deps: V8: cherry-pick e527ba4bf8af

targos · targos · commit 05530e833320 · 2021-04-30T12:54:03.000+02:00
Original commit message: Merged: [interpreter] Store accumulator to callee after optional chain checks Revision: df98901c19ce17ca995ee6750379b0f004210d68 BUG=chromium:1171954 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=​rmcilroy@chromium.org (cherry picked from commit f309db52c2ccab8c9a04fcd236e89deb077061f9) Change-Id: If09e1503ca07b47a112362495ec0bb9d502118c9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2674008 Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Original-Commit-Position: refs/branch-heads/8.9@{#33} Cr-Original-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1} Cr-Original-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2706110 Reviewed-by: Mythri Alle <mythria@chromium.org> Commit-Queue: Achuith Bhandarkar <achuith@chromium.org> Cr-Commit-Position: refs/branch-heads/8.6@{#62} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: v8/v8@e527ba4 PR-URL: #38275 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Shelley Vohr <codebytere@gmail.com>
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.43',
+    'v8_embedder_string': '-node.44',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/interpreter/bytecode-generator.cc b/deps/v8/src/interpreter/bytecode-generator.cc
@@ -4891,8 +4891,9 @@ void BytecodeGenerator::VisitCall(Call* expr) {
       Property* property = chain->expression()->AsProperty();
       BuildOptionalChain([&]() {
         VisitAndPushIntoRegisterList(property->obj(), &args);
-        VisitPropertyLoadForRegister(args.last_register(), property, callee);
+        VisitPropertyLoad(args.last_register(), property);
       });
+      builder()->StoreAccumulatorInRegister(callee);
       break;
     }
     case Call::SUPER_CALL:
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1038178.js b/deps/v8/test/mjsunit/regress/regress-crbug-1038178.js
@@ -15,7 +15,7 @@ function opt(){
     (((function(){})())?.v)()
 }
 %PrepareFunctionForOptimization(opt)
-assertThrows(opt());
-assertThrows(opt());
+assertThrows(() => opt());
+assertThrows(() => opt());
 %OptimizeFunctionOnNextCall(opt)
-assertThrows(opt());
+assertThrows(() => opt());
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1171954.js b/deps/v8/test/mjsunit/regress/regress-crbug-1171954.js
@@ -0,0 +1,19 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-opt
+
+// This causes the register used by the call in the later try-catch block to be
+// used by the ToName conversion for null which causes a DCHECK fail when
+// compiling. If register allocation changes, this test may no longer reproduce
+// the crash but it is not easy write a proper test because it is linked to
+// register allocation. This test should always work, so shouldn't cause any
+// flakes.
+try {
+  var { [null]: __v_12, } = {};
+} catch (e) {}
+
+try {
+  assertEquals((__v_40?.o?.m)().p);
+} catch (e) {}
