authorMyles Borins <mylesborins@google.com>2018-04-13 00:39:44 -0400
committerMyles Borins <mylesborins@google.com>2018-04-16 15:59:39 -0400
commitdaed72f224af5454269362b3d3e3e8d1b80ceb55 (patch)
tree9ee03b5727d29e8881bc37ba6b134377b68d3775 /deps
parentfb2d9df75718dd2707e68063e8d74783e7e19e12 (diff)
downloadnode-new-daed72f224af5454269362b3d3e3e8d1b80ceb55.tar.gz
deps: patch V8 to 6.6.346.24
PR-URL: https://github.com/nodejs/node/pull/19995 Refs: https://github.com/v8/v8/compare/6.6.346.23...6.6.346.24 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Yang Guo <yangguo@chromium.org> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Diffstat (limited to 'deps')
-rw-r--r--deps/v8/include/v8-version.h2
-rw-r--r--deps/v8/src/compiler/js-call-reducer.cc2
-rw-r--r--deps/v8/test/mjsunit/regress/regress-crbug-825045.js14
3 files changed, 16 insertions, 2 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index da78020d07..68d0a35929 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 6
#define V8_MINOR_VERSION 6
#define V8_BUILD_NUMBER 346
-#define V8_PATCH_LEVEL 23
+#define V8_PATCH_LEVEL 24
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/compiler/js-call-reducer.cc b/deps/v8/src/compiler/js-call-reducer.cc
index 12fb14c6fc..f229cdefed 100644
--- a/deps/v8/src/compiler/js-call-reducer.cc
+++ b/deps/v8/src/compiler/js-call-reducer.cc
@@ -419,7 +419,7 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
// runtime otherwise.
Handle<DescriptorArray> descriptors(receiver_map->instance_descriptors(),
isolate());
- if (descriptors->length() < 2) return NoChange();
+ if (descriptors->number_of_descriptors() < 2) return NoChange();
if (descriptors->GetKey(JSFunction::kLengthDescriptorIndex) !=
isolate()->heap()->length_string()) {
return NoChange();
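Review bot: The guard on the changed line still hard-codes `2` and has no comment saying why `number_of_descriptors()` is the right bound, so the mix-up with `length()` is easy to reintroduce. As far as can be inferred here (the DescriptorArray definition is not on this page), `length()` reports the size of the backing array rather than the count of valid descriptors, so it does not bound the `GetKey(JSFunction::kLengthDescriptorIndex)` read on the next line. I would add a comment above the check such as `// Bound by number_of_descriptors(): length() is the backing-store size and does not guarantee the entries read below exist.` and express the literal in terms of the highest descriptor index the function reads. ReduceFunctionPrototypeBind starts and ends outside this hunk, so any further GetKey calls in it were not reviewed.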
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-825045.js b/deps/v8/test/mjsunit/regress/regress-crbug-825045.js
new file mode 100644
index 0000000000..34af20897a
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-825045.js
@@ -0,0 +1,14 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const obj = new class A extends (async function (){}.constructor) {};
+delete obj.name;
+Number.prototype.__proto__ = obj;
+function foo() { return obj.bind(); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
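Review bot: The new regression test has no comment saying what it guards and makes no assertion, so it passes only by not crashing and a reader cannot tell which step matters. I would add a short header comment along the lines of `// bind() on a function whose own 'name' property was deleted must fall back to the runtime path (crbug 825045).`, adjusted to what the bug report actually states, since that reading is inferred from the js-call-reducer.cc change. A second comment noting that the two warm-up calls before `%OptimizeFunctionOnNextCall(foo)` exist so the final call runs optimized code would make the sequence self-explanatory.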