1 2018-03-26 Filip Pizlo <fpizlo@apple.com>
3 DFG should know that CreateThis can be effectful
4 https://bugs.webkit.org/show_bug.cgi?id=184013
6 Reviewed by Saam Barati.
8 * stress/create-this-property-change.js: Added.
12 * stress/create-this-structure-change-without-cse.js: Added.
16 * stress/create-this-structure-change.js: Added.
21 2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
23 [DFG] Introduces fused compare and jump
24 https://bugs.webkit.org/show_bug.cgi?id=177100
28 * stress/fused-jeq-slow.js: Added.
35 * stress/fused-jeq.js: Added.
42 * stress/fused-jstricteq-slow.js: Added.
49 * stress/fused-jstricteq.js: Added.
57 2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
59 [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
60 https://bugs.webkit.org/show_bug.cgi?id=183559
64 * stress/double-to-string-in-loop-removed.js: Added.
66 * stress/int32-to-string-in-loop-removed.js: Added.
68 * stress/int52-to-string-in-loop-removed.js: Added.
71 2018-03-22 Michael Saboff <msaboff@apple.com>
73 Race Condition in arrayProtoFuncReverse() causes wrong results or crash
74 https://bugs.webkit.org/show_bug.cgi?id=183901
76 Reviewed by Keith Miller.
80 * stress/array-reverse-doesnt-clobber.js: Added.
82 (createArrayOfArrays):
85 2018-03-21 Filip Pizlo <fpizlo@apple.com>
87 ScopedArguments should do poisoning and index masking
88 https://bugs.webkit.org/show_bug.cgi?id=183863
92 Adds another stress test of scoped arguments.
94 * stress/scoped-arguments-test.js: Added.
97 2018-03-20 Saam Barati <sbarati@apple.com>
99 We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
100 https://bugs.webkit.org/show_bug.cgi?id=183795
101 <rdar://problem/38298694>
103 Reviewed by JF Bastien.
105 * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
109 2018-03-16 Yusuke Suzuki <utatane.tea@gmail.com>
111 [DFG][FTL] Add vectorLengthHint for NewArray
112 https://bugs.webkit.org/show_bug.cgi?id=183694
114 Reviewed by Saam Barati.
116 * stress/vector-length-hint-array-constructor.js: Added.
119 * stress/vector-length-hint-new-array.js: Added.
123 2018-03-13 Yusuke Suzuki <utatane.tea@gmail.com>
125 [DFG][FTL] Make ArraySlice(0) code tight
126 https://bugs.webkit.org/show_bug.cgi?id=183590
128 Reviewed by Saam Barati.
130 * stress/array-slice-with-zero.js: Added.
134 * stress/array-slice-zero-args.js: Added.
138 2018-03-14 Caitlin Potter <caitp@igalia.com>
140 [JSC] fix order of evaluation for ClassDefinitionEvaluation
141 https://bugs.webkit.org/show_bug.cgi?id=183523
143 Reviewed by Keith Miller.
145 Computed property names need to be evaluated in source order during class
146 definition evaluation, as it's observable (and specified to work this way).
148 This change improves compatibility with Chromium.
150 * stress/class_elements.js: Added.
152 (test.C.prototype.effect):
154 (test.C.prototype.get effect):
155 (test.C.prototype.set effect):
158 2018-03-11 Yusuke Suzuki <utatane.tea@gmail.com>
160 [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
161 https://bugs.webkit.org/show_bug.cgi?id=183310
163 Reviewed by Filip Pizlo.
165 * stress/ai-create-this-to-new-object-fire.js: Added.
173 * stress/ai-create-this-to-new-object.js: Added.
182 2018-03-10 Yusuke Suzuki <utatane.tea@gmail.com>
184 [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
185 https://bugs.webkit.org/show_bug.cgi?id=181848
187 Reviewed by Sam Weinig.
189 * microbenchmarks/regexp-u-global-es5.js: Added.
191 * microbenchmarks/regexp-u-global-es6.js: Added.
193 * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
197 * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
201 2018-03-07 Dominik Infuehr <dinfuehr@igalia.com>
203 Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
204 https://bugs.webkit.org/show_bug.cgi?id=183334
206 Reviewed by Žan Doberšek.
208 * stress/var-injection-cache-invalidation.js:
210 2018-03-06 Dominik Infuehr <dinfuehr@igalia.com>
212 [ARM] Disable tests that run out of memory
213 https://bugs.webkit.org/show_bug.cgi?id=182699
215 Reviewed by Žan Doberšek.
217 Skip tests that run of of memory. Do not run
218 modules/module-jit-reachability.js without LLInt to prevent
219 running out of executable memory.
222 * modules/module-jit-reachability.js:
223 * stress/has-own-property-name-cache-string-keys.js:
224 * stress/has-own-property-name-cache-symbol-keys.js:
226 2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
228 ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
229 https://bugs.webkit.org/show_bug.cgi?id=183173
231 Reviewed by Saam Barati.
233 * stress/async-arrow-function-in-class-heritage.js: Added.
238 2018-03-01 Saam Barati <sbarati@apple.com>
240 We need to clear cached structures when having a bad time
241 https://bugs.webkit.org/show_bug.cgi?id=183256
242 <rdar://problem/36245022>
244 Reviewed by Mark Lam.
246 * stress/having-a-bad-time-with-derived-arrays.js: Added.
252 2018-02-28 Yusuke Suzuki <utatane.tea@gmail.com>
254 JSC crash with `import("")`
255 https://bugs.webkit.org/show_bug.cgi?id=183175
257 Reviewed by Saam Barati.
259 * stress/import-with-empty-string.js: Added.
261 2018-02-27 Yusuke Suzuki <utatane.tea@gmail.com>
263 Unreviewed, skip FTL tests if FTL is disabled
264 https://bugs.webkit.org/show_bug.cgi?id=183071
266 * stress/has-indexed-property-array-storage-ftl.js:
267 * stress/has-indexed-property-slow-put-array-storage-ftl.js:
269 2018-02-25 Yusuke Suzuki <utatane.tea@gmail.com>
271 [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
272 https://bugs.webkit.org/show_bug.cgi?id=182965
274 Reviewed by Saam Barati.
276 * stress/put-by-val-array-storage.js: Added.
278 (testArrayStorageInBounds):
279 * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
281 (testInt32.createBuiltin):
283 * stress/put-by-val-slow-put-array-storage.js: Added.
285 (testArrayStorageInBounds):
287 2018-02-26 Saam Barati <sbarati@apple.com>
289 validateStackAccess should not validate if the offset is within the stack bounds
290 https://bugs.webkit.org/show_bug.cgi?id=183067
291 <rdar://problem/37749988>
293 Reviewed by Mark Lam.
295 * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
301 2018-02-26 Yusuke Suzuki <utatane.tea@gmail.com>
303 Unreviewed, skip FTL tests if FTL is disabled
304 https://bugs.webkit.org/show_bug.cgi?id=183071
306 * stress/has-indexed-property-array-storage-ftl.js:
307 * stress/has-indexed-property-slow-put-array-storage-ftl.js:
309 2018-02-23 Saam Barati <sbarati@apple.com>
311 Make Number.isInteger an intrinsic
312 https://bugs.webkit.org/show_bug.cgi?id=183088
314 Reviewed by JF Bastien.
316 * stress/number-is-integer-intrinsic.js: Added.
318 2018-02-23 Oleksandr Skachkov <gskachkov@gmail.com>
320 WebAssembly: cache memory address / size on instance
321 https://bugs.webkit.org/show_bug.cgi?id=177305
323 Reviewed by JF Bastien.
325 * wasm/function-tests/memory-reuse.js: Added.
326 (createWasmInstance):
330 (checkWasmInstancesWithSharedMemory):
332 2018-02-23 Yusuke Suzuki <utatane.tea@gmail.com>
334 [JSC] Implement $vm.ftlTrue function for FTL testing
335 https://bugs.webkit.org/show_bug.cgi?id=183071
337 Reviewed by Mark Lam.
339 * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
341 * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
343 * stress/dead-fiat-value-to-int52.js:
345 * stress/dead-osr-entry-value.js:
347 * stress/fiat-value-to-int52-then-exit-not-double.js:
349 * stress/fiat-value-to-int52-then-exit-not-int52.js:
351 * stress/fiat-value-to-int52-then-fail-to-fold.js:
353 * stress/fiat-value-to-int52-then-fold.js:
355 * stress/fiat-value-to-int52.js:
357 * stress/fold-based-on-int32-proof-mul-branch.js:
359 * stress/fold-profiled-call-to-call.js:
361 * stress/fold-to-double-constant-then-exit.js:
363 * stress/fold-to-int52-constant-then-exit.js:
365 * stress/fold-to-primitive-in-cfa.js:
367 * stress/fold-to-primitive-to-identity-in-cfa.js:
369 * stress/has-indexed-property-array-storage-ftl.js: Added.
373 * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
377 * stress/int52-ai-add-then-filter-int32.js:
379 * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
381 * stress/int52-ai-mul-then-filter-int32.js:
383 * stress/int52-ai-neg-then-filter-int32.js:
385 * stress/int52-ai-sub-then-filter-int32.js:
387 * stress/licm-pre-header-cannot-exit-nested.js:
389 * stress/licm-pre-header-cannot-exit.js:
391 * stress/sparse-array-entry-update-144067.js:
392 (useMemoryToTriggerGCs):
393 * stress/test-spec-misc.js:
395 * stress/tricky-array-bounds-checks.js:
398 2018-02-22 Yusuke Suzuki <utatane.tea@gmail.com>
400 [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
401 https://bugs.webkit.org/show_bug.cgi?id=182792
403 Reviewed by Mark Lam.
405 * stress/has-indexed-property-array-storage.js: Added.
409 * stress/has-indexed-property-slow-put-array-storage.js: Added.
414 2018-02-20 Saam Barati <sbarati@apple.com>
416 DFG::VarargsForwardingPhase should eliminate getting argument length
417 https://bugs.webkit.org/show_bug.cgi?id=182959
419 Reviewed by Keith Miller.
421 * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
423 2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
425 [FTL] Support ArrayPush for ArrayStorage
426 https://bugs.webkit.org/show_bug.cgi?id=182782
428 Reviewed by Saam Barati.
430 Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
432 * stress/array-push-array-storage-beyond-int32.js: Added.
435 * stress/array-push-array-storage.js: Added.
438 * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
441 * stress/array-push-multiple-storage-continuous.js: Added.
445 2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
447 [FTL] Support ArrayPop for ArrayStorage
448 https://bugs.webkit.org/show_bug.cgi?id=182783
450 Reviewed by Saam Barati.
452 * stress/array-pop-array-storage.js: Added.
456 2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
458 [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
459 https://bugs.webkit.org/show_bug.cgi?id=182731
461 Reviewed by Saam Barati.
463 * stress/arrayify-array-storage-array.js: Added.
466 * stress/arrayify-array-storage-non-array.js: Added.
469 * stress/arrayify-array-storage.js: Added.
472 * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
475 * stress/arrayify-slow-put-array-storage.js: Added.
479 2018-02-19 Saam Barati <sbarati@apple.com>
481 Don't use JSFunction's allocation profile when getting the prototype can be effectful
482 https://bugs.webkit.org/show_bug.cgi?id=182942
483 <rdar://problem/37584764>
485 Reviewed by Mark Lam.
487 * stress/get-prototype-create-this-effectful.js: Added.
489 2018-02-16 Saam Barati <sbarati@apple.com>
491 Fix bugs from r228411
492 https://bugs.webkit.org/show_bug.cgi?id=182851
493 <rdar://problem/37577732>
495 Reviewed by JF Bastien.
497 * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
499 2018-02-15 Filip Pizlo <fpizlo@apple.com>
501 Unreviewed, roll out r228366 since it did not progress anything.
503 * stress/gc-error-stack.js: Removed.
504 * stress/no-gc-error-stack.js: Removed.
506 2018-02-15 Tomas Popela <tpopela@redhat.com>
508 Many stress tests fail with JIT disabled
509 https://bugs.webkit.org/show_bug.cgi?id=182730
511 Reviewed by Saam Barati.
513 These tests are broken by design if the JIT is disabled - they test
514 the return value of numberOfDFGCompiles(), which is always set to
515 1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
517 * stress/arith-abs-on-various-types.js:
518 * stress/arith-abs-to-arith-negate-range-optimizaton.js:
519 * stress/arith-acos-on-various-types.js:
520 * stress/arith-acosh-on-various-types.js:
521 * stress/arith-asin-on-various-types.js:
522 * stress/arith-asinh-on-various-types.js:
523 * stress/arith-atan-on-various-types.js:
524 * stress/arith-atanh-on-various-types.js:
525 * stress/arith-cbrt-on-various-types.js:
526 * stress/arith-ceil-on-various-types.js:
527 * stress/arith-clz32-on-various-types.js:
528 * stress/arith-cos-on-various-types.js:
529 * stress/arith-cosh-on-various-types.js:
530 * stress/arith-expm1-on-various-types.js:
531 * stress/arith-floor-on-various-types.js:
532 * stress/arith-fround-on-various-types.js:
533 * stress/arith-log-on-various-types.js:
534 * stress/arith-log10-on-various-types.js:
535 * stress/arith-log2-on-various-types.js:
536 * stress/arith-negate-on-various-types.js:
537 * stress/arith-round-on-various-types.js:
538 * stress/arith-sin-on-various-types.js:
539 * stress/arith-sinh-on-various-types.js:
540 * stress/arith-sqrt-on-various-types.js:
541 * stress/arith-tan-on-various-types.js:
542 * stress/arith-tanh-on-various-types.js:
543 * stress/arith-trunc-on-various-types.js:
544 * stress/compare-strict-eq-on-various-types.js:
546 2018-02-14 Ryan Haddad <ryanhaddad@apple.com>
548 Skip stress/new-largeish-contiguous-array-with-size.js on arm.
550 Unreviewed test gardening.
552 * stress/new-largeish-contiguous-array-with-size.js:
554 2018-02-14 Saam Barati <sbarati@apple.com>
556 Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
557 https://bugs.webkit.org/show_bug.cgi?id=182801
559 Reviewed by Keith Miller.
561 * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
563 2018-02-14 Ryan Haddad <ryanhaddad@apple.com>
565 Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
566 https://bugs.webkit.org/show_bug.cgi?id=182526
568 Unreviewed test gardening.
570 * stress/activation-sink-default-value-tdz-error.js:
572 2018-02-13 Saam Barati <sbarati@apple.com>
574 putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
575 https://bugs.webkit.org/show_bug.cgi?id=182755
576 <rdar://problem/37080864>
578 Reviewed by Keith Miller.
580 * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
586 2018-02-13 Caitlin Potter <caitp@igalia.com>
588 [JSC] cache TaggedTemplate arrays by callsite rather than by contents
589 https://bugs.webkit.org/show_bug.cgi?id=182717
591 Reviewed by Yusuke Suzuki.
593 https://github.com/tc39/ecma262/pull/890 imposes a change to template
594 literals, to allow template callsite arrays to be collected when the
595 code containing the tagged template call is collected. This spec change
596 has received concensus and been ratified.
598 This change eliminates the eternal map associating template contents
601 * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
602 * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
603 * stress/tagged-templates-identity.js:
604 * stress/template-string-tags-eval.js:
607 2018-02-13 Yusuke Suzuki <utatane.tea@gmail.com>
609 Support GetArrayLength on ArrayStorage in the FTL
610 https://bugs.webkit.org/show_bug.cgi?id=182625
612 Reviewed by Saam Barati.
614 * stress/array-storage-length.js: Added.
618 (testSlowPutInBound):
619 (testSlowPutUncountable):
620 * stress/undecided-length.js: Added.
624 2018-02-12 Saam Barati <sbarati@apple.com>
626 DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
627 https://bugs.webkit.org/show_bug.cgi?id=182706
628 <rdar://problem/36833681>
630 Reviewed by Filip Pizlo.
632 * stress/get-array-length-phantom-new-array-buffer.js: Added.
636 2018-02-09 Filip Pizlo <fpizlo@apple.com>
638 Don't waste memory for error.stack
639 https://bugs.webkit.org/show_bug.cgi?id=182656
641 Reviewed by Saam Barati.
645 * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
646 * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
648 2018-02-08 Yusuke Suzuki <utatane.tea@gmail.com>
650 [JSC] Update Test262 to Feb 9 version
651 https://bugs.webkit.org/show_bug.cgi?id=182468
653 Reviewed by Saam Barati.
655 2018-02-08 Yusuke Suzuki <utatane.tea@gmail.com>
657 Unreviewed, fix invalid line terminator in old test262 file part 2
658 https://bugs.webkit.org/show_bug.cgi?id=182468
660 * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
662 2018-02-08 Yusuke Suzuki <utatane.tea@gmail.com>
664 Unreviewed, fix invalid line terminator in old test262 file
665 https://bugs.webkit.org/show_bug.cgi?id=182468
667 * test262/test/language/literals/regexp/7.8.5-1.js:
669 2018-02-06 Yusuke Suzuki <utatane.tea@gmail.com>
671 [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
672 https://bugs.webkit.org/show_bug.cgi?id=182440
674 Reviewed by Darin Adler.
676 * stress/array-flatmap.js: Added.
681 * stress/array-flatten.js: Added.
685 * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
687 Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
689 2018-02-06 Keith Miller <keith_miller@apple.com>
691 put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
692 https://bugs.webkit.org/show_bug.cgi?id=182549
693 <rdar://problem/36189995>
695 Reviewed by Saam Barati.
697 * stress/var-injection-cache-invalidation.js: Added.
698 (allocateLotsOfThings):
701 2018-02-03 Yusuke Suzuki <utatane.tea@gmail.com>
703 Unreviewed, follow up for test262 update
704 https://bugs.webkit.org/show_bug.cgi?id=182288
708 2018-02-02 Ryan Haddad <ryanhaddad@apple.com>
710 Update test262 to Jan 30 version
711 https://bugs.webkit.org/show_bug.cgi?id=182288
713 Unreviewed test gardening.
715 * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
717 2018-02-02 Saam Barati <sbarati@apple.com>
719 When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
720 https://bugs.webkit.org/show_bug.cgi?id=182368
721 <rdar://problem/36932466>
723 Reviewed by Mark Lam.
725 * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
726 (runNearStackLimit.t):
728 (try.runNearStackLimit):
731 2018-02-02 Yusuke Suzuki <utatane.tea@gmail.com>
733 Update test262 to Jan 30 version
734 https://bugs.webkit.org/show_bug.cgi?id=182288
736 Rubber stamped by Saam Barati.
738 This patch updates test262 to the latest one, Jan 30 version.
739 Since added and changed files are too many, we cannot create ChangeLog.
740 The following files are changed.
742 Several files are intentionally omitted due to merge failures. We should investigate how to merge files
743 including some special line terminators (like u2028, u2029).
746 * test262/test262-Revision.txt:
749 2018-02-02 Guillaume Emont <guijemont@igalia.com>
751 JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
752 https://bugs.webkit.org/show_bug.cgi?id=182411
754 Reviewed by Carlos Alberto Lopez Perez.
756 This is skipped only on arm memory limited platforms. Until recently
757 it was not a problem on MIPS as the butterfly was not initialized. But
758 since r227435, the butterfly is initialized in that test and therefore
759 memory is allocated, and the test typically takes around 512M, which
760 means it generally gets OOM-killed on the MIPS buildbot.
762 * mozilla/mozilla-tests.yaml:
764 2018-02-01 Mark Lam <mark.lam@apple.com>
766 Fix broken bounds check in FTL's compileGetMyArgumentByVal().
767 https://bugs.webkit.org/show_bug.cgi?id=182419
768 <rdar://problem/37044945>
770 Reviewed by Saam Barati.
772 * stress/regress-182419.js: Added.
774 2018-02-01 Keith Miller <keith_miller@apple.com>
776 Fix crashes due to mishandling custom sections.
777 https://bugs.webkit.org/show_bug.cgi?id=182404
778 <rdar://problem/36935863>
780 Reviewed by Saam Barati.
783 (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
784 * wasm/js-api/validate.js:
787 2018-01-31 Saam Barati <sbarati@apple.com>
789 JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
790 https://bugs.webkit.org/show_bug.cgi?id=182074
791 <rdar://problem/36846261>
793 Reviewed by Mark Lam.
795 * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
801 2018-01-30 Yusuke Suzuki <utatane.tea@gmail.com>
803 Unreviewed, update test262 expects
804 https://bugs.webkit.org/show_bug.cgi?id=182232
808 2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
810 [JSC] Implement trimStart and trimEnd
811 https://bugs.webkit.org/show_bug.cgi?id=182233
813 Reviewed by Mark Lam.
815 * stress/trim.js: Added.
821 2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
823 [JSC] Relax line terminators in String to make JSON subset of JS
824 https://bugs.webkit.org/show_bug.cgi?id=182232
826 Reviewed by Keith Miller.
828 * ChakraCore/test/es5/Lex_u3.baseline-jsc:
829 * stress/relaxed-line-terminators-in-string.js: Added.
832 2018-01-29 Michael Saboff <msaboff@apple.com>
834 REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
835 https://bugs.webkit.org/show_bug.cgi?id=182249
837 Reviewed by Keith Miller.
841 * stress/compare-clobber-untypeduse.js: Added.
843 2018-01-29 Matt Lewis <jlewis3@apple.com>
845 Unreviewed, rolling out r227725.
847 This caused internal failures.
851 "JSC Sampling Profiler: Detect tester and testee when sampling
853 https://bugs.webkit.org/show_bug.cgi?id=152729
854 https://trac.webkit.org/changeset/227725
856 2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
858 JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
859 https://bugs.webkit.org/show_bug.cgi?id=152729
861 Reviewed by Saam Barati.
863 * stress/sampling-profiler-regexp.js: Added.
864 (platformSupportsSamplingProfiler.test):
865 (platformSupportsSamplingProfiler.baz):
866 (platformSupportsSamplingProfiler):
868 2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
870 [DFG][FTL] WeakMap#set should have DFG node
871 https://bugs.webkit.org/show_bug.cgi?id=180015
873 Reviewed by Saam Barati.
875 * stress/weakmap-set-change-get.js: Added.
878 * stress/weakmap-set-cse.js: Added.
881 * stress/weakset-add-change-get.js: Added.
883 * stress/weakset-add-cse.js: Added.
886 2018-01-27 Yusuke Suzuki <utatane.tea@gmail.com>
888 DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
889 https://bugs.webkit.org/show_bug.cgi?id=182213
891 Reviewed by Mark Lam.
893 * stress/int32-min-to-string.js: Added.
900 * stress/zero-to-string.js: Added.
908 2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
910 Add more module scope related tests with code evaluation by string
911 https://bugs.webkit.org/show_bug.cgi?id=181983
913 Reviewed by Sam Weinig.
915 Add more module scope related tests. When the original tests are landed,
916 we do not have browser integration. This patch adds more module scope tests
917 with dynamically created script evaluation. We add tests with Function
918 constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
920 * modules/scopes-eval.js: Added.
925 2018-01-23 Filip Pizlo <fpizlo@apple.com>
927 Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
929 * microbenchmarks/array-push-3.js: Removed.
930 * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
931 * microbenchmarks/double-to-int32.js: Removed.
932 * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
933 * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
934 * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
935 * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
936 * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
937 * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
938 * microbenchmarks/ftl-polymorphic-sub.js: Removed.
939 * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
940 * microbenchmarks/map-constant-key.js: Removed.
941 * microbenchmarks/nested-function-parsing.js: Removed.
942 * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
943 * microbenchmarks/spread-large-array.js: Removed.
944 * microbenchmarks/string-add-constant-folding.js: Removed.
945 * microbenchmarks/to-lower-case.js: Removed.
946 * microbenchmarks/undefined-property-access.js: Removed.
947 * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
948 * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
949 * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
950 * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
951 * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
952 * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
953 * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
954 * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
955 * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
956 * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
957 * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
958 * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
959 * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
960 * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
961 * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
962 * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
963 * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
964 * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
966 2018-01-23 Robin Morisset <rmorisset@apple.com>
968 Update the argument count in DFGByteCodeParser::handleRecursiveCall
969 https://bugs.webkit.org/show_bug.cgi?id=181739
970 <rdar://problem/36627662>
972 Reviewed by Saam Barati.
974 * stress/recursive-tail-call-with-different-argument-count.js: Added.
978 2018-01-22 Michael Saboff <msaboff@apple.com>
980 DFG abstract interpreter needs to properly model effects of some Math ops
981 https://bugs.webkit.org/show_bug.cgi?id=181886
983 Reviewed by Saam Barati.
987 * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
990 2018-01-20 Caio Lima <ticaiolima@gmail.com>
992 [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
993 https://bugs.webkit.org/show_bug.cgi?id=181182
995 Reviewed by Darin Adler.
997 * stress/big-int-prototype-to-string-cast-overflow.js: Added.
998 * stress/big-int-prototype-to-string-exception.js: Added.
999 * stress/big-int-prototype-to-string-wrong-values.js: Added.
1000 * stress/number-prototype-to-string-cast-overflow.js: Added.
1001 * stress/number-prototype-to-string-exception.js: Added.
1002 * stress/number-prototype-to-string-wrong-values.js: Added.
1004 2018-01-19 Ryan Haddad <ryanhaddad@apple.com>
1006 Disable Atomics when SharedArrayBuffer isn’t enabled
1007 https://bugs.webkit.org/show_bug.cgi?id=181572
1009 Unreviewed test gardening.
1011 * test262.yaml: Skip tests that fail after this change.
1013 2018-01-19 Saam Barati <sbarati@apple.com>
1015 Kill ArithNegate's ArithProfile assert inside BytecodeParser
1016 https://bugs.webkit.org/show_bug.cgi?id=181877
1017 <rdar://problem/36630552>
1019 Reviewed by Mark Lam.
1021 * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1022 (runNearStackLimit):
1027 (i.try.runNearStackLimit):
1030 2018-01-19 Saam Barati <sbarati@apple.com>
1032 Spread's effects are modeled incorrectly both in AI and in Clobberize
1033 https://bugs.webkit.org/show_bug.cgi?id=181867
1034 <rdar://problem/36290415>
1036 Reviewed by Michael Saboff.
1038 * stress/ai-needs-to-model-spreads-effects.js: Added.
1039 (try.p.Symbol.iterator):
1042 * stress/clobberize-needs-to-model-spread-effects.js: Added.
1045 (a.Symbol.iterator):
1047 2018-01-19 Yusuke Suzuki <utatane.tea@gmail.com>
1049 Unreviewed, reduce count of iteration to fix timing out debug JSC test
1050 https://bugs.webkit.org/show_bug.cgi?id=181535
1052 * stress/inserted-recovery-with-set-last-index.js:
1054 2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
1056 [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1057 https://bugs.webkit.org/show_bug.cgi?id=181535
1059 Reviewed by Saam Barati.
1061 * stress/inserted-recovery-with-set-last-index.js: Added.
1064 * stress/materialize-regexp-at-osr-exit.js: Added.
1067 * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1070 * stress/materialize-regexp-cyclic-regexp.js: Added.
1074 * stress/materialize-regexp-cyclic.js: Added.
1078 * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1082 * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1086 * stress/materialize-regexp.js: Added.
1089 * stress/phantom-regexp-regexp-exec.js: Added.
1092 * stress/phantom-regexp-string-match.js: Added.
1095 * stress/regexp-last-index-sinking.js: Added.
1099 2018-01-17 Saam Barati <sbarati@apple.com>
1101 Disable Atomics when SharedArrayBuffer isn’t enabled
1102 https://bugs.webkit.org/show_bug.cgi?id=181572
1103 <rdar://problem/36553206>
1105 Reviewed by Michael Saboff.
1107 * stress/isLockFree.js:
1109 2018-01-17 Saam Barati <sbarati@apple.com>
1111 DFG::Node::convertToConstant needs to clear the varargs flags
1112 https://bugs.webkit.org/show_bug.cgi?id=181697
1113 <rdar://problem/36497332>
1115 Reviewed by Yusuke Suzuki.
1117 * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1122 2018-01-16 Ryan Haddad <ryanhaddad@apple.com>
1124 Unreviewed, rolling out r226937.
1126 Tests added with this change are failing due to a missing
1131 "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1133 https://bugs.webkit.org/show_bug.cgi?id=181182
1134 https://trac.webkit.org/changeset/226937
1136 2018-01-13 Caio Lima <ticaiolima@gmail.com>
1138 [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1139 https://bugs.webkit.org/show_bug.cgi?id=181182
1141 Reviewed by Darin Adler.
1144 * stress/big-int-constructor.js:
1145 * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1147 (assertThrowRangeError):
1148 * stress/number-prototype-to-string-cast-overflow.js: Added.
1150 (assertThrowRangeError):
1152 2018-01-12 Saam Barati <sbarati@apple.com>
1154 CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1155 https://bugs.webkit.org/show_bug.cgi?id=181177
1156 <rdar://problem/36205704>
1158 Reviewed by Yusuke Suzuki.
1160 * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1161 (runNearStackLimit.t):
1162 (runNearStackLimit):
1166 2018-01-12 Saam Barati <sbarati@apple.com>
1168 Each variant of a polymorphic inlined call should be exitOK at the top of the block
1169 https://bugs.webkit.org/show_bug.cgi?id=181562
1170 <rdar://problem/36445624>
1172 Reviewed by Yusuke Suzuki.
1174 * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1178 2018-01-11 Saam Barati <sbarati@apple.com>
1180 When inserting Unreachable in byte code parser we need to flush all the right things
1181 https://bugs.webkit.org/show_bug.cgi?id=181509
1182 <rdar://problem/36423110>
1184 Reviewed by Mark Lam.
1186 * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1188 2018-01-11 Saam Barati <sbarati@apple.com>
1190 JITMathIC code in the FTL is wrong when code gets duplicated
1191 https://bugs.webkit.org/show_bug.cgi?id=181525
1192 <rdar://problem/36351993>
1194 Reviewed by Michael Saboff and Keith Miller.
1196 * stress/allow-math-ic-b3-code-duplication.js: Added.
1198 2018-01-11 Saam Barati <sbarati@apple.com>
1200 Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1201 https://bugs.webkit.org/show_bug.cgi?id=181508
1203 Reviewed by Yusuke Suzuki.
1205 * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1212 2018-01-09 Mark Lam <mark.lam@apple.com>
1214 ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1215 https://bugs.webkit.org/show_bug.cgi?id=181388
1216 <rdar://problem/36349351>
1218 Reviewed by Saam Barati.
1220 * stress/regress-181388.js: Added.
1222 2018-01-08 JF Bastien <jfbastien@apple.com>
1224 WebAssembly: mask indexed accesses to Table
1225 https://bugs.webkit.org/show_bug.cgi?id=181412
1226 <rdar://problem/36363236>
1228 Reviewed by Saam Barati.
1230 Update error messages.
1232 * wasm/js-api/table.js:
1233 (assert.throws.WebAssembly.Table.prototype.grow):
1235 2018-01-08 Ryan Haddad <ryanhaddad@apple.com>
1237 Disable SharedArrayBuffer tests missed in r226386.
1238 https://bugs.webkit.org/show_bug.cgi?id=181266
1240 Unreviewed test gardening.
1244 2018-01-06 Yusuke Suzuki <utatane.tea@gmail.com>
1246 Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1247 https://bugs.webkit.org/show_bug.cgi?id=181321
1249 Reviewed by Saam Barati.
1251 * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1256 2018-01-05 Ryan Haddad <ryanhaddad@apple.com>
1258 Unreviewed, attempt to fix test262 after r226386.
1262 2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
1264 [DFG] Define defs for MapSet/SetAdd to participate in CSE
1265 https://bugs.webkit.org/show_bug.cgi?id=179911
1267 Reviewed by Saam Barati.
1269 In addition to these tests, map-set-cse.js and set-add-cse.js work.
1271 * stress/map-set-change-get.js: Added.
1274 * stress/map-set-create-bucket.js: Added.
1277 * stress/set-add-create-bucket.js: Added.
1280 2018-01-03 Michael Saboff <msaboff@apple.com>
1282 Disable SharedArrayBuffers from Web API
1283 https://bugs.webkit.org/show_bug.cgi?id=181266
1285 Reviewed by Saam Barati.
1287 Disabled SharedArrayBuffer tests.
1289 * stress/SharedArrayBuffer-opt.js:
1290 * stress/SharedArrayBuffer.js:
1291 * stress/array-buffer-byte-length.js:
1292 * stress/atomics-add-uint32.js:
1293 * stress/atomics-known-int-use.js:
1294 * stress/atomics-neg-zero.js:
1295 * stress/atomics-store-return.js:
1296 * stress/lars-sab-workers.js:
1297 * stress/regress-159779-1.js:
1298 * stress/regress-159779-2.js:
1299 * stress/regress-170473.js:
1302 2018-01-03 Caio Lima <ticaiolima@gmail.com>
1304 [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1305 https://bugs.webkit.org/show_bug.cgi?id=181258
1307 Reviewed by Antonio Gomes.
1309 * stress/big-int-constructor-gc.js:
1310 * stress/big-int-constructor-oom.js:
1312 2018-01-03 Robin Morisset <rmorisset@apple.com>
1314 Inlining of a function that ends in op_unreachable crashes
1315 https://bugs.webkit.org/show_bug.cgi?id=181027
1317 Reviewed by Filip Pizlo.
1319 * stress/inlining-unreachable.js: Added.
1324 2018-01-02 Saam Barati <sbarati@apple.com>
1326 Incorrect assertion inside AccessCase
1327 https://bugs.webkit.org/show_bug.cgi?id=181200
1328 <rdar://problem/35494754>
1330 Reviewed by Yusuke Suzuki.
1332 * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1337 2018-01-02 Caio Lima <ticaiolima@gmail.com>
1339 [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1340 https://bugs.webkit.org/show_bug.cgi?id=175359
1342 Reviewed by Yusuke Suzuki.
1345 * stress/big-int-as-key.js: Added.
1346 * stress/big-int-constructor-gc.js: Added.
1347 * stress/big-int-constructor-oom.js: Added.
1348 * stress/big-int-constructor-properties.js: Added.
1349 * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1350 * stress/big-int-constructor-prototype.js: Added.
1351 * stress/big-int-constructor.js: Added.
1352 * stress/big-int-function-apply.js:
1353 * stress/big-int-length.js: Added.
1354 * stress/big-int-prop-descriptor.js: Added.
1355 * stress/big-int-proto-constructor.js: Added.
1356 * stress/big-int-proto-name.js: Added.
1357 * stress/big-int-prototype-properties.js: Added.
1358 * stress/big-int-prototype-proto.js: Added.
1359 * stress/big-int-prototype-value-of.js: Added.
1360 * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1361 * stress/big-int-prototype-to-string-apply.js: Added.
1362 * stress/big-int-to-object.js: Added.
1363 * stress/big-int-to-string.js: Added.
1365 2017-12-28 Saam Barati <sbarati@apple.com>
1367 Assertion used to determine if something is an async generator is wrong
1368 https://bugs.webkit.org/show_bug.cgi?id=181168
1369 <rdar://problem/35640560>
1371 Reviewed by Yusuke Suzuki.
1373 * stress/async-generator-assertion.js: Added.
1375 2017-12-21 Guillaume Emont <guijemont@igalia.com>
1377 Skip stress/splay-flash-access tests on memory limited platforms
1378 https://bugs.webkit.org/show_bug.cgi?id=181086
1380 Reviewed by Carlos Alberto Lopez Perez.
1382 These tests use about 185M of memory, and occasionally get OOM-killed
1383 on memory limited platforms.
1385 * stress/splay-flash-access-1ms.js:
1386 * stress/splay-flash-access.js:
1388 2017-12-21 Guillaume Emont <guijemont@igalia.com>
1390 Skip slow jsc tests on embedded platforms
1391 https://bugs.webkit.org/show_bug.cgi?id=180937
1393 Reviewed by Carlos Alberto Lopez Perez.
1395 The tests typeProfiler/deltablue-for-of.js and
1396 typeProfiler/getter-richards.js take a very long time in the
1397 ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1398 thus always timeout. They should be skipped on these platforms.
1400 * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1401 * typeProfiler/getter-richards.js: Skip on arm*/mips.
1403 2017-12-19 Yusuke Suzuki <utatane.tea@gmail.com>
1405 [JSC] Do not check isValid() in op_new_regexp
1406 https://bugs.webkit.org/show_bug.cgi?id=180970
1408 Reviewed by Saam Barati.
1410 * stress/regexp-syntax-error-invalid-flags.js: Added.
1413 2017-12-18 Guillaume Emont <guijemont@igalia.com>
1415 Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1416 https://bugs.webkit.org/show_bug.cgi?id=180712
1418 Reviewed by Michael Catanzaro.
1420 stress/call-apply-exponential-bytecode-size.js crashes if the
1421 ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1422 MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1423 should skip the test on other platforms.
1425 * stress/call-apply-exponential-bytecode-size.js:
1427 2017-12-17 Yusuke Suzuki <utatane.tea@gmail.com>
1429 [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1430 https://bugs.webkit.org/show_bug.cgi?id=179762
1432 Reviewed by Saam Barati.
1434 * stress/call-varargs-double-new-array-buffer.js: Added.
1438 * stress/call-varargs-spread-new-array-buffer.js: Added.
1442 * stress/call-varargs-spread-new-array-buffer2.js: Added.
1446 * stress/forward-varargs-double-new-array-buffer.js: Added.
1452 * stress/new-array-buffer-sinking-osrexit.js: Added.
1455 * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1458 * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1462 * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1475 * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1481 * stress/phantom-new-array-buffer-osr-exit.js: Added.
1488 2017-12-14 Saam Barati <sbarati@apple.com>
1490 The CleanUp after LICM is erroneously removing a Check
1491 https://bugs.webkit.org/show_bug.cgi?id=180852
1492 <rdar://problem/36063494>
1494 Reviewed by Filip Pizlo.
1496 * stress/dont-run-cleanup-after-licm.js: Added.
1498 2017-12-14 Michael Saboff <msaboff@apple.com>
1500 REGRESSION (r225695): Repro crash on yahoo login page
1501 https://bugs.webkit.org/show_bug.cgi?id=180761
1503 Reviewed by JF Bastien.
1505 New regression test.
1507 * stress/regress-180761.js: Added.
1509 2017-12-13 Keith Miller <keith_miller@apple.com>
1511 JSObjects should have a mask for loading indexed properties
1512 https://bugs.webkit.org/show_bug.cgi?id=180768
1514 Reviewed by Mark Lam.
1516 * stress/int16-put-by-val-in-and-out-of-bounds.js:
1519 2017-12-13 Saam Barati <sbarati@apple.com>
1521 Arrow functions need their own structure because they have different properties than sloppy functions
1522 https://bugs.webkit.org/show_bug.cgi?id=180779
1523 <rdar://problem/35814591>
1525 Reviewed by Mark Lam.
1527 * stress/arrow-function-needs-its-own-structure.js: Added.
1533 2017-12-13 Saam Barati <sbarati@apple.com>
1535 Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1536 https://bugs.webkit.org/show_bug.cgi?id=163579
1537 <rdar://problem/35455798>
1539 Reviewed by Mark Lam.
1541 * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1546 (i.test1.async.foo):
1550 2017-12-13 Saam Barati <sbarati@apple.com>
1552 TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1553 https://bugs.webkit.org/show_bug.cgi?id=180734
1554 <rdar://problem/35640547>
1556 Reviewed by Yusuke Suzuki.
1558 * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1559 (__isPropertyOfType):
1562 (__getRandomObject):
1568 2017-12-12 Saam Barati <sbarati@apple.com>
1570 We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1571 https://bugs.webkit.org/show_bug.cgi?id=180725
1572 <rdar://problem/35970511>
1574 Reviewed by Michael Saboff.
1576 * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1581 2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>
1583 [JSC] Implement optimized WeakMap and WeakSet
1584 https://bugs.webkit.org/show_bug.cgi?id=179929
1586 Reviewed by Saam Barati.
1588 * microbenchmarks/weak-map-key.js:
1589 * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1592 (let.start.Date.now):
1593 * stress/basic-weakmap.js: Added.
1596 * stress/basic-weakset.js: Added.
1599 * stress/weakmap-cse-set-break.js: Added.
1602 * stress/weakmap-cse.js: Added.
1605 * stress/weakmap-gc.js: Added.
1607 * stress/weakset-cse-add-break.js: Added.
1610 * stress/weakset-cse.js: Added.
1613 * stress/weakset-gc.js: Added.
1618 2017-12-12 Saam Barati <sbarati@apple.com>
1620 ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1621 https://bugs.webkit.org/show_bug.cgi?id=180723
1622 <rdar://problem/35859726>
1624 Reviewed by JF Bastien.
1626 * stress/get-my-argument-by-val-constant-folding.js: Added.
1630 2017-12-12 Caio Lima <ticaiolima@gmail.com>
1632 [ESNext][BigInt] Implement BigInt literals and JSBigInt
1633 https://bugs.webkit.org/show_bug.cgi?id=179000
1635 Reviewed by Darin Adler and Yusuke Suzuki.
1637 * bigIntTests.yaml: Added.
1638 * stress/big-int-literal-line-terminator.js: Added.
1639 * stress/big-int-literals.js: Added.
1640 * stress/big-int-operations-error.js: Added.
1641 * stress/big-int-type-of.js: Added.
1642 * stress/big-int-white-space-trailing-leading.js: Added.
1643 * stress/big-int-function-apply.js: Added.
1645 2017-12-11 Saam Barati <sbarati@apple.com>
1647 We need to disableCaching() in ErrorInstance when we materialize properties
1648 https://bugs.webkit.org/show_bug.cgi?id=180343
1649 <rdar://problem/35833002>
1651 Reviewed by Mark Lam.
1653 * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1657 (storeToStackAlreadyMaterialized):
1659 2017-12-05 JF Bastien <jfbastien@apple.com>
1661 WebAssembly: don't eagerly checksum
1662 https://bugs.webkit.org/show_bug.cgi?id=180441
1663 <rdar://problem/35156628>
1665 Reviewed by Saam Barati.
1667 Checksum is now disabled, so tests only have <?> as the module
1670 * wasm/function-tests/nameSection.js:
1671 * wasm/function-tests/stack-overflow.js:
1672 (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1673 (assertOverflows.assertThrows):
1675 * wasm/function-tests/stack-trace.js:
1677 2017-12-04 JF Bastien <jfbastien@apple.com>
1679 Proxy all functions, except the $ objects
1680 https://bugs.webkit.org/show_bug.cgi?id=180375
1682 Reviewed by Saam Barati.
1684 It looks like this test may have broken some executions because I
1685 call some internal objects. Explicitly ignore objects whose name
1686 starts with "$" because it's a bad idea anyways.
1688 * stress/proxy-all-the-parameters.js:
1692 2017-12-04 Saam Barati <sbarati@apple.com>
1694 We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1695 https://bugs.webkit.org/show_bug.cgi?id=180366
1696 <rdar://problem/35685877>
1698 Reviewed by Michael Saboff.
1700 * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1702 (test1.base.getParentStaticValue):
1704 (test1.__v_24888.prototype.set prop):
1706 (test2.base.getParentStaticValue):
1708 (test2.__v_24888.prototype.set prop):
1712 2017-12-01 JF Bastien <jfbastien@apple.com>
1714 Try proxying all function arguments
1715 https://bugs.webkit.org/show_bug.cgi?id=180306
1717 Reviewed by Saam Barati.
1719 * stress/proxy-all-the-parameters.js: Added.
1726 (let.o.of.getObjects.let.f.of.getFunctions.catch):
1728 2017-12-01 JF Bastien <jfbastien@apple.com>
1730 JavaScriptCore: missing exception checks in Math functions that take more than one argument
1731 https://bugs.webkit.org/show_bug.cgi?id=180297
1732 <rdar://problem/35745556>
1734 Reviewed by Mark Lam.
1736 * stress/math-exceptions.js: Added.
1740 2017-12-01 JF Bastien <jfbastien@apple.com>
1742 JavaScriptCore: add test for weird class static getters
1743 https://bugs.webkit.org/show_bug.cgi?id=180281
1744 <rdar://problem/35592139>
1746 Reviewed by Mark Lam.
1748 I fixed a bug for it in r224927 and didn't add a test. Do so.
1750 * stress/class-static-get-weird.js: Added.
1751 (c.prototype.get name):
1753 (c.prototype.get arguments):
1754 (c.prototype.get caller):
1755 (c.prototype.get length):
1757 2017-12-01 Saam Barati <sbarati@apple.com>
1759 Having a bad time needs to handle ArrayClass indexing type as well
1760 https://bugs.webkit.org/show_bug.cgi?id=180274
1761 <rdar://problem/35667869>
1763 Reviewed by Keith Miller and Mark Lam.
1765 * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1767 * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1770 2017-12-01 JF Bastien <jfbastien@apple.com>
1772 WebAssembly: restore cached stack limit after out-call
1773 https://bugs.webkit.org/show_bug.cgi?id=179106
1774 <rdar://problem/35337525>
1776 Reviewed by Saam Barati.
1778 * wasm/function-tests/double-instance.js: Added.
1780 (const.imp.get callAnother):
1782 2017-11-30 JF Bastien <jfbastien@apple.com>
1784 WebAssembly: improve stack trace
1785 https://bugs.webkit.org/show_bug.cgi?id=179343
1787 Reviewed by Saam Barati.
1789 Update the tests to follow the new format. Notably, SHA1 module
1790 hash is now included in traces, and stubs are properly identified.
1792 * wasm/assert.js: Add an assertion which matches regular expressions.
1793 * wasm/function-tests/nameSection.js:
1794 * wasm/function-tests/stack-overflow.js:
1795 (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1796 (assertOverflows.assertThrows.wasm.1):
1797 (assertOverflows.assertThrows.wasm.0):
1798 (assertOverflows.assertThrows):
1800 * wasm/function-tests/stack-trace.js:
1801 (import.Builder.from.string_appeared_here.assert): Deleted.
1802 * wasm/function-tests/trap-after-cross-instance-call.js:
1803 (wasmFrameCountFromError):
1804 * wasm/function-tests/trap-load-2.js:
1805 (wasmFrameCountFromError):
1806 * wasm/function-tests/trap-load.js:
1807 (wasmFrameCountFromError):
1809 2017-11-30 Mark Lam <mark.lam@apple.com>
1811 jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1812 https://bugs.webkit.org/show_bug.cgi?id=180219
1813 <rdar://problem/35696536>
1815 Reviewed by Filip Pizlo.
1817 * stress/regress-180219.js: Added.
1819 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
1821 [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1822 https://bugs.webkit.org/show_bug.cgi?id=180190
1824 Reviewed by Mark Lam.
1826 * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1829 * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1832 * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1835 * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1838 * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1841 * stress/operation-in-may-have-negative-int32.js: Added.
1844 * stress/operation-in-negative-int32-cast.js: Added.
1848 2017-11-28 JF Bastien <jfbastien@apple.com>
1850 Strict and sloppy functions shouldn't share structure
1851 https://bugs.webkit.org/show_bug.cgi?id=180103
1852 <rdar://problem/35667847>
1854 Reviewed by Saam Barati.
1856 * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1857 because the IC was wrong.
1862 * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1863 in this patch, but may as well test odd strict mode corner cases.
1867 * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1872 * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1873 next file, but with invalidation of the FunctionExecutable's
1874 singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1881 * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1882 strict nesting works correctly.
1886 * stress/strict-function-structure.js: Added. The test used to
1887 assert in objectProtoFuncHasOwnProperty.
1891 * stress/strict-nested-function-structure.js: Added. Nesting.
1897 2017-11-29 Robin Morisset <rmorisset@apple.com>
1899 The recursive tail call optimisation is wrong on closures
1900 https://bugs.webkit.org/show_bug.cgi?id=179835
1902 Reviewed by Saam Barati.
1904 * stress/closure-recursive-tail-call.js: Added.
1907 2017-11-27 JF Bastien <jfbastien@apple.com>
1909 JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1910 https://bugs.webkit.org/show_bug.cgi?id=180051
1911 <rdar://problem/35614371>
1913 Reviewed by Saam Barati.
1915 * stress/rest-parameter-negative.js: Added.
1921 2017-11-27 Saam Barati <sbarati@apple.com>
1923 Spread can escape when CreateRest does not
1924 https://bugs.webkit.org/show_bug.cgi?id=180057
1925 <rdar://problem/35676119>
1927 Reviewed by JF Bastien.
1929 * stress/spread-escapes-but-create-rest-does-not.js: Added.
1935 2017-11-21 Yusuke Suzuki <utatane.tea@gmail.com>
1937 [DFG] Add NormalizeMapKey DFG IR
1938 https://bugs.webkit.org/show_bug.cgi?id=179912
1940 Reviewed by Saam Barati.
1942 * stress/map-untyped-normalize-cse.js: Added.
1945 * stress/map-untyped-normalize.js: Added.
1948 * stress/set-untyped-normalize-cse.js: Added.
1950 (set return.set has.set has):
1951 * stress/set-untyped-normalize.js: Added.
1953 (set return.set has):
1955 2017-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
1957 [FTL] Support DeleteById and DeleteByVal
1958 https://bugs.webkit.org/show_bug.cgi?id=180022
1960 Reviewed by Saam Barati.
1962 * stress/delete-by-id.js: Added.
1966 * stress/delete-by-val-ftl.js: Added.
1971 2017-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
1973 [DFG] Introduce {Set,Map,WeakMap}Fields
1974 https://bugs.webkit.org/show_bug.cgi?id=179925
1976 Reviewed by Saam Barati.
1978 * stress/map-set-clobber-map-get.js: Added.
1981 * stress/map-set-does-not-clobber-set-has.js: Added.
1983 * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1986 * stress/set-add-clobber-set-has.js: Added.
1988 * stress/set-add-does-not-clobber-map-get.js: Added.
1991 2017-11-24 Mark Lam <mark.lam@apple.com>
1993 Move unsafe jsc shell test functions to the $vm object.
1994 https://bugs.webkit.org/show_bug.cgi?id=179980
1996 Reviewed by Yusuke Suzuki.
1998 * controlFlowProfiler/driver/driver.js:
1999 * controlFlowProfiler/execution-count.js:
2000 * controlFlowProfiler/if-statement.js:
2001 * controlFlowProfiler/loop-statements.js:
2002 * controlFlowProfiler/switch-statements.js:
2003 * controlFlowProfiler/test-jit.js:
2004 * exceptionFuzz/3d-cube.js:
2005 * exceptionFuzz/date-format-xparb.js:
2006 * exceptionFuzz/earley-boyer.js:
2007 * heapProfiler/basic-edges.js:
2008 * heapProfiler/property-edge-types.js:
2009 * microbenchmarks/try-get-by-id-basic.js:
2010 * microbenchmarks/try-get-by-id-polymorphic.js:
2011 * modules/namespace-object-try-get.js:
2012 * stress/argument-count-bytecode.js:
2013 * stress/argument-intrinsic-basic.js:
2014 * stress/argument-intrinsic-inlining-use-caller-arg.js:
2015 * stress/argument-intrinsic-inlining-with-result-escape.js:
2016 * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2017 * stress/argument-intrinsic-inlining-with-vararg.js:
2018 * stress/argument-intrinsic-nested-inlining.js:
2019 * stress/argument-intrinsic-not-convert-to-get-argument.js:
2020 * stress/argument-intrinsic-with-stack-write.js:
2021 * stress/arity-mismatch-get-argument.js:
2022 * stress/array-message-passing.js:
2023 * stress/array-push-with-force-exit.js:
2024 * stress/check-dom-with-signature.js:
2025 * stress/check-sub-class.js:
2026 * stress/compare-eq-incomplete-profile.js:
2027 * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2028 * stress/do-eval-virtual-call-correctly.js:
2029 * stress/dom-jit-with-poly-proto.js:
2030 * stress/domjit-exception-ic.js:
2031 * stress/domjit-exception.js:
2032 * stress/domjit-getter-complex-with-incorrect-object.js:
2033 * stress/domjit-getter-complex.js:
2034 * stress/domjit-getter-poly.js:
2035 * stress/domjit-getter-proto.js:
2036 * stress/domjit-getter-super-poly.js:
2037 * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2038 * stress/domjit-getter-type-check.js:
2039 * stress/domjit-getter.js:
2040 * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2041 * stress/for-in-proxy-target-changed-structure.js:
2042 * stress/for-in-proxy.js:
2043 * stress/generational-opaque-roots.js:
2044 * stress/global-const-redeclaration-setting-2.js:
2045 * stress/global-const-redeclaration-setting-3.js:
2046 * stress/global-const-redeclaration-setting-4.js:
2047 * stress/global-const-redeclaration-setting-5.js:
2048 * stress/global-const-redeclaration-setting.js:
2049 * stress/import-basic.js:
2050 * stress/import-from-eval.js:
2051 * stress/import-reject-with-exception.js:
2052 * stress/import-syntax.js:
2053 * stress/impure-get-own-property-slot-inline-cache.js:
2054 * stress/is-constructor.js:
2055 * stress/istypedarrayview-intrinsic.js:
2056 * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2057 * stress/jsc-test-functions-should-be-more-robust.js:
2058 * stress/object-toString-with-proxy.js:
2059 * stress/poly-proto-custom-value-and-accessor.js:
2060 * stress/proxy-inline-cache.js:
2061 * stress/re-execute-error-module.js:
2062 * stress/regress-150532.js:
2063 * stress/regress-156992.js:
2064 * stress/regress-179619.js:
2065 * stress/resources/shadow-chicken-support.js:
2066 * stress/runtime-array.js:
2067 * stress/sampling-profiler-microtasks.js:
2068 * stress/shadow-chicken-enabled.js:
2069 * stress/spread-correct-global-object-on-exception.js:
2070 * stress/super-get-by-id.js:
2071 * stress/tailCallForwardArguments.js:
2072 * stress/to-object-intrinsic-boolean-edge.js:
2073 * stress/to-object-intrinsic-null-or-undefined-edge.js:
2074 * stress/to-object-intrinsic-number-edge.js:
2075 * stress/to-object-intrinsic-object-edge.js:
2076 * stress/to-object-intrinsic-string-edge.js:
2077 * stress/to-object-intrinsic-symbol-edge.js:
2078 * stress/to-object-intrinsic.js:
2079 * stress/try-catch-custom-getter-as-get-by-id.js:
2080 * stress/try-get-by-id-poly-proto.js:
2081 * stress/try-get-by-id-should-spill-registers-dfg.js:
2082 * stress/try-get-by-id.js:
2083 * typeProfiler/arrow-functions.js:
2084 * typeProfiler/basic.js:
2085 * typeProfiler/captured.js:
2086 * typeProfiler/classes.js:
2087 * typeProfiler/dfg-jit-optimizations.js:
2088 * typeProfiler/dictionary-mode.js:
2089 * typeProfiler/es6-block-scoping.js:
2090 * typeProfiler/es6-classes.js:
2091 * typeProfiler/inheritance.js:
2092 * typeProfiler/int52-dfg.js:
2093 * typeProfiler/loop.js:
2094 * typeProfiler/optional-fields.js:
2095 * typeProfiler/overflow.js:
2096 * typeProfiler/return.js:
2097 * typeProfiler/symbol.js:
2098 * typeProfiler/weird-prototype-chain.js:
2100 2017-11-21 Yusuke Suzuki <utatane.tea@gmail.com>
2102 [DFG][FTL] Support MapSet / SetAdd intrinsics
2103 https://bugs.webkit.org/show_bug.cgi?id=179858
2105 Reviewed by Saam Barati.
2107 * microbenchmarks/map-has-and-set.js: Added.
2109 * stress/map-set-check-failure.js: Added.
2113 * stress/map-set-cse.js: Added.
2116 * stress/set-add-check-failure.js: Added.
2120 * stress/set-add-cse.js: Added.
2123 2017-11-21 Yusuke Suzuki <utatane.tea@gmail.com>
2125 [JSC] Allow poly proto for intrinsic getters
2126 https://bugs.webkit.org/show_bug.cgi?id=179550
2128 Reviewed by Saam Barati.
2130 This change is also tested by existing tests.
2132 1. stress/intrinsic-getter-with-poly-proto.js
2133 2. stress/poly-proto-intrinsic-getter-correctness.js
2135 * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2137 (makePolyProtoObject.foo.C):
2138 (makePolyProtoObject.foo):
2139 (makePolyProtoObject):
2141 * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2143 (makePolyProtoObject.foo.C):
2144 (makePolyProtoObject.foo):
2145 (makePolyProtoObject):
2148 2017-11-20 Guillaume Emont <guijemont@igalia.com>
2150 Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2151 https://bugs.webkit.org/show_bug.cgi?id=179744
2153 Reviewed by Michael Catanzaro.
2155 This test uses too much memory for our buildbots on these platforms
2156 and gets OOM-killed.
2158 * stress/unshiftCountSlowCase-correct-postCapacity.js:
2159 Skip if $memoryLimited and linux.
2161 2017-11-17 JF Bastien <jfbastien@apple.com>
2163 WebAssembly JS API: throw when a promise can't be created
2164 https://bugs.webkit.org/show_bug.cgi?id=179826
2165 <rdar://problem/35455813>
2167 Reviewed by Mark Lam.
2169 Test WebAssembly.{compile,instantiate} where promise creation
2170 fails because of a stack overflow.
2172 * wasm/js-api/promise-stack-overflow.js: Added.
2173 (const.runNearStackLimit.f.const.t):
2174 (async.testCompile):
2175 (async.testInstantiate):
2177 2017-11-16 Yusuke Suzuki <utatane.tea@gmail.com>
2179 Unreviewed, mark regress-178385.js as memory exhausting
2181 * stress/regress-178385.js:
2183 2017-11-16 Ryan Haddad <ryanhaddad@apple.com>
2185 Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2187 Unreviewed test gardening.
2191 2017-11-16 Robin Morisset <rmorisset@apple.com>
2193 REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2194 https://bugs.webkit.org/show_bug.cgi?id=179763
2195 <rdar://problem/35550513>
2197 Reviewed by Keith Miller.
2199 Just adding a slightly cleaned-up version of the original fuzzer-found test.
2201 * stress/tdz-this-in-try-catch.js: Added.
2205 2017-11-14 Yusuke Suzuki <utatane.tea@gmail.com>
2207 [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2208 https://bugs.webkit.org/show_bug.cgi?id=179594
2210 Reviewed by Saam Barati.
2212 * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2215 * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2219 2017-11-14 Saam Barati <sbarati@apple.com>
2221 We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2222 https://bugs.webkit.org/show_bug.cgi?id=179639
2223 <rdar://problem/35513018>
2225 Reviewed by JF Bastien.
2227 * wasm/function-tests/grow-memory-cause-gc.js: Added.
2231 2017-11-13 Mark Lam <mark.lam@apple.com>
2233 Add more overflow check book-keeping for MarkedArgumentBuffer.
2234 https://bugs.webkit.org/show_bug.cgi?id=179634
2235 <rdar://problem/35492517>
2237 Reviewed by Saam Barati.
2239 * stress/regress-179634.js: Added.
2241 2017-11-13 Mark Lam <mark.lam@apple.com>
2243 Make the jsc shell loadGetterFromGetterSetter() function more robust.
2244 https://bugs.webkit.org/show_bug.cgi?id=179619
2245 <rdar://problem/35492518>
2247 Reviewed by Saam Barati.
2249 * stress/regress-179619.js: Added.
2251 2017-11-12 Mark Lam <mark.lam@apple.com>
2253 We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2254 https://bugs.webkit.org/show_bug.cgi?id=179562
2255 <rdar://problem/35467022>
2257 Reviewed by Saam Barati.
2259 * regress-179562.js: Added.
2261 2017-11-08 Saam Barati <sbarati@apple.com>
2263 A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2264 https://bugs.webkit.org/show_bug.cgi?id=177792
2266 Reviewed by Yusuke Suzuki.
2268 * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2270 (foo.Foo.prototype.ensureX):
2275 2017-11-08 Ryan Haddad <ryanhaddad@apple.com>
2277 Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2278 https://bugs.webkit.org/show_bug.cgi?id=178592
2280 Unreviewed test gardening.
2284 2017-11-08 Robin Morisset <rmorisset@apple.com>
2286 Turn recursive tail calls into loops
2287 https://bugs.webkit.org/show_bug.cgi?id=176601
2289 Reviewed by Saam Barati.
2291 Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2293 Add some simple test that computes factorial in several ways, and other trivial computations.
2294 They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2295 Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2296 I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2297 (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2299 * stress/inline-call-to-recursive-tail-call.js: Added.
2314 2017-11-07 Mark Lam <mark.lam@apple.com>
2316 AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2317 https://bugs.webkit.org/show_bug.cgi?id=179355
2318 <rdar://problem/35263053>
2320 Reviewed by Saam Barati.
2322 * stress/regress-179355.js: Added.
2324 2017-11-05 Yusuke Suzuki <utatane.tea@gmail.com>
2326 JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2327 https://bugs.webkit.org/show_bug.cgi?id=144458
2329 Reviewed by Saam Barati.
2331 * microbenchmarks/dfg-internal-function-call.js: Added.
2333 * microbenchmarks/dfg-internal-function-construct.js: Added.
2335 * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2337 * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2339 * stress/dfg-internal-function-call.js: Added.
2342 * stress/dfg-internal-function-construct.js: Added.
2345 * stress/internal-function-call.js: Added.
2347 * stress/internal-function-construct.js: Added.
2350 2017-11-05 Per Arne Vollan <pvollan@apple.com>
2352 [Win] Skip stress/regress-178385.js.
2353 https://bugs.webkit.org/show_bug.cgi?id=179298
2355 Unreviewed test gardening.
2357 * stress/regress-178385.js:
2359 2017-11-03 Keith Miller <keith_miller@apple.com>
2361 Add test for ic with side effects
2362 https://bugs.webkit.org/show_bug.cgi?id=179268
2364 Reviewed by Saam Barati.
2366 * stress/put-inline-cache-side-effects.js: Added.
2367 (let.i.of.objs.keys):
2370 2017-11-03 Mark Lam <mark.lam@apple.com>
2372 CachedCall (and its clients) needs overflow checks.
2373 https://bugs.webkit.org/show_bug.cgi?id=179185
2375 Reviewed by JF Bastien.
2377 * stress/regress-179185.js: Added.
2379 2017-11-02 Michael Saboff <msaboff@apple.com>
2381 DFG needs to handle code motion of code in for..in loop bodies
2382 https://bugs.webkit.org/show_bug.cgi?id=179212
2384 Reviewed by Keith Miller.
2386 New regression test.
2388 * stress/for-in-side-effects.js: Added.
2396 2017-11-02 Filip Pizlo <fpizlo@apple.com>
2398 AI does not correctly model the clobber case of ArithClz32
2399 https://bugs.webkit.org/show_bug.cgi?id=179188
2401 Reviewed by Michael Saboff.
2403 * stress/arith-clz32-effects.js: Added.
2407 2017-11-01 Michael Saboff <msaboff@apple.com>
2409 Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2410 https://bugs.webkit.org/show_bug.cgi?id=179140
2412 Reviewed by Saam Barati.
2414 New regression test.
2416 * stress/regress-179140.js: Added.
2420 2017-11-01 Yusuke Suzuki <utatane.tea@gmail.com>
2422 [JSC] Introduce @toObject
2423 https://bugs.webkit.org/show_bug.cgi?id=178726
2425 Reviewed by Saam Barati.
2427 * stress/array-copywithin.js:
2429 * stress/object-constructor-boolean-edge.js: Added.
2432 * stress/object-constructor-global.js: Added.
2434 * stress/object-constructor-null-edge.js: Added.
2437 * stress/object-constructor-number-edge.js: Added.
2440 * stress/object-constructor-object-edge.js: Added.
2444 * stress/object-constructor-string-edge.js: Added.
2447 * stress/object-constructor-symbol-edge.js: Added.
2450 * stress/object-constructor-undefined-edge.js: Added.
2453 * stress/symbol-array-from.js: Added.
2455 * stress/to-object-intrinsic-boolean-edge.js: Added.
2457 (builtin.createBuiltin):
2458 * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2460 * stress/to-object-intrinsic-number-edge.js: Added.
2462 (builtin.createBuiltin):
2463 * stress/to-object-intrinsic-object-edge.js: Added.
2465 (builtin.createBuiltin):
2467 * stress/to-object-intrinsic-string-edge.js: Added.
2469 (builtin.createBuiltin):
2470 * stress/to-object-intrinsic-symbol-edge.js: Added.
2472 (builtin.createBuiltin):
2473 * stress/to-object-intrinsic.js: Added.
2476 (builtin.createBuiltin):
2478 2017-10-27 Yusuke Suzuki <utatane.tea@gmail.com>
2480 [DFG][FTL] Introduce StringSlice
2481 https://bugs.webkit.org/show_bug.cgi?id=178934
2483 Reviewed by Saam Barati.
2485 * microbenchmarks/string-slice-empty.js: Added.
2487 * microbenchmarks/string-slice-one-char.js: Added.
2489 * microbenchmarks/string-slice.js: Added.
2492 2017-10-26 Michael Saboff <msaboff@apple.com>
2494 REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2495 https://bugs.webkit.org/show_bug.cgi?id=178890
2497 Reviewed by Keith Miller.
2499 New regression test.
2501 * stress/regress-178890.js: Added.
2503 2017-10-26 Mark Lam <mark.lam@apple.com>
2505 JSRopeString::RopeBuilder::append() should check for overflows.
2506 https://bugs.webkit.org/show_bug.cgi?id=178385
2507 <rdar://problem/35027468>
2509 Reviewed by Saam Barati.
2511 * stress/regress-178385.js: Added.
2513 2017-10-26 Ryan Haddad <ryanhaddad@apple.com>
2515 Unreviewed, rolling out r223961.
2517 The change that required this has been rolled out.
2521 "Mark test262.yaml/test262/test/language/statements/try/tco-
2522 catch.js as passing."
2523 https://bugs.webkit.org/show_bug.cgi?id=178592
2524 https://trac.webkit.org/changeset/223961
2526 2017-10-25 Commit Queue <commit-queue@webkit.org>
2528 Unreviewed, rolling out r223691 and r223729.
2529 https://bugs.webkit.org/show_bug.cgi?id=178834
2531 Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2532 by rniwa on #webkit).
2534 Reverted changesets:
2536 "Turn recursive tail calls into loops"
2537 https://bugs.webkit.org/show_bug.cgi?id=176601
2538 https://trac.webkit.org/changeset/223691
2540 "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2541 comparison is always false due to limited range of data type
2543 https://bugs.webkit.org/show_bug.cgi?id=178543
2544 https://trac.webkit.org/changeset/223729
2546 2017-10-25 Ryan Haddad <ryanhaddad@apple.com>
2548 Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2549 https://bugs.webkit.org/show_bug.cgi?id=178592
2551 Unreviewed test gardening.
2555 2017-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
2557 [FTL] Support NewStringObject
2558 https://bugs.webkit.org/show_bug.cgi?id=178737
2560 Reviewed by Saam Barati.
2562 * stress/new-string-object.js: Added.
2566 2017-10-15 Yusuke Suzuki <utatane.tea@gmail.com>
2568 [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2569 https://bugs.webkit.org/show_bug.cgi?id=178308
2571 Reviewed by Mark Lam.
2575 2017-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
2577 [JSC] Use fastJoin in Array#toString
2578 https://bugs.webkit.org/show_bug.cgi?id=178062
2580 Reviewed by Darin Adler.
2582 * microbenchmarks/contiguous-array-to-string.js: Added.
2584 * microbenchmarks/double-array-to-string.js: Added.
2586 * microbenchmarks/int32-array-to-string.js: Added.
2589 2017-10-22 Zan Dobersek <zdobersek@igalia.com>
2591 stress/check-string-ident.js is improperly skipped
2592 https://bugs.webkit.org/show_bug.cgi?id=178642
2594 Reviewed by Saam Barati.
2596 * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2597 since it enforces the run-jsc-stress-tests script to still set up the
2598 test to run, despite the skip directive that's used before.
2600 2017-10-20 Mark Lam <mark.lam@apple.com>
2602 Add a test case for r214334.
2603 https://bugs.webkit.org/show_bug.cgi?id=169941
2604 <rdar://problem/31221258>
2606 Reviewed by JF Bastien.
2608 * stress/regress-169941.js: Added.
2610 2017-10-19 JF Bastien <jfbastien@apple.com>
2612 WebAssembly: no VM / JS version of everything but Instance
2613 https://bugs.webkit.org/show_bug.cgi?id=177473
2615 Reviewed by Filip Pizlo, Saam Barati.
2617 - Exceeding max on memory growth now returns a range error as per
2618 spec. This is a (very minor) breaking change: it used to throw OOM
2619 error. Update the corresponding test.
2621 * wasm/js-api/memory-grow.js:
2623 * wasm/js-api/table.js:
2626 2017-10-19 Mark Lam <mark.lam@apple.com>
2628 Stringifier::appendStringifiedValue() is missing an exception check.
2629 https://bugs.webkit.org/show_bug.cgi?id=178386
2630 <rdar://problem/35027610>
2632 Reviewed by Saam Barati.
2634 * stress/regress-178386.js: Added.
2636 2017-10-19 Michael Saboff <msaboff@apple.com>
2638 Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2639 https://bugs.webkit.org/show_bug.cgi?id=178521
2641 Reviewed by JF Bastien.
2643 * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2644 now passes with the current version (5.0) of the Emoji spec.
2646 2017-10-19 Robin Morisset <rmorisset@apple.com>
2648 Turn recursive tail calls into loops
2649 https://bugs.webkit.org/show_bug.cgi?id=176601
2651 Reviewed by Saam Barati.
2653 Add some simple test that computes factorial in several ways, and other trivial computations.
2654 They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2655 Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2656 I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2657 (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2659 * stress/inline-call-to-recursive-tail-call.js: Added.
2671 2017-10-18 Mark Lam <mark.lam@apple.com>
2673 RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2674 https://bugs.webkit.org/show_bug.cgi?id=177600
2675 <rdar://problem/34710985>
2677 Reviewed by Saam Barati.
2679 * stress/regress-177600.js: Added.
2681 2017-10-18 Mark Lam <mark.lam@apple.com>
2683 The compiler should always register a structure when it adds its transitionWatchPointSet.
2684 https://bugs.webkit.org/show_bug.cgi?id=178420
2685 <rdar://problem/34814024>
2687 Reviewed by Saam Barati and Filip Pizlo.
2689 * stress/regress-178420.js: Added.
2690 (new.Array.10000.map):
2692 2017-10-18 Yusuke Suzuki <utatane.tea@gmail.com>
2694 [JSC] __proto__ getter should be fast
2695 https://bugs.webkit.org/show_bug.cgi?id=178067
2697 Reviewed by Saam Barati.
2699 * stress/dfg-object-proto-accessor.js: Added.
2703 * stress/dfg-object-proto-getter.js: Added.
2707 * stress/dfg-object-prototype-of.js: Added.
2711 * stress/dfg-reflect-get-prototype-of.js: Added.
2715 * stress/intrinsic-getter-with-poly-proto.js: Added.
2717 (makePolyProtoObject.foo.C):
2718 (makePolyProtoObject.foo):
2719 (makePolyProtoObject):
2721 * stress/object-get-prototype-of-filtered.js: Added.
2726 * stress/object-get-prototype-of-mono-proto.js: Added.
2728 (makePolyProtoObject.foo.C):
2729 (makePolyProtoObject.foo):
2730 (makePolyProtoObject):
2732 * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2734 (makePolyProtoObject.foo.C):
2735 (makePolyProtoObject.foo):
2736 (makePolyProtoObject):
2738 * stress/object-get-prototype-of-poly-proto.js: Added.
2740 (makePolyProtoObject.foo.C):
2741 (makePolyProtoObject.foo):
2742 (makePolyProtoObject):
2744 * stress/object-proto-getter-filtered.js: Added.
2749 * stress/object-proto-getter-poly-mono-proto.js: Added.
2751 (makePolyProtoObject.foo.C):
2752 (makePolyProtoObject.foo):
2753 (makePolyProtoObject):
2755 * stress/object-proto-getter-poly-proto.js: Added.
2757 (makePolyProtoObject.foo.C):
2758 (makePolyProtoObject.foo):
2759 (makePolyProtoObject):
2761 * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2762 * stress/string-proto.js: Added.
2766 2017-10-17 Ryan Haddad <ryanhaddad@apple.com>
2768 Unreviewed, rolling out r223523.
2770 A test for this change is failing on debug JSC bots.
2774 "[JSC] __proto__ getter should be fast"
2775 https://bugs.webkit.org/show_bug.cgi?id=178067
2776 https://trac.webkit.org/changeset/223523
2778 2017-10-10 Yusuke Suzuki <utatane.tea@gmail.com>
2780 [JSC] __proto__ getter should be fast
2781 https://bugs.webkit.org/show_bug.cgi?id=178067
2783 Reviewed by Saam Barati.
2785 * stress/dfg-object-proto-accessor.js: Added.
2789 * stress/dfg-object-proto-getter.js: Added.
2793 * stress/dfg-object-prototype-of.js: Added.
2797 * stress/dfg-reflect-get-prototype-of.js: Added.
2801 * stress/object-get-prototype-of-filtered.js: Added.
2806 * stress/object-get-prototype-of-mono-proto.js: Added.
2808 (makePolyProtoObject.foo.C):
2809 (makePolyProtoObject.foo):
2810 (makePolyProtoObject):
2812 * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2814 (makePolyProtoObject.foo.C):
2815 (makePolyProtoObject.foo):
2816 (makePolyProtoObject):
2818 * stress/object-get-prototype-of-poly-proto.js: Added.
2820 (makePolyProtoObject.foo.C):
2821 (makePolyProtoObject.foo):
2822 (makePolyProtoObject):
2824 * stress/object-proto-getter-filtered.js: Added.
2829 * stress/object-proto-getter-poly-mono-proto.js: Added.
2831 (makePolyProtoObject.foo.C):
2832 (makePolyProtoObject.foo):
2833 (makePolyProtoObject):
2835 * stress/object-proto-getter-poly-proto.js: Added.
2837 (makePolyProtoObject.foo.C):
2838 (makePolyProtoObject.foo):
2839 (makePolyProtoObject):
2841 * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2842 * stress/string-proto.js: Added.
2846 2017-10-14 Yusuke Suzuki <utatane.tea@gmail.com>
2848 Reland "Add Above/Below comparisons for UInt32 patterns"
2849 https://bugs.webkit.org/show_bug.cgi?id=177281
2851 Reviewed by Saam Barati.
2853 * stress/uint32-comparison-jump.js: Added.
2863 * stress/uint32-comparison.js: Added.
2874 2017-10-12 Yusuke Suzuki <utatane.tea@gmail.com>
2876 WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2877 https://bugs.webkit.org/show_bug.cgi?id=178210
2879 Reviewed by Saam Barati.
2881 * wasm/function-tests/trap-from-start-async.js:
2882 (async.StartTrapsAsync):
2883 * wasm/function-tests/trap-from-start.js:
2885 * wasm/js-api/web-assembly-function.js:
2886 (assert.eq.Object.getPrototypeOf):
2887 * wasm/js-api/wrapper-function.js:
2888 (return.new.WebAssembly.Module):
2889 (assert.throws.makeInstance): Deleted.
2890 (assert.throws.Bar): Deleted.
2891 (assert.throws): Deleted.
2893 2017-09-29 Filip Pizlo <fpizlo@apple.com>
2895 Enable gigacage on iOS
2896 https://bugs.webkit.org/show_bug.cgi?id=177586
2898 Reviewed by JF Bastien.
2900 Add tests for when Gigacage gets runtime disabled.
2902 * stress/disable-gigacage-arrays.js: Added.
2904 * stress/disable-gigacage-strings.js: Added.
2906 * stress/disable-gigacage-typed-arrays.js: Added.
2909 2017-10-11 Yusuke Suzuki <utatane.tea@gmail.com>
2911 import.meta should not be assignable
2912 https://bugs.webkit.org/show_bug.cgi?id=178202
2914 Reviewed by Saam Barati.
2916 * modules/import-meta-assignment.js: Added.
2918 (SyntaxError.import.meta.can.shouldThrow):
2920 2017-10-11 Saam Barati <sbarati@apple.com>
2922 Unreviewed. Actually skip certain type profiler tests in debug.
2924 * typeProfiler.yaml:
2925 * typeProfiler/deltablue-for-of.js:
2926 * typeProfiler/getter-richards.js:
2928 2017-10-11 Commit Queue <commit-queue@webkit.org>
2930 Unreviewed, rolling out r223113 and r223121.
2931 https://bugs.webkit.org/show_bug.cgi?id=178182
2933 Reintroduced 20% regression on Kraken (Requested by rniwa on
2936 Reverted changesets:
2938 "Enable gigacage on iOS"
2939 https://bugs.webkit.org/show_bug.cgi?id=177586
2940 https://trac.webkit.org/changeset/223113
2942 "Use one virtual allocation for all gigacages and their
2944 https://bugs.webkit.org/show_bug.cgi?id=178050
2945 https://trac.webkit.org/changeset/223121
2947 2017-10-11 Michael Saboff <msaboff@apple.com>
2949 Disable test262 named capture group tests with direct unicode names and with references before definitions
2950 https://bugs.webkit.org/show_bug.cgi?id=178177
2952 Reviewed by Keith Miller.
2954 Bugs to track fixing these test are:
2955 https://bugs.webkit.org/show_bug.cgi?id=178174 -
2956 "Add support in named capture group identifiers for direct surrogate pairs"
2957 https://bugs.webkit.org/show_bug.cgi?id=178175 -
2958 "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2962 2017-10-11 Caio Lima <ticaiolima@gmail.com>
2964 Object properties are undefined in super.call() but not in this.call()
2965 https://bugs.webkit.org/show_bug.cgi?id=177230
2967 Reviewed by Saam Barati.
2969 * stress/super-call-function-subclass.js: Added.
2973 * stress/super-dot-call-and-apply.js: Added.
2977 (A.prototype.apply):
2978 (B.prototype.testSuper):
2980 (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2981 (D.prototype.testSuper):
2984 2017-10-10 Saam Barati <sbarati@apple.com>
2986 The prototype cache should be aware of the Executable it generates a Structure for
2987 https://bugs.webkit.org/show_bug.cgi?id=177907
2989 Reviewed by Filip Pizlo.
2991 * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3001 2017-10-09 Yusuke Suzuki <utatane.tea@gmail.com>
3003 `async` should be able to be used as an imported binding name
3004 https://bugs.webkit.org/show_bug.cgi?id=176573
3006 Reviewed by Saam Barati.
3008 * modules/import-default-async.js: Added.
3009 * modules/import-named-async-as.js: Added.
3010 * modules/import-named-async.js: Added.
3011 * modules/import-named-async/target.js: Added.
3012 * modules/import-namespace-async.js: Added.
3015 2017-09-29 Filip Pizlo <fpizlo@apple.com>
3017 Enable gigacage on iOS
3018 https://bugs.webkit.org/show_bug.cgi?id=177586
3020 Reviewed by JF Bastien.
3022 Add tests for when Gigacage gets runtime disabled.
3024 * stress/disable-gigacage-arrays.js: Added.
3026 * stress/disable-gigacage-strings.js: Added.
3028 * stress/disable-gigacage-typed-arrays.js: Added.
3031 2017-10-09 Michael Saboff <msaboff@apple.com>
3033 Implement RegExp Unicode property escapes
3034 https://bugs.webkit.org/show_bug.cgi?id=172069
3036 Reviewed by JF Bastien.
3038 Enabled Unicode Property tests.
3042 2017-10-09 Commit Queue <commit-queue@webkit.org>
3044 Unreviewed, rolling out r223015 and r223025.
3045 https://bugs.webkit.org/show_bug.cgi?id=178093
3047 Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3050 Reverted changesets:
3052 "Enable gigacage on iOS"
3053 https://bugs.webkit.org/show_bug.cgi?id=177586
3054 http://trac.webkit.org/changeset/223015
3056 "Unreviewed, disable Gigacage on ARM64 Linux"
3057 https://bugs.webkit.org/show_bug.cgi?id=177586
3058 http://trac.webkit.org/changeset/223025
3060 2017-10-09 Ryan Haddad <ryanhaddad@apple.com>
3062 Update expectations for test262 tests that pass after r223043.
3063 https://bugs.webkit.org/show_bug.cgi?id=176685
3065 Unreviewed test gardening.
3069 2017-10-09 Ryan Haddad <ryanhaddad@apple.com>
3071 Unreviewed, rolling out r223022.
3073 This change introduced 18 test262 failures.
3077 "`async` should be able to be used as an imported binding
3079 https://bugs.webkit.org/show_bug.cgi?id=176573
3080 http://trac.webkit.org/changeset/223022
3082 2017-10-09 Saam Barati <sbarati@apple.com>
3084 3 poly-proto JSC tests timing out on debug after r222827
3085 https://bugs.webkit.org/show_bug.cgi?id=177880
3086 <rdar://problem/34817122>
3090 I'm skipping these type profiler tests on debug since they are long running.
3092 * typeProfiler/deltablue-for-of.js:
3093 * typeProfiler/getter-richards.js:
3095 2017-10-09 Oleksandr Skachkov <gskachkov@gmail.com>
3097 Safari 10 /11 problem with if (!await get(something)).
3098 https://bugs.webkit.org/show_bug.cgi?id=176685
3100 Reviewed by Saam Barati.
3102 * stress/async-await-basic.js:
3103 (awaitEpression.async):
3104 * stress/async-await-syntax.js:
3105 (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3106 (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3108 2017-10-08 Saam Barati <sbarati@apple.com>
3110 Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3112 * typeProfiler/deltablue-for-of.js:
3113 * typeProfiler/getter-richards.js:
3115 2017-10-07 Yusuke Suzuki <utatane.tea@gmail.com>
3117 `async` should be able to be used as an imported binding name
3118 https://bugs.webkit.org/show_bug.cgi?id=176573
3120 Reviewed by Darin Adler.
3122 * modules/import-default-async.js: Added.
3123 * modules/import-named-async-as.js: Added.
3124 * modules/import-named-async.js: Added.
3125 * modules/import-named-async/target.js: Added.
3126 * modules/import-namespace-async.js: Added.
3128 2017-09-29 Filip Pizlo <fpizlo@apple.com>
3130 Enable gigacage on iOS
3131 https://bugs.webkit.org/show_bug.cgi?id=177586
3133 Reviewed by JF Bastien.
3135 Add tests for when Gigacage gets runtime disabled.
3137 * stress/disable-gigacage-arrays.js: Added.
3139 * stress/disable-gigacage-strings.js: Added.
3141 * stress/disable-gigacage-typed-arrays.js: Added.
3144 2017-10-06 Commit Queue <commit-queue@webkit.org>
3146 Unreviewed, rolling out r222791 and r222873.
3147 https://bugs.webkit.org/show_bug.cgi?id=178031
3149 Caused crashes with workers/wasm LayoutTests (Requested by
3150 ryanhaddad on #webkit).
3152 Reverted changesets:
3154 "WebAssembly: no VM / JS version of everything but Instance"
3155 https://bugs.webkit.org/show_bug.cgi?id=177473
3156 http://trac.webkit.org/changeset/222791
3158 "WebAssembly: address no VM / JS follow-ups"
3159 https://bugs.webkit.org/show_bug.cgi?id=177887
3160 http://trac.webkit.org/changeset/222873
3162 2017-10-05 Saam Barati <sbarati@apple.com>
3164 Make sure all prototypes under poly proto get added into the VM's prototype map
3165 https://bugs.webkit.org/show_bug.cgi?id=177909
3167 Reviewed by Keith Miller.
3169 * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3175 2017-09-30 Yusuke Suzuki <utatane.tea@gmail.com>
3177 [JSC] Introduce import.meta
3178 https://bugs.webkit.org/show_bug.cgi?id=177703
3180 Reviewed by Filip Pizlo.
3182 * modules/import-meta-syntax.js: Added.
3185 * modules/import-meta.js: Added.
3186 * modules/import-meta/cocoa.js: Added.
3187 * modules/resources/assert.js:
3188 (export.shouldNotThrow):
3189 * stress/import-syntax.js:
3191 2017-10-04 Saam Barati <sbarati@apple.com>
3193 Make pertinent AccessCases watch the poly proto watchpoint
3194 https://bugs.webkit.org/show_bug.cgi?id=177765
3196 Reviewed by Keith Miller.
3198 * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3203 * stress/poly-proto-clear-stub.js: Added.
3208 2017-10-04 Ryan Haddad <ryanhaddad@apple.com>
3210 Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3212 Unreviewed test gardening.
3216 2017-10-04 Saam Barati <sbarati@apple.com>
3218 3 poly-proto JSC tests timing out on debug after r222827
3219 https://bugs.webkit.org/show_bug.cgi?id=177880
3221 Rubber stamped by Mark Lam.
3223 * microbenchmarks/poly-proto-access.js:
3224 * typeProfiler/deltablue-for-of.js:
3225 * typeProfiler/getter-richards.js:
3227 2017-10-04 Joseph Pecoraro <pecoraro@apple.com>
3229 Unreviewed, marking tco-catch.js as a failure after test262 update
3230 https://bugs.webkit.org/show_bug.cgi?id=177859
3234 2017-10-04 Yusuke Suzuki <utatane.tea@gmail.com>
3236 Unreviewed, marking one async iterator test262 test failed
3237 https://bugs.webkit.org/show_bug.cgi?id=177859
3241 2017-10-04 Yusuke Suzuki <utatane.tea@gmail.com>
3243 [Test262] Update Test262 to Oct 4 version
3244 https://bugs.webkit.org/show_bug.cgi?id=177859
3246 Reviewed by Sam Weinig.
3248 Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3249 we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3252 * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3254 * test262/harness/typeCoercion.js:
3255 (testCoercibleToIndexZero):
3256 (testCoercibleToIndexOne):
3257 (testCoercibleToIndexFromIndex):
3258 (testNotCoercibleToIndex.testPrimitiveValue):
3259 (testNotCoercibleToInteger):
3260 (testCoercibleToBigIntZero.testPrimitiveValue):
3261 (testCoercibleToBigIntZero):
3262 (testCoercibleToBigIntOne.testPrimitiveValue):
3263 (testCoercibleToBigIntOne):
3264 (testPrimitiveValue):
3265 (testCoercibleToBigIntFromBigInt):
3266 (testNotCoercibleToBigInt.testPrimitiveValue):
3267 (testNotCoercibleToBigInt.testStringValue):
3268 (testNotCoercibleToBigInt):
3269 * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3270 * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3271 * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3272 * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3273 * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3274 * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3275 * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3276 * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3277 * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3278 * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3279 * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3280 * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3281 * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3282 * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3283 * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3284 * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3285 (testCoercibleToBigIntZero):
3286 (testCoercibleToBigIntOne):
3287 (testNotCoercibleToBigInt):
3290 (toString): Deleted.
3291 (Symbol.toPrimitive): Deleted.
3292 * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3293 (testCoercibleToIndexZero):
3294 (testCoercibleToIndexOne):
3295 (testNotCoercibleToIndex):
3297 (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3298 (assert.sameValue.BigInt.asIntN.toString): Deleted.
3299 (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3300 (BigInt.asIntN.valueOf): Deleted.
3301 (BigInt.asIntN.toString): Deleted.
3302 * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3303 * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3304 * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3305 (testCoercibleToBigIntZero):
3306 (testCoercibleToBigIntOne):
3307 (testNotCoercibleToBigInt):
3308 * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3309 (testCoercibleToIndexZero):
3310 (testCoercibleToIndexOne):
3311 (testNotCoercibleToIndex):
3312 * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3313 * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3314 * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3317 * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3318 * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3319 * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3320 * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3321 * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3322 * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3323 * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3324 * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3325 * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3326 * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3327 * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3328 * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3329 * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3330 * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3331 * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3332 * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3333 * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3334 * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3335 * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3336 * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3337 * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3338 * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3339 * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3340 * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3342 (BigInt.prototype.toJSON):
3343 * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3345 * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3346 (BigInt.prototype.toJSON):
3347 * test262/test/built-ins/JSON/stringify/bigint.js:
3348 * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3349 * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3350 * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3351 * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3352 * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3353 * test262/test/built-ins/Object/proto-from-ctor.js:
3354 * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3355 * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3356 * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3357 * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3358 * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3359 * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3360 * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3361 * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3362 * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3363 * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3364 * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3365 * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3366 * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3367 * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3368 * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3369 * test262/test/built-ins/Proxy/get-fn-realm.js:
3370 * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3371 * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3372 * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3373 * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3374 * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3375 * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3376 * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3377 * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3378 * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3379 * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3380 * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3381 * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3384 * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3385 * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3386 * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3387 * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3388 * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3389 * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3390 * test262/test/built-ins/RegExp/u180e.js: Added.
3391 * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3392 * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3393 * test262/test/built-ins/String/proto-from-ctor-realm.js:
3394 * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3395 * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3396 * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3397 * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3398 * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3399 * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3400 * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3401 * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3402 * test262/test/built-ins/String/prototype/endsWith/length.js:
3403 * test262/test/built-ins/String/prototype/endsWith/name.js:
3404 * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3405 * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3406 * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3407 * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3408 * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3409 * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3410 * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3411 * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3412 * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3413 * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3414 * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3415 * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3416 * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3417 * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3418 * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3419 * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3420 * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3421 * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3422 * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3423 * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3424 * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3425 * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3426 * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3427 * test262/test/built-ins/String/prototype/includes/includes.js:
3428 * test262/test/built-ins/String/prototype/includes/length.js:
3429 * test262/test/built-ins/String/prototype/includes/name.js:
3430 * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3431 * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3432 * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3433 * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3434 * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3435 * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3436 * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3437 * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3438 * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3439 * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3440 * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3441 * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3442 * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3443 * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3444 * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3445 * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3446 * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3447 * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3448 * test262/test/built-ins/String/prototype/trim/u180e.js:
3449 * test262/test/built-ins/Symbol/for/cross-realm.js:
3450 * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3451 * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3452 * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3453 * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3454 * test262/test/built-ins/Symbol/match/cross-realm.js:
3455 * test262/test/built-ins/Symbol/replace/cross-realm.js:
3456 * test262/test/built-ins/Symbol/search/cross-realm.js:
3457 * test262/test/built-ins/Symbol/species/cross-realm.js:
3458 * test262/test/built-ins/Symbol/split/cross-realm.js:
3459 * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3460 * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3461 * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3462 * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3463 * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3464 * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3465 * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3466 * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3467 * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3468 * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3469 * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3470 * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3471 * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3472 * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3473 * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3474 * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3475 * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3476 * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3477 * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3478 * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3479 * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3480 * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3481 * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3482 * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3483 * test262/test/language/comments/mongolian-vowel-separator-single.js:
3484 * test262/test/language/eval-code/indirect/realm.js:
3485 * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3488 * test262/test/language/expressions/call/eval-realm-indirect.js:
3489 * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3490 * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3491 * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3492 * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3493 * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3494 * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3495 * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3496 * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3497 * test262/test/language/expressions/greater-than/bigint-and-number.js:
3498 * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3499 * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3500 * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3501 * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3502 * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3503 * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3504 * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3505 * test262/test/language/expressions/less-than/bigint-and-number.js:
3506 * test262/test/language/expressions/new/non-ctor-err-realm.js:
3507 * test262/test/language/expressions/super/realm.js:
3508 * test262/test/language/expressions/tagged-template/cache-realm.js:
3509 * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3510 * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3511 * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3512 * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3513 * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3514 * test262/test/language/literals/string/mongolian-vowel-separator.js:
3515 * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3518 * test262/test/language/statements/for-of/iterator-next-reference.js:
3520 (iterator.next): Deleted.
3521 (x.of.iterable.): Deleted.
3522 (x.of.iterable.get return): Deleted.
3523 (x.of.iterable.iterator.next): Deleted.
3524 * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3525 * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3526 * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3527 * test262/test/language/white-space/mongolian-vowel-separator.js:
3528 * test262/test262-Revision.txt:
3530 2017-10-03 Saam Barati <sbarati@apple.com>
3532 Implement polymorphic prototypes
3533 https://bugs.webkit.org/show_bug.cgi?id=176391
3535 Reviewed by Filip Pizlo.
3537 * microbenchmarks/poly-proto-access.js: Added.
3540 (foo.C.prototype.get bar):
3543 * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3545 (makePolyProtoObject.foo.C):
3546 (makePolyProtoObject.foo):
3547 (makePolyProtoObject):
3549 * microbenchmarks/poly-proto-setter-speed.js: Added.
3551 (makePolyProtoObject.foo.C):
3552 (makePolyProtoObject.foo.C.prototype.set p):
3553 (makePolyProtoObject.foo):
3554 (makePolyProtoObject):
3556 * stress/constructor-with-return.js:
3557 (i.tests.forEach.Constructor):
3559 (tests.forEach.Constructor): Deleted.
3560 (tests.forEach): Deleted.
3561 * stress/dom-jit-with-poly-proto.js: Added.
3563 (makePolyProtoObject.foo.C):
3564 (makePolyProtoObject.foo):
3565 (makePolyProtoObject):
3567 * stress/poly-proto-custom-value-and-accessor.js: Added.
3569 (makePolyProtoObject.foo.C):
3570 (makePolyProtoObject.foo):
3571 (makePolyProtoObject):
3574 * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3576 (makePolyProtoObject.foo.C):
3577 (makePolyProtoObject.foo):
3578 (makePolyProtoObject):
3580 * stress/poly-proto-miss.js: Added.
3581 (makePolyProtoInstanceWithNullPrototype.foo.C):
3582 (makePolyProtoInstanceWithNullPrototype.foo):
3583 (makePolyProtoInstanceWithNullPrototype):
3586 * stress/poly-proto-op-in-caching.js: Added.
3588 (makePolyProtoObject.foo.C):
3589 (makePolyProtoObject.foo):
3590 (makePolyProtoObject):
3593 * stress/poly-proto-put-transition.js: Added.
3595 (makePolyProtoObject.foo.C):
3596 (makePolyProtoObject.foo):
3597 (makePolyProtoObject):
3599 (i.obj.__proto__.set p):
3600 * stress/poly-proto-set-prototype.js: Added.
3602 (let.alternateProto.get x):
3603 (let.alternateProto2.get y):
3604 (let.alternateProto2.get x):
3608 * stress/poly-proto-setter.js: Added.
3610 (makePolyProtoObject.foo.C):
3611 (makePolyProtoObject.foo.C.prototype.set p):
3612 (makePolyProtoObject.foo.C.prototype.get p):
3613 (makePolyProtoObject.foo):
3614 (makePolyProtoObject):
3616 * stress/poly-proto-using-inheritance.js: Added.
3619 (foo.C.prototype.get baz):
3624 * stress/primitive-poly-proto.js: Added.
3625 (makePolyProtoInstance.foo.C):
3626 (makePolyProtoInstance.foo):
3627 (makePolyProtoInstance):
3630 * stress/prototype-is-not-js-object.js: Added.
3635 * stress/try-get-by-id-poly-proto.js: Added.
3637 (makePolyProtoObject.foo.C):
3638 (makePolyProtoObject.foo):
3639 (makePolyProtoObject):
3641 (x.__proto__.get bar):
3643 * typeProfiler/overflow.js:
3645 2017-10-03 JF Bastien <jfbastien@apple.com>
3647 WebAssembly: no VM / JS version of everything but Instance
3648 https://bugs.webkit.org/show_bug.cgi?id=177473
3650 Reviewed by Filip Pizlo.
3652 - Exceeding max on memory growth now returns a range error as per
3653 spec. This is a (very minor) breaking change: it used to throw OOM
3654 error. Update the corresponding test.
3656 * wasm/js-api/memory-grow.js:
3658 * wasm/js-api/table.js:
3661 2017-10-03 Ryan Haddad <ryanhaddad@apple.com>
3663 Skip JSC test stress/regress-159779-2.js on debug.
3664 https://bugs.webkit.org/show_bug.cgi?id=177204
3666 Unreviewed test gardening.
3668 * stress/regress-159779-2.js:
3670 2017-10-02 Caio Lima <ticaiolima@gmail.com>
3672 ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3673 https://bugs.webkit.org/show_bug.cgi?id=175642
3675 Reviewed by Darin Adler.
3677 * ChakraCore/test/Function/apply3.baseline-jsc:
3679 2017-10-01 Commit Queue <commit-queue@webkit.org>
3681 Unreviewed, rolling out r222564.
3682 https://bugs.webkit.org/show_bug.cgi?id=177720
3684 "It regressed JetStream by 2% on iOS caused by a 50%
3685 regression on the bigfib subtest" (Requested by saamyjoon on
3690 "Add Above/Below comparisons for UInt32 patterns"
3691 https://bugs.webkit.org/show_bug.cgi?id=177281
3692 http://trac.webkit.org/changeset/222564
3694 2017-09-29 Yusuke Suzuki <utatane.tea@gmail.com>
3696 [DFG] Support ArrayPush with multiple args
3697 https://bugs.webkit.org/show_bug.cgi?id=175823
3699 Reviewed by Saam Barati.
3701 * microbenchmarks/array-push-0.js: Added.
3703 * microbenchmarks/array-push-1.js: Added.
3705 * microbenchmarks/array-push-2.js: Added.
3707 * microbenchmarks/array-push-3.js: Added.
3709 * stress/array-push-multiple-contiguous.js: Added.
3712 * stress/array-push-multiple-double-nan.js: Added.
3715 * stress/array-push-multiple-double.js: Added.
3718 * stress/array-push-multiple-int32.js: Added.
3721 * stress/array-push-multiple-many-contiguous.js: Added.
3724 * stress/array-push-multiple-many-double.js: Added.
3727 * stress/array-push-multiple-many-int32.js: Added.
3730 * stress/array-push-multiple-many-storage.js: Added.
3733 * stress/array-push-multiple-storage.js: Added.
3736 * stress/array-push-with-force-exit.js: Added.
3737 (target.createBuiltin):
3739 2017-09-29 Saam Barati <sbarati@apple.com>
3741 Custom GetterSetterAccessCase does not use the correct slotBase when making call
3742 https://bugs.webkit.org/show_bug.cgi?id=177639
3744 Reviewed by Geoffrey Garen.
3746 * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3752 2017-09-29 Commit Queue <commit-queue@webkit.org>
3754 Unreviewed, rolling out r222563, r222565, and r222581.
3755 https://bugs.webkit.org/show_bug.cgi?id=177675
3757 "It causes a crash when playing youtube videos" (Requested by
3758 saamyjoon on #webkit).
3760 Reverted changesets:
3762 "[DFG] Support ArrayPush with multiple args"
3763 https://bugs.webkit.org/show_bug.cgi?id=175823
3764 http://trac.webkit.org/changeset/222563
3766 "Unreviewed, build fix after r222563"
3767 https://bugs.webkit.org/show_bug.cgi?id=175823
3768 http://trac.webkit.org/changeset/222565
3770 "Unreviewed, fix x86 breaking due to exhausted registers"
3771 https://bugs.webkit.org/show_bug.cgi?id=175823
3772 http://trac.webkit.org/changeset/222581
3774 2017-09-28 Mark Lam <mark.lam@apple.com>
3776 test262: Unexpected passes after r222617 and r222618.
3777 https://bugs.webkit.org/show_bug.cgi?id=177622
3778 <rdar://problem/34725960>
3780 Reviewed by Saam Barati.
3782 Update test262.yaml for tests that are now passing.
3786 2017-09-27 Michael Saboff <msaboff@apple.com>
3788 REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3789 https://bugs.webkit.org/show_bug.cgi?id=177570
3791 Reviewed by Filip Pizlo.
3793 New regression test.
3795 * stress/regress-177570.js: Added.
3797 2017-09-28 Michael Saboff <msaboff@apple.com>
3799 Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3800 https://bugs.webkit.org/show_bug.cgi?id=177423
3802 Reviewed by Mark Lam.
3804 Updated regression test.
3806 * stress/regress-177423.js:
git://git.webkit.org / WebKit.git / blob