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2259         (shouldBe):
2260         (test):
2261         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2262         (shouldBe):
2263         (target):
2264         (test):
2265         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2266         (assert):
2267         (test1.bar):
2268         (test1.foo):
2269         (test1):
2270         (test2.bar):
2271         (test2.foo):
2272         (test3.baz):
2273         (test3.bar):
2274         (test3.foo):
2275         (test4.baz):
2276         (test4.bar):
2277         (test4.foo):
2278         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2279         (assert):
2280         (test.baz):
2281         (test.bar):
2282         (test.foo):
2283         (test):
2284         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2285         (assert):
2286         (baz):
2287         (bar):
2288         (effects):
2289         (foo):
2290
2291 2017-12-14  Saam Barati  <sbarati@apple.com>
2292
2293         The CleanUp after LICM is erroneously removing a Check
2294         https://bugs.webkit.org/show_bug.cgi?id=180852
2295         <rdar://problem/36063494>
2296
2297         Reviewed by Filip Pizlo.
2298
2299         * stress/dont-run-cleanup-after-licm.js: Added.
2300
2301 2017-12-14  Michael Saboff  <msaboff@apple.com>
2302
2303         REGRESSION (r225695): Repro crash on yahoo login page
2304         https://bugs.webkit.org/show_bug.cgi?id=180761
2305
2306         Reviewed by JF Bastien.
2307
2308         New regression test.
2309
2310         * stress/regress-180761.js: Added.
2311
2312 2017-12-13  Keith Miller  <keith_miller@apple.com>
2313
2314         JSObjects should have a mask for loading indexed properties
2315         https://bugs.webkit.org/show_bug.cgi?id=180768
2316
2317         Reviewed by Mark Lam.
2318
2319         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2320         (test):
2321
2322 2017-12-13  Saam Barati  <sbarati@apple.com>
2323
2324         Arrow functions need their own structure because they have different properties than sloppy functions
2325         https://bugs.webkit.org/show_bug.cgi?id=180779
2326         <rdar://problem/35814591>
2327
2328         Reviewed by Mark Lam.
2329
2330         * stress/arrow-function-needs-its-own-structure.js: Added.
2331         (assert):
2332         (readPrototype):
2333         (noInline.let.f1):
2334         (noInline):
2335
2336 2017-12-13  Saam Barati  <sbarati@apple.com>
2337
2338         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2339         https://bugs.webkit.org/show_bug.cgi?id=163579
2340         <rdar://problem/35455798>
2341
2342         Reviewed by Mark Lam.
2343
2344         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2345         (assert):
2346         (test1):
2347         (i.test1):
2348         (i.test1.C):
2349         (i.test1.async.foo):
2350         (i.test1.foo):
2351         (test2):
2352
2353 2017-12-13  Saam Barati  <sbarati@apple.com>
2354
2355         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2356         https://bugs.webkit.org/show_bug.cgi?id=180734
2357         <rdar://problem/35640547>
2358
2359         Reviewed by Yusuke Suzuki.
2360
2361         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2362         (__isPropertyOfType):
2363         (__getProperties):
2364         (__getObjects):
2365         (__getRandomObject):
2366         (theClass.):
2367         (theClass):
2368         (childClass):
2369         (counter.catch):
2370
2371 2017-12-12  Saam Barati  <sbarati@apple.com>
2372
2373         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2374         https://bugs.webkit.org/show_bug.cgi?id=180725
2375         <rdar://problem/35970511>
2376
2377         Reviewed by Michael Saboff.
2378
2379         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2380         (f1):
2381         (f2):
2382         (let.o2.valueOf):
2383
2384 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2385
2386         [JSC] Implement optimized WeakMap and WeakSet
2387         https://bugs.webkit.org/show_bug.cgi?id=179929
2388
2389         Reviewed by Saam Barati.
2390
2391         * microbenchmarks/weak-map-key.js:
2392         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2393         (assert):
2394         (objectKey):
2395         (let.start.Date.now):
2396         * stress/basic-weakmap.js: Added.
2397         (shouldBe):
2398         (test):
2399         * stress/basic-weakset.js: Added.
2400         (shouldBe):
2401         (test.set new):
2402         * stress/weakmap-cse-set-break.js: Added.
2403         (shouldBe):
2404         (test):
2405         * stress/weakmap-cse.js: Added.
2406         (shouldBe):
2407         (test):
2408         * stress/weakmap-gc.js: Added.
2409         (test):
2410         * stress/weakset-cse-add-break.js: Added.
2411         (shouldBe):
2412         (test.set new):
2413         * stress/weakset-cse.js: Added.
2414         (shouldBe):
2415         (test.set new):
2416         * stress/weakset-gc.js: Added.
2417         (test.set add):
2418         (test.set new):
2419         (test):
2420
2421 2017-12-12  Saam Barati  <sbarati@apple.com>
2422
2423         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2424         https://bugs.webkit.org/show_bug.cgi?id=180723
2425         <rdar://problem/35859726>
2426
2427         Reviewed by JF Bastien.
2428
2429         * stress/get-my-argument-by-val-constant-folding.js: Added.
2430         (test):
2431         (catch):
2432
2433 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2434
2435         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2436         https://bugs.webkit.org/show_bug.cgi?id=179000
2437
2438         Reviewed by Darin Adler and Yusuke Suzuki.
2439
2440         * bigIntTests.yaml: Added.
2441         * stress/big-int-literal-line-terminator.js: Added.
2442         * stress/big-int-literals.js: Added.
2443         * stress/big-int-operations-error.js: Added.
2444         * stress/big-int-type-of.js: Added.
2445         * stress/big-int-white-space-trailing-leading.js: Added.
2446         * stress/big-int-function-apply.js: Added.
2447
2448 2017-12-11  Saam Barati  <sbarati@apple.com>
2449
2450         We need to disableCaching() in ErrorInstance when we materialize properties
2451         https://bugs.webkit.org/show_bug.cgi?id=180343
2452         <rdar://problem/35833002>
2453
2454         Reviewed by Mark Lam.
2455
2456         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2457         (assert):
2458         (makeError):
2459         (storeToStack):
2460         (storeToStackAlreadyMaterialized):
2461
2462 2017-12-05  JF Bastien  <jfbastien@apple.com>
2463
2464         WebAssembly: don't eagerly checksum
2465         https://bugs.webkit.org/show_bug.cgi?id=180441
2466         <rdar://problem/35156628>
2467
2468         Reviewed by Saam Barati.
2469
2470         Checksum is now disabled, so tests only have <?> as the module
2471         name.
2472
2473         * wasm/function-tests/nameSection.js:
2474         * wasm/function-tests/stack-overflow.js:
2475         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2476         (assertOverflows.assertThrows):
2477         (assertOverflows):
2478         * wasm/function-tests/stack-trace.js:
2479
2480 2017-12-04  JF Bastien  <jfbastien@apple.com>
2481
2482         Proxy all functions, except the $ objects
2483         https://bugs.webkit.org/show_bug.cgi?id=180375
2484
2485         Reviewed by Saam Barati.
2486
2487         It looks like this test may have broken some executions because I
2488         call some internal objects. Explicitly ignore objects whose name
2489         starts with "$" because it's a bad idea anyways.
2490
2491         * stress/proxy-all-the-parameters.js:
2492         (generateObjects):
2493         (get throw):
2494
2495 2017-12-04  Saam Barati  <sbarati@apple.com>
2496
2497         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2498         https://bugs.webkit.org/show_bug.cgi?id=180366
2499         <rdar://problem/35685877>
2500
2501         Reviewed by Michael Saboff.
2502
2503         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2504         (theParent):
2505         (test1.base.getParentStaticValue):
2506         (test1.base):
2507         (test1.__v_24888.prototype.set prop):
2508         (test1.__v_24888):
2509         (test2.base.getParentStaticValue):
2510         (test2.base):
2511         (test2.__v_24888.prototype.set prop):
2512         (test2.__v_24888):
2513         (test2):
2514
2515 2017-12-01  JF Bastien  <jfbastien@apple.com>
2516
2517         Try proxying all function arguments
2518         https://bugs.webkit.org/show_bug.cgi?id=180306
2519
2520         Reviewed by Saam Barati.
2521
2522         * stress/proxy-all-the-parameters.js: Added.
2523         (isPropertyOfType):
2524         (getProperties):
2525         (generateObjects):
2526         (getObjects):
2527         (getFunctions):
2528         (get throw):
2529         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2530
2531 2017-12-01  JF Bastien  <jfbastien@apple.com>
2532
2533         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2534         https://bugs.webkit.org/show_bug.cgi?id=180297
2535         <rdar://problem/35745556>
2536
2537         Reviewed by Mark Lam.
2538
2539         * stress/math-exceptions.js: Added.
2540         (get try):
2541         (catch):
2542
2543 2017-12-01  JF Bastien  <jfbastien@apple.com>
2544
2545         JavaScriptCore: add test for weird class static getters
2546         https://bugs.webkit.org/show_bug.cgi?id=180281
2547         <rdar://problem/35592139>
2548
2549         Reviewed by Mark Lam.
2550
2551         I fixed a bug for it in r224927 and didn't add a test. Do so.
2552
2553         * stress/class-static-get-weird.js: Added.
2554         (c.prototype.get name):
2555         (c):
2556         (c.prototype.get arguments):
2557         (c.prototype.get caller):
2558         (c.prototype.get length):
2559
2560 2017-12-01  Saam Barati  <sbarati@apple.com>
2561
2562         Having a bad time needs to handle ArrayClass indexing type as well
2563         https://bugs.webkit.org/show_bug.cgi?id=180274
2564         <rdar://problem/35667869>
2565
2566         Reviewed by Keith Miller and Mark Lam.
2567
2568         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2569         (assert):
2570         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2571         (assert):
2572
2573 2017-12-01  JF Bastien  <jfbastien@apple.com>
2574
2575         WebAssembly: restore cached stack limit after out-call
2576         https://bugs.webkit.org/show_bug.cgi?id=179106
2577         <rdar://problem/35337525>
2578
2579         Reviewed by Saam Barati.
2580
2581         * wasm/function-tests/double-instance.js: Added.
2582         (const.imp.boom):
2583         (const.imp.get callAnother):
2584
2585 2017-11-30  JF Bastien  <jfbastien@apple.com>
2586
2587         WebAssembly: improve stack trace
2588         https://bugs.webkit.org/show_bug.cgi?id=179343
2589
2590         Reviewed by Saam Barati.
2591
2592         Update the tests to follow the new format. Notably, SHA1 module
2593         hash is now included in traces, and stubs are properly identified.
2594
2595         * wasm/assert.js: Add an assertion which matches regular expressions.
2596         * wasm/function-tests/nameSection.js:
2597         * wasm/function-tests/stack-overflow.js:
2598         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2599         (assertOverflows.assertThrows.wasm.1):
2600         (assertOverflows.assertThrows.wasm.0):
2601         (assertOverflows.assertThrows):
2602         (assertOverflows):
2603         * wasm/function-tests/stack-trace.js:
2604         (import.Builder.from.string_appeared_here.assert): Deleted.
2605         * wasm/function-tests/trap-after-cross-instance-call.js:
2606         (wasmFrameCountFromError):
2607         * wasm/function-tests/trap-load-2.js:
2608         (wasmFrameCountFromError):
2609         * wasm/function-tests/trap-load.js:
2610         (wasmFrameCountFromError):
2611
2612 2017-11-30  Mark Lam  <mark.lam@apple.com>
2613
2614         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2615         https://bugs.webkit.org/show_bug.cgi?id=180219
2616         <rdar://problem/35696536>
2617
2618         Reviewed by Filip Pizlo.
2619
2620         * stress/regress-180219.js: Added.
2621
2622 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2623
2624         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2625         https://bugs.webkit.org/show_bug.cgi?id=180190
2626
2627         Reviewed by Mark Lam.
2628
2629         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2630         (shouldBe):
2631         (test1):
2632         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2633         (shouldBe):
2634         (test1):
2635         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2636         (shouldBe):
2637         (test1):
2638         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2639         (shouldBe):
2640         (test1):
2641         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2642         (shouldBe):
2643         (test1):
2644         * stress/operation-in-may-have-negative-int32.js: Added.
2645         (shouldBe):
2646         (test2):
2647         * stress/operation-in-negative-int32-cast.js: Added.
2648         (shouldBe):
2649         (test1):
2650
2651 2017-11-28  JF Bastien  <jfbastien@apple.com>
2652
2653         Strict and sloppy functions shouldn't share structure
2654         https://bugs.webkit.org/show_bug.cgi?id=180103
2655         <rdar://problem/35667847>
2656
2657         Reviewed by Saam Barati.
2658
2659         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2660         because the IC was wrong.
2661         (foo):
2662         (bar):
2663         (baz):
2664         (catch):
2665         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2666         in this patch, but may as well test odd strict mode corner cases.
2667         (bar):
2668         (baz):
2669         (catch):
2670         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2671         (foo):
2672         (bar):
2673         (baz):
2674         (catch):
2675         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2676         next file, but with invalidation of the FunctionExecutable's
2677         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2678         slower path.
2679         (foo):
2680         (bar.const.x):
2681         (bar.const.y):
2682         (bar):
2683         (catch):
2684         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2685         strict nesting works correctly.
2686         (foo):
2687         (bar.baz):
2688         (bar):
2689         * stress/strict-function-structure.js: Added. The test used to
2690         assert in objectProtoFuncHasOwnProperty.
2691         (foo):
2692         (bar):
2693         (baz):
2694         * stress/strict-nested-function-structure.js: Added. Nesting.
2695         (foo):
2696         (bar):
2697         (baz.boo):
2698         (baz):
2699
2700 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2701
2702         The recursive tail call optimisation is wrong on closures
2703         https://bugs.webkit.org/show_bug.cgi?id=179835
2704
2705         Reviewed by Saam Barati.
2706
2707         * stress/closure-recursive-tail-call.js: Added.
2708         (makeClosure):
2709
2710 2017-11-27  JF Bastien  <jfbastien@apple.com>
2711
2712         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2713         https://bugs.webkit.org/show_bug.cgi?id=180051
2714         <rdar://problem/35614371>
2715
2716         Reviewed by Saam Barati.
2717
2718         * stress/rest-parameter-negative.js: Added.
2719         (__f_5484):
2720         (catch):
2721         (__f_5485):
2722         (__v_22598.catch):
2723
2724 2017-11-27  Saam Barati  <sbarati@apple.com>
2725
2726         Spread can escape when CreateRest does not
2727         https://bugs.webkit.org/show_bug.cgi?id=180057
2728         <rdar://problem/35676119>
2729
2730         Reviewed by JF Bastien.
2731
2732         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2733         (assert):
2734         (getProperties):
2735         (theFunc):
2736         (let.obj.valueOf):
2737
2738 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2739
2740         [DFG] Add NormalizeMapKey DFG IR
2741         https://bugs.webkit.org/show_bug.cgi?id=179912
2742
2743         Reviewed by Saam Barati.
2744
2745         * stress/map-untyped-normalize-cse.js: Added.
2746         (shouldBe):
2747         (test):
2748         * stress/map-untyped-normalize.js: Added.
2749         (shouldBe):
2750         (test):
2751         * stress/set-untyped-normalize-cse.js: Added.
2752         (shouldBe):
2753         (set return.set has.set has):
2754         * stress/set-untyped-normalize.js: Added.
2755         (shouldBe):
2756         (set return.set has):
2757
2758 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2759
2760         [FTL] Support DeleteById and DeleteByVal
2761         https://bugs.webkit.org/show_bug.cgi?id=180022
2762
2763         Reviewed by Saam Barati.
2764
2765         * stress/delete-by-id.js: Added.
2766         (shouldBe):
2767         (test1):
2768         (test2):
2769         * stress/delete-by-val-ftl.js: Added.
2770         (shouldBe):
2771         (test1):
2772         (test2):
2773
2774 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2775
2776         [DFG] Introduce {Set,Map,WeakMap}Fields
2777         https://bugs.webkit.org/show_bug.cgi?id=179925
2778
2779         Reviewed by Saam Barati.
2780
2781         * stress/map-set-clobber-map-get.js: Added.
2782         (shouldBe):
2783         (test):
2784         * stress/map-set-does-not-clobber-set-has.js: Added.
2785         (shouldBe):
2786         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2787         (shouldBe):
2788         (test):
2789         * stress/set-add-clobber-set-has.js: Added.
2790         (shouldBe):
2791         * stress/set-add-does-not-clobber-map-get.js: Added.
2792         (shouldBe):
2793
2794 2017-11-24  Mark Lam  <mark.lam@apple.com>
2795
2796         Move unsafe jsc shell test functions to the $vm object.
2797         https://bugs.webkit.org/show_bug.cgi?id=179980
2798
2799         Reviewed by Yusuke Suzuki.
2800
2801         * controlFlowProfiler/driver/driver.js:
2802         * controlFlowProfiler/execution-count.js:
2803         * controlFlowProfiler/if-statement.js:
2804         * controlFlowProfiler/loop-statements.js:
2805         * controlFlowProfiler/switch-statements.js:
2806         * controlFlowProfiler/test-jit.js:
2807         * exceptionFuzz/3d-cube.js:
2808         * exceptionFuzz/date-format-xparb.js:
2809         * exceptionFuzz/earley-boyer.js:
2810         * heapProfiler/basic-edges.js:
2811         * heapProfiler/property-edge-types.js:
2812         * microbenchmarks/try-get-by-id-basic.js:
2813         * microbenchmarks/try-get-by-id-polymorphic.js:
2814         * modules/namespace-object-try-get.js:
2815         * stress/argument-count-bytecode.js:
2816         * stress/argument-intrinsic-basic.js:
2817         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2818         * stress/argument-intrinsic-inlining-with-result-escape.js:
2819         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2820         * stress/argument-intrinsic-inlining-with-vararg.js:
2821         * stress/argument-intrinsic-nested-inlining.js:
2822         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2823         * stress/argument-intrinsic-with-stack-write.js:
2824         * stress/arity-mismatch-get-argument.js:
2825         * stress/array-message-passing.js:
2826         * stress/array-push-with-force-exit.js:
2827         * stress/check-dom-with-signature.js:
2828         * stress/check-sub-class.js:
2829         * stress/compare-eq-incomplete-profile.js:
2830         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2831         * stress/do-eval-virtual-call-correctly.js:
2832         * stress/dom-jit-with-poly-proto.js:
2833         * stress/domjit-exception-ic.js:
2834         * stress/domjit-exception.js:
2835         * stress/domjit-getter-complex-with-incorrect-object.js:
2836         * stress/domjit-getter-complex.js:
2837         * stress/domjit-getter-poly.js:
2838         * stress/domjit-getter-proto.js:
2839         * stress/domjit-getter-super-poly.js:
2840         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2841         * stress/domjit-getter-type-check.js:
2842         * stress/domjit-getter.js:
2843         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2844         * stress/for-in-proxy-target-changed-structure.js:
2845         * stress/for-in-proxy.js:
2846         * stress/generational-opaque-roots.js:
2847         * stress/global-const-redeclaration-setting-2.js:
2848         * stress/global-const-redeclaration-setting-3.js:
2849         * stress/global-const-redeclaration-setting-4.js:
2850         * stress/global-const-redeclaration-setting-5.js:
2851         * stress/global-const-redeclaration-setting.js:
2852         * stress/import-basic.js:
2853         * stress/import-from-eval.js:
2854         * stress/import-reject-with-exception.js:
2855         * stress/import-syntax.js:
2856         * stress/impure-get-own-property-slot-inline-cache.js:
2857         * stress/is-constructor.js:
2858         * stress/istypedarrayview-intrinsic.js:
2859         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2860         * stress/jsc-test-functions-should-be-more-robust.js:
2861         * stress/object-toString-with-proxy.js:
2862         * stress/poly-proto-custom-value-and-accessor.js:
2863         * stress/proxy-inline-cache.js:
2864         * stress/re-execute-error-module.js:
2865         * stress/regress-150532.js:
2866         * stress/regress-156992.js:
2867         * stress/regress-179619.js:
2868         * stress/resources/shadow-chicken-support.js:
2869         * stress/runtime-array.js:
2870         * stress/sampling-profiler-microtasks.js:
2871         * stress/shadow-chicken-enabled.js:
2872         * stress/spread-correct-global-object-on-exception.js:
2873         * stress/super-get-by-id.js:
2874         * stress/tailCallForwardArguments.js:
2875         * stress/to-object-intrinsic-boolean-edge.js:
2876         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2877         * stress/to-object-intrinsic-number-edge.js:
2878         * stress/to-object-intrinsic-object-edge.js:
2879         * stress/to-object-intrinsic-string-edge.js:
2880         * stress/to-object-intrinsic-symbol-edge.js:
2881         * stress/to-object-intrinsic.js:
2882         * stress/try-catch-custom-getter-as-get-by-id.js:
2883         * stress/try-get-by-id-poly-proto.js:
2884         * stress/try-get-by-id-should-spill-registers-dfg.js:
2885         * stress/try-get-by-id.js:
2886         * typeProfiler/arrow-functions.js:
2887         * typeProfiler/basic.js:
2888         * typeProfiler/captured.js:
2889         * typeProfiler/classes.js:
2890         * typeProfiler/dfg-jit-optimizations.js:
2891         * typeProfiler/dictionary-mode.js:
2892         * typeProfiler/es6-block-scoping.js:
2893         * typeProfiler/es6-classes.js:
2894         * typeProfiler/inheritance.js:
2895         * typeProfiler/int52-dfg.js:
2896         * typeProfiler/loop.js:
2897         * typeProfiler/optional-fields.js:
2898         * typeProfiler/overflow.js:
2899         * typeProfiler/return.js:
2900         * typeProfiler/symbol.js:
2901         * typeProfiler/weird-prototype-chain.js:
2902
2903 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2904
2905         [DFG][FTL] Support MapSet / SetAdd intrinsics
2906         https://bugs.webkit.org/show_bug.cgi?id=179858
2907
2908         Reviewed by Saam Barati.
2909
2910         * microbenchmarks/map-has-and-set.js: Added.
2911         (test):
2912         * stress/map-set-check-failure.js: Added.
2913         (shouldBe):
2914         (shouldThrow):
2915         (target):
2916         * stress/map-set-cse.js: Added.
2917         (shouldBe):
2918         (test):
2919         * stress/set-add-check-failure.js: Added.
2920         (shouldBe):
2921         (shouldThrow):
2922         (set shouldThrow):
2923         * stress/set-add-cse.js: Added.
2924         (shouldBe):
2925
2926 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2927
2928         [JSC] Allow poly proto for intrinsic getters
2929         https://bugs.webkit.org/show_bug.cgi?id=179550
2930
2931         Reviewed by Saam Barati.
2932
2933         This change is also tested by existing tests.
2934
2935             1. stress/intrinsic-getter-with-poly-proto.js
2936             2. stress/poly-proto-intrinsic-getter-correctness.js
2937
2938         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2939         (shouldBe):
2940         (makePolyProtoObject.foo.C):
2941         (makePolyProtoObject.foo):
2942         (makePolyProtoObject):
2943         (target):
2944         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2945         (shouldBe):
2946         (makePolyProtoObject.foo.C):
2947         (makePolyProtoObject.foo):
2948         (makePolyProtoObject):
2949         (target):
2950
2951 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2952
2953         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2954         https://bugs.webkit.org/show_bug.cgi?id=179744
2955
2956         Reviewed by Michael Catanzaro.
2957
2958         This test uses too much memory for our buildbots on these platforms
2959         and gets OOM-killed.
2960
2961         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2962         Skip if $memoryLimited and linux.
2963
2964 2017-11-17  JF Bastien  <jfbastien@apple.com>
2965
2966         WebAssembly JS API: throw when a promise can't be created
2967         https://bugs.webkit.org/show_bug.cgi?id=179826
2968         <rdar://problem/35455813>
2969
2970         Reviewed by Mark Lam.
2971
2972         Test WebAssembly.{compile,instantiate} where promise creation
2973         fails because of a stack overflow.
2974
2975         * wasm/js-api/promise-stack-overflow.js: Added.
2976         (const.runNearStackLimit.f.const.t):
2977         (async.testCompile):
2978         (async.testInstantiate):
2979
2980 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2981
2982         Unreviewed, mark regress-178385.js as memory exhausting
2983
2984         * stress/regress-178385.js:
2985
2986 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2987
2988         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2989
2990         Unreviewed test gardening.
2991
2992         * test262.yaml:
2993
2994 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2995
2996         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2997         https://bugs.webkit.org/show_bug.cgi?id=179763
2998         <rdar://problem/35550513>
2999
3000         Reviewed by Keith Miller.
3001
3002         Just adding a slightly cleaned-up version of the original fuzzer-found test.
3003
3004         * stress/tdz-this-in-try-catch.js: Added.
3005         (__v_6388):
3006         (__v_6392):
3007
3008 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3009
3010         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3011         https://bugs.webkit.org/show_bug.cgi?id=179594
3012
3013         Reviewed by Saam Barati.
3014
3015         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
3016         (shouldBe):
3017         (args):
3018         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
3019         (shouldBe):
3020         (args):
3021
3022 2017-11-14  Saam Barati  <sbarati@apple.com>
3023
3024         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3025         https://bugs.webkit.org/show_bug.cgi?id=179639
3026         <rdar://problem/35513018>
3027
3028         Reviewed by JF Bastien.
3029
3030         * wasm/function-tests/grow-memory-cause-gc.js: Added.
3031         (escape):
3032         (i.func):
3033
3034 2017-11-13  Mark Lam  <mark.lam@apple.com>
3035
3036         Add more overflow check book-keeping for MarkedArgumentBuffer.
3037         https://bugs.webkit.org/show_bug.cgi?id=179634
3038         <rdar://problem/35492517>
3039
3040         Reviewed by Saam Barati.
3041
3042         * stress/regress-179634.js: Added.
3043
3044 2017-11-13  Mark Lam  <mark.lam@apple.com>
3045
3046         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3047         https://bugs.webkit.org/show_bug.cgi?id=179619
3048         <rdar://problem/35492518>
3049
3050         Reviewed by Saam Barati.
3051
3052         * stress/regress-179619.js: Added.
3053
3054 2017-11-12  Mark Lam  <mark.lam@apple.com>
3055
3056         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3057         https://bugs.webkit.org/show_bug.cgi?id=179562
3058         <rdar://problem/35467022>
3059
3060         Reviewed by Saam Barati.
3061
3062         * regress-179562.js: Added.
3063
3064 2017-11-08  Saam Barati  <sbarati@apple.com>
3065
3066         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3067         https://bugs.webkit.org/show_bug.cgi?id=177792
3068
3069         Reviewed by Yusuke Suzuki.
3070
3071         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3072         (assert):
3073         (foo.Foo.prototype.ensureX):
3074         (foo.Foo):
3075         (foo):
3076         (access):
3077
3078 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3079
3080         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3081         https://bugs.webkit.org/show_bug.cgi?id=178592
3082
3083         Unreviewed test gardening.
3084
3085         * test262.yaml:
3086
3087 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3088
3089         Turn recursive tail calls into loops
3090         https://bugs.webkit.org/show_bug.cgi?id=176601
3091
3092         Reviewed by Saam Barati.
3093
3094         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3095
3096         Add some simple test that computes factorial in several ways, and other trivial computations.
3097         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3098         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3099         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3100         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3101
3102         * stress/inline-call-to-recursive-tail-call.js: Added.
3103         (factorial.aux):
3104         (factorial):
3105         (factorial2.aux2):
3106         (factorial2.id):
3107         (factorial2):
3108         (factorial3.aux3):
3109         (factorial3):
3110         (aux4):
3111         (factorial4):
3112         (foo):
3113         (auxBar):
3114         (bar):
3115         (test):
3116
3117 2017-11-07  Mark Lam  <mark.lam@apple.com>
3118
3119         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3120         https://bugs.webkit.org/show_bug.cgi?id=179355
3121         <rdar://problem/35263053>
3122
3123         Reviewed by Saam Barati.
3124
3125         * stress/regress-179355.js: Added.
3126
3127 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3128
3129         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3130         https://bugs.webkit.org/show_bug.cgi?id=144458
3131
3132         Reviewed by Saam Barati.
3133
3134         * microbenchmarks/dfg-internal-function-call.js: Added.
3135         (target):
3136         * microbenchmarks/dfg-internal-function-construct.js: Added.
3137         (target):
3138         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3139         (target):
3140         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3141         (target):
3142         * stress/dfg-internal-function-call.js: Added.
3143         (shouldBe):
3144         (target):
3145         * stress/dfg-internal-function-construct.js: Added.
3146         (shouldBe):
3147         (target):
3148         * stress/internal-function-call.js: Added.
3149         (shouldBe):
3150         * stress/internal-function-construct.js: Added.
3151         (shouldBe):
3152
3153 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3154
3155         [Win] Skip stress/regress-178385.js.
3156         https://bugs.webkit.org/show_bug.cgi?id=179298
3157
3158         Unreviewed test gardening.
3159
3160         * stress/regress-178385.js:
3161
3162 2017-11-03  Keith Miller  <keith_miller@apple.com>
3163
3164         Add test for ic with side effects
3165         https://bugs.webkit.org/show_bug.cgi?id=179268
3166
3167         Reviewed by Saam Barati.
3168
3169         * stress/put-inline-cache-side-effects.js: Added.
3170         (let.i.of.objs.keys):
3171         (f):
3172
3173 2017-11-03  Mark Lam  <mark.lam@apple.com>
3174
3175         CachedCall (and its clients) needs overflow checks.
3176         https://bugs.webkit.org/show_bug.cgi?id=179185
3177
3178         Reviewed by JF Bastien.
3179
3180         * stress/regress-179185.js: Added.
3181
3182 2017-11-02  Michael Saboff  <msaboff@apple.com>
3183
3184         DFG needs to handle code motion of code in for..in loop bodies
3185         https://bugs.webkit.org/show_bug.cgi?id=179212
3186
3187         Reviewed by Keith Miller.
3188
3189         New regression test.
3190
3191         * stress/for-in-side-effects.js: Added.
3192         (getPrototypeOf):
3193         (reset):
3194         (testWithoutFTL.f):
3195         (testWithoutFTL):
3196         (testWithFTL.f):
3197         (testWithFTL):
3198
3199 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3200
3201         AI does not correctly model the clobber case of ArithClz32
3202         https://bugs.webkit.org/show_bug.cgi?id=179188
3203
3204         Reviewed by Michael Saboff.
3205
3206         * stress/arith-clz32-effects.js: Added.
3207         (foo):
3208         (valueOf):
3209
3210 2017-11-01  Michael Saboff  <msaboff@apple.com>
3211
3212         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3213         https://bugs.webkit.org/show_bug.cgi?id=179140
3214
3215         Reviewed by Saam Barati.
3216
3217         New regression test.
3218
3219         * stress/regress-179140.js: Added.
3220         (testWithoutFTL):
3221         (testWithFTL):
3222
3223 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3224
3225         [JSC] Introduce @toObject
3226         https://bugs.webkit.org/show_bug.cgi?id=178726
3227
3228         Reviewed by Saam Barati.
3229
3230         * stress/array-copywithin.js:
3231         (shouldThrow):
3232         * stress/object-constructor-boolean-edge.js: Added.
3233         (shouldBe):
3234         (test):
3235         * stress/object-constructor-global.js: Added.
3236         (shouldBe):
3237         * stress/object-constructor-null-edge.js: Added.
3238         (shouldBe):
3239         (test):
3240         * stress/object-constructor-number-edge.js: Added.
3241         (shouldBe):
3242         (test):
3243         * stress/object-constructor-object-edge.js: Added.
3244         (shouldBe):
3245         (test):
3246         (i.arg):
3247         * stress/object-constructor-string-edge.js: Added.
3248         (shouldBe):
3249         (test):
3250         * stress/object-constructor-symbol-edge.js: Added.
3251         (shouldBe):
3252         (test):
3253         * stress/object-constructor-undefined-edge.js: Added.
3254         (shouldBe):
3255         (test):
3256         * stress/symbol-array-from.js: Added.
3257         (shouldBe):
3258         * stress/to-object-intrinsic-boolean-edge.js: Added.
3259         (shouldBe):
3260         (builtin.createBuiltin):
3261         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3262         (shouldThrow):
3263         * stress/to-object-intrinsic-number-edge.js: Added.
3264         (shouldBe):
3265         (builtin.createBuiltin):
3266         * stress/to-object-intrinsic-object-edge.js: Added.
3267         (shouldBe):
3268         (builtin.createBuiltin):
3269         (i.arg):
3270         * stress/to-object-intrinsic-string-edge.js: Added.
3271         (shouldBe):
3272         (builtin.createBuiltin):
3273         * stress/to-object-intrinsic-symbol-edge.js: Added.
3274         (shouldBe):
3275         (builtin.createBuiltin):
3276         * stress/to-object-intrinsic.js: Added.
3277         (shouldBe):
3278         (shouldThrow):
3279         (builtin.createBuiltin):
3280
3281 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3282
3283         [DFG][FTL] Introduce StringSlice
3284         https://bugs.webkit.org/show_bug.cgi?id=178934
3285
3286         Reviewed by Saam Barati.
3287
3288         * microbenchmarks/string-slice-empty.js: Added.
3289         (slice):
3290         * microbenchmarks/string-slice-one-char.js: Added.
3291         (slice):
3292         * microbenchmarks/string-slice.js: Added.
3293         (slice):
3294
3295 2017-10-26  Michael Saboff  <msaboff@apple.com>
3296
3297         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3298         https://bugs.webkit.org/show_bug.cgi?id=178890
3299
3300         Reviewed by Keith Miller.
3301
3302         New regression test.
3303
3304         * stress/regress-178890.js: Added.
3305
3306 2017-10-26  Mark Lam  <mark.lam@apple.com>
3307
3308         JSRopeString::RopeBuilder::append() should check for overflows.
3309         https://bugs.webkit.org/show_bug.cgi?id=178385
3310         <rdar://problem/35027468>
3311
3312         Reviewed by Saam Barati.
3313
3314         * stress/regress-178385.js: Added.
3315
3316 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3317
3318         Unreviewed, rolling out r223961.
3319
3320         The change that required this has been rolled out.
3321
3322         Reverted changeset:
3323
3324         "Mark test262.yaml/test262/test/language/statements/try/tco-
3325         catch.js as passing."
3326         https://bugs.webkit.org/show_bug.cgi?id=178592
3327         https://trac.webkit.org/changeset/223961
3328
3329 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3330
3331         Unreviewed, rolling out r223691 and r223729.
3332         https://bugs.webkit.org/show_bug.cgi?id=178834
3333
3334         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3335         by rniwa on #webkit).
3336
3337         Reverted changesets:
3338
3339         "Turn recursive tail calls into loops"
3340         https://bugs.webkit.org/show_bug.cgi?id=176601
3341         https://trac.webkit.org/changeset/223691
3342
3343         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3344         comparison is always false due to limited range of data type
3345         [-Wtype-limits]"
3346         https://bugs.webkit.org/show_bug.cgi?id=178543
3347         https://trac.webkit.org/changeset/223729
3348
3349 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3350
3351         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3352         https://bugs.webkit.org/show_bug.cgi?id=178592
3353
3354         Unreviewed test gardening.
3355
3356         * test262.yaml:
3357
3358 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3359
3360         [FTL] Support NewStringObject
3361         https://bugs.webkit.org/show_bug.cgi?id=178737
3362
3363         Reviewed by Saam Barati.
3364
3365         * stress/new-string-object.js: Added.
3366         (shouldBe):
3367         (test):
3368
3369 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3370
3371         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3372         https://bugs.webkit.org/show_bug.cgi?id=178308
3373
3374         Reviewed by Mark Lam.
3375
3376         * test262.yaml:
3377
3378 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3379
3380         [JSC] Use fastJoin in Array#toString
3381         https://bugs.webkit.org/show_bug.cgi?id=178062
3382
3383         Reviewed by Darin Adler.
3384
3385         * microbenchmarks/contiguous-array-to-string.js: Added.
3386         (target):
3387         * microbenchmarks/double-array-to-string.js: Added.
3388         (target):
3389         * microbenchmarks/int32-array-to-string.js: Added.
3390         (target):
3391
3392 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3393
3394         stress/check-string-ident.js is improperly skipped
3395         https://bugs.webkit.org/show_bug.cgi?id=178642
3396
3397         Reviewed by Saam Barati.
3398
3399         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3400         since it enforces the run-jsc-stress-tests script to still set up the
3401         test to run, despite the skip directive that's used before.
3402
3403 2017-10-20  Mark Lam  <mark.lam@apple.com>
3404
3405         Add a test case for r214334.
3406         https://bugs.webkit.org/show_bug.cgi?id=169941
3407         <rdar://problem/31221258>
3408
3409         Reviewed by JF Bastien.
3410
3411         * stress/regress-169941.js: Added.
3412
3413 2017-10-19  JF Bastien  <jfbastien@apple.com>
3414
3415         WebAssembly: no VM / JS version of everything but Instance
3416         https://bugs.webkit.org/show_bug.cgi?id=177473
3417
3418         Reviewed by Filip Pizlo, Saam Barati.
3419
3420         - Exceeding max on memory growth now returns a range error as per
3421         spec. This is a (very minor) breaking change: it used to throw OOM
3422         error. Update the corresponding test.
3423
3424         * wasm/js-api/memory-grow.js:
3425         (assertEq):
3426         * wasm/js-api/table.js:
3427         (assert.throws):
3428
3429 2017-10-19  Mark Lam  <mark.lam@apple.com>
3430
3431         Stringifier::appendStringifiedValue() is missing an exception check.
3432         https://bugs.webkit.org/show_bug.cgi?id=178386
3433         <rdar://problem/35027610>
3434
3435         Reviewed by Saam Barati.
3436
3437         * stress/regress-178386.js: Added.
3438
3439 2017-10-19  Michael Saboff  <msaboff@apple.com>
3440
3441         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3442         https://bugs.webkit.org/show_bug.cgi?id=178521
3443
3444         Reviewed by JF Bastien.
3445
3446         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3447         now passes with the current version (5.0) of the Emoji spec.
3448
3449 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3450
3451         Turn recursive tail calls into loops
3452         https://bugs.webkit.org/show_bug.cgi?id=176601
3453
3454         Reviewed by Saam Barati.
3455
3456         Add some simple test that computes factorial in several ways, and other trivial computations.
3457         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3458         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3459         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3460         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3461
3462         * stress/inline-call-to-recursive-tail-call.js: Added.
3463         (factorial.aux):
3464         (factorial):
3465         (factorial2.aux):
3466         (factorial2.id):
3467         (factorial2):
3468         (factorial3.aux):
3469         (factorial3):
3470         (aux):
3471         (factorial4):
3472         (test):
3473
3474 2017-10-18  Mark Lam  <mark.lam@apple.com>
3475
3476         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3477         https://bugs.webkit.org/show_bug.cgi?id=177600
3478         <rdar://problem/34710985>
3479
3480         Reviewed by Saam Barati.
3481
3482         * stress/regress-177600.js: Added.
3483
3484 2017-10-18  Mark Lam  <mark.lam@apple.com>
3485
3486         The compiler should always register a structure when it adds its transitionWatchPointSet.
3487         https://bugs.webkit.org/show_bug.cgi?id=178420
3488         <rdar://problem/34814024>
3489
3490         Reviewed by Saam Barati and Filip Pizlo.
3491
3492         * stress/regress-178420.js: Added.
3493         (new.Array.10000.map):
3494
3495 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3496
3497         [JSC] __proto__ getter should be fast
3498         https://bugs.webkit.org/show_bug.cgi?id=178067
3499
3500         Reviewed by Saam Barati.
3501
3502         * stress/dfg-object-proto-accessor.js: Added.
3503         (shouldBe):
3504         (shouldThrow):
3505         (target):
3506         * stress/dfg-object-proto-getter.js: Added.
3507         (shouldBe):
3508         (shouldThrow):
3509         (target):
3510         * stress/dfg-object-prototype-of.js: Added.
3511         (shouldBe):
3512         (shouldThrow):
3513         (target):
3514         * stress/dfg-reflect-get-prototype-of.js: Added.
3515         (shouldBe):
3516         (shouldThrow):
3517         (target):
3518         * stress/intrinsic-getter-with-poly-proto.js: Added.
3519         (shouldBe):
3520         (makePolyProtoObject.foo.C):
3521         (makePolyProtoObject.foo):
3522         (makePolyProtoObject):
3523         (target):
3524         * stress/object-get-prototype-of-filtered.js: Added.
3525         (shouldBe):
3526         (shouldThrow):
3527         (target):
3528         (i.Cocoa):
3529         * stress/object-get-prototype-of-mono-proto.js: Added.
3530         (shouldBe):
3531         (makePolyProtoObject.foo.C):
3532         (makePolyProtoObject.foo):
3533         (makePolyProtoObject):
3534         (target):
3535         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3536         (shouldBe):
3537         (makePolyProtoObject.foo.C):
3538         (makePolyProtoObject.foo):
3539         (makePolyProtoObject):
3540         (target):
3541         * stress/object-get-prototype-of-poly-proto.js: Added.
3542         (shouldBe):
3543         (makePolyProtoObject.foo.C):
3544         (makePolyProtoObject.foo):
3545         (makePolyProtoObject):
3546         (target):
3547         * stress/object-proto-getter-filtered.js: Added.
3548         (shouldBe):
3549         (shouldThrow):
3550         (target):
3551         (i.Cocoa):
3552         * stress/object-proto-getter-poly-mono-proto.js: Added.
3553         (shouldBe):
3554         (makePolyProtoObject.foo.C):
3555         (makePolyProtoObject.foo):
3556         (makePolyProtoObject):
3557         (target):
3558         * stress/object-proto-getter-poly-proto.js: Added.
3559         (shouldBe):
3560         (makePolyProtoObject.foo.C):
3561         (makePolyProtoObject.foo):
3562         (makePolyProtoObject):
3563         (target):
3564         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3565         * stress/string-proto.js: Added.
3566         (shouldBe):
3567         (target):
3568
3569 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3570
3571         Unreviewed, rolling out r223523.
3572
3573         A test for this change is failing on debug JSC bots.
3574
3575         Reverted changeset:
3576
3577         "[JSC] __proto__ getter should be fast"
3578         https://bugs.webkit.org/show_bug.cgi?id=178067
3579         https://trac.webkit.org/changeset/223523
3580
3581 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3582
3583         [JSC] __proto__ getter should be fast
3584         https://bugs.webkit.org/show_bug.cgi?id=178067
3585
3586         Reviewed by Saam Barati.
3587
3588         * stress/dfg-object-proto-accessor.js: Added.
3589         (shouldBe):
3590         (shouldThrow):
3591         (target):
3592         * stress/dfg-object-proto-getter.js: Added.
3593         (shouldBe):
3594         (shouldThrow):
3595         (target):
3596         * stress/dfg-object-prototype-of.js: Added.
3597         (shouldBe):
3598         (shouldThrow):
3599         (target):
3600         * stress/dfg-reflect-get-prototype-of.js: Added.
3601         (shouldBe):
3602         (shouldThrow):
3603         (target):
3604         * stress/object-get-prototype-of-filtered.js: Added.
3605         (shouldBe):
3606         (shouldThrow):
3607         (target):
3608         (i.Cocoa):
3609         * stress/object-get-prototype-of-mono-proto.js: Added.
3610         (shouldBe):
3611         (makePolyProtoObject.foo.C):
3612         (makePolyProtoObject.foo):
3613         (makePolyProtoObject):
3614         (target):
3615         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3616         (shouldBe):
3617         (makePolyProtoObject.foo.C):
3618         (makePolyProtoObject.foo):
3619         (makePolyProtoObject):
3620         (target):
3621         * stress/object-get-prototype-of-poly-proto.js: Added.
3622         (shouldBe):
3623         (makePolyProtoObject.foo.C):
3624         (makePolyProtoObject.foo):
3625         (makePolyProtoObject):
3626         (target):
3627         * stress/object-proto-getter-filtered.js: Added.
3628         (shouldBe):
3629         (shouldThrow):
3630         (target):
3631         (i.Cocoa):
3632         * stress/object-proto-getter-poly-mono-proto.js: Added.
3633         (shouldBe):
3634         (makePolyProtoObject.foo.C):
3635         (makePolyProtoObject.foo):
3636         (makePolyProtoObject):
3637         (target):
3638         * stress/object-proto-getter-poly-proto.js: Added.
3639         (shouldBe):
3640         (makePolyProtoObject.foo.C):
3641         (makePolyProtoObject.foo):
3642         (makePolyProtoObject):
3643         (target):
3644         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3645         * stress/string-proto.js: Added.
3646         (shouldBe):
3647         (target):
3648
3649 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3650
3651         Reland "Add Above/Below comparisons for UInt32 patterns"
3652         https://bugs.webkit.org/show_bug.cgi?id=177281
3653
3654         Reviewed by Saam Barati.
3655
3656         * stress/uint32-comparison-jump.js: Added.
3657         (shouldBe):
3658         (above):
3659         (aboveOrEqual):
3660         (below):
3661         (belowOrEqual):
3662         (notAbove):
3663         (notAboveOrEqual):
3664         (notBelow):
3665         (notBelowOrEqual):
3666         * stress/uint32-comparison.js: Added.
3667         (shouldBe):
3668         (above):
3669         (aboveOrEqual):
3670         (below):
3671         (belowOrEqual):
3672         (aboveTest):
3673         (aboveOrEqualTest):
3674         (belowTest):
3675         (belowOrEqualTest):
3676
3677 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3678
3679         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3680         https://bugs.webkit.org/show_bug.cgi?id=178210
3681
3682         Reviewed by Saam Barati.
3683
3684         * wasm/function-tests/trap-from-start-async.js:
3685         (async.StartTrapsAsync):
3686         * wasm/function-tests/trap-from-start.js:
3687         (StartTraps):
3688         * wasm/js-api/web-assembly-function.js:
3689         (assert.eq.Object.getPrototypeOf):
3690         * wasm/js-api/wrapper-function.js:
3691         (return.new.WebAssembly.Module):
3692         (assert.throws.makeInstance): Deleted.
3693         (assert.throws.Bar): Deleted.
3694         (assert.throws): Deleted.
3695
3696 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3697
3698         Enable gigacage on iOS
3699         https://bugs.webkit.org/show_bug.cgi?id=177586
3700
3701         Reviewed by JF Bastien.
3702         
3703         Add tests for when Gigacage gets runtime disabled.
3704
3705         * stress/disable-gigacage-arrays.js: Added.
3706         (foo):
3707         * stress/disable-gigacage-strings.js: Added.
3708         (foo):
3709         * stress/disable-gigacage-typed-arrays.js: Added.
3710         (foo):
3711
3712 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3713
3714         import.meta should not be assignable
3715         https://bugs.webkit.org/show_bug.cgi?id=178202
3716
3717         Reviewed by Saam Barati.
3718
3719         * modules/import-meta-assignment.js: Added.
3720         (shouldThrow):
3721         (SyntaxError.import.meta.can.shouldThrow):
3722
3723 2017-10-11  Saam Barati  <sbarati@apple.com>
3724
3725         Unreviewed. Actually skip certain type profiler tests in debug.
3726
3727         * typeProfiler.yaml:
3728         * typeProfiler/deltablue-for-of.js:
3729         * typeProfiler/getter-richards.js:
3730
3731 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3732
3733         Unreviewed, rolling out r223113 and r223121.
3734         https://bugs.webkit.org/show_bug.cgi?id=178182
3735
3736         Reintroduced 20% regression on Kraken (Requested by rniwa on
3737         #webkit).
3738
3739         Reverted changesets:
3740
3741         "Enable gigacage on iOS"
3742         https://bugs.webkit.org/show_bug.cgi?id=177586
3743         https://trac.webkit.org/changeset/223113
3744
3745         "Use one virtual allocation for all gigacages and their
3746         runways"
3747         https://bugs.webkit.org/show_bug.cgi?id=178050
3748         https://trac.webkit.org/changeset/223121
3749
3750 2017-10-11  Michael Saboff  <msaboff@apple.com>
3751
3752         Disable test262 named capture group tests with direct unicode names and with references before definitions