[Extra zoom mode] Refactor input view controller presentation and dismissal helpers
[WebKit.git] / JSTests / ChangeLog
1 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [DFG] Introduces fused compare and jump
4         https://bugs.webkit.org/show_bug.cgi?id=177100
5
6         Reviewed by Mark Lam.
7
8         * stress/fused-jeq-slow.js: Added.
9         (shouldBe):
10         (testJEQ):
11         (testJNEQB):
12         (testJEQB):
13         (testJNEQF):
14         (testJEQF):
15         * stress/fused-jeq.js: Added.
16         (shouldBe):
17         (testJEQ):
18         (testJNEQB):
19         (testJEQB):
20         (testJNEQF):
21         (testJEQF):
22         * stress/fused-jstricteq-slow.js: Added.
23         (shouldBe):
24         (testJSTRICTEQ):
25         (testJNSTRICTEQB):
26         (testJSTRICTEQB):
27         (testJNSTRICTEQF):
28         (testJSTRICTEQF):
29         * stress/fused-jstricteq.js: Added.
30         (shouldBe):
31         (testJSTRICTEQ):
32         (testJNSTRICTEQB):
33         (testJSTRICTEQB):
34         (testJNSTRICTEQF):
35         (testJSTRICTEQF):
36
37 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
38
39         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
40         https://bugs.webkit.org/show_bug.cgi?id=183559
41
42         Reviewed by Mark Lam.
43
44         * stress/double-to-string-in-loop-removed.js: Added.
45         (test):
46         * stress/int32-to-string-in-loop-removed.js: Added.
47         (test):
48         * stress/int52-to-string-in-loop-removed.js: Added.
49         (test):
50
51 2018-03-22  Michael Saboff  <msaboff@apple.com>
52
53         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
54         https://bugs.webkit.org/show_bug.cgi?id=183901
55
56         Reviewed by Keith Miller.
57
58         New test.
59
60         * stress/array-reverse-doesnt-clobber.js: Added.
61         (testArrayReverse):
62         (createArrayOfArrays):
63         (createArrayStorage):
64
65 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
66
67         ScopedArguments should do poisoning and index masking
68         https://bugs.webkit.org/show_bug.cgi?id=183863
69
70         Reviewed by Mark Lam.
71         
72         Adds another stress test of scoped arguments.
73
74         * stress/scoped-arguments-test.js: Added.
75         (foo):
76
77 2018-03-20  Saam Barati  <sbarati@apple.com>
78
79         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
80         https://bugs.webkit.org/show_bug.cgi?id=183795
81         <rdar://problem/38298694>
82
83         Reviewed by JF Bastien.
84
85         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
86         (foo):
87         (bar):
88
89 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
90
91         [DFG][FTL] Add vectorLengthHint for NewArray
92         https://bugs.webkit.org/show_bug.cgi?id=183694
93
94         Reviewed by Saam Barati.
95
96         * stress/vector-length-hint-array-constructor.js: Added.
97         (shouldBe):
98         (test):
99         * stress/vector-length-hint-new-array.js: Added.
100         (shouldBe):
101         (test):
102
103 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
104
105         [DFG][FTL] Make ArraySlice(0) code tight
106         https://bugs.webkit.org/show_bug.cgi?id=183590
107
108         Reviewed by Saam Barati.
109
110         * stress/array-slice-with-zero.js: Added.
111         (shouldBe):
112         (test):
113         (test2):
114         * stress/array-slice-zero-args.js: Added.
115         (shouldBe):
116         (test):
117
118 2018-03-14  Caitlin Potter  <caitp@igalia.com>
119
120         [JSC] fix order of evaluation for ClassDefinitionEvaluation
121         https://bugs.webkit.org/show_bug.cgi?id=183523
122
123         Reviewed by Keith Miller.
124
125         Computed property names need to be evaluated in source order during class
126         definition evaluation, as it's observable (and specified to work this way).
127
128         This change improves compatibility with Chromium.
129
130         * stress/class_elements.js: Added.
131         (test):
132         (test.C.prototype.effect):
133         (test.C.effect):
134         (test.C.prototype.get effect):
135         (test.C.prototype.set effect):
136         (test.C):
137
138 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
139
140         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
141         https://bugs.webkit.org/show_bug.cgi?id=183310
142
143         Reviewed by Filip Pizlo.
144
145         * stress/ai-create-this-to-new-object-fire.js: Added.
146         (assert):
147         (test):
148         (func):
149         (check):
150         (test.body.A):
151         (test.body.B):
152         (test.body):
153         * stress/ai-create-this-to-new-object.js: Added.
154         (assert):
155         (test):
156         (func):
157         (check):
158         (test.body.A):
159         (test.body.B):
160         (test.body):
161
162 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
163
164         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
165         https://bugs.webkit.org/show_bug.cgi?id=181848
166
167         Reviewed by Sam Weinig.
168
169         * microbenchmarks/regexp-u-global-es5.js: Added.
170         (fn):
171         * microbenchmarks/regexp-u-global-es6.js: Added.
172         (fn):
173         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
174         (shouldBe):
175         (test):
176         (i.switch):
177         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
178         (shouldBe):
179         (test):
180
181 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
182
183         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
184         https://bugs.webkit.org/show_bug.cgi?id=183334
185
186         Reviewed by Žan Doberšek.
187
188         * stress/var-injection-cache-invalidation.js:
189
190 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
191
192         [ARM] Disable tests that run out of memory
193         https://bugs.webkit.org/show_bug.cgi?id=182699
194
195         Reviewed by Žan Doberšek.
196
197         Skip tests that run of of memory. Do not run
198         modules/module-jit-reachability.js without LLInt to prevent
199         running out of executable memory.
200
201         * modules.yaml:
202         * modules/module-jit-reachability.js:
203         * stress/has-own-property-name-cache-string-keys.js:
204         * stress/has-own-property-name-cache-symbol-keys.js:
205
206 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
207
208         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
209         https://bugs.webkit.org/show_bug.cgi?id=183173
210
211         Reviewed by Saam Barati.
212
213         * stress/async-arrow-function-in-class-heritage.js: Added.
214         (testSyntax):
215         (testSyntaxError):
216         (SyntaxError):
217
218 2018-03-01  Saam Barati  <sbarati@apple.com>
219
220         We need to clear cached structures when having a bad time
221         https://bugs.webkit.org/show_bug.cgi?id=183256
222         <rdar://problem/36245022>
223
224         Reviewed by Mark Lam.
225
226         * stress/having-a-bad-time-with-derived-arrays.js: Added.
227         (assert):
228         (defineSetter):
229         (iterate):
230         (doSlice):
231
232 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
233
234         JSC crash with `import("")`
235         https://bugs.webkit.org/show_bug.cgi?id=183175
236
237         Reviewed by Saam Barati.
238
239         * stress/import-with-empty-string.js: Added.
240
241 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
242
243         Unreviewed, skip FTL tests if FTL is disabled
244         https://bugs.webkit.org/show_bug.cgi?id=183071
245
246         * stress/has-indexed-property-array-storage-ftl.js:
247         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
248
249 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
250
251         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
252         https://bugs.webkit.org/show_bug.cgi?id=182965
253
254         Reviewed by Saam Barati.
255
256         * stress/put-by-val-array-storage.js: Added.
257         (shouldBe):
258         (testArrayStorageInBounds):
259         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
260         (shouldBe):
261         (testInt32.createBuiltin):
262         (set for):
263         * stress/put-by-val-slow-put-array-storage.js: Added.
264         (shouldBe):
265         (testArrayStorageInBounds):
266
267 2018-02-26  Saam Barati  <sbarati@apple.com>
268
269         validateStackAccess should not validate if the offset is within the stack bounds
270         https://bugs.webkit.org/show_bug.cgi?id=183067
271         <rdar://problem/37749988>
272
273         Reviewed by Mark Lam.
274
275         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
276         (assert):
277         (test.a):
278         (test.b):
279         (test):
280
281 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
282
283         Unreviewed, skip FTL tests if FTL is disabled
284         https://bugs.webkit.org/show_bug.cgi?id=183071
285
286         * stress/has-indexed-property-array-storage-ftl.js:
287         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
288
289 2018-02-23  Saam Barati  <sbarati@apple.com>
290
291         Make Number.isInteger an intrinsic
292         https://bugs.webkit.org/show_bug.cgi?id=183088
293
294         Reviewed by JF Bastien.
295
296         * stress/number-is-integer-intrinsic.js: Added.
297
298 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
299
300         WebAssembly: cache memory address / size on instance
301         https://bugs.webkit.org/show_bug.cgi?id=177305
302
303         Reviewed by JF Bastien.
304
305         * wasm/function-tests/memory-reuse.js: Added.
306         (createWasmInstance):
307         (doCheckTrap):
308         (doMemoryGrow):
309         (doCheck):
310         (checkWasmInstancesWithSharedMemory):
311
312 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
313
314         [JSC] Implement $vm.ftlTrue function for FTL testing
315         https://bugs.webkit.org/show_bug.cgi?id=183071
316
317         Reviewed by Mark Lam.
318
319         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
320         (foo):
321         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
322         (foo):
323         * stress/dead-fiat-value-to-int52.js:
324         (foo):
325         * stress/dead-osr-entry-value.js:
326         (foo):
327         * stress/fiat-value-to-int52-then-exit-not-double.js:
328         (foo):
329         * stress/fiat-value-to-int52-then-exit-not-int52.js:
330         (foo):
331         * stress/fiat-value-to-int52-then-fail-to-fold.js:
332         (foo):
333         * stress/fiat-value-to-int52-then-fold.js:
334         (foo):
335         * stress/fiat-value-to-int52.js:
336         (foo):
337         * stress/fold-based-on-int32-proof-mul-branch.js:
338         (foo):
339         * stress/fold-profiled-call-to-call.js:
340         (foo):
341         * stress/fold-to-double-constant-then-exit.js:
342         (foo):
343         * stress/fold-to-int52-constant-then-exit.js:
344         (foo):
345         * stress/fold-to-primitive-in-cfa.js:
346         (foo):
347         * stress/fold-to-primitive-to-identity-in-cfa.js:
348         (foo):
349         * stress/has-indexed-property-array-storage-ftl.js: Added.
350         (shouldBe):
351         (test1):
352         (test2):
353         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
354         (shouldBe):
355         (test1):
356         (test2):
357         * stress/int52-ai-add-then-filter-int32.js:
358         (foo):
359         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
360         (foo):
361         * stress/int52-ai-mul-then-filter-int32.js:
362         (foo):
363         * stress/int52-ai-neg-then-filter-int32.js:
364         (foo):
365         * stress/int52-ai-sub-then-filter-int32.js:
366         (foo):
367         * stress/licm-pre-header-cannot-exit-nested.js:
368         (foo):
369         * stress/licm-pre-header-cannot-exit.js:
370         (foo):
371         * stress/sparse-array-entry-update-144067.js:
372         (useMemoryToTriggerGCs):
373         * stress/test-spec-misc.js:
374         (foo):
375         * stress/tricky-array-bounds-checks.js:
376         (foo):
377
378 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
379
380         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
381         https://bugs.webkit.org/show_bug.cgi?id=182792
382
383         Reviewed by Mark Lam.
384
385         * stress/has-indexed-property-array-storage.js: Added.
386         (shouldBe):
387         (test1):
388         (test2):
389         * stress/has-indexed-property-slow-put-array-storage.js: Added.
390         (shouldBe):
391         (test1):
392         (test2):
393
394 2018-02-20  Saam Barati  <sbarati@apple.com>
395
396         DFG::VarargsForwardingPhase should eliminate getting argument length
397         https://bugs.webkit.org/show_bug.cgi?id=182959
398
399         Reviewed by Keith Miller.
400
401         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
402
403 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
404
405         [FTL] Support ArrayPush for ArrayStorage
406         https://bugs.webkit.org/show_bug.cgi?id=182782
407
408         Reviewed by Saam Barati.
409
410         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
411
412         * stress/array-push-array-storage-beyond-int32.js: Added.
413         (shouldBe):
414         (test):
415         * stress/array-push-array-storage.js: Added.
416         (shouldBe):
417         (test):
418         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
419         (shouldBe):
420         (test):
421         * stress/array-push-multiple-storage-continuous.js: Added.
422         (shouldBe):
423         (test):
424
425 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
426
427         [FTL] Support ArrayPop for ArrayStorage
428         https://bugs.webkit.org/show_bug.cgi?id=182783
429
430         Reviewed by Saam Barati.
431
432         * stress/array-pop-array-storage.js: Added.
433         (shouldBe):
434         (test):
435
436 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
437
438         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
439         https://bugs.webkit.org/show_bug.cgi?id=182731
440
441         Reviewed by Saam Barati.
442
443         * stress/arrayify-array-storage-array.js: Added.
444         (shouldBe):
445         (testArrayStorage):
446         * stress/arrayify-array-storage-non-array.js: Added.
447         (shouldBe):
448         (testArrayStorage):
449         * stress/arrayify-array-storage.js: Added.
450         (shouldBe):
451         (testArrayStorage):
452         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
453         (shouldBe):
454         (testArrayStorage):
455         * stress/arrayify-slow-put-array-storage.js: Added.
456         (shouldBe):
457         (testArrayStorage):
458
459 2018-02-19  Saam Barati  <sbarati@apple.com>
460
461         Don't use JSFunction's allocation profile when getting the prototype can be effectful
462         https://bugs.webkit.org/show_bug.cgi?id=182942
463         <rdar://problem/37584764>
464
465         Reviewed by Mark Lam.
466
467         * stress/get-prototype-create-this-effectful.js: Added.
468
469 2018-02-16  Saam Barati  <sbarati@apple.com>
470
471         Fix bugs from r228411
472         https://bugs.webkit.org/show_bug.cgi?id=182851
473         <rdar://problem/37577732>
474
475         Reviewed by JF Bastien.
476
477         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
478
479 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
480
481         Unreviewed, roll out r228366 since it did not progress anything.
482
483         * stress/gc-error-stack.js: Removed.
484         * stress/no-gc-error-stack.js: Removed.
485
486 2018-02-15  Tomas Popela  <tpopela@redhat.com>
487
488         Many stress tests fail with JIT disabled
489         https://bugs.webkit.org/show_bug.cgi?id=182730
490
491         Reviewed by Saam Barati.
492
493         These tests are broken by design if the JIT is disabled - they test
494         the return value of numberOfDFGCompiles(), which is always set to
495         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
496
497         * stress/arith-abs-on-various-types.js:
498         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
499         * stress/arith-acos-on-various-types.js:
500         * stress/arith-acosh-on-various-types.js:
501         * stress/arith-asin-on-various-types.js:
502         * stress/arith-asinh-on-various-types.js:
503         * stress/arith-atan-on-various-types.js:
504         * stress/arith-atanh-on-various-types.js:
505         * stress/arith-cbrt-on-various-types.js:
506         * stress/arith-ceil-on-various-types.js:
507         * stress/arith-clz32-on-various-types.js:
508         * stress/arith-cos-on-various-types.js:
509         * stress/arith-cosh-on-various-types.js:
510         * stress/arith-expm1-on-various-types.js:
511         * stress/arith-floor-on-various-types.js:
512         * stress/arith-fround-on-various-types.js:
513         * stress/arith-log-on-various-types.js:
514         * stress/arith-log10-on-various-types.js:
515         * stress/arith-log2-on-various-types.js:
516         * stress/arith-negate-on-various-types.js:
517         * stress/arith-round-on-various-types.js:
518         * stress/arith-sin-on-various-types.js:
519         * stress/arith-sinh-on-various-types.js:
520         * stress/arith-sqrt-on-various-types.js:
521         * stress/arith-tan-on-various-types.js:
522         * stress/arith-tanh-on-various-types.js:
523         * stress/arith-trunc-on-various-types.js:
524         * stress/compare-strict-eq-on-various-types.js:
525
526 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
527
528         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
529
530         Unreviewed test gardening.
531
532         * stress/new-largeish-contiguous-array-with-size.js:
533
534 2018-02-14  Saam Barati  <sbarati@apple.com>
535
536         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
537         https://bugs.webkit.org/show_bug.cgi?id=182801
538
539         Reviewed by Keith Miller.
540
541         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
542
543 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
544
545         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
546         https://bugs.webkit.org/show_bug.cgi?id=182526
547
548         Unreviewed test gardening.
549
550         * stress/activation-sink-default-value-tdz-error.js:
551
552 2018-02-13  Saam Barati  <sbarati@apple.com>
553
554         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
555         https://bugs.webkit.org/show_bug.cgi?id=182755
556         <rdar://problem/37080864>
557
558         Reviewed by Keith Miller.
559
560         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
561         (test1.o.get 10005):
562         (test1):
563         (test2.o.get 1000):
564         (test2):
565
566 2018-02-13  Caitlin Potter  <caitp@igalia.com>
567
568         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
569         https://bugs.webkit.org/show_bug.cgi?id=182717
570
571         Reviewed by Yusuke Suzuki.
572
573         https://github.com/tc39/ecma262/pull/890 imposes a change to template
574         literals, to allow template callsite arrays to be collected when the
575         code containing the tagged template call is collected. This spec change
576         has received concensus and been ratified.
577
578         This change eliminates the eternal map associating template contents
579         with arrays.
580
581         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
582         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
583         * stress/tagged-templates-identity.js:
584         * stress/template-string-tags-eval.js:
585         * test262.yaml:
586
587 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
588
589         Support GetArrayLength on ArrayStorage in the FTL
590         https://bugs.webkit.org/show_bug.cgi?id=182625
591
592         Reviewed by Saam Barati.
593
594         * stress/array-storage-length.js: Added.
595         (shouldBe):
596         (testInBound):
597         (testUncountable):
598         (testSlowPutInBound):
599         (testSlowPutUncountable):
600         * stress/undecided-length.js: Added.
601         (shouldBe):
602         (test2):
603
604 2018-02-12  Saam Barati  <sbarati@apple.com>
605
606         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
607         https://bugs.webkit.org/show_bug.cgi?id=182706
608         <rdar://problem/36833681>
609
610         Reviewed by Filip Pizlo.
611
612         * stress/get-array-length-phantom-new-array-buffer.js: Added.
613         (effects):
614         (foo):
615
616 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
617
618         Don't waste memory for error.stack
619         https://bugs.webkit.org/show_bug.cgi?id=182656
620
621         Reviewed by Saam Barati.
622         
623         Tests the policy.
624
625         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
626         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
627
628 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
629
630         [JSC] Update Test262 to Feb 9 version
631         https://bugs.webkit.org/show_bug.cgi?id=182468
632
633         Reviewed by Saam Barati.
634
635 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
636
637         Unreviewed, fix invalid line terminator in old test262 file part 2
638         https://bugs.webkit.org/show_bug.cgi?id=182468
639
640         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
641
642 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
643
644         Unreviewed, fix invalid line terminator in old test262 file
645         https://bugs.webkit.org/show_bug.cgi?id=182468
646
647         * test262/test/language/literals/regexp/7.8.5-1.js:
648
649 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
650
651         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
652         https://bugs.webkit.org/show_bug.cgi?id=182440
653
654         Reviewed by Darin Adler.
655
656         * stress/array-flatmap.js: Added.
657         (shouldBe):
658         (shouldBeArray):
659         (shouldThrow):
660         (var):
661         * stress/array-flatten.js: Added.
662         (shouldBe):
663         (shouldBeArray):
664         * test262.yaml:
665         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
666         (3.flatMap):
667         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
668
669 2018-02-06  Keith Miller  <keith_miller@apple.com>
670
671         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
672         https://bugs.webkit.org/show_bug.cgi?id=182549
673         <rdar://problem/36189995>
674
675         Reviewed by Saam Barati.
676
677         * stress/var-injection-cache-invalidation.js: Added.
678         (allocateLotsOfThings):
679         (test):
680
681 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
682
683         Unreviewed, follow up for test262 update
684         https://bugs.webkit.org/show_bug.cgi?id=182288
685
686         * test262.yaml:
687
688 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
689
690         Update test262 to Jan 30 version
691         https://bugs.webkit.org/show_bug.cgi?id=182288
692
693         Unreviewed test gardening.
694
695         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
696
697 2018-02-02  Saam Barati  <sbarati@apple.com>
698
699         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
700         https://bugs.webkit.org/show_bug.cgi?id=182368
701         <rdar://problem/36932466>
702
703         Reviewed by Mark Lam.
704
705         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
706         (runNearStackLimit.t):
707         (runNearStackLimit):
708         (try.runNearStackLimit):
709         (catch):
710
711 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
712
713         Update test262 to Jan 30 version
714         https://bugs.webkit.org/show_bug.cgi?id=182288
715
716         Rubber stamped by Saam Barati.
717
718         This patch updates test262 to the latest one, Jan 30 version.
719         Since added and changed files are too many, we cannot create ChangeLog.
720         The following files are changed.
721
722         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
723         including some special line terminators (like u2028, u2029).
724
725         * test262.yaml:
726         * test262/test262-Revision.txt:
727         * test262/*:
728
729 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
730
731         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
732         https://bugs.webkit.org/show_bug.cgi?id=182411
733
734         Reviewed by Carlos Alberto Lopez Perez.
735
736         This is skipped only on arm memory limited platforms. Until recently
737         it was not a problem on MIPS as the butterfly was not initialized. But
738         since r227435, the butterfly is initialized in that test and therefore
739         memory is allocated, and the test typically takes around 512M, which
740         means it generally gets OOM-killed on the MIPS buildbot.
741
742         * mozilla/mozilla-tests.yaml:
743
744 2018-02-01  Mark Lam  <mark.lam@apple.com>
745
746         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
747         https://bugs.webkit.org/show_bug.cgi?id=182419
748         <rdar://problem/37044945>
749
750         Reviewed by Saam Barati.
751
752         * stress/regress-182419.js: Added.
753
754 2018-02-01  Keith Miller  <keith_miller@apple.com>
755
756         Fix crashes due to mishandling custom sections.
757         https://bugs.webkit.org/show_bug.cgi?id=182404
758         <rdar://problem/36935863>
759
760         Reviewed by Saam Barati.
761
762         * wasm/Builder.js:
763         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
764         * wasm/js-api/validate.js:
765         (assert.truthy):
766
767 2018-01-31  Saam Barati  <sbarati@apple.com>
768
769         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
770         https://bugs.webkit.org/show_bug.cgi?id=182074
771         <rdar://problem/36846261>
772
773         Reviewed by Mark Lam.
774
775         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
776         (assert):
777         (let.func):
778         (let.o.foo):
779         (varFunc):
780
781 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
782
783         Unreviewed, update test262 expects
784         https://bugs.webkit.org/show_bug.cgi?id=182232
785
786         * test262.yaml:
787
788 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
789
790         [JSC] Implement trimStart and trimEnd
791         https://bugs.webkit.org/show_bug.cgi?id=182233
792
793         Reviewed by Mark Lam.
794
795         * stress/trim.js: Added.
796         (shouldBe):
797         (startTest):
798         (endTest):
799         (trimTest):
800
801 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
802
803         [JSC] Relax line terminators in String to make JSON subset of JS
804         https://bugs.webkit.org/show_bug.cgi?id=182232
805
806         Reviewed by Keith Miller.
807
808         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
809         * stress/relaxed-line-terminators-in-string.js: Added.
810         (shouldBe):
811
812 2018-01-29  Michael Saboff  <msaboff@apple.com>
813
814         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
815         https://bugs.webkit.org/show_bug.cgi?id=182249
816
817         Reviewed by Keith Miller.
818
819         New regression test.
820
821         * stress/compare-clobber-untypeduse.js: Added.
822
823 2018-01-29  Matt Lewis  <jlewis3@apple.com>
824
825         Unreviewed, rolling out r227725.
826
827         This caused internal failures.
828
829         Reverted changeset:
830
831         "JSC Sampling Profiler: Detect tester and testee when sampling
832         in RegExp JIT"
833         https://bugs.webkit.org/show_bug.cgi?id=152729
834         https://trac.webkit.org/changeset/227725
835
836 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
837
838         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
839         https://bugs.webkit.org/show_bug.cgi?id=152729
840
841         Reviewed by Saam Barati.
842
843         * stress/sampling-profiler-regexp.js: Added.
844         (platformSupportsSamplingProfiler.test):
845         (platformSupportsSamplingProfiler.baz):
846         (platformSupportsSamplingProfiler):
847
848 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
849
850         [DFG][FTL] WeakMap#set should have DFG node
851         https://bugs.webkit.org/show_bug.cgi?id=180015
852
853         Reviewed by Saam Barati.
854
855         * stress/weakmap-set-change-get.js: Added.
856         (shouldBe):
857         (test):
858         * stress/weakmap-set-cse.js: Added.
859         (shouldBe):
860         (test):
861         * stress/weakset-add-change-get.js: Added.
862         (shouldBe):
863         * stress/weakset-add-cse.js: Added.
864         (shouldBe):
865
866 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
867
868         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
869         https://bugs.webkit.org/show_bug.cgi?id=182213
870
871         Reviewed by Mark Lam.
872
873         * stress/int32-min-to-string.js: Added.
874         (shouldBe):
875         (test2):
876         (test4):
877         (test8):
878         (test16):
879         (test32):
880         * stress/zero-to-string.js: Added.
881         (shouldBe):
882         (test2):
883         (test4):
884         (test8):
885         (test16):
886         (test32):
887
888 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
889
890         Add more module scope related tests with code evaluation by string
891         https://bugs.webkit.org/show_bug.cgi?id=181983
892
893         Reviewed by Sam Weinig.
894
895         Add more module scope related tests. When the original tests are landed,
896         we do not have browser integration. This patch adds more module scope tests
897         with dynamically created script evaluation. We add tests with Function
898         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
899
900         * modules/scopes-eval.js: Added.
901         (shouldBe):
902         * modules/scopes.js:
903         (shouldBe):
904
905 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
906
907         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
908
909         * microbenchmarks/array-push-3.js: Removed.
910         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
911         * microbenchmarks/double-to-int32.js: Removed.
912         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
913         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
914         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
915         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
916         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
917         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
918         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
919         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
920         * microbenchmarks/map-constant-key.js: Removed.
921         * microbenchmarks/nested-function-parsing.js: Removed.
922         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
923         * microbenchmarks/spread-large-array.js: Removed.
924         * microbenchmarks/string-add-constant-folding.js: Removed.
925         * microbenchmarks/to-lower-case.js: Removed.
926         * microbenchmarks/undefined-property-access.js: Removed.
927         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
928         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
929         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
930         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
931         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
932         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
933         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
934         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
935         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
936         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
937         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
938         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
939         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
940         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
941         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
942         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
943         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
944         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
945
946 2018-01-23  Robin Morisset  <rmorisset@apple.com>
947
948         Update the argument count in DFGByteCodeParser::handleRecursiveCall
949         https://bugs.webkit.org/show_bug.cgi?id=181739
950         <rdar://problem/36627662>
951
952         Reviewed by Saam Barati.
953
954         * stress/recursive-tail-call-with-different-argument-count.js: Added.
955         (foo):
956         (bar):
957
958 2018-01-22  Michael Saboff  <msaboff@apple.com>
959
960         DFG abstract interpreter needs to properly model effects of some Math ops
961         https://bugs.webkit.org/show_bug.cgi?id=181886
962
963         Reviewed by Saam Barati.
964
965         New regression test.
966
967         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
968         (test):
969
970 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
971
972         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
973         https://bugs.webkit.org/show_bug.cgi?id=181182
974
975         Reviewed by Darin Adler.
976
977         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
978         * stress/big-int-prototype-to-string-exception.js: Added.
979         * stress/big-int-prototype-to-string-wrong-values.js: Added.
980         * stress/number-prototype-to-string-cast-overflow.js: Added.
981         * stress/number-prototype-to-string-exception.js: Added.
982         * stress/number-prototype-to-string-wrong-values.js: Added.
983
984 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
985
986         Disable Atomics when SharedArrayBuffer isn’t enabled
987         https://bugs.webkit.org/show_bug.cgi?id=181572
988
989         Unreviewed test gardening.
990
991         * test262.yaml: Skip tests that fail after this change.
992
993 2018-01-19  Saam Barati  <sbarati@apple.com>
994
995         Kill ArithNegate's ArithProfile assert inside BytecodeParser
996         https://bugs.webkit.org/show_bug.cgi?id=181877
997         <rdar://problem/36630552>
998
999         Reviewed by Mark Lam.
1000
1001         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1002         (runNearStackLimit):
1003         (f1):
1004         (f2):
1005         (f3):
1006         (i.catch):
1007         (i.try.runNearStackLimit):
1008         (catch):
1009
1010 2018-01-19  Saam Barati  <sbarati@apple.com>
1011
1012         Spread's effects are modeled incorrectly both in AI and in Clobberize
1013         https://bugs.webkit.org/show_bug.cgi?id=181867
1014         <rdar://problem/36290415>
1015
1016         Reviewed by Michael Saboff.
1017
1018         * stress/ai-needs-to-model-spreads-effects.js: Added.
1019         (try.p.Symbol.iterator):
1020         (try.go):
1021         (catch):
1022         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1023         (assert):
1024         (foo):
1025         (a.Symbol.iterator):
1026
1027 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1028
1029         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1030         https://bugs.webkit.org/show_bug.cgi?id=181535
1031
1032         * stress/inserted-recovery-with-set-last-index.js:
1033
1034 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1035
1036         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1037         https://bugs.webkit.org/show_bug.cgi?id=181535
1038
1039         Reviewed by Saam Barati.
1040
1041         * stress/inserted-recovery-with-set-last-index.js: Added.
1042         (shouldBe):
1043         (foo):
1044         * stress/materialize-regexp-at-osr-exit.js: Added.
1045         (shouldBe):
1046         (test):
1047         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1048         (shouldBe):
1049         (test):
1050         * stress/materialize-regexp-cyclic-regexp.js: Added.
1051         (shouldBe):
1052         (test):
1053         (i.switch):
1054         * stress/materialize-regexp-cyclic.js: Added.
1055         (shouldBe):
1056         (test):
1057         (i.switch):
1058         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1059         (bar):
1060         (foo):
1061         (test):
1062         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1063         (bar):
1064         (foo):
1065         (test):
1066         * stress/materialize-regexp.js: Added.
1067         (shouldBe):
1068         (test):
1069         * stress/phantom-regexp-regexp-exec.js: Added.
1070         (shouldBe):
1071         (test):
1072         * stress/phantom-regexp-string-match.js: Added.
1073         (shouldBe):
1074         (test):
1075         * stress/regexp-last-index-sinking.js: Added.
1076         (shouldBe):
1077         (test):
1078
1079 2018-01-17  Saam Barati  <sbarati@apple.com>
1080
1081         Disable Atomics when SharedArrayBuffer isn’t enabled
1082         https://bugs.webkit.org/show_bug.cgi?id=181572
1083         <rdar://problem/36553206>
1084
1085         Reviewed by Michael Saboff.
1086
1087         * stress/isLockFree.js:
1088
1089 2018-01-17  Saam Barati  <sbarati@apple.com>
1090
1091         DFG::Node::convertToConstant needs to clear the varargs flags
1092         https://bugs.webkit.org/show_bug.cgi?id=181697
1093         <rdar://problem/36497332>
1094
1095         Reviewed by Yusuke Suzuki.
1096
1097         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1098         (doIndexOf):
1099         (bar):
1100         (i.bar):
1101
1102 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1103
1104         Unreviewed, rolling out r226937.
1105
1106         Tests added with this change are failing due to a missing
1107         exception check.
1108
1109         Reverted changeset:
1110
1111         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1112         double to int32_t"
1113         https://bugs.webkit.org/show_bug.cgi?id=181182
1114         https://trac.webkit.org/changeset/226937
1115
1116 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1117
1118         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1119         https://bugs.webkit.org/show_bug.cgi?id=181182
1120
1121         Reviewed by Darin Adler.
1122
1123         * bigIntTests.yaml:
1124         * stress/big-int-constructor.js:
1125         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1126         (assert):
1127         (assertThrowRangeError):
1128         * stress/number-prototype-to-string-cast-overflow.js: Added.
1129         (assert):
1130         (assertThrowRangeError):
1131
1132 2018-01-12  Saam Barati  <sbarati@apple.com>
1133
1134         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1135         https://bugs.webkit.org/show_bug.cgi?id=181177
1136         <rdar://problem/36205704>
1137
1138         Reviewed by Yusuke Suzuki.
1139
1140         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1141         (runNearStackLimit.t):
1142         (runNearStackLimit):
1143         (test.f):
1144         (test):
1145
1146 2018-01-12  Saam Barati  <sbarati@apple.com>
1147
1148         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1149         https://bugs.webkit.org/show_bug.cgi?id=181562
1150         <rdar://problem/36445624>
1151
1152         Reviewed by Yusuke Suzuki.
1153
1154         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1155         (f):
1156         (foo):
1157
1158 2018-01-11  Saam Barati  <sbarati@apple.com>
1159
1160         When inserting Unreachable in byte code parser we need to flush all the right things
1161         https://bugs.webkit.org/show_bug.cgi?id=181509
1162         <rdar://problem/36423110>
1163
1164         Reviewed by Mark Lam.
1165
1166         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1167
1168 2018-01-11  Saam Barati  <sbarati@apple.com>
1169
1170         JITMathIC code in the FTL is wrong when code gets duplicated
1171         https://bugs.webkit.org/show_bug.cgi?id=181525
1172         <rdar://problem/36351993>
1173
1174         Reviewed by Michael Saboff and Keith Miller.
1175
1176         * stress/allow-math-ic-b3-code-duplication.js: Added.
1177
1178 2018-01-11  Saam Barati  <sbarati@apple.com>
1179
1180         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1181         https://bugs.webkit.org/show_bug.cgi?id=181508
1182
1183         Reviewed by Yusuke Suzuki.
1184
1185         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1186         (assert):
1187         (test1.foo):
1188         (test1):
1189         (test2.foo):
1190         (test2):
1191
1192 2018-01-09  Mark Lam  <mark.lam@apple.com>
1193
1194         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1195         https://bugs.webkit.org/show_bug.cgi?id=181388
1196         <rdar://problem/36349351>
1197
1198         Reviewed by Saam Barati.
1199
1200         * stress/regress-181388.js: Added.
1201
1202 2018-01-08  JF Bastien  <jfbastien@apple.com>
1203
1204         WebAssembly: mask indexed accesses to Table
1205         https://bugs.webkit.org/show_bug.cgi?id=181412
1206         <rdar://problem/36363236>
1207
1208         Reviewed by Saam Barati.
1209
1210         Update error messages.
1211
1212         * wasm/js-api/table.js:
1213         (assert.throws.WebAssembly.Table.prototype.grow):
1214
1215 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1216
1217         Disable SharedArrayBuffer tests missed in r226386.
1218         https://bugs.webkit.org/show_bug.cgi?id=181266
1219
1220         Unreviewed test gardening.
1221
1222         * test262.yaml:
1223
1224 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1225
1226         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1227         https://bugs.webkit.org/show_bug.cgi?id=181321
1228
1229         Reviewed by Saam Barati.
1230
1231         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1232         (shouldBe):
1233         (testFunction):
1234         * test262.yaml:
1235
1236 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1237
1238         Unreviewed, attempt to fix test262 after r226386.
1239
1240         * test262.yaml:
1241
1242 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1243
1244         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1245         https://bugs.webkit.org/show_bug.cgi?id=179911
1246
1247         Reviewed by Saam Barati.
1248
1249         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1250
1251         * stress/map-set-change-get.js: Added.
1252         (shouldBe):
1253         (test):
1254         * stress/map-set-create-bucket.js: Added.
1255         (shouldBe):
1256         (test):
1257         * stress/set-add-create-bucket.js: Added.
1258         (shouldBe):
1259
1260 2018-01-03  Michael Saboff  <msaboff@apple.com>
1261
1262         Disable SharedArrayBuffers from Web API
1263         https://bugs.webkit.org/show_bug.cgi?id=181266
1264
1265         Reviewed by Saam Barati.
1266
1267         Disabled SharedArrayBuffer tests.
1268
1269         * stress/SharedArrayBuffer-opt.js:
1270         * stress/SharedArrayBuffer.js:
1271         * stress/array-buffer-byte-length.js:
1272         * stress/atomics-add-uint32.js:
1273         * stress/atomics-known-int-use.js:
1274         * stress/atomics-neg-zero.js:
1275         * stress/atomics-store-return.js:
1276         * stress/lars-sab-workers.js:
1277         * stress/regress-159779-1.js:
1278         * stress/regress-159779-2.js:
1279         * stress/regress-170473.js:
1280         * test262.yaml:
1281
1282 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1283
1284         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1285         https://bugs.webkit.org/show_bug.cgi?id=181258
1286
1287         Reviewed by Antonio Gomes.
1288
1289         * stress/big-int-constructor-gc.js:
1290         * stress/big-int-constructor-oom.js:
1291
1292 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1293
1294         Inlining of a function that ends in op_unreachable crashes
1295         https://bugs.webkit.org/show_bug.cgi?id=181027
1296
1297         Reviewed by Filip Pizlo.
1298
1299         * stress/inlining-unreachable.js: Added.
1300         (bar):
1301         (baz):
1302         (i.catch):
1303
1304 2018-01-02  Saam Barati  <sbarati@apple.com>
1305
1306         Incorrect assertion inside AccessCase
1307         https://bugs.webkit.org/show_bug.cgi?id=181200
1308         <rdar://problem/35494754>
1309
1310         Reviewed by Yusuke Suzuki.
1311
1312         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1313         (ctor):
1314         (theFunc):
1315         (run):
1316
1317 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1318
1319         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1320         https://bugs.webkit.org/show_bug.cgi?id=175359
1321
1322         Reviewed by Yusuke Suzuki.
1323
1324         * bigIntTests.yaml:
1325         * stress/big-int-as-key.js: Added.
1326         * stress/big-int-constructor-gc.js: Added.
1327         * stress/big-int-constructor-oom.js: Added.
1328         * stress/big-int-constructor-properties.js: Added.
1329         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1330         * stress/big-int-constructor-prototype.js: Added.
1331         * stress/big-int-constructor.js: Added.
1332         * stress/big-int-function-apply.js:
1333         * stress/big-int-length.js: Added.
1334         * stress/big-int-prop-descriptor.js: Added.
1335         * stress/big-int-proto-constructor.js: Added.
1336         * stress/big-int-proto-name.js: Added.
1337         * stress/big-int-prototype-properties.js: Added.
1338         * stress/big-int-prototype-proto.js: Added.
1339         * stress/big-int-prototype-value-of.js: Added.
1340         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1341         * stress/big-int-prototype-to-string-apply.js: Added.
1342         * stress/big-int-to-object.js: Added.
1343         * stress/big-int-to-string.js: Added.
1344
1345 2017-12-28  Saam Barati  <sbarati@apple.com>
1346
1347         Assertion used to determine if something is an async generator is wrong
1348         https://bugs.webkit.org/show_bug.cgi?id=181168
1349         <rdar://problem/35640560>
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * stress/async-generator-assertion.js: Added.
1354
1355 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1356
1357         Skip stress/splay-flash-access tests on memory limited platforms
1358         https://bugs.webkit.org/show_bug.cgi?id=181086
1359
1360         Reviewed by Carlos Alberto Lopez Perez.
1361
1362         These tests use about 185M of memory, and occasionally get OOM-killed
1363         on memory limited platforms.
1364
1365         * stress/splay-flash-access-1ms.js:
1366         * stress/splay-flash-access.js:
1367
1368 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1369
1370         Skip slow jsc tests on embedded platforms
1371         https://bugs.webkit.org/show_bug.cgi?id=180937
1372
1373         Reviewed by Carlos Alberto Lopez Perez.
1374
1375         The tests typeProfiler/deltablue-for-of.js and
1376         typeProfiler/getter-richards.js take a very long time in the
1377         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1378         thus always timeout. They should be skipped on these platforms.
1379
1380         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1381         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1382
1383 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1384
1385         [JSC] Do not check isValid() in op_new_regexp
1386         https://bugs.webkit.org/show_bug.cgi?id=180970
1387
1388         Reviewed by Saam Barati.
1389
1390         * stress/regexp-syntax-error-invalid-flags.js: Added.
1391         (shouldThrow):
1392
1393 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1394
1395         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1396         https://bugs.webkit.org/show_bug.cgi?id=180712
1397
1398         Reviewed by Michael Catanzaro.
1399
1400         stress/call-apply-exponential-bytecode-size.js crashes if the
1401         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1402         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1403         should skip the test on other platforms.
1404
1405         * stress/call-apply-exponential-bytecode-size.js:
1406
1407 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1408
1409         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1410         https://bugs.webkit.org/show_bug.cgi?id=179762
1411
1412         Reviewed by Saam Barati.
1413
1414         * stress/call-varargs-double-new-array-buffer.js: Added.
1415         (assert):
1416         (bar):
1417         (foo):
1418         * stress/call-varargs-spread-new-array-buffer.js: Added.
1419         (assert):
1420         (bar):
1421         (foo):
1422         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1423         (assert):
1424         (bar):
1425         (foo):
1426         * stress/forward-varargs-double-new-array-buffer.js: Added.
1427         (assert):
1428         (test.baz):
1429         (test.bar):
1430         (test.foo):
1431         (test):
1432         * stress/new-array-buffer-sinking-osrexit.js: Added.
1433         (target):
1434         (test):
1435         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1436         (shouldBe):
1437         (test):
1438         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1439         (shouldBe):
1440         (target):
1441         (test):
1442         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1443         (assert):
1444         (test1.bar):
1445         (test1.foo):
1446         (test1):
1447         (test2.bar):
1448         (test2.foo):
1449         (test3.baz):
1450         (test3.bar):
1451         (test3.foo):
1452         (test4.baz):
1453         (test4.bar):
1454         (test4.foo):
1455         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1456         (assert):
1457         (test.baz):
1458         (test.bar):
1459         (test.foo):
1460         (test):
1461         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1462         (assert):
1463         (baz):
1464         (bar):
1465         (effects):
1466         (foo):
1467
1468 2017-12-14  Saam Barati  <sbarati@apple.com>
1469
1470         The CleanUp after LICM is erroneously removing a Check
1471         https://bugs.webkit.org/show_bug.cgi?id=180852
1472         <rdar://problem/36063494>
1473
1474         Reviewed by Filip Pizlo.
1475
1476         * stress/dont-run-cleanup-after-licm.js: Added.
1477
1478 2017-12-14  Michael Saboff  <msaboff@apple.com>
1479
1480         REGRESSION (r225695): Repro crash on yahoo login page
1481         https://bugs.webkit.org/show_bug.cgi?id=180761
1482
1483         Reviewed by JF Bastien.
1484
1485         New regression test.
1486
1487         * stress/regress-180761.js: Added.
1488
1489 2017-12-13  Keith Miller  <keith_miller@apple.com>
1490
1491         JSObjects should have a mask for loading indexed properties
1492         https://bugs.webkit.org/show_bug.cgi?id=180768
1493
1494         Reviewed by Mark Lam.
1495
1496         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1497         (test):
1498
1499 2017-12-13  Saam Barati  <sbarati@apple.com>
1500
1501         Arrow functions need their own structure because they have different properties than sloppy functions
1502         https://bugs.webkit.org/show_bug.cgi?id=180779
1503         <rdar://problem/35814591>
1504
1505         Reviewed by Mark Lam.
1506
1507         * stress/arrow-function-needs-its-own-structure.js: Added.
1508         (assert):
1509         (readPrototype):
1510         (noInline.let.f1):
1511         (noInline):
1512
1513 2017-12-13  Saam Barati  <sbarati@apple.com>
1514
1515         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1516         https://bugs.webkit.org/show_bug.cgi?id=163579
1517         <rdar://problem/35455798>
1518
1519         Reviewed by Mark Lam.
1520
1521         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1522         (assert):
1523         (test1):
1524         (i.test1):
1525         (i.test1.C):
1526         (i.test1.async.foo):
1527         (i.test1.foo):
1528         (test2):
1529
1530 2017-12-13  Saam Barati  <sbarati@apple.com>
1531
1532         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1533         https://bugs.webkit.org/show_bug.cgi?id=180734
1534         <rdar://problem/35640547>
1535
1536         Reviewed by Yusuke Suzuki.
1537
1538         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1539         (__isPropertyOfType):
1540         (__getProperties):
1541         (__getObjects):
1542         (__getRandomObject):
1543         (theClass.):
1544         (theClass):
1545         (childClass):
1546         (counter.catch):
1547
1548 2017-12-12  Saam Barati  <sbarati@apple.com>
1549
1550         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1551         https://bugs.webkit.org/show_bug.cgi?id=180725
1552         <rdar://problem/35970511>
1553
1554         Reviewed by Michael Saboff.
1555
1556         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1557         (f1):
1558         (f2):
1559         (let.o2.valueOf):
1560
1561 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1562
1563         [JSC] Implement optimized WeakMap and WeakSet
1564         https://bugs.webkit.org/show_bug.cgi?id=179929
1565
1566         Reviewed by Saam Barati.
1567
1568         * microbenchmarks/weak-map-key.js:
1569         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1570         (assert):
1571         (objectKey):
1572         (let.start.Date.now):
1573         * stress/basic-weakmap.js: Added.
1574         (shouldBe):
1575         (test):
1576         * stress/basic-weakset.js: Added.
1577         (shouldBe):
1578         (test.set new):
1579         * stress/weakmap-cse-set-break.js: Added.
1580         (shouldBe):
1581         (test):
1582         * stress/weakmap-cse.js: Added.
1583         (shouldBe):
1584         (test):
1585         * stress/weakmap-gc.js: Added.
1586         (test):
1587         * stress/weakset-cse-add-break.js: Added.
1588         (shouldBe):
1589         (test.set new):
1590         * stress/weakset-cse.js: Added.
1591         (shouldBe):
1592         (test.set new):
1593         * stress/weakset-gc.js: Added.
1594         (test.set add):
1595         (test.set new):
1596         (test):
1597
1598 2017-12-12  Saam Barati  <sbarati@apple.com>
1599
1600         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1601         https://bugs.webkit.org/show_bug.cgi?id=180723
1602         <rdar://problem/35859726>
1603
1604         Reviewed by JF Bastien.
1605
1606         * stress/get-my-argument-by-val-constant-folding.js: Added.
1607         (test):
1608         (catch):
1609
1610 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1611
1612         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1613         https://bugs.webkit.org/show_bug.cgi?id=179000
1614
1615         Reviewed by Darin Adler and Yusuke Suzuki.
1616
1617         * bigIntTests.yaml: Added.
1618         * stress/big-int-literal-line-terminator.js: Added.
1619         * stress/big-int-literals.js: Added.
1620         * stress/big-int-operations-error.js: Added.
1621         * stress/big-int-type-of.js: Added.
1622         * stress/big-int-white-space-trailing-leading.js: Added.
1623         * stress/big-int-function-apply.js: Added.
1624
1625 2017-12-11  Saam Barati  <sbarati@apple.com>
1626
1627         We need to disableCaching() in ErrorInstance when we materialize properties
1628         https://bugs.webkit.org/show_bug.cgi?id=180343
1629         <rdar://problem/35833002>
1630
1631         Reviewed by Mark Lam.
1632
1633         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1634         (assert):
1635         (makeError):
1636         (storeToStack):
1637         (storeToStackAlreadyMaterialized):
1638
1639 2017-12-05  JF Bastien  <jfbastien@apple.com>
1640
1641         WebAssembly: don't eagerly checksum
1642         https://bugs.webkit.org/show_bug.cgi?id=180441
1643         <rdar://problem/35156628>
1644
1645         Reviewed by Saam Barati.
1646
1647         Checksum is now disabled, so tests only have <?> as the module
1648         name.
1649
1650         * wasm/function-tests/nameSection.js:
1651         * wasm/function-tests/stack-overflow.js:
1652         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1653         (assertOverflows.assertThrows):
1654         (assertOverflows):
1655         * wasm/function-tests/stack-trace.js:
1656
1657 2017-12-04  JF Bastien  <jfbastien@apple.com>
1658
1659         Proxy all functions, except the $ objects
1660         https://bugs.webkit.org/show_bug.cgi?id=180375
1661
1662         Reviewed by Saam Barati.
1663
1664         It looks like this test may have broken some executions because I
1665         call some internal objects. Explicitly ignore objects whose name
1666         starts with "$" because it's a bad idea anyways.
1667
1668         * stress/proxy-all-the-parameters.js:
1669         (generateObjects):
1670         (get throw):
1671
1672 2017-12-04  Saam Barati  <sbarati@apple.com>
1673
1674         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1675         https://bugs.webkit.org/show_bug.cgi?id=180366
1676         <rdar://problem/35685877>
1677
1678         Reviewed by Michael Saboff.
1679
1680         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1681         (theParent):
1682         (test1.base.getParentStaticValue):
1683         (test1.base):
1684         (test1.__v_24888.prototype.set prop):
1685         (test1.__v_24888):
1686         (test2.base.getParentStaticValue):
1687         (test2.base):
1688         (test2.__v_24888.prototype.set prop):
1689         (test2.__v_24888):
1690         (test2):
1691
1692 2017-12-01  JF Bastien  <jfbastien@apple.com>
1693
1694         Try proxying all function arguments
1695         https://bugs.webkit.org/show_bug.cgi?id=180306
1696
1697         Reviewed by Saam Barati.
1698
1699         * stress/proxy-all-the-parameters.js: Added.
1700         (isPropertyOfType):
1701         (getProperties):
1702         (generateObjects):
1703         (getObjects):
1704         (getFunctions):
1705         (get throw):
1706         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1707
1708 2017-12-01  JF Bastien  <jfbastien@apple.com>
1709
1710         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1711         https://bugs.webkit.org/show_bug.cgi?id=180297
1712         <rdar://problem/35745556>
1713
1714         Reviewed by Mark Lam.
1715
1716         * stress/math-exceptions.js: Added.
1717         (get try):
1718         (catch):
1719
1720 2017-12-01  JF Bastien  <jfbastien@apple.com>
1721
1722         JavaScriptCore: add test for weird class static getters
1723         https://bugs.webkit.org/show_bug.cgi?id=180281
1724         <rdar://problem/35592139>
1725
1726         Reviewed by Mark Lam.
1727
1728         I fixed a bug for it in r224927 and didn't add a test. Do so.
1729
1730         * stress/class-static-get-weird.js: Added.
1731         (c.prototype.get name):
1732         (c):
1733         (c.prototype.get arguments):
1734         (c.prototype.get caller):
1735         (c.prototype.get length):
1736
1737 2017-12-01  Saam Barati  <sbarati@apple.com>
1738
1739         Having a bad time needs to handle ArrayClass indexing type as well
1740         https://bugs.webkit.org/show_bug.cgi?id=180274
1741         <rdar://problem/35667869>
1742
1743         Reviewed by Keith Miller and Mark Lam.
1744
1745         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1746         (assert):
1747         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1748         (assert):
1749
1750 2017-12-01  JF Bastien  <jfbastien@apple.com>
1751
1752         WebAssembly: restore cached stack limit after out-call
1753         https://bugs.webkit.org/show_bug.cgi?id=179106
1754         <rdar://problem/35337525>
1755
1756         Reviewed by Saam Barati.
1757
1758         * wasm/function-tests/double-instance.js: Added.
1759         (const.imp.boom):
1760         (const.imp.get callAnother):
1761
1762 2017-11-30  JF Bastien  <jfbastien@apple.com>
1763
1764         WebAssembly: improve stack trace
1765         https://bugs.webkit.org/show_bug.cgi?id=179343
1766
1767         Reviewed by Saam Barati.
1768
1769         Update the tests to follow the new format. Notably, SHA1 module
1770         hash is now included in traces, and stubs are properly identified.
1771
1772         * wasm/assert.js: Add an assertion which matches regular expressions.
1773         * wasm/function-tests/nameSection.js:
1774         * wasm/function-tests/stack-overflow.js:
1775         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1776         (assertOverflows.assertThrows.wasm.1):
1777         (assertOverflows.assertThrows.wasm.0):
1778         (assertOverflows.assertThrows):
1779         (assertOverflows):
1780         * wasm/function-tests/stack-trace.js:
1781         (import.Builder.from.string_appeared_here.assert): Deleted.
1782         * wasm/function-tests/trap-after-cross-instance-call.js:
1783         (wasmFrameCountFromError):
1784         * wasm/function-tests/trap-load-2.js:
1785         (wasmFrameCountFromError):
1786         * wasm/function-tests/trap-load.js:
1787         (wasmFrameCountFromError):
1788
1789 2017-11-30  Mark Lam  <mark.lam@apple.com>
1790
1791         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1792         https://bugs.webkit.org/show_bug.cgi?id=180219
1793         <rdar://problem/35696536>
1794
1795         Reviewed by Filip Pizlo.
1796
1797         * stress/regress-180219.js: Added.
1798
1799 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1800
1801         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1802         https://bugs.webkit.org/show_bug.cgi?id=180190
1803
1804         Reviewed by Mark Lam.
1805
1806         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1807         (shouldBe):
1808         (test1):
1809         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1810         (shouldBe):
1811         (test1):
1812         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1813         (shouldBe):
1814         (test1):
1815         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1816         (shouldBe):
1817         (test1):
1818         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1819         (shouldBe):
1820         (test1):
1821         * stress/operation-in-may-have-negative-int32.js: Added.
1822         (shouldBe):
1823         (test2):
1824         * stress/operation-in-negative-int32-cast.js: Added.
1825         (shouldBe):
1826         (test1):
1827
1828 2017-11-28  JF Bastien  <jfbastien@apple.com>
1829
1830         Strict and sloppy functions shouldn't share structure
1831         https://bugs.webkit.org/show_bug.cgi?id=180103
1832         <rdar://problem/35667847>
1833
1834         Reviewed by Saam Barati.
1835
1836         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1837         because the IC was wrong.
1838         (foo):
1839         (bar):
1840         (baz):
1841         (catch):
1842         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1843         in this patch, but may as well test odd strict mode corner cases.
1844         (bar):
1845         (baz):
1846         (catch):
1847         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1848         (foo):
1849         (bar):
1850         (baz):
1851         (catch):
1852         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1853         next file, but with invalidation of the FunctionExecutable's
1854         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1855         slower path.
1856         (foo):
1857         (bar.const.x):
1858         (bar.const.y):
1859         (bar):
1860         (catch):
1861         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1862         strict nesting works correctly.
1863         (foo):
1864         (bar.baz):
1865         (bar):
1866         * stress/strict-function-structure.js: Added. The test used to
1867         assert in objectProtoFuncHasOwnProperty.
1868         (foo):
1869         (bar):
1870         (baz):
1871         * stress/strict-nested-function-structure.js: Added. Nesting.
1872         (foo):
1873         (bar):
1874         (baz.boo):
1875         (baz):
1876
1877 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1878
1879         The recursive tail call optimisation is wrong on closures
1880         https://bugs.webkit.org/show_bug.cgi?id=179835
1881
1882         Reviewed by Saam Barati.
1883
1884         * stress/closure-recursive-tail-call.js: Added.
1885         (makeClosure):
1886
1887 2017-11-27  JF Bastien  <jfbastien@apple.com>
1888
1889         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1890         https://bugs.webkit.org/show_bug.cgi?id=180051
1891         <rdar://problem/35614371>
1892
1893         Reviewed by Saam Barati.
1894
1895         * stress/rest-parameter-negative.js: Added.
1896         (__f_5484):
1897         (catch):
1898         (__f_5485):
1899         (__v_22598.catch):
1900
1901 2017-11-27  Saam Barati  <sbarati@apple.com>
1902
1903         Spread can escape when CreateRest does not
1904         https://bugs.webkit.org/show_bug.cgi?id=180057
1905         <rdar://problem/35676119>
1906
1907         Reviewed by JF Bastien.
1908
1909         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1910         (assert):
1911         (getProperties):
1912         (theFunc):
1913         (let.obj.valueOf):
1914
1915 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1916
1917         [DFG] Add NormalizeMapKey DFG IR
1918         https://bugs.webkit.org/show_bug.cgi?id=179912
1919
1920         Reviewed by Saam Barati.
1921
1922         * stress/map-untyped-normalize-cse.js: Added.
1923         (shouldBe):
1924         (test):
1925         * stress/map-untyped-normalize.js: Added.
1926         (shouldBe):
1927         (test):
1928         * stress/set-untyped-normalize-cse.js: Added.
1929         (shouldBe):
1930         (set return.set has.set has):
1931         * stress/set-untyped-normalize.js: Added.
1932         (shouldBe):
1933         (set return.set has):
1934
1935 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1936
1937         [FTL] Support DeleteById and DeleteByVal
1938         https://bugs.webkit.org/show_bug.cgi?id=180022
1939
1940         Reviewed by Saam Barati.
1941
1942         * stress/delete-by-id.js: Added.
1943         (shouldBe):
1944         (test1):
1945         (test2):
1946         * stress/delete-by-val-ftl.js: Added.
1947         (shouldBe):
1948         (test1):
1949         (test2):
1950
1951 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1952
1953         [DFG] Introduce {Set,Map,WeakMap}Fields
1954         https://bugs.webkit.org/show_bug.cgi?id=179925
1955
1956         Reviewed by Saam Barati.
1957
1958         * stress/map-set-clobber-map-get.js: Added.
1959         (shouldBe):
1960         (test):
1961         * stress/map-set-does-not-clobber-set-has.js: Added.
1962         (shouldBe):
1963         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1964         (shouldBe):
1965         (test):
1966         * stress/set-add-clobber-set-has.js: Added.
1967         (shouldBe):
1968         * stress/set-add-does-not-clobber-map-get.js: Added.
1969         (shouldBe):
1970
1971 2017-11-24  Mark Lam  <mark.lam@apple.com>
1972
1973         Move unsafe jsc shell test functions to the $vm object.
1974         https://bugs.webkit.org/show_bug.cgi?id=179980
1975
1976         Reviewed by Yusuke Suzuki.
1977
1978         * controlFlowProfiler/driver/driver.js:
1979         * controlFlowProfiler/execution-count.js:
1980         * controlFlowProfiler/if-statement.js:
1981         * controlFlowProfiler/loop-statements.js:
1982         * controlFlowProfiler/switch-statements.js:
1983         * controlFlowProfiler/test-jit.js:
1984         * exceptionFuzz/3d-cube.js:
1985         * exceptionFuzz/date-format-xparb.js:
1986         * exceptionFuzz/earley-boyer.js:
1987         * heapProfiler/basic-edges.js:
1988         * heapProfiler/property-edge-types.js:
1989         * microbenchmarks/try-get-by-id-basic.js:
1990         * microbenchmarks/try-get-by-id-polymorphic.js:
1991         * modules/namespace-object-try-get.js:
1992         * stress/argument-count-bytecode.js:
1993         * stress/argument-intrinsic-basic.js:
1994         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1995         * stress/argument-intrinsic-inlining-with-result-escape.js:
1996         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1997         * stress/argument-intrinsic-inlining-with-vararg.js:
1998         * stress/argument-intrinsic-nested-inlining.js:
1999         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2000         * stress/argument-intrinsic-with-stack-write.js:
2001         * stress/arity-mismatch-get-argument.js:
2002         * stress/array-message-passing.js:
2003         * stress/array-push-with-force-exit.js:
2004         * stress/check-dom-with-signature.js:
2005         * stress/check-sub-class.js:
2006         * stress/compare-eq-incomplete-profile.js:
2007         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2008         * stress/do-eval-virtual-call-correctly.js:
2009         * stress/dom-jit-with-poly-proto.js:
2010         * stress/domjit-exception-ic.js:
2011         * stress/domjit-exception.js:
2012         * stress/domjit-getter-complex-with-incorrect-object.js:
2013         * stress/domjit-getter-complex.js:
2014         * stress/domjit-getter-poly.js:
2015         * stress/domjit-getter-proto.js:
2016         * stress/domjit-getter-super-poly.js:
2017         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2018         * stress/domjit-getter-type-check.js:
2019         * stress/domjit-getter.js:
2020         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2021         * stress/for-in-proxy-target-changed-structure.js:
2022         * stress/for-in-proxy.js:
2023         * stress/generational-opaque-roots.js:
2024         * stress/global-const-redeclaration-setting-2.js:
2025         * stress/global-const-redeclaration-setting-3.js:
2026         * stress/global-const-redeclaration-setting-4.js:
2027         * stress/global-const-redeclaration-setting-5.js:
2028         * stress/global-const-redeclaration-setting.js:
2029         * stress/import-basic.js:
2030         * stress/import-from-eval.js:
2031         * stress/import-reject-with-exception.js:
2032         * stress/import-syntax.js:
2033         * stress/impure-get-own-property-slot-inline-cache.js:
2034         * stress/is-constructor.js:
2035         * stress/istypedarrayview-intrinsic.js:
2036         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2037         * stress/jsc-test-functions-should-be-more-robust.js:
2038         * stress/object-toString-with-proxy.js:
2039         * stress/poly-proto-custom-value-and-accessor.js:
2040         * stress/proxy-inline-cache.js:
2041         * stress/re-execute-error-module.js:
2042         * stress/regress-150532.js:
2043         * stress/regress-156992.js:
2044         * stress/regress-179619.js:
2045         * stress/resources/shadow-chicken-support.js:
2046         * stress/runtime-array.js:
2047         * stress/sampling-profiler-microtasks.js:
2048         * stress/shadow-chicken-enabled.js:
2049         * stress/spread-correct-global-object-on-exception.js:
2050         * stress/super-get-by-id.js:
2051         * stress/tailCallForwardArguments.js:
2052         * stress/to-object-intrinsic-boolean-edge.js:
2053         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2054         * stress/to-object-intrinsic-number-edge.js:
2055         * stress/to-object-intrinsic-object-edge.js:
2056         * stress/to-object-intrinsic-string-edge.js:
2057         * stress/to-object-intrinsic-symbol-edge.js:
2058         * stress/to-object-intrinsic.js:
2059         * stress/try-catch-custom-getter-as-get-by-id.js:
2060         * stress/try-get-by-id-poly-proto.js:
2061         * stress/try-get-by-id-should-spill-registers-dfg.js:
2062         * stress/try-get-by-id.js:
2063         * typeProfiler/arrow-functions.js:
2064         * typeProfiler/basic.js:
2065         * typeProfiler/captured.js:
2066         * typeProfiler/classes.js:
2067         * typeProfiler/dfg-jit-optimizations.js:
2068         * typeProfiler/dictionary-mode.js:
2069         * typeProfiler/es6-block-scoping.js:
2070         * typeProfiler/es6-classes.js:
2071         * typeProfiler/inheritance.js:
2072         * typeProfiler/int52-dfg.js:
2073         * typeProfiler/loop.js:
2074         * typeProfiler/optional-fields.js:
2075         * typeProfiler/overflow.js:
2076         * typeProfiler/return.js:
2077         * typeProfiler/symbol.js:
2078         * typeProfiler/weird-prototype-chain.js:
2079
2080 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2081
2082         [DFG][FTL] Support MapSet / SetAdd intrinsics
2083         https://bugs.webkit.org/show_bug.cgi?id=179858
2084
2085         Reviewed by Saam Barati.
2086
2087         * microbenchmarks/map-has-and-set.js: Added.
2088         (test):
2089         * stress/map-set-check-failure.js: Added.
2090         (shouldBe):
2091         (shouldThrow):
2092         (target):
2093         * stress/map-set-cse.js: Added.
2094         (shouldBe):
2095         (test):
2096         * stress/set-add-check-failure.js: Added.
2097         (shouldBe):
2098         (shouldThrow):
2099         (set shouldThrow):
2100         * stress/set-add-cse.js: Added.
2101         (shouldBe):
2102
2103 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2104
2105         [JSC] Allow poly proto for intrinsic getters
2106         https://bugs.webkit.org/show_bug.cgi?id=179550
2107
2108         Reviewed by Saam Barati.
2109
2110         This change is also tested by existing tests.
2111
2112             1. stress/intrinsic-getter-with-poly-proto.js
2113             2. stress/poly-proto-intrinsic-getter-correctness.js
2114
2115         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2116         (shouldBe):
2117         (makePolyProtoObject.foo.C):
2118         (makePolyProtoObject.foo):
2119         (makePolyProtoObject):
2120         (target):
2121         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2122         (shouldBe):
2123         (makePolyProtoObject.foo.C):
2124         (makePolyProtoObject.foo):
2125         (makePolyProtoObject):
2126         (target):
2127
2128 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2129
2130         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2131         https://bugs.webkit.org/show_bug.cgi?id=179744
2132
2133         Reviewed by Michael Catanzaro.
2134
2135         This test uses too much memory for our buildbots on these platforms
2136         and gets OOM-killed.
2137
2138         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2139         Skip if $memoryLimited and linux.
2140
2141 2017-11-17  JF Bastien  <jfbastien@apple.com>
2142
2143         WebAssembly JS API: throw when a promise can't be created
2144         https://bugs.webkit.org/show_bug.cgi?id=179826
2145         <rdar://problem/35455813>
2146
2147         Reviewed by Mark Lam.
2148
2149         Test WebAssembly.{compile,instantiate} where promise creation
2150         fails because of a stack overflow.
2151
2152         * wasm/js-api/promise-stack-overflow.js: Added.
2153         (const.runNearStackLimit.f.const.t):
2154         (async.testCompile):
2155         (async.testInstantiate):
2156
2157 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2158
2159         Unreviewed, mark regress-178385.js as memory exhausting
2160
2161         * stress/regress-178385.js:
2162
2163 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2164
2165         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2166
2167         Unreviewed test gardening.
2168
2169         * test262.yaml:
2170
2171 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2172
2173         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2174         https://bugs.webkit.org/show_bug.cgi?id=179763
2175         <rdar://problem/35550513>
2176
2177         Reviewed by Keith Miller.
2178
2179         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2180
2181         * stress/tdz-this-in-try-catch.js: Added.
2182         (__v_6388):
2183         (__v_6392):
2184
2185 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2186
2187         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2188         https://bugs.webkit.org/show_bug.cgi?id=179594
2189
2190         Reviewed by Saam Barati.
2191
2192         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2193         (shouldBe):
2194         (args):
2195         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2196         (shouldBe):
2197         (args):
2198
2199 2017-11-14  Saam Barati  <sbarati@apple.com>
2200
2201         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2202         https://bugs.webkit.org/show_bug.cgi?id=179639
2203         <rdar://problem/35513018>
2204
2205         Reviewed by JF Bastien.
2206
2207         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2208         (escape):
2209         (i.func):
2210
2211 2017-11-13  Mark Lam  <mark.lam@apple.com>
2212
2213         Add more overflow check book-keeping for MarkedArgumentBuffer.
2214         https://bugs.webkit.org/show_bug.cgi?id=179634
2215         <rdar://problem/35492517>
2216
2217         Reviewed by Saam Barati.
2218
2219         * stress/regress-179634.js: Added.
2220
2221 2017-11-13  Mark Lam  <mark.lam@apple.com>
2222
2223         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2224         https://bugs.webkit.org/show_bug.cgi?id=179619
2225         <rdar://problem/35492518>
2226
2227         Reviewed by Saam Barati.
2228
2229         * stress/regress-179619.js: Added.
2230
2231 2017-11-12  Mark Lam  <mark.lam@apple.com>
2232
2233         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2234         https://bugs.webkit.org/show_bug.cgi?id=179562
2235         <rdar://problem/35467022>
2236
2237         Reviewed by Saam Barati.
2238
2239         * regress-179562.js: Added.
2240
2241 2017-11-08  Saam Barati  <sbarati@apple.com>
2242
2243         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2244         https://bugs.webkit.org/show_bug.cgi?id=177792
2245
2246         Reviewed by Yusuke Suzuki.
2247
2248         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2249         (assert):
2250         (foo.Foo.prototype.ensureX):
2251         (foo.Foo):
2252         (foo):
2253         (access):
2254
2255 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2256
2257         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2258         https://bugs.webkit.org/show_bug.cgi?id=178592
2259
2260         Unreviewed test gardening.
2261
2262         * test262.yaml:
2263
2264 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2265
2266         Turn recursive tail calls into loops
2267         https://bugs.webkit.org/show_bug.cgi?id=176601
2268
2269         Reviewed by Saam Barati.
2270
2271         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2272
2273         Add some simple test that computes factorial in several ways, and other trivial computations.
2274         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2275         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2276         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2277         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2278
2279         * stress/inline-call-to-recursive-tail-call.js: Added.
2280         (factorial.aux):
2281         (factorial):
2282         (factorial2.aux2):
2283         (factorial2.id):
2284         (factorial2):
2285         (factorial3.aux3):
2286         (factorial3):
2287         (aux4):
2288         (factorial4):
2289         (foo):
2290         (auxBar):
2291         (bar):
2292         (test):
2293
2294 2017-11-07  Mark Lam  <mark.lam@apple.com>
2295
2296         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2297         https://bugs.webkit.org/show_bug.cgi?id=179355
2298         <rdar://problem/35263053>
2299
2300         Reviewed by Saam Barati.
2301
2302         * stress/regress-179355.js: Added.
2303
2304 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2305
2306         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2307         https://bugs.webkit.org/show_bug.cgi?id=144458
2308
2309         Reviewed by Saam Barati.
2310
2311         * microbenchmarks/dfg-internal-function-call.js: Added.
2312         (target):
2313         * microbenchmarks/dfg-internal-function-construct.js: Added.
2314         (target):
2315         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2316         (target):
2317         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2318         (target):
2319         * stress/dfg-internal-function-call.js: Added.
2320         (shouldBe):
2321         (target):
2322         * stress/dfg-internal-function-construct.js: Added.
2323         (shouldBe):
2324         (target):
2325         * stress/internal-function-call.js: Added.
2326         (shouldBe):
2327         * stress/internal-function-construct.js: Added.
2328         (shouldBe):
2329
2330 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2331
2332         [Win] Skip stress/regress-178385.js.
2333         https://bugs.webkit.org/show_bug.cgi?id=179298
2334
2335         Unreviewed test gardening.
2336
2337         * stress/regress-178385.js:
2338
2339 2017-11-03  Keith Miller  <keith_miller@apple.com>
2340
2341         Add test for ic with side effects
2342         https://bugs.webkit.org/show_bug.cgi?id=179268
2343
2344         Reviewed by Saam Barati.
2345
2346         * stress/put-inline-cache-side-effects.js: Added.
2347         (let.i.of.objs.keys):
2348         (f):
2349
2350 2017-11-03  Mark Lam  <mark.lam@apple.com>
2351
2352         CachedCall (and its clients) needs overflow checks.
2353         https://bugs.webkit.org/show_bug.cgi?id=179185
2354
2355         Reviewed by JF Bastien.
2356
2357         * stress/regress-179185.js: Added.
2358
2359 2017-11-02  Michael Saboff  <msaboff@apple.com>
2360
2361         DFG needs to handle code motion of code in for..in loop bodies
2362         https://bugs.webkit.org/show_bug.cgi?id=179212
2363
2364         Reviewed by Keith Miller.
2365
2366         New regression test.
2367
2368         * stress/for-in-side-effects.js: Added.
2369         (getPrototypeOf):
2370         (reset):
2371         (testWithoutFTL.f):
2372         (testWithoutFTL):
2373         (testWithFTL.f):
2374         (testWithFTL):
2375
2376 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2377
2378         AI does not correctly model the clobber case of ArithClz32
2379         https://bugs.webkit.org/show_bug.cgi?id=179188
2380
2381         Reviewed by Michael Saboff.
2382
2383         * stress/arith-clz32-effects.js: Added.
2384         (foo):
2385         (valueOf):
2386
2387 2017-11-01  Michael Saboff  <msaboff@apple.com>
2388
2389         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2390         https://bugs.webkit.org/show_bug.cgi?id=179140
2391
2392         Reviewed by Saam Barati.
2393
2394         New regression test.
2395
2396         * stress/regress-179140.js: Added.
2397         (testWithoutFTL):
2398         (testWithFTL):
2399
2400 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2401
2402         [JSC] Introduce @toObject
2403         https://bugs.webkit.org/show_bug.cgi?id=178726
2404
2405         Reviewed by Saam Barati.
2406
2407         * stress/array-copywithin.js:
2408         (shouldThrow):
2409         * stress/object-constructor-boolean-edge.js: Added.
2410         (shouldBe):
2411         (test):
2412         * stress/object-constructor-global.js: Added.
2413         (shouldBe):
2414         * stress/object-constructor-null-edge.js: Added.
2415         (shouldBe):
2416         (test):
2417         * stress/object-constructor-number-edge.js: Added.
2418         (shouldBe):
2419         (test):
2420         * stress/object-constructor-object-edge.js: Added.
2421         (shouldBe):
2422         (test):
2423         (i.arg):
2424         * stress/object-constructor-string-edge.js: Added.
2425         (shouldBe):
2426         (test):
2427         * stress/object-constructor-symbol-edge.js: Added.
2428         (shouldBe):
2429         (test):
2430         * stress/object-constructor-undefined-edge.js: Added.
2431         (shouldBe):
2432         (test):
2433         * stress/symbol-array-from.js: Added.
2434         (shouldBe):
2435         * stress/to-object-intrinsic-boolean-edge.js: Added.
2436         (shouldBe):
2437         (builtin.createBuiltin):
2438         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2439         (shouldThrow):
2440         * stress/to-object-intrinsic-number-edge.js: Added.
2441         (shouldBe):
2442         (builtin.createBuiltin):
2443         * stress/to-object-intrinsic-object-edge.js: Added.
2444         (shouldBe):
2445         (builtin.createBuiltin):
2446         (i.arg):
2447         * stress/to-object-intrinsic-string-edge.js: Added.
2448         (shouldBe):
2449         (builtin.createBuiltin):
2450         * stress/to-object-intrinsic-symbol-edge.js: Added.
2451         (shouldBe):
2452         (builtin.createBuiltin):
2453         * stress/to-object-intrinsic.js: Added.
2454         (shouldBe):
2455         (shouldThrow):
2456         (builtin.createBuiltin):
2457
2458 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2459
2460         [DFG][FTL] Introduce StringSlice
2461         https://bugs.webkit.org/show_bug.cgi?id=178934
2462
2463         Reviewed by Saam Barati.
2464
2465         * microbenchmarks/string-slice-empty.js: Added.
2466         (slice):
2467         * microbenchmarks/string-slice-one-char.js: Added.
2468         (slice):
2469         * microbenchmarks/string-slice.js: Added.
2470         (slice):
2471
2472 2017-10-26  Michael Saboff  <msaboff@apple.com>
2473
2474         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2475         https://bugs.webkit.org/show_bug.cgi?id=178890
2476
2477         Reviewed by Keith Miller.
2478
2479         New regression test.
2480
2481         * stress/regress-178890.js: Added.
2482
2483 2017-10-26  Mark Lam  <mark.lam@apple.com>
2484
2485         JSRopeString::RopeBuilder::append() should check for overflows.
2486         https://bugs.webkit.org/show_bug.cgi?id=178385
2487         <rdar://problem/35027468>
2488
2489         Reviewed by Saam Barati.
2490
2491         * stress/regress-178385.js: Added.
2492
2493 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2494
2495         Unreviewed, rolling out r223961.
2496
2497         The change that required this has been rolled out.
2498
2499         Reverted changeset:
2500
2501         "Mark test262.yaml/test262/test/language/statements/try/tco-
2502         catch.js as passing."
2503         https://bugs.webkit.org/show_bug.cgi?id=178592
2504         https://trac.webkit.org/changeset/223961
2505
2506 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2507
2508         Unreviewed, rolling out r223691 and r223729.
2509         https://bugs.webkit.org/show_bug.cgi?id=178834
2510
2511         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2512         by rniwa on #webkit).
2513
2514         Reverted changesets:
2515
2516         "Turn recursive tail calls into loops"
2517         https://bugs.webkit.org/show_bug.cgi?id=176601
2518         https://trac.webkit.org/changeset/223691
2519
2520         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2521         comparison is always false due to limited range of data type
2522         [-Wtype-limits]"
2523         https://bugs.webkit.org/show_bug.cgi?id=178543
2524         https://trac.webkit.org/changeset/223729
2525
2526 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2527
2528         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2529         https://bugs.webkit.org/show_bug.cgi?id=178592
2530
2531         Unreviewed test gardening.
2532
2533         * test262.yaml:
2534
2535 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [FTL] Support NewStringObject
2538         https://bugs.webkit.org/show_bug.cgi?id=178737
2539
2540         Reviewed by Saam Barati.
2541
2542         * stress/new-string-object.js: Added.
2543         (shouldBe):
2544         (test):
2545
2546 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2547
2548         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2549         https://bugs.webkit.org/show_bug.cgi?id=178308
2550
2551         Reviewed by Mark Lam.
2552
2553         * test262.yaml:
2554
2555 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2556
2557         [JSC] Use fastJoin in Array#toString
2558         https://bugs.webkit.org/show_bug.cgi?id=178062
2559
2560         Reviewed by Darin Adler.
2561
2562         * microbenchmarks/contiguous-array-to-string.js: Added.
2563         (target):
2564         * microbenchmarks/double-array-to-string.js: Added.
2565         (target):
2566         * microbenchmarks/int32-array-to-string.js: Added.
2567         (target):
2568
2569 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2570
2571         stress/check-string-ident.js is improperly skipped
2572         https://bugs.webkit.org/show_bug.cgi?id=178642
2573
2574         Reviewed by Saam Barati.
2575
2576         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2577         since it enforces the run-jsc-stress-tests script to still set up the
2578         test to run, despite the skip directive that's used before.
2579
2580 2017-10-20  Mark Lam  <mark.lam@apple.com>
2581
2582         Add a test case for r214334.
2583         https://bugs.webkit.org/show_bug.cgi?id=169941
2584         <rdar://problem/31221258>
2585
2586         Reviewed by JF Bastien.
2587
2588         * stress/regress-169941.js: Added.
2589
2590 2017-10-19  JF Bastien  <jfbastien@apple.com>
2591
2592         WebAssembly: no VM / JS version of everything but Instance
2593         https://bugs.webkit.org/show_bug.cgi?id=177473
2594
2595         Reviewed by Filip Pizlo, Saam Barati.
2596
2597         - Exceeding max on memory growth now returns a range error as per
2598         spec. This is a (very minor) breaking change: it used to throw OOM
2599         error. Update the corresponding test.
2600
2601         * wasm/js-api/memory-grow.js:
2602         (assertEq):
2603         * wasm/js-api/table.js:
2604         (assert.throws):
2605
2606 2017-10-19  Mark Lam  <mark.lam@apple.com>
2607
2608         Stringifier::appendStringifiedValue() is missing an exception check.
2609         https://bugs.webkit.org/show_bug.cgi?id=178386
2610         <rdar://problem/35027610>
2611
2612         Reviewed by Saam Barati.
2613
2614         * stress/regress-178386.js: Added.
2615
2616 2017-10-19  Michael Saboff  <msaboff@apple.com>
2617
2618         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2619         https://bugs.webkit.org/show_bug.cgi?id=178521
2620
2621         Reviewed by JF Bastien.
2622
2623         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2624         now passes with the current version (5.0) of the Emoji spec.
2625
2626 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2627
2628         Turn recursive tail calls into loops
2629         https://bugs.webkit.org/show_bug.cgi?id=176601
2630
2631         Reviewed by Saam Barati.
2632
2633         Add some simple test that computes factorial in several ways, and other trivial computations.
2634         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2635         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2636         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2637         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2638
2639         * stress/inline-call-to-recursive-tail-call.js: Added.
2640         (factorial.aux):
2641         (factorial):
2642         (factorial2.aux):
2643         (factorial2.id):
2644         (factorial2):
2645         (factorial3.aux):
2646         (factorial3):
2647         (aux):
2648         (factorial4):
2649         (test):
2650
2651 2017-10-18  Mark Lam  <mark.lam@apple.com>
2652
2653         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2654         https://bugs.webkit.org/show_bug.cgi?id=177600
2655         <rdar://problem/34710985>
2656
2657         Reviewed by Saam Barati.
2658
2659         * stress/regress-177600.js: Added.
2660
2661 2017-10-18  Mark Lam  <mark.lam@apple.com>
2662
2663         The compiler should always register a structure when it adds its transitionWatchPointSet.
2664         https://bugs.webkit.org/show_bug.cgi?id=178420
2665         <rdar://problem/34814024>
2666
2667         Reviewed by Saam Barati and Filip Pizlo.
2668
2669         * stress/regress-178420.js: Added.
2670         (new.Array.10000.map):
2671
2672 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2673
2674         [JSC] __proto__ getter should be fast
2675         https://bugs.webkit.org/show_bug.cgi?id=178067
2676
2677         Reviewed by Saam Barati.
2678
2679         * stress/dfg-object-proto-accessor.js: Added.
2680         (shouldBe):
2681         (shouldThrow):
2682         (target):
2683         * stress/dfg-object-proto-getter.js: Added.
2684         (shouldBe):
2685         (shouldThrow):
2686         (target):
2687         * stress/dfg-object-prototype-of.js: Added.
2688         (shouldBe):
2689         (shouldThrow):
2690         (target):
2691         * stress/dfg-reflect-get-prototype-of.js: Added.
2692         (shouldBe):
2693         (shouldThrow):
2694         (target):
2695         * stress/intrinsic-getter-with-poly-proto.js: Added.
2696         (shouldBe):
2697         (makePolyProtoObject.foo.C):
2698         (makePolyProtoObject.foo):
2699         (makePolyProtoObject):
2700         (target):
2701         * stress/object-get-prototype-of-filtered.js: Added.
2702         (shouldBe):
2703         (shouldThrow):
2704         (target):
2705         (i.Cocoa):
2706         * stress/object-get-prototype-of-mono-proto.js: Added.
2707         (shouldBe):
2708         (makePolyProtoObject.foo.C):
2709         (makePolyProtoObject.foo):
2710         (makePolyProtoObject):
2711         (target):
2712         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2713         (shouldBe):
2714         (makePolyProtoObject.foo.C):
2715         (makePolyProtoObject.foo):
2716         (makePolyProtoObject):
2717         (target):
2718         * stress/object-get-prototype-of-poly-proto.js: Added.
2719         (shouldBe):
2720         (makePolyProtoObject.foo.C):
2721         (makePolyProtoObject.foo):
2722         (makePolyProtoObject):
2723         (target):
2724         * stress/object-proto-getter-filtered.js: Added.
2725         (shouldBe):
2726         (shouldThrow):
2727         (target):
2728         (i.Cocoa):
2729         * stress/object-proto-getter-poly-mono-proto.js: Added.
2730         (shouldBe):
2731         (makePolyProtoObject.foo.C):
2732         (makePolyProtoObject.foo):
2733         (makePolyProtoObject):
2734         (target):
2735         * stress/object-proto-getter-poly-proto.js: Added.
2736         (shouldBe):
2737         (makePolyProtoObject.foo.C):
2738         (makePolyProtoObject.foo):
2739         (makePolyProtoObject):
2740         (target):
2741         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2742         * stress/string-proto.js: Added.
2743         (shouldBe):
2744         (target):
2745
2746 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2747
2748         Unreviewed, rolling out r223523.
2749
2750         A test for this change is failing on debug JSC bots.
2751
2752         Reverted changeset:
2753
2754         "[JSC] __proto__ getter should be fast"
2755         https://bugs.webkit.org/show_bug.cgi?id=178067
2756         https://trac.webkit.org/changeset/223523
2757
2758 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2759
2760         [JSC] __proto__ getter should be fast
2761         https://bugs.webkit.org/show_bug.cgi?id=178067
2762
2763         Reviewed by Saam Barati.
2764
2765         * stress/dfg-object-proto-accessor.js: Added.
2766         (shouldBe):
2767         (shouldThrow):
2768         (target):
2769         * stress/dfg-object-proto-getter.js: Added.
2770         (shouldBe):
2771         (shouldThrow):
2772         (target):
2773         * stress/dfg-object-prototype-of.js: Added.
2774         (shouldBe):
2775         (shouldThrow):
2776         (target):
2777         * stress/dfg-reflect-get-prototype-of.js: Added.
2778         (shouldBe):
2779         (shouldThrow):
2780         (target):
2781         * stress/object-get-prototype-of-filtered.js: Added.
2782         (shouldBe):
2783         (shouldThrow):
2784         (target):
2785         (i.Cocoa):
2786         * stress/object-get-prototype-of-mono-proto.js: Added.
2787         (shouldBe):
2788         (makePolyProtoObject.foo.C):
2789         (makePolyProtoObject.foo):
2790         (makePolyProtoObject):
2791         (target):
2792         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2793         (shouldBe):
2794         (makePolyProtoObject.foo.C):
2795         (makePolyProtoObject.foo):
2796         (makePolyProtoObject):
2797         (target):
2798         * stress/object-get-prototype-of-poly-proto.js: Added.
2799         (shouldBe):
2800         (makePolyProtoObject.foo.C):
2801         (makePolyProtoObject.foo):
2802         (makePolyProtoObject):
2803         (target):
2804         * stress/object-proto-getter-filtered.js: Added.
2805         (shouldBe):
2806         (shouldThrow):
2807         (target):
2808         (i.Cocoa):
2809         * stress/object-proto-getter-poly-mono-proto.js: Added.
2810         (shouldBe):
2811         (makePolyProtoObject.foo.C):
2812         (makePolyProtoObject.foo):
2813         (makePolyProtoObject):
2814         (target):
2815         * stress/object-proto-getter-poly-proto.js: Added.
2816         (shouldBe):
2817         (makePolyProtoObject.foo.C):
2818         (makePolyProtoObject.foo):
2819         (makePolyProtoObject):
2820         (target):
2821         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2822         * stress/string-proto.js: Added.
2823         (shouldBe):
2824         (target):
2825
2826 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2827
2828         Reland "Add Above/Below comparisons for UInt32 patterns"
2829         https://bugs.webkit.org/show_bug.cgi?id=177281
2830
2831         Reviewed by Saam Barati.
2832
2833         * stress/uint32-comparison-jump.js: Added.
2834         (shouldBe):
2835         (above):
2836         (aboveOrEqual):
2837         (below):
2838         (belowOrEqual):
2839         (notAbove):
2840         (notAboveOrEqual):
2841         (notBelow):
2842         (notBelowOrEqual):
2843         * stress/uint32-comparison.js: Added.
2844         (shouldBe):
2845         (above):
2846         (aboveOrEqual):
2847         (below):
2848         (belowOrEqual):
2849         (aboveTest):
2850         (aboveOrEqualTest):
2851         (belowTest):
2852         (belowOrEqualTest):
2853
2854 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2855
2856         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2857         https://bugs.webkit.org/show_bug.cgi?id=178210
2858
2859         Reviewed by Saam Barati.
2860
2861         * wasm/function-tests/trap-from-start-async.js:
2862         (async.StartTrapsAsync):
2863         * wasm/function-tests/trap-from-start.js:
2864         (StartTraps):
2865         * wasm/js-api/web-assembly-function.js:
2866         (assert.eq.Object.getPrototypeOf):
2867         * wasm/js-api/wrapper-function.js:
2868         (return.new.WebAssembly.Module):
2869         (assert.throws.makeInstance): Deleted.
2870         (assert.throws.Bar): Deleted.
2871         (assert.throws): Deleted.
2872
2873 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2874
2875         Enable gigacage on iOS
2876         https://bugs.webkit.org/show_bug.cgi?id=177586
2877
2878         Reviewed by JF Bastien.
2879         
2880         Add tests for when Gigacage gets runtime disabled.
2881
2882         * stress/disable-gigacage-arrays.js: Added.
2883         (foo):
2884         * stress/disable-gigacage-strings.js: Added.
2885         (foo):
2886         * stress/disable-gigacage-typed-arrays.js: Added.
2887         (foo):
2888
2889 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2890
2891         import.meta should not be assignable
2892         https://bugs.webkit.org/show_bug.cgi?id=178202
2893
2894         Reviewed by Saam Barati.
2895
2896         * modules/import-meta-assignment.js: Added.
2897         (shouldThrow):
2898         (SyntaxError.import.meta.can.shouldThrow):
2899
2900 2017-10-11  Saam Barati  <sbarati@apple.com>
2901
2902         Unreviewed. Actually skip certain type profiler tests in debug.
2903
2904         * typeProfiler.yaml:
2905         * typeProfiler/deltablue-for-of.js:
2906         * typeProfiler/getter-richards.js:
2907
2908 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2909
2910         Unreviewed, rolling out r223113 and r223121.
2911         https://bugs.webkit.org/show_bug.cgi?id=178182
2912
2913         Reintroduced 20% regression on Kraken (Requested by rniwa on
2914         #webkit).
2915
2916         Reverted changesets:
2917
2918         "Enable gigacage on iOS"
2919         https://bugs.webkit.org/show_bug.cgi?id=177586
2920         https://trac.webkit.org/changeset/223113
2921
2922         "Use one virtual allocation for all gigacages and their
2923         runways"
2924         https://bugs.webkit.org/show_bug.cgi?id=178050
2925         https://trac.webkit.org/changeset/223121
2926
2927 2017-10-11  Michael Saboff  <msaboff@apple.com>
2928
2929         Disable test262 named capture group tests with direct unicode names and with references before definitions
2930         https://bugs.webkit.org/show_bug.cgi?id=178177
2931
2932         Reviewed by Keith Miller.
2933
2934         Bugs to track fixing these test are:
2935         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2936             "Add support in named capture group identifiers for direct surrogate pairs"
2937         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2938             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2939
2940         * test262.yaml:
2941
2942 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2943
2944         Object properties are undefined in super.call() but not in this.call()
2945         https://bugs.webkit.org/show_bug.cgi?id=177230
2946
2947         Reviewed by Saam Barati.
2948
2949         * stress/super-call-function-subclass.js: Added.
2950         (assert):
2951         (A.prototype.t):
2952         (A):
2953         * stress/super-dot-call-and-apply.js: Added.
2954         (assert):
2955         (A):
2956         (A.prototype.call):
2957         (A.prototype.apply):
2958         (B.prototype.testSuper):
2959         (B):
2960         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2961         (D.prototype.testSuper):
2962         (D):
2963
2964 2017-10-10  Saam Barati  <sbarati@apple.com>
2965
2966         The prototype cache should be aware of the Executable it generates a Structure for
2967         https://bugs.webkit.org/show_bug.cgi?id=177907
2968
2969         Reviewed by Filip Pizlo.
2970
2971         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2972         (assert):
2973         (foo.C):
2974         (foo):
2975         (bar.C):
2976         (bar):
2977         (access):
2978         (makeLongChain):
2979         (accessY):
2980
2981 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2982
2983         `async` should be able to be used as an imported binding name
2984         https://bugs.webkit.org/show_bug.cgi?id=176573
2985
2986         Reviewed by Saam Barati.
2987
2988         * modules/import-default-async.js: Added.
2989         * modules/import-named-async-as.js: Added.
2990         * modules/import-named-async.js: Added.
2991         * modules/import-named-async/target.js: Added.
2992         * modules/import-namespace-async.js: Added.
2993         * test262.yaml:
2994
2995 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2996
2997         Enable gigacage on iOS
2998         https://bugs.webkit.org/show_bug.cgi?id=177586
2999
3000         Reviewed by JF Bastien.
3001         
3002         Add tests for when Gigacage gets runtime disabled.
3003
3004         * stress/disable-gigacage-arrays.js: Added.
3005         (foo):
3006         * stress/disable-gigacage-strings.js: Added.
3007         (foo):
3008         * stress/disable-gigacage-typed-arrays.js: Added.
3009         (foo):
3010
3011 2017-10-09  Michael Saboff  <msaboff@apple.com>
3012
3013         Implement RegExp Unicode property escapes
3014         https://bugs.webkit.org/show_bug.cgi?id=172069
3015
3016         Reviewed by JF Bastien.
3017
3018         Enabled Unicode Property tests.
3019
3020         * test262.yaml:
3021
3022 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3023
3024         Unreviewed, rolling out r223015 and r223025.
3025         https://bugs.webkit.org/show_bug.cgi?id=178093
3026
3027         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3028         #webkit).
3029
3030         Reverted changesets:
3031
3032         "Enable gigacage on iOS"
3033         https://bugs.webkit.org/show_bug.cgi?id=177586
3034         http://trac.webkit.org/changeset/223015
3035
3036         "Unreviewed, disable Gigacage on ARM64 Linux"
3037         https://bugs.webkit.org/show_bug.cgi?id=177586
3038         http://trac.webkit.org/changeset/223025
3039
3040 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3041
3042         Update expectations for test262 tests that pass after r223043.
3043         https://bugs.webkit.org/show_bug.cgi?id=176685
3044
3045         Unreviewed test gardening.
3046
3047         * test262.yaml:
3048
3049 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3050
3051         Unreviewed, rolling out r223022.
3052
3053         This change introduced 18 test262 failures.
3054
3055         Reverted changeset:
3056
3057         "`async` should be able to be used as an imported binding
3058         name"
3059         https://bugs.webkit.org/show_bug.cgi?id=176573
3060         http://trac.webkit.org/changeset/223022
3061
3062 2017-10-09  Saam Barati  <sbarati@apple.com>
3063
3064         3 poly-proto JSC tests timing out on debug after r222827
3065         https://bugs.webkit.org/show_bug.cgi?id=177880
3066         <rdar://problem/34817122>
3067
3068         Unreviewed.
3069
3070         I'm skipping these type profiler tests on debug since they are long running.
3071
3072         * typeProfiler/deltablue-for-of.js:
3073         * typeProfiler/getter-richards.js:
3074
3075 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3076
3077         Safari 10 /11 problem with if (!await get(something)).
3078         https://bugs.webkit.org/show_bug.cgi?id=176685
3079
3080         Reviewed by Saam Barati.
3081
3082         * stress/async-await-basic.js:
3083         (awaitEpression.async):
3084         * stress/async-await-syntax.js:
3085         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3086         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3087
3088 2017-10-08  Saam Barati  <sbarati@apple.com>
3089
3090         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3091
3092         * typeProfiler/deltablue-for-of.js:
3093         * typeProfiler/getter-richards.js:
3094
3095 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3096
3097         `async` should be able to be used as an imported binding name
3098         https://bugs.webkit.org/show_bug.cgi?id=176573
3099
3100         Reviewed by Darin Adler.
3101
3102         * modules/import-default-async.js: Added.
3103         * modules/import-named-async-as.js: Added.
3104         * modules/import-named-async.js: Added.
3105         * modules/import-named-async/target.js: Added.
3106         * modules/import-namespace-async.js: Added.
3107
3108 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3109
3110         Enable gigacage on iOS
3111         https://bugs.webkit.org/show_bug.cgi?id=177586
3112
3113         Reviewed by JF Bastien.
3114         
3115         Add tests for when Gigacage gets runtime disabled.
3116
3117         * stress/disable-gigacage-arrays.js: Added.
3118         (foo):
3119         * stress/disable-gigacage-strings.js: Added.
3120         (foo):
3121         * stress/disable-gigacage-typed-arrays.js: Added.
3122         (foo):
3123
3124 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3125
3126         Unreviewed, rolling out r222791 and r222873.
3127         https://bugs.webkit.org/show_bug.cgi?id=178031
3128
3129         Caused crashes with workers/wasm LayoutTests (Requested by
3130         ryanhaddad on #webkit).
3131
3132         Reverted changesets:
3133
3134         "WebAssembly: no VM / JS version of everything but Instance"
3135         https://bugs.webkit.org/show_bug.cgi?id=177473
3136         http://trac.webkit.org/changeset/222791
3137
3138         "WebAssembly: address no VM / JS follow-ups"
3139         https://bugs.webkit.org/show_bug.cgi?id=177887
3140         http://trac.webkit.org/changeset/222873
3141
3142 2017-10-05  Saam Barati  <sbarati@apple.com>
3143
3144         Make sure all prototypes under poly proto get added into the VM's prototype map
3145         https://bugs.webkit.org/show_bug.cgi?id=177909
3146
3147         Reviewed by Keith Miller.
3148
3149         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3150         (assert):
3151         (foo.C):
3152         (foo):
3153         (set x):
3154
3155 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3156
3157         [JSC] Introduce import.meta
3158         https://bugs.webkit.org/show_bug.cgi?id=177703
3159
3160         Reviewed by Filip Pizlo.
3161
3162         * modules/import-meta-syntax.js: Added.
3163         (shouldThrow):
3164         (shouldNotThrow):
3165         * modules/import-meta.js: Added.
3166         * modules/import-meta/cocoa.js: Added.
3167         * modules/resources/assert.js:
3168         (export.shouldNotThrow):
3169         * stress/import-syntax.js:
3170
3171 2017-10-04  Saam Barati  <sbarati@apple.com>
3172
3173         Make pertinent AccessCases watch the poly proto watchpoint
3174         https://bugs.webkit.org/show_bug.cgi?id=177765
3175
3176         Reviewed by Keith Miller.
3177
3178         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3179         (assert):
3180         (foo.C):
3181         (foo):
3182         (validate):
3183         * stress/poly-proto-clear-stub.js: Added.
3184         (assert):
3185         (foo.C):
3186         (foo):
3187
3188 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3189
3190         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3191
3192         Unreviewed test gardening.
3193
3194         * test262.yaml:
3195
3196 2017-10-04  Saam Barati  <sbarati@apple.com>
3197
3198         3 poly-proto JSC tests timing out on debug after r222827
3199         https://bugs.webkit.org/show_bug.cgi?id=177880
3200
3201         Rubber stamped by Mark Lam.
3202
3203         * microbenchmarks/poly-proto-access.js:
3204         * typeProfiler/deltablue-for-of.js:
3205         * typeProfiler/getter-richards.js:
3206
3207 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3208
3209         Unreviewed, marking tco-catch.js as a failure after test262 update
3210         https://bugs.webkit.org/show_bug.cgi?id=177859
3211
3212         * test262.yaml:
3213
3214 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3215
3216         Unreviewed, marking one async iterator test262 test failed
3217         https://bugs.webkit.org/show_bug.cgi?id=177859
3218
3219         * test262.yaml:
3220
3221 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3222
3223         [Test262] Update Test262 to Oct 4 version
3224         https://bugs.webkit.org/show_bug.cgi?id=177859
3225
3226         Reviewed by Sam Weinig.
3227
3228         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3229         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3230
3231         * test262.yaml:
3232         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3233         (checkSequence):
3234         * test262/harness/typeCoercion.js:
3235         (testCoercibleToIndexZero):
3236         (testCoercibleToIndexOne):
3237         (testCoercibleToIndexFromIndex):
3238         (testNotCoercibleToIndex.testPrimitiveValue):
3239         (testNotCoercibleToInteger):
3240         (testCoercibleToBigIntZero.testPrimitiveValue):
3241         (testCoercibleToBigIntZero):
3242         (testCoercibleToBigIntOne.testPrimitiveValue):
3243         (testCoercibleToBigIntOne):
3244         (testPrimitiveValue):
3245         (testCoercibleToBigIntFromBigInt):
3246         (testNotCoercibleToBigInt.testPrimitiveValue):
3247         (testNotCoercibleToBigInt.testStringValue):
3248         (testNotCoercibleToBigInt):
3249         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3250         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3251         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3252         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3253         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3254         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3255         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3256         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3257         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3258         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3259         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3260         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3261         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3262         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3263         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3264         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3265         (testCoercibleToBigIntZero):
3266         (testCoercibleToBigIntOne):
3267         (testNotCoercibleToBigInt):
3268         (MyError): Deleted.
3269         (valueOf): Deleted.
3270         (toString): Deleted.
3271         (Symbol.toPrimitive): Deleted.
3272         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3273         (testCoercibleToIndexZero):
3274         (testCoercibleToIndexOne):
3275         (testNotCoercibleToIndex):
3276         (MyError): Deleted.
3277         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3278         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3279         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3280         (BigInt.asIntN.valueOf): Deleted.
3281         (BigInt.asIntN.toString): Deleted.
3282         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3283         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3284         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3285         (testCoercibleToBigIntZero):
3286         (testCoercibleToBigIntOne):
3287         (testNotCoercibleToBigInt):
3288         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3289         (testCoercibleToIndexZero):
3290         (testCoercibleToIndexOne):
3291         (testNotCoercibleToIndex):
3292         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3293         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3294         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3295         (bits.valueOf):
3296         (bigint.valueOf):
3297         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3298         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3299         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3300         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3301         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3302         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3303         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3304         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3305         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3306         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3307         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3308         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3309         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3310         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3311         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3312         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3313         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3314         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3315         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3316         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3317         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3318         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3319         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3320         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3321         (replacer):
3322         (BigInt.prototype.toJSON):
3323         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3324         (replacer):
3325         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3326         (BigInt.prototype.toJSON):
3327         * test262/test/built-ins/JSON/stringify/bigint.js:
3328         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3329         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3330         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3331         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3332         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3333         * test262/test/built-ins/Object/proto-from-ctor.js:
3334         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3335         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3336         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3337         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3338         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3339         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3340         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3341         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3342         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3343         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3344         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3345         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3346         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3347         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3348         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3349         * test262/test/built-ins/Proxy/get-fn-realm.js:
3350         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3351         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3352         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3353         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3354         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3355         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3356         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3357         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3358         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3359         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3360         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3361         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3362         (i6.replace):
3363         (i6b.replace):
3364         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3365         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3366         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3367         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3368         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3369         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3370         * test262/test/built-ins/RegExp/u180e.js: Added.
3371         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3372         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3373         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3374         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3375         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3376         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3377         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3378         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3379         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3380         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3381         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3382         * test262/test/built-ins/String/prototype/endsWith/length.js:
3383         * test262/test/built-ins/String/prototype/endsWith/name.js:
3384         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3385         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3386         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3387         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3388         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3389         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3390         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3391         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3392         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3393         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3394         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3395         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3396         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3397         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3398         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3399         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3400         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3401         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3402         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3403         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3404         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3405         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3406         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3407         * test262/test/built-ins/String/prototype/includes/includes.js:
3408         * test262/test/built-ins/String/prototype/includes/length.js:
3409         * test262/test/built-ins/String/prototype/includes/name.js:
3410         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3411         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3412         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3413         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3414         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3415         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3416         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3417         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3418         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3419         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3420         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3421         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3422         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3423         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3424         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3425         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3426         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3427         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3428         * test262/test/built-ins/String/prototype/trim/u180e.js:
3429         * test262/test/built-ins/Symbol/for/cross-realm.js:
3430         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3431         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3432         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3433         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3434         * test262/test/built-ins/Symbol/match/cross-realm.js:
3435         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3436         * test262/test/built-ins/Symbol/search/cross-realm.js:
3437         * test262/test/built-ins/Symbol/species/cross-realm.js:
3438         * test262/test/built-ins/Symbol/split/cross-realm.js:
3439         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3440         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3441         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3442         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3443         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3444         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3445         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3446         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3447         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3448         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3449         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3450         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3451         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3452         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3453         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3454         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3455         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3456         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3457         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3458         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3459         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3460         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3461         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3462         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3463         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3464         * test262/test/language/eval-code/indirect/realm.js:
3465         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3466         (o.get z):
3467         (o.get a):
3468         * test262/test/language/expressions/call/eval-realm-indirect.js:
3469         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3470         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3471         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3472         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3473         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3474         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3475         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3476         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3477         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3478         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3479         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3480         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3481         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3482         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3483         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3484         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3485         * test262/test/language/expressions/less-than/bigint-and-number.js:
3486         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3487         * test262/test/language/expressions/super/realm.js:
3488         * test262/test/language/expressions/tagged-template/cache-realm.js:
3489         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3490         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3491         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3492         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3493         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3494         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3495         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3496         (o.get z):
3497         (o.get a):
3498         * test262/test/language/statements/for-of/iterator-next-reference.js:
3499         (next):
3500         (iterator.next): Deleted.
3501         (x.of.iterable.): Deleted.
3502         (x.of.iterable.get return): Deleted.
3503         (x.of.iterable.iterator.next): Deleted.
3504         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3505         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3506         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3507         * test262/test/language/white-space/mongolian-vowel-separator.js:
3508         * test262/test262-Revision.txt:
3509
3510 2017-10-03  Saam Barati  <sbarati@apple.com>
3511
3512         Implement polymorphic prototypes
3513         https://bugs.webkit.org/show_bug.cgi?id=176391
3514
3515         Reviewed by Filip Pizlo.
3516
3517         * microbenchmarks/poly-proto-access.js: Added.
3518         (assert):
3519         (foo.C):
3520         (foo.C.prototype.get bar):
3521         (foo):
3522         (bar):
3523         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3524         (assert):
3525         (makePolyProtoObject.foo.C):
3526         (makePolyProtoObject.foo):
3527         (makePolyProtoObject):
3528         (performSet):
3529         * microbenchmarks/poly-proto-setter-speed.js: Added.
3530         (assert):
3531         (makePolyProtoObject.foo.C):
3532         (makePolyProtoObject.foo.C.prototype.set p):
3533         (makePolyProtoObject.foo):
3534         (makePolyProtoObject):
3535         (performSet):
3536         * stress/constructor-with-return.js:
3537         (i.tests.forEach.Constructor):
3538         (i.tests.forEach):
3539         (tests.forEach.Constructor): Deleted.
3540         (tests.forEach): Deleted.
3541         * stress/dom-jit-with-poly-proto.js: Added.
3542         (assert):
3543         (makePolyProtoObject.foo.C):
3544         (makePolyProtoObject.foo):
3545         (makePolyProtoObject):
3546         (validate):
3547         * stress/poly-proto-custom-value-and-accessor.js: Added.
3548         (assert):
3549         (makePolyProtoObject.foo.C):
3550         (makePolyProtoObject.foo):
3551         (makePolyProtoObject):
3552         (items.forEach):
3553         (set get for):
3554         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3555         (assert):
3556         (makePolyProtoObject.foo.C):
3557         (makePolyProtoObject.foo):
3558         (makePolyProtoObject):
3559         (foo):
3560         * stress/poly-proto-miss.js: Added.
3561         (makePolyProtoInstanceWithNullPrototype.foo.C):
3562         (makePolyProtoInstanceWithNullPrototype.foo):
3563         (makePolyProtoInstanceWithNullPrototype):
3564         (assert):
3565         (validate):
3566         * stress/poly-proto-op-in-caching.js: Added.
3567         (assert):
3568         (makePolyProtoObject.foo.C):
3569         (makePolyProtoObject.foo):
3570         (makePolyProtoObject):
3571         (validate):
3572         (validate2):
3573         * stress/poly-proto-put-transition.js: Added.
3574         (assert):
3575         (makePolyProtoObject.foo.C):
3576         (makePolyProtoObject.foo):
3577         (makePolyProtoObject):
3578         (performSet):
3579         (i.obj.__proto__.set p):
3580         * stress/poly-proto-set-prototype.js: Added.
3581         (assert):
3582         (let.alternateProto.get x):
3583         (let.alternateProto2.get y):
3584         (let.alternateProto2.get x):
3585         (foo.C):
3586         (foo):
3587         (validate):
3588         * stress/poly-proto-setter.js: Added.
3589         (assert):
3590         (makePolyProtoObject.foo.C):
3591         (makePolyProtoObject.foo.C.prototype.set p):
3592         (makePolyProtoObject.foo.C.prototype.get p):
3593         (makePolyProtoObject.foo):
3594         (makePolyProtoObject):
3595         (performSet):
3596         * stress/poly-proto-using-inheritance.js: Added.
3597         (assert):
3598         (foo.C):
3599         (foo.C.prototype.get baz):
3600         (foo):
3601         (bar.C):
3602         (bar):
3603         (validate):
3604         * stress/primitive-poly-proto.js: Added.
3605         (makePolyProtoInstance.foo.C):
3606         (makePolyProtoInstance.foo):
3607         (makePolyProtoInstance):
3608         (assert):
3609         (validate):
3610         * stress/prototype-is-not-js-object.js: Added.
3611         (foo.bar):
3612         (foo):
3613         (assert):
3614         (validate):
3615         * stress/try-get-by-id-poly-proto.js: Added.
3616         (assert):
3617         (makePolyProtoObject.foo.C):
3618         (makePolyProtoObject.foo):
3619         (makePolyProtoObject):
3620         (tryGetByIdText):
3621         (x.__proto__.get bar):
3622         (validate):
3623         * typeProfiler/overflow.js:
3624
3625 2017-10-03  JF Bastien  <jfbastien@apple.com>
3626
3627         WebAssembly: no VM / JS version of everything but Instance
3628         https://bugs.webkit.org/show_bug.cgi?id=177473
3629
3630         Reviewed by Filip Pizlo.
3631
3632         - Exceeding max on memory growth now returns a range error as per
3633         spec. This is a (very minor) breaking change: it used to throw OOM
3634         error. Update the corresponding test.
3635
3636         * wasm/js-api/memory-grow.js:
3637         (assertEq):
3638         * wasm/js-api/table.js:
3639         (assert.throws):
3640
3641 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3642
3643         Skip JSC test stress/regress-159779-2.js on debug.
3644         https://bugs.webkit.org/show_bug.cgi?id=177204
3645
3646         Unreviewed test gardening.
3647
3648         * stress/regress-159779-2.js:
3649
3650 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3651
3652         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3653         https://bugs.webkit.org/show_bug.cgi?id=175642
3654
3655         Reviewed by Darin Adler.
3656
3657         * ChakraCore/test/Function/apply3.baseline-jsc:
3658
3659 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3660
3661         Unreviewed, rolling out r222564.
3662         https://bugs.webkit.org/show_bug.cgi?id=177720
3663
3664         "It regressed JetStream by 2% on iOS caused by a 50%
3665         regression on the bigfib subtest" (Requested by saamyjoon on
3666         #webkit).
3667
3668         Reverted changeset:
3669
3670         "Add Above/Below comparisons for UInt32 patterns"
3671         https://bugs.webkit.org/show_bug.cgi?id=177281
3672         http://trac.webkit.org/changeset/222564
3673
3674 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3675
3676         [DFG] Support ArrayPush with multiple args
3677         https://bugs.webkit.org/show_bug.cgi?id=175823
3678
3679         Reviewed by Saam Barati.
3680
3681         * microbenchmarks/array-push-0.js: Added.
3682         (arrayPush0):
3683         * microbenchmarks/array-push-1.js: Added.
3684         (arrayPush1):
3685         * microbenchmarks/array-push-2.js: Added.
3686         (arrayPush2):
3687         * microbenchmarks/array-push-3.js: Added.
3688         (arrayPush3):
3689         * stress/array-push-multiple-contiguous.js: Added.
3690         (shouldBe):
3691         (test):
3692         * stress/array-push-multiple-double-nan.js: Added.
3693         (shouldBe):
3694         (test):
3695         * stress/array-push-multiple-double.js: Added.
3696         (shouldBe):
3697         (test):
3698         * stress/array-push-multiple-int32.js: Added.
3699         (shouldBe):
3700         (test):
3701         * stress/array-push-multiple-many-contiguous.js: Added.
3702         (shouldBe):
3703         (test):
3704         * stress/array-push-multiple-many-double.js: Added.
3705         (shouldBe):
3706         (test):
3707         * stress/array-push-multiple-many-int32.js: Added.
3708         (shouldBe):
3709         (test):
3710         * stress/array-push-multiple-many-storage.js: Added.
3711         (shouldBe):
3712         (test):
3713         * stress/array-push-multiple-storage.js: Added.
3714         (shouldBe):
3715         (test):
3716         * stress/array-push-with-force-exit.js: Added.
3717         (target.createBuiltin):
3718
3719 2017-09-29  Saam Barati  <sbarati@apple.com>
3720
3721         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3722         https://bugs.webkit.org/show_bug.cgi?id=177639
3723
3724         Reviewed by Geoffrey Garen.
3725
3726         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3727         (assert):
3728         (Class):
3729         (items.forEach):
3730         (set get for):
3731
3732 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3733
3734         Unreviewed, rolling out r222563, r222565, and r222581.
3735         https://bugs.webkit.org/show_bug.cgi?id=177675
3736
3737         "It causes a crash when playing youtube videos" (Requested by
3738         saamyjoon on #webkit).
3739
3740         Reverted changesets:
3741
3742         "[DFG] Support ArrayPush with multiple args"
3743         https://bugs.webkit.org/show_bug.cgi?id=175823
3744         http://trac.webkit.org/changeset/222563
3745
3746         "Unreviewed, build fix after r222563"
3747         https://bugs.webkit.org/show_bug.cgi?id=175823
3748         http://trac.webkit.org/changeset/222565
3749
3750         "Unreviewed, fix x86 breaking due to exhausted registers"
3751         https://bugs.webkit.org/show_bug.cgi?id=175823
3752         http://trac.webkit.org/changeset/222581
3753
3754 2017-09-28  Mark Lam  <mark.lam@apple.com>
3755
3756         test262: Unexpected passes after r222617 and r222618.
3757         https://bugs.webkit.org/show_bug.cgi?id=177622
3758         <rdar://problem/34725960>
3759
3760         Reviewed by Saam Barati.
3761
3762         Update test262.yaml for tests that are now passing.
3763
3764         * test262.yaml:
3765
3766 2017-09-27  Michael Saboff  <msaboff@apple.com>
3767
3768         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3769         https://bugs.webkit.org/show_bug.cgi?id=177570
3770
3771         Reviewed by Filip Pizlo.
3772
3773         New regression test.
3774
3775         * stress/regress-177570.js: Added.
3776
3777 2017-09-28  Michael Saboff  <msaboff@apple.com>
3778
3779         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3780         https://bugs.webkit.org/show_bug.cgi?id=177423
3781
3782         Reviewed by Mark Lam.
3783
3784         Updated regression test.
3785
3786         * stress/regress-177423.js:
3787         (catch):
3788
3789 2017-09-27  Mark Lam  <mark.lam@apple.com>
3790
3791         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3792         https://bugs.webkit.org/show_bug.cgi?id=177584
3793         <rdar://problem/34463903>
3794
3795         Reviewed by Saam Barati.
3796
3797         * stress/regress-177584.js: Added.
3798         (assertEqual):
3799         (Array.prototype.Symbol.species):
3800
3801 2017-09-27  Saam Barati  <sbarati@apple.com>
3802
3803         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3804         https://bugs.webkit.org/show_bug.cgi?id=177523
3805
3806         Reviewed by Mark Lam.