From 9aeffab45273575168e2f40f26900a7150bb3f30 Mon Sep 17 00:00:00 2001
From: Ali Ijaz Sheikh
Date: Tue, 12 Jun 2018 13:16:13 -0700
Subject: [PATCH] deps: V8: cherry-pick 8361fa58 from upstream

Original commit message:

[runtime] Fix derived class instantiation

Bug: chromium:806388
Change-Id: Ieb343f0d532c16b6102e85222b77713f23bacf8c
Reviewed-on: https://chromium-review.googlesource.com/894942
Reviewed-by: Igor Sheludko
Commit-Queue: Camillo Bruni
Cr-Commit-Position: refs/heads/master@{#50990}

PR-URL: https://github.com/nodejs/node/pull/21294
Reviewed-By: Myles Borins
---
 deps/v8/include/v8-version.h | 2 +-
 deps/v8/src/objects.cc | 27 ++++++++++++++-----
 deps/v8/src/objects.h | 2 +-
 .../mjsunit/regress/regress-crbug-806388.js | 20 ++++++++++++++
 4 files changed, 42 insertions(+), 9 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-806388.js

diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index fa65ee2ccc50be..1f314518f5e1b3 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 414
-#define V8_PATCH_LEVEL 58
+#define V8_PATCH_LEVEL 59
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc
index b2b23c1f68f216..25bf0650245626 100644
--- a/deps/v8/src/objects.cc
+++ b/deps/v8/src/objects.cc
@@ -13056,14 +13056,19 @@ MaybeHandle JSFunction::GetDerivedMap(Isolate* isolate,
 constructor_initial_map->unused_property_fields();
 int instance_size;
 int in_object_properties;
- CalculateInstanceSizeForDerivedClass(function, instance_type,
- embedder_fields, &instance_size,
- &in_object_properties);
+ bool success = CalculateInstanceSizeForDerivedClass(
+ function, instance_type, embedder_fields, &instance_size,
+ &in_object_properties);
 int unused_property_fields = in_object_properties - pre_allocated;
+
+ Handle map;
+ if (success) {
+ map = Map::CopyInitialMap(constructor_initial_map, instance_size,
+ in_object_properties, unused_property_fields);
+ } else {
+ map = Map::CopyInitialMap(constructor_initial_map);
+ }
 map->set_new_target_is_base(false);
 JSFunction::SetInitialMap(function, map, prototype);
@@ -13789,12 +13794,14 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
 requested_embedder_fields;
 }
-void JSFunction::CalculateInstanceSizeForDerivedClass(
+// static
+bool JSFunction::CalculateInstanceSizeForDerivedClass(
 Handle function, InstanceType instance_type, int requested_embedder_fields, int* instance_size, int* in_object_properties) {
 Isolate* isolate = function->GetIsolate();
 int expected_nof_properties = 0;
+ bool result = true;
 for (PrototypeIterator iter(isolate, function, kStartAtReceiver); !iter.IsAtEnd(); iter.Advance()) {
 Handle current =
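Review bot: The new `else` branch that falls back to `Map::CopyInitialMap(constructor_initial_map)` has no comment, so a reader cannot tell why discarding the computed `instance_size` and `in_object_properties` is correct there; I would add `// The prototype walk hit an uncompiled constructor, so the computed sizes are` `// incomplete; reuse the base class' initial map instead of a map built from them.` Note also that `int unused_property_fields = in_object_properties - pre_allocated;` is only consumed inside `if (success)`, so moving it into that branch would make explicit that the out-params are not trusted on failure. GetDerivedMap begins above this hunk, and the exact layout invariant the fallback preserves is only inferable from the regression test, not from the lines shown here.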
@@ -13808,6 +13815,11 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
 Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
 DCHECK(shared->is_compiled());
 expected_nof_properties += shared->expected_nof_properties();
+ } else if (!shared->is_compiled()) {
+ // In case there was a compilation error for the constructor we will
+ // throw an error during instantiation. Hence we directly return 0;
+ result = false;
+ break;
 }
 if (!IsDerivedConstructor(shared->kind())) {
 break;
@@ -13816,6 +13828,7 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
 CalculateInstanceSizeHelper(instance_type, requested_embedder_fields, expected_nof_properties, instance_size, in_object_properties);
+ return result;
 }
diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h
index 00a8d0da02220e..fa11d4d39fc3fb 100644
--- a/deps/v8/src/objects.h
+++ b/deps/v8/src/objects.h
@@ -5003,7 +5003,7 @@ class JSFunction: public JSObject {
 DECL_CAST(JSFunction)
 // Calculate the instance size and in-object properties count.
- static void CalculateInstanceSizeForDerivedClass(
+ static bool CalculateInstanceSizeForDerivedClass(
 Handle function, InstanceType instance_type, int requested_embedder_fields, int* instance_size, int* in_object_properties);
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-806388.js b/deps/v8/test/mjsunit/regress/regress-crbug-806388.js
new file mode 100644
index 00000000000000..b55b50107ec977
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-806388.js
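Review bot: The new comment in the `else if (!shared->is_compiled())` branch ends with `Hence we directly return 0;`, but the code sets `result = false` and `break`s out of the loop, after which CalculateInstanceSizeHelper still runs and writes both out-params before `return result;` in the following hunk, so the comment describes behaviour that does not exist. Its other claim, that an error is thrown during instantiation, also does not hold for the case the added regression test exercises, where `Reflect.construct(RegExp, [], Derived)` allocates with the derived map without ever running Derived's constructor. I would replace the two comment lines with `// The constructor did not compile, so the walk cannot account for its` `// properties; report failure and let the caller fall back to the base map.` The `if` condition that this branch extends starts above the hunk.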
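Review bot: The declaration's comment `// Calculate the instance size and in-object properties count.` is unchanged although the return type became `bool`, so callers have no statement of what `false` means or whether the out-params are valid then. I would append `// Returns false if a constructor on the prototype chain is not compiled; the` `// out-params are still written from the partial walk in that case.` That matches the definition in objects.cc, which breaks out of the loop on that condition and calls CalculateInstanceSizeHelper unconditionally before returning.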
@@ -0,0 +1,20 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts --expose-gc
+
+class Derived extends Array {
+ constructor(a) {
+ // Syntax Error.
+ const a = 1;
+ }
+}
+
+// Derived is not a subclass of RegExp
+let o = Reflect.construct(RegExp, [], Derived);
+o.lastIndex = 0x1234;
+%HeapObjectVerify(o);
+
+gc();
+%HeapObjectVerify(o);
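Review bot: The test only covers the path where Derived's broken constructor is used as new.target and never invoked, so nothing here pins the claim in objects.cc that instantiation throws when that constructor itself runs; a one-liner `assertThrows(() => new Derived(), SyntaxError);` after the class would do that. The comment `// Syntax Error.` could also name the cause, e.g. `// SyntaxError: 'a' is both a parameter and a const binding, so lazy compilation fails.` so the reader sees why the constructor stays uncompiled. The `lastIndex` write followed by `%HeapObjectVerify` before and after `gc()` suggests the original defect was an object whose map disagreed with its allocated size; a one-line comment above `let o` stating that intent would keep the regression meaningful if the surrounding code is refactored.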