diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index d281773473a019..21d2a6ae9e2655 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 5 #define V8_MINOR_VERSION 1 #define V8_BUILD_NUMBER 281 -#define V8_PATCH_LEVEL 97 +#define V8_PATCH_LEVEL 98 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/ast/ast-value-factory.h b/deps/v8/src/ast/ast-value-factory.h index 8b3f0ed252c7e6..11851535f01d3b 100644 --- a/deps/v8/src/ast/ast-value-factory.h +++ b/deps/v8/src/ast/ast-value-factory.h @@ -257,6 +257,7 @@ class AstValue : public ZoneObject { F(eval, "eval") \ F(function, "function") \ F(get_space, "get ") \ + F(length, "length") \ F(let, "let") \ F(native, "native") \ F(new_target, ".new.target") \ diff --git a/deps/v8/src/parsing/parser.cc b/deps/v8/src/parsing/parser.cc index bbb75de3ea3dab..7f1303cedb3cde 100644 --- a/deps/v8/src/parsing/parser.cc +++ b/deps/v8/src/parsing/parser.cc @@ -5582,16 +5582,35 @@ Expression* Parser::RewriteSpreads(ArrayLiteral* lit) { if (spread == nullptr) { // If the element is not a spread, we're adding a single: // %AppendElement($R, value) - ZoneList* append_element_args = NewExpressionList(2, zone()); - append_element_args->Add(factory()->NewVariableProxy(result), zone()); - append_element_args->Add(value, zone()); - do_block->statements()->Add( - factory()->NewExpressionStatement( - factory()->NewCallRuntime(Runtime::kAppendElement, - append_element_args, + // or, in case of a hole, + // ++($R.length) + if (!value->IsLiteral() || + !value->AsLiteral()->raw_value()->IsTheHole()) { + ZoneList* append_element_args = + NewExpressionList(2, zone()); + append_element_args->Add(factory()->NewVariableProxy(result), zone()); + append_element_args->Add(value, zone()); + do_block->statements()->Add( + factory()->NewExpressionStatement( + factory()->NewCallRuntime(Runtime::kAppendElement, + append_element_args, + RelocInfo::kNoPosition), + RelocInfo::kNoPosition), + zone()); + } else { + Property* length_property = factory()->NewProperty( + factory()->NewVariableProxy(result), + factory()->NewStringLiteral(ast_value_factory()->length_string(), RelocInfo::kNoPosition), - RelocInfo::kNoPosition), - zone()); + RelocInfo::kNoPosition); + CountOperation* count_op = factory()->NewCountOperation( + Token::INC, true /* prefix */, length_property, + RelocInfo::kNoPosition); + do_block->statements()->Add( + factory()->NewExpressionStatement(count_op, + RelocInfo::kNoPosition), + zone()); + } } else { // If it's a spread, we're adding a for/of loop iterating through it. Variable* each = diff --git a/deps/v8/src/runtime/runtime-object.cc b/deps/v8/src/runtime/runtime-object.cc index 5bdb08541f18d5..bc42b7c7fcca8b 100644 --- a/deps/v8/src/runtime/runtime-object.cc +++ b/deps/v8/src/runtime/runtime-object.cc @@ -543,6 +543,7 @@ RUNTIME_FUNCTION(Runtime_AppendElement) { CONVERT_ARG_HANDLE_CHECKED(JSArray, array, 0); CONVERT_ARG_HANDLE_CHECKED(Object, value, 1); + CHECK(!value->IsTheHole()); uint32_t index; CHECK(array->length()->ToArrayIndex(&index)); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-644215.js b/deps/v8/test/mjsunit/regress/regress-crbug-644215.js new file mode 100644 index 00000000000000..c74112542d8af2 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-644215.js @@ -0,0 +1,13 @@ +// Copyright 2016 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +var arr = [...[],,]; +assertTrue(%HasFastHoleyElements(arr)); +assertEquals(1, arr.length); +assertFalse(arr.hasOwnProperty(0)); +assertEquals(undefined, arr[0]); +// Should not crash. +assertThrows(() => arr[0][0], TypeError);