diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index fa65ee2ccc50be..1f314518f5e1b3 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 6 #define V8_MINOR_VERSION 2 #define V8_BUILD_NUMBER 414 -#define V8_PATCH_LEVEL 58 +#define V8_PATCH_LEVEL 59 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc index b2b23c1f68f216..25bf0650245626 100644 --- a/deps/v8/src/objects.cc +++ b/deps/v8/src/objects.cc @@ -13056,14 +13056,19 @@ MaybeHandle JSFunction::GetDerivedMap(Isolate* isolate, constructor_initial_map->unused_property_fields(); int instance_size; int in_object_properties; - CalculateInstanceSizeForDerivedClass(function, instance_type, - embedder_fields, &instance_size, - &in_object_properties); + bool success = CalculateInstanceSizeForDerivedClass( + function, instance_type, embedder_fields, &instance_size, + &in_object_properties); int unused_property_fields = in_object_properties - pre_allocated; - Handle map = - Map::CopyInitialMap(constructor_initial_map, instance_size, - in_object_properties, unused_property_fields); + + Handle map; + if (success) { + map = Map::CopyInitialMap(constructor_initial_map, instance_size, + in_object_properties, unused_property_fields); + } else { + map = Map::CopyInitialMap(constructor_initial_map); + } map->set_new_target_is_base(false); JSFunction::SetInitialMap(function, map, prototype); @@ -13789,12 +13794,14 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type, requested_embedder_fields; } -void JSFunction::CalculateInstanceSizeForDerivedClass( +// static +bool JSFunction::CalculateInstanceSizeForDerivedClass( Handle function, InstanceType instance_type, int requested_embedder_fields, int* instance_size, int* in_object_properties) { Isolate* isolate = function->GetIsolate(); int expected_nof_properties = 0; + bool result = true; for (PrototypeIterator iter(isolate, function, kStartAtReceiver); !iter.IsAtEnd(); iter.Advance()) { Handle current = @@ -13808,6 +13815,11 @@ void JSFunction::CalculateInstanceSizeForDerivedClass( Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) { DCHECK(shared->is_compiled()); expected_nof_properties += shared->expected_nof_properties(); + } else if (!shared->is_compiled()) { + // In case there was a compilation error for the constructor we will + // throw an error during instantiation. Hence we directly return 0; + result = false; + break; } if (!IsDerivedConstructor(shared->kind())) { break; @@ -13816,6 +13828,7 @@ void JSFunction::CalculateInstanceSizeForDerivedClass( CalculateInstanceSizeHelper(instance_type, requested_embedder_fields, expected_nof_properties, instance_size, in_object_properties); + return result; } diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h index 00a8d0da02220e..fa11d4d39fc3fb 100644 --- a/deps/v8/src/objects.h +++ b/deps/v8/src/objects.h @@ -5003,7 +5003,7 @@ class JSFunction: public JSObject { DECL_CAST(JSFunction) // Calculate the instance size and in-object properties count. - static void CalculateInstanceSizeForDerivedClass( + static bool CalculateInstanceSizeForDerivedClass( Handle function, InstanceType instance_type, int requested_embedder_fields, int* instance_size, int* in_object_properties); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-806388.js b/deps/v8/test/mjsunit/regress/regress-crbug-806388.js new file mode 100644 index 00000000000000..b55b50107ec977 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-806388.js @@ -0,0 +1,20 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --enable-slow-asserts --expose-gc + +class Derived extends Array { + constructor(a) { + // Syntax Error. + const a = 1; + } +} + +// Derived is not a subclass of RegExp +let o = Reflect.construct(RegExp, [], Derived); +o.lastIndex = 0x1234; +%HeapObjectVerify(o); + +gc(); +%HeapObjectVerify(o);