nodejs · targos · Mar 25, 2017 · Mar 25, 2017 · Mar 25, 2017
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 281
-#define V8_PATCH_LEVEL 95
+#define V8_PATCH_LEVEL 98
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/deps/v8/src/ast/ast-value-factory.h b/deps/v8/src/ast/ast-value-factory.h
@@ -257,6 +257,7 @@ class AstValue : public ZoneObject {
   F(eval, "eval")                               \
   F(function, "function")                       \
   F(get_space, "get ")                          \
+  F(length, "length")                           \
   F(let, "let")                                 \
   F(native, "native")                           \
   F(new_target, ".new.target")                  \

diff --git a/deps/v8/src/parsing/parser-base.h b/deps/v8/src/parsing/parser-base.h
@@ -1307,8 +1307,11 @@ ParserBase<Traits>::ParsePrimaryExpression(ExpressionClassifier* classifier,
                                           MessageTemplate::kUnexpectedToken,
                                           Token::String(Token::ELLIPSIS));
         classifier->RecordNonSimpleParameter();
-        ExpressionT expr =
-            this->ParseAssignmentExpression(true, classifier, CHECK_OK);
+        ExpressionClassifier binding_classifier(this);
+        ExpressionT expr = this->ParseAssignmentExpression(
+            true, &binding_classifier, CHECK_OK);
+        classifier->Accumulate(&binding_classifier,
+                               ExpressionClassifier::AllProductions);
         if (!this->IsIdentifier(expr) && !IsValidPattern(expr)) {
           classifier->RecordArrowFormalParametersError(
               Scanner::Location(ellipsis_pos, scanner()->location().end_pos),
@@ -1400,11 +1403,14 @@ typename ParserBase<Traits>::ExpressionT ParserBase<Traits>::ParseExpression(
   //   AssignmentExpression
   //   Expression ',' AssignmentExpression
 
-  ExpressionClassifier binding_classifier(this);
-  ExpressionT result =
-      this->ParseAssignmentExpression(accept_IN, &binding_classifier, CHECK_OK);
-  classifier->Accumulate(&binding_classifier,
-                         ExpressionClassifier::AllProductions);
+  ExpressionT result = this->EmptyExpression();
+  {
+    ExpressionClassifier binding_classifier(this);
+    result = this->ParseAssignmentExpression(accept_IN, &binding_classifier,
+                                             CHECK_OK);
+    classifier->Accumulate(&binding_classifier,
+                           ExpressionClassifier::AllProductions);
+  }
   bool is_simple_parameter_list = this->IsIdentifier(result);
   bool seen_rest = false;
   while (peek() == Token::COMMA) {

diff --git a/deps/v8/src/parsing/parser.cc b/deps/v8/src/parsing/parser.cc
@@ -5582,16 +5582,35 @@ Expression* Parser::RewriteSpreads(ArrayLiteral* lit) {
     if (spread == nullptr) {
       // If the element is not a spread, we're adding a single:
       // %AppendElement($R, value)
-      ZoneList<Expression*>* append_element_args = NewExpressionList(2, zone());
-      append_element_args->Add(factory()->NewVariableProxy(result), zone());
-      append_element_args->Add(value, zone());
-      do_block->statements()->Add(
-          factory()->NewExpressionStatement(
-              factory()->NewCallRuntime(Runtime::kAppendElement,
-                                        append_element_args,
+      // or, in case of a hole,
+      // ++($R.length)
+      if (!value->IsLiteral() ||
+          !value->AsLiteral()->raw_value()->IsTheHole()) {
+        ZoneList<Expression*>* append_element_args =
+            NewExpressionList(2, zone());
+        append_element_args->Add(factory()->NewVariableProxy(result), zone());
+        append_element_args->Add(value, zone());
+        do_block->statements()->Add(
+            factory()->NewExpressionStatement(
+                factory()->NewCallRuntime(Runtime::kAppendElement,
+                                          append_element_args,
+                                          RelocInfo::kNoPosition),
+                RelocInfo::kNoPosition),
+            zone());
+      } else {
+        Property* length_property = factory()->NewProperty(
+            factory()->NewVariableProxy(result),
+            factory()->NewStringLiteral(ast_value_factory()->length_string(),
                                         RelocInfo::kNoPosition),
-              RelocInfo::kNoPosition),
-          zone());
+            RelocInfo::kNoPosition);
+        CountOperation* count_op = factory()->NewCountOperation(
+            Token::INC, true /* prefix */, length_property,
+            RelocInfo::kNoPosition);
+        do_block->statements()->Add(
+            factory()->NewExpressionStatement(count_op,
+                                              RelocInfo::kNoPosition),
+            zone());
+      }
     } else {
       // If it's a spread, we're adding a for/of loop iterating through it.
       Variable* each =

diff --git a/deps/v8/src/runtime/runtime-object.cc b/deps/v8/src/runtime/runtime-object.cc
@@ -543,6 +543,7 @@ RUNTIME_FUNCTION(Runtime_AppendElement) {
 
   CONVERT_ARG_HANDLE_CHECKED(JSArray, array, 0);
   CONVERT_ARG_HANDLE_CHECKED(Object, value, 1);
+  CHECK(!value->IsTheHole());
 
   uint32_t index;
   CHECK(array->length()->ToArrayIndex(&index));

diff --git a/deps/v8/test/mjsunit/harmony/regress/regress-crbug-621111.js b/deps/v8/test/mjsunit/harmony/regress/regress-crbug-621111.js
@@ -0,0 +1,6 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(y = 1[1, [...[]]]) => 1;   // will core dump, if not fixed
+(y = 1[1, [...[]]]) => {};  // will core dump, if not fixed
diff --git a/deps/v8/test/mjsunit/harmony/regress/regress-crbug-621496.js b/deps/v8/test/mjsunit/harmony/regress/regress-crbug-621496.js
@@ -0,0 +1,7 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function testIllegalSpreadAsSingleArrowParameter() {
+  assertThrows("(...[42]) => 42)", SyntaxError)  // will core dump, if not fixed
+})();
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-644215.js b/deps/v8/test/mjsunit/regress/regress-crbug-644215.js
@@ -0,0 +1,13 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var arr = [...[],,];
+assertTrue(%HasFastHoleyElements(arr));
+assertEquals(1, arr.length);
+assertFalse(arr.hasOwnProperty(0));
+assertEquals(undefined, arr[0]);
+// Should not crash.
+assertThrows(() => arr[0][0], TypeError);