deps: patch V8 to 6.4.388.44

PR-URL: #18687
Refs: v8/v8@6.4.388.42...6.4.388.44
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>

deps/v8/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 388
-#define V8_PATCH_LEVEL 42
+#define V8_PATCH_LEVEL 44
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

deps/v8/src/objects-inl.h

@@ -2231,16 +2231,18 @@ int Map::NumberOfOwnDescriptors() const {
 
 
 void Map::SetNumberOfOwnDescriptors(int number) {
-  DCHECK(number <= instance_descriptors()->number_of_descriptors());
+  CHECK_LE(static_cast<unsigned>(number),
+           static_cast<unsigned>(kMaxNumberOfDescriptors));
   set_bit_field3(NumberOfOwnDescriptorsBits::update(bit_field3(), number));
 }
 
 int Map::EnumLength() const { return EnumLengthBits::decode(bit_field3()); }
 
 void Map::SetEnumLength(int length) {
   if (length != kInvalidEnumCacheSentinel) {
-    DCHECK_GE(length, 0);
-    DCHECK(length <= NumberOfOwnDescriptors());
+    DCHECK_LE(length, NumberOfOwnDescriptors());
+    CHECK_LE(static_cast<unsigned>(length),
+             static_cast<unsigned>(kMaxNumberOfDescriptors));
   }
   set_bit_field3(EnumLengthBits::update(bit_field3(), length));
 }
@@ -3002,9 +3004,9 @@ int Map::instance_size() const {
 }
 
 void Map::set_instance_size(int value) {
-  DCHECK_EQ(0, value & (kPointerSize - 1));
+  CHECK_EQ(0, value & (kPointerSize - 1));
   value >>= kPointerSizeLog2;
-  DCHECK(0 <= value && value < 256);
+  CHECK_LT(static_cast<unsigned>(value), 256);
   set_instance_size_in_words(value);
 }
 
@@ -3015,8 +3017,7 @@ int Map::inobject_properties_start_or_constructor_function_index() const {
 
 void Map::set_inobject_properties_start_or_constructor_function_index(
     int value) {
-  DCHECK_LE(0, value);
-  DCHECK_LT(value, 256);
+  CHECK_LT(static_cast<unsigned>(value), 256);
   RELAXED_WRITE_BYTE_FIELD(
       this, kInObjectPropertiesStartOrConstructorFunctionIndexOffset,
       static_cast<byte>(value));
@@ -3028,7 +3029,7 @@ int Map::GetInObjectPropertiesStartInWords() const {
 }
 
 void Map::SetInObjectPropertiesStartInWords(int value) {
-  DCHECK(IsJSObjectMap());
+  CHECK(IsJSObjectMap());
   set_inobject_properties_start_or_constructor_function_index(value);
 }
 
@@ -3044,7 +3045,7 @@ int Map::GetConstructorFunctionIndex() const {
 
 
 void Map::SetConstructorFunctionIndex(int value) {
-  DCHECK(IsPrimitiveMap());
+  CHECK(IsPrimitiveMap());
   set_inobject_properties_start_or_constructor_function_index(value);
 }
 
@@ -3153,8 +3154,7 @@ int Map::used_or_unused_instance_size_in_words() const {
 }
 
 void Map::set_used_or_unused_instance_size_in_words(int value) {
-  DCHECK_LE(0, value);
-  DCHECK_LE(value, 255);
+  CHECK_LE(static_cast<unsigned>(value), 255);
   WRITE_BYTE_FIELD(this, kUsedOrUnusedInstanceSizeInWordsOffset,
                    static_cast<byte>(value));
 }
@@ -3172,12 +3172,12 @@ int Map::UsedInstanceSize() const {
 void Map::SetInObjectUnusedPropertyFields(int value) {
   STATIC_ASSERT(JSObject::kFieldsAdded == JSObject::kHeaderSize / kPointerSize);
   if (!IsJSObjectMap()) {
-    DCHECK_EQ(0, value);
+    CHECK_EQ(0, value);
     set_used_or_unused_instance_size_in_words(0);
     DCHECK_EQ(0, UnusedPropertyFields());
     return;
   }
-  DCHECK_LE(0, value);
+  CHECK_LE(0, value);
   DCHECK_LE(value, GetInObjectProperties());
   int used_inobject_properties = GetInObjectProperties() - value;
   set_used_or_unused_instance_size_in_words(
@@ -3187,8 +3187,7 @@ void Map::SetInObjectUnusedPropertyFields(int value) {
 
 void Map::SetOutOfObjectUnusedPropertyFields(int value) {
   STATIC_ASSERT(JSObject::kFieldsAdded == JSObject::kHeaderSize / kPointerSize);
-  DCHECK_LE(0, value);
-  DCHECK_LT(value, JSObject::kFieldsAdded);
+  CHECK_LT(static_cast<unsigned>(value), JSObject::kFieldsAdded);
   // For out of object properties "used_instance_size_in_words" byte encodes
   // the slack in the property array.
   set_used_or_unused_instance_size_in_words(value);
@@ -3227,8 +3226,8 @@ void Map::AccountAddedOutOfObjectPropertyField(int unused_in_property_array) {
   if (unused_in_property_array < 0) {
     unused_in_property_array += JSObject::kFieldsAdded;
   }
-  DCHECK_GE(unused_in_property_array, 0);
-  DCHECK_LT(unused_in_property_array, JSObject::kFieldsAdded);
+  CHECK_LT(static_cast<unsigned>(unused_in_property_array),
+           JSObject::kFieldsAdded);
   set_used_or_unused_instance_size_in_words(unused_in_property_array);
   DCHECK_EQ(unused_in_property_array, UnusedPropertyFields());
 }
@@ -3358,7 +3357,7 @@ bool Map::should_be_fast_prototype_map() const {
 }
 
 void Map::set_elements_kind(ElementsKind elements_kind) {
-  DCHECK_LT(static_cast<int>(elements_kind), kElementsKindCount);
+  CHECK_LT(static_cast<int>(elements_kind), kElementsKindCount);
   DCHECK_LE(kElementsKindCount, 1 << Map::ElementsKindBits::kSize);
   set_bit_field2(Map::ElementsKindBits::update(bit_field2(), elements_kind));
   DCHECK(this->elements_kind() == elements_kind);
@@ -3700,19 +3699,19 @@ Object* Map::prototype_info() const {
 
 
 void Map::set_prototype_info(Object* value, WriteBarrierMode mode) {
-  DCHECK(is_prototype_map());
+  CHECK(is_prototype_map());
   WRITE_FIELD(this, Map::kTransitionsOrPrototypeInfoOffset, value);
   CONDITIONAL_WRITE_BARRIER(
       GetHeap(), this, Map::kTransitionsOrPrototypeInfoOffset, value, mode);
 }
 
 
 void Map::SetBackPointer(Object* value, WriteBarrierMode mode) {
-  DCHECK(instance_type() >= FIRST_JS_RECEIVER_TYPE);
-  DCHECK(value->IsMap());
-  DCHECK(GetBackPointer()->IsUndefined(GetIsolate()));
-  DCHECK(!value->IsMap() ||
-         Map::cast(value)->GetConstructor() == constructor_or_backpointer());
+  CHECK_GE(instance_type(), FIRST_JS_RECEIVER_TYPE);
+  CHECK(value->IsMap());
+  CHECK(GetBackPointer()->IsUndefined(GetIsolate()));
+  CHECK_IMPLIES(value->IsMap(), Map::cast(value)->GetConstructor() ==
+                                    constructor_or_backpointer());
   set_constructor_or_backpointer(value, mode);
 }
 
@@ -3743,7 +3742,7 @@ FunctionTemplateInfo* Map::GetFunctionTemplateInfo() const {
 
 void Map::SetConstructor(Object* constructor, WriteBarrierMode mode) {
   // Never overwrite a back pointer with a constructor.
-  DCHECK(!constructor_or_backpointer()->IsMap());
+  CHECK(!constructor_or_backpointer()->IsMap());
   set_constructor_or_backpointer(constructor, mode);
 }
 

deps/v8/src/objects.cc

@@ -13014,14 +13014,19 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
                           constructor_initial_map->UnusedPropertyFields();
       int instance_size;
       int in_object_properties;
-      CalculateInstanceSizeForDerivedClass(function, instance_type,
-                                           embedder_fields, &instance_size,
-                                           &in_object_properties);
+      bool success = CalculateInstanceSizeForDerivedClass(
+          function, instance_type, embedder_fields, &instance_size,
+          &in_object_properties);
 
       int unused_property_fields = in_object_properties - pre_allocated;
-      Handle<Map> map =
-          Map::CopyInitialMap(constructor_initial_map, instance_size,
-                              in_object_properties, unused_property_fields);
+
+      Handle<Map> map;
+      if (success) {
+        map = Map::CopyInitialMap(constructor_initial_map, instance_size,
+                                  in_object_properties, unused_property_fields);
+      } else {
+        map = Map::CopyInitialMap(constructor_initial_map);
+      }
       map->set_new_target_is_base(false);
 
       JSFunction::SetInitialMap(function, map, prototype);
@@ -13726,12 +13731,14 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
                           requested_embedder_fields;
 }
 
-void JSFunction::CalculateInstanceSizeForDerivedClass(
+// static
+bool JSFunction::CalculateInstanceSizeForDerivedClass(
     Handle<JSFunction> function, InstanceType instance_type,
     int requested_embedder_fields, int* instance_size,
     int* in_object_properties) {
   Isolate* isolate = function->GetIsolate();
   int expected_nof_properties = 0;
+  bool result = true;
   for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
        !iter.IsAtEnd(); iter.Advance()) {
     Handle<JSReceiver> current =
@@ -13745,6 +13752,11 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
         Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
       DCHECK(shared->is_compiled());
       expected_nof_properties += shared->expected_nof_properties();
+    } else if (!shared->is_compiled()) {
+      // In case there was a compilation error for the constructor we will
+      // throw an error during instantiation. Hence we directly return 0;
+      result = false;
+      break;
     }
     if (!IsDerivedConstructor(shared->kind())) {
       break;
@@ -13753,6 +13765,7 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
   CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
                               expected_nof_properties, instance_size,
                               in_object_properties);
+  return result;
 }
 
 

deps/v8/src/objects.h

@@ -4082,7 +4082,7 @@ class JSFunction: public JSObject {
   DECL_CAST(JSFunction)
 
   // Calculate the instance size and in-object properties count.
-  static void CalculateInstanceSizeForDerivedClass(
+  static bool CalculateInstanceSizeForDerivedClass(
       Handle<JSFunction> function, InstanceType instance_type,
       int requested_embedder_fields, int* instance_size,
       int* in_object_properties);

deps/v8/src/profiler/heap-snapshot-generator.cc

@@ -1113,8 +1113,6 @@ void V8HeapExplorer::ExtractMapReferences(int entry, Map* map) {
                          constructor_or_backpointer,
                          Map::kConstructorOrBackPointerOffset);
   } else {
-    DCHECK(constructor_or_backpointer->IsJSFunction() ||
-           constructor_or_backpointer->IsNull(map->GetIsolate()));
     SetInternalReference(map, entry, "constructor", constructor_or_backpointer,
                          Map::kConstructorOrBackPointerOffset);
   }

deps/v8/test/cctest/test-heap-profiler.cc

@@ -3184,3 +3184,14 @@ TEST(SamplingHeapProfilerSampleDuringDeopt) {
   CHECK(profile);
   heap_profiler->StopSamplingHeapProfiler();
 }
+
+TEST(HeapSnapshotPrototypeNotJSReceiver) {
+  LocalContext env;
+  v8::HandleScope scope(env->GetIsolate());
+  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
+  CompileRun(
+      "function object() {}"
+      "object.prototype = 42;");
+  const v8::HeapSnapshot* snapshot = heap_profiler->TakeHeapSnapshot();
+  CHECK(ValidateSnapshot(snapshot));
+}

deps/v8/test/mjsunit/regress/regress-crbug-806388.js

@@ -0,0 +1,20 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts --expose-gc
+
+class Derived extends Array {
+    constructor(a) {
+      // Syntax Error.
+      const a = 1;
+    }
+}
+
+// Derived is not a subclass of RegExp
+let o = Reflect.construct(RegExp, [], Derived);
+o.lastIndex = 0x1234;
+%HeapObjectVerify(o);
+
+gc();
+%HeapObjectVerify(o);