deps: patch V8 to 7.4.288.18

deps/v8/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 288
-#define V8_PATCH_LEVEL 13
+#define V8_PATCH_LEVEL 18
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

deps/v8/src/builtins/array-map.tq

@@ -127,7 +127,7 @@ namespace array_map {
         for (let i: Smi = 0; i < validLength; i++) {
           typeswitch (this.fixedArray.objects[i]) {
             case (n: Number): {
-              elements.floats[i] = Float64SilenceNaN(Convert<float64>(n));
+              elements.floats[i] = Convert<float64>(n);
             }
             case (h: HeapObject): {
               assert(h == Hole);

deps/v8/src/builtins/base.tq

@@ -1464,8 +1464,6 @@ operator '[]=' macro StoreFixedArrayDirect(a: FixedArray, i: Smi, v: Object) {
 
 extern operator '.instance_type' macro LoadMapInstanceType(Map): int32;
 
-extern macro Float64SilenceNaN(float64): float64;
-
 extern macro GetNumberDictionaryNumberOfElements(NumberDictionary): Smi;
 extern macro GetIteratorMethod(implicit context: Context)(HeapObject): Object
     labels IfIteratorUndefined;

deps/v8/src/code-stub-assembler.cc

@@ -2827,7 +2827,9 @@ void CodeStubAssembler::StoreFixedDoubleArrayElement(
       ElementOffsetFromIndex(index_node, PACKED_DOUBLE_ELEMENTS, parameter_mode,
                              FixedArray::kHeaderSize - kHeapObjectTag);
   MachineRepresentation rep = MachineRepresentation::kFloat64;
-  StoreNoWriteBarrier(rep, object, offset, value);
+  // Make sure we do not store signalling NaNs into double arrays.
+  TNode<Float64T> value_silenced = Float64SilenceNaN(value);
+  StoreNoWriteBarrier(rep, object, offset, value_silenced);
 }
 
 void CodeStubAssembler::StoreFeedbackVectorSlot(Node* object,
@@ -2981,7 +2983,9 @@ void CodeStubAssembler::TryStoreArrayElement(ElementsKind kind,
   } else if (IsDoubleElementsKind(kind)) {
     GotoIfNotNumber(value, bailout);
   }
-  if (IsDoubleElementsKind(kind)) value = ChangeNumberToFloat64(value);
+  if (IsDoubleElementsKind(kind)) {
+    value = ChangeNumberToFloat64(value);
+  }
   StoreElement(elements, kind, index, value, mode);
 }
 
@@ -10236,9 +10240,8 @@ void CodeStubAssembler::StoreElement(Node* elements, ElementsKind kind,
     StoreNoWriteBarrier(rep, elements, offset, value);
     return;
   } else if (IsDoubleElementsKind(kind)) {
-    // Make sure we do not store signalling NaNs into double arrays.
-    TNode<Float64T> value_silenced = Float64SilenceNaN(value);
-    StoreFixedDoubleArrayElement(CAST(elements), index, value_silenced, mode);
+    TNode<Float64T> value_float64 = UncheckedCast<Float64T>(value);
+    StoreFixedDoubleArrayElement(CAST(elements), index, value_float64, mode);
   } else {
     WriteBarrierMode barrier_mode =
         IsSmiElementsKind(kind) ? SKIP_WRITE_BARRIER : UPDATE_WRITE_BARRIER;

deps/v8/src/compiler/node-properties.cc

@@ -412,7 +412,8 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
               mnewtarget.Ref(broker).IsJSFunction()) {
             JSFunctionRef original_constructor =
                 mnewtarget.Ref(broker).AsJSFunction();
-            if (original_constructor.has_initial_map()) {
+            if (original_constructor.map().has_prototype_slot() &&
+                original_constructor.has_initial_map()) {
               original_constructor.Serialize();
               MapRef initial_map = original_constructor.initial_map();
               if (initial_map.GetConstructor().equals(mtarget.Ref(broker))) {

deps/v8/src/compiler/typed-optimization.cc

@@ -727,7 +727,7 @@ Reduction TypedOptimization::ReduceSpeculativeNumberAdd(Node* node) {
     Node* const value =
         graph()->NewNode(simplified()->NumberAdd(), toNum_lhs, toNum_rhs);
     ReplaceWithValue(node, value);
-    return Replace(node);
+    return Replace(value);
   }
   return NoChange();
 }
@@ -796,7 +796,7 @@ Reduction TypedOptimization::ReduceSpeculativeNumberBinop(Node* node) {
         NumberOpFromSpeculativeNumberOp(simplified(), node->op()), toNum_lhs,
         toNum_rhs);
     ReplaceWithValue(node, value);
-    return Replace(node);
+    return Replace(value);
   }
   return NoChange();
 }
@@ -811,7 +811,7 @@ Reduction TypedOptimization::ReduceSpeculativeNumberComparison(Node* node) {
     Node* const value = graph()->NewNode(
         NumberOpFromSpeculativeNumberOp(simplified(), node->op()), lhs, rhs);
     ReplaceWithValue(node, value);
-    return Replace(node);
+    return Replace(value);
   }
   return NoChange();
 }

deps/v8/src/heap/mark-compact.cc

@@ -1645,6 +1645,7 @@ void MarkCompactCollector::ProcessEphemeronsLinear() {
     // is necessary.
 
     work_to_do = !marking_worklist()->IsEmpty() ||
+                 !marking_worklist()->IsEmbedderEmpty() ||
                  !heap()->local_embedder_heap_tracer()->IsRemoteTracingDone();
     CHECK(weak_objects_.discovered_ephemerons.IsEmpty());
   }

deps/v8/src/regexp/regexp-utils.cc

@@ -36,7 +36,7 @@ Handle<String> RegExpUtils::GenericCaptureGetter(
 
 namespace {
 
-V8_INLINE bool HasInitialRegExpMap(Isolate* isolate, Handle<JSReceiver> recv) {
+V8_INLINE bool HasInitialRegExpMap(Isolate* isolate, JSReceiver recv) {
   return recv->map() == isolate->regexp_function()->initial_map();
 }
 
@@ -47,7 +47,7 @@ MaybeHandle<Object> RegExpUtils::SetLastIndex(Isolate* isolate,
                                               uint64_t value) {
   Handle<Object> value_as_object =
       isolate->factory()->NewNumberFromInt64(value);
-  if (HasInitialRegExpMap(isolate, recv)) {
+  if (HasInitialRegExpMap(isolate, *recv)) {
     JSRegExp::cast(*recv)->set_last_index(*value_as_object, SKIP_WRITE_BARRIER);
     return recv;
   } else {
@@ -59,7 +59,7 @@ MaybeHandle<Object> RegExpUtils::SetLastIndex(Isolate* isolate,
 
 MaybeHandle<Object> RegExpUtils::GetLastIndex(Isolate* isolate,
                                               Handle<JSReceiver> recv) {
-  if (HasInitialRegExpMap(isolate, recv)) {
+  if (HasInitialRegExpMap(isolate, *recv)) {
     return handle(JSRegExp::cast(*recv)->last_index(), isolate);
   } else {
     return Object::GetProperty(isolate, recv,
@@ -155,9 +155,7 @@ bool RegExpUtils::IsUnmodifiedRegExp(Isolate* isolate, Handle<Object> obj) {
 
   JSReceiver recv = JSReceiver::cast(*obj);
 
-  // Check the receiver's map.
-  Handle<JSFunction> regexp_function = isolate->regexp_function();
-  if (recv->map() != regexp_function->initial_map()) return false;
+  if (!HasInitialRegExpMap(isolate, recv)) return false;
 
   // Check the receiver's prototype's map.
   Object proto = recv->map()->prototype();

deps/v8/src/runtime/runtime-regexp.cc

@@ -1250,20 +1250,16 @@ static Object SearchRegExpMultiple(Isolate* isolate, Handle<String> subject,
 // doesn't properly call the underlying exec method.
 V8_WARN_UNUSED_RESULT MaybeHandle<String> RegExpReplace(
     Isolate* isolate, Handle<JSRegExp> regexp, Handle<String> string,
-    Handle<Object> replace_obj) {
+    Handle<String> replace) {
   // Functional fast-paths are dispatched directly by replace builtin.
   DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, regexp));
-  DCHECK(!replace_obj->IsCallable());
 
   Factory* factory = isolate->factory();
 
   const int flags = regexp->GetFlags();
   const bool global = (flags & JSRegExp::kGlobal) != 0;
   const bool sticky = (flags & JSRegExp::kSticky) != 0;
 
-  Handle<String> replace;
-  ASSIGN_RETURN_ON_EXCEPTION(isolate, replace,
-                             Object::ToString(isolate, replace_obj), String);
   replace = String::Flatten(isolate, replace);
 
   Handle<RegExpMatchInfo> last_match_info = isolate->regexp_last_match_info();
@@ -1363,18 +1359,23 @@ RUNTIME_FUNCTION(Runtime_RegExpExecMultiple) {
   CONVERT_ARG_HANDLE_CHECKED(String, subject, 1);
   CONVERT_ARG_HANDLE_CHECKED(RegExpMatchInfo, last_match_info, 2);
   CONVERT_ARG_HANDLE_CHECKED(JSArray, result_array, 3);
+
+  DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, regexp));
   CHECK(result_array->HasObjectElements());
 
   subject = String::Flatten(isolate, subject);
   CHECK(regexp->GetFlags() & JSRegExp::kGlobal);
 
+  Object result;
   if (regexp->CaptureCount() == 0) {
-    return SearchRegExpMultiple<false>(isolate, subject, regexp,
-                                       last_match_info, result_array);
+    result = SearchRegExpMultiple<false>(isolate, subject, regexp,
+                                         last_match_info, result_array);
   } else {
-    return SearchRegExpMultiple<true>(isolate, subject, regexp, last_match_info,
-                                      result_array);
+    result = SearchRegExpMultiple<true>(isolate, subject, regexp,
+                                        last_match_info, result_array);
   }
+  DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, regexp));
+  return result;
 }
 
 RUNTIME_FUNCTION(Runtime_StringReplaceNonGlobalRegExpWithFunction) {
@@ -1691,24 +1692,27 @@ RUNTIME_FUNCTION(Runtime_RegExpReplace) {
 
   const bool functional_replace = replace_obj->IsCallable();
 
+  Handle<String> replace;
+  if (!functional_replace) {
+    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, replace,
+                                       Object::ToString(isolate, replace_obj));
+  }
+
   // Fast-path for unmodified JSRegExps (and non-functional replace).
   if (RegExpUtils::IsUnmodifiedRegExp(isolate, recv)) {
     // We should never get here with functional replace because unmodified
     // regexp and functional replace should be fully handled in CSA code.
     CHECK(!functional_replace);
-    RETURN_RESULT_OR_FAILURE(
-        isolate, RegExpReplace(isolate, Handle<JSRegExp>::cast(recv), string,
-                               replace_obj));
+    Handle<Object> result;
+    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+        isolate, result,
+        RegExpReplace(isolate, Handle<JSRegExp>::cast(recv), string, replace));
+    DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, recv));
+    return *result;
   }
 
   const uint32_t length = string->length();
 
-  Handle<String> replace;
-  if (!functional_replace) {
-    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, replace,
-                                       Object::ToString(isolate, replace_obj));
-  }
-
   Handle<Object> global_obj;
   ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
       isolate, global_obj,

deps/v8/test/mjsunit/compiler/regress-939316.js

@@ -0,0 +1,19 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(arg) {
+  const o = Reflect.construct(Object, arguments, Proxy);
+  o.foo = arg;
+}
+
+function g(i) {
+  f(i);
+}
+
+g(0);
+g(1);
+%OptimizeFunctionOnNextCall(g);
+g(2);

deps/v8/test/mjsunit/compiler/regress-945644.js

@@ -0,0 +1,23 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(v5,v6) {
+  const v16 = [1337,1337,-765470.5051836492];
+  let v19 = 0;
+  do {
+    const v20 = v19 + 1;
+    const v22 = Math.fround(v20);
+    v19 = v22;
+    const v23 = [v20, v22];
+    function v24() { v20; v22; }
+    const v33 = v16.indexOf(v19);
+  } while (v19 < 6);
+}
+
+f();
+Array.prototype.push(8);
+%OptimizeFunctionOnNextCall(f);
+f();

deps/v8/test/mjsunit/regress/regress-crbug-944435.js

@@ -0,0 +1,38 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --verify-heap --expose-gc
+
+function foo(  )  {
+  return [
+  0,
+  1,
+  2,
+  3,
+  4,
+  5,
+  6,
+  7,
+  8,
+  9,
+  10,
+  0x1000000,
+  0x40000000,
+  12,
+  60,
+  100,
+  1000 * 60 * 60 * 24].map(Math.asin);
+}
+
+let b = [];
+b.constructor = {};
+b.constructor[Symbol.species] = function() {};
+
+let a = [];
+for (let i = 0; i < 10; i++) {
+  a.push(foo());
+  gc();
+  gc();
+  gc();
+}

deps/v8/test/mjsunit/regress/regress-crbug-944971.js

@@ -0,0 +1,19 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let re = /x/y;
+let cnt = 0;
+let str = re[Symbol.replace]("x", {
+  toString: () => {
+    cnt++;
+    if (cnt == 2) {
+      re.lastIndex = {valueOf: () => {
+        re.x = 42;
+        return 0;
+      }};
+    }
+    return 'y$';
+  }
+});
+assertEquals("y$", str);

deps/v8/third_party/v8/builtins/array-sort.tq

@@ -275,8 +275,7 @@ namespace array {
     const object = UnsafeCast<JSObject>(sortState.receiver);
     const elements = UnsafeCast<FixedDoubleArray>(object.elements);
     const heapVal = UnsafeCast<HeapNumber>(value);
-    // Make sure we do not store signalling NaNs into double arrays.
-    const val = Float64SilenceNaN(Convert<float64>(heapVal));
+    const val = Convert<float64>(heapVal);
     StoreFixedDoubleArrayElementSmi(elements, index, val);
     return kSuccess;
   }