deps: update V8 to 6.1.534.42

Refs: https://github.com/v8/v8/compare/6.1.534.38...6.1.534.42

PR-URL: https://github.com/nodejs/node/pull/15521
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

7 files changed, 73 insertions, 8 deletions

diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 866f9dc826..b2c1e5384e 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 534
-#define V8_PATCH_LEVEL 38
+#define V8_PATCH_LEVEL 42
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/assembler.cc b/deps/v8/src/assembler.cc
index c561050ed6..c24dc28fed 100644
--- a/deps/v8/src/assembler.cc
+++ b/deps/v8/src/assembler.cc
@@ -340,11 +340,7 @@ void RelocInfo::update_wasm_function_table_size_reference(
     Isolate* isolate, uint32_t old_size, uint32_t new_size,
     ICacheFlushMode icache_flush_mode) {
   DCHECK(IsWasmFunctionTableSizeReference(rmode_));
-  uint32_t current_size_reference = wasm_function_table_size_reference();
-  uint32_t updated_size_reference =
-      new_size + (current_size_reference - old_size);
-  unchecked_update_wasm_size(isolate, updated_size_reference,
-                             icache_flush_mode);
+  unchecked_update_wasm_size(isolate, new_size, icache_flush_mode);
 }
 
 void RelocInfo::set_target_address(Isolate* isolate, Address target,
diff --git a/deps/v8/src/compiler/typer.cc b/deps/v8/src/compiler/typer.cc
index 94b6e5a922..64a028015c 100644
--- a/deps/v8/src/compiler/typer.cc
+++ b/deps/v8/src/compiler/typer.cc
@@ -1450,7 +1450,7 @@ Type* Typer::Visitor::JSCallTyper(Type* fun, Typer* t) {
           return Type::String();
         case kStringIndexOf:
         case kStringLastIndexOf:
-          return Type::Range(-1.0, String::kMaxLength - 1.0, t->zone());
+          return Type::Range(-1.0, String::kMaxLength, t->zone());
         case kStringEndsWith:
         case kStringIncludes:
           return Type::Boolean();
diff --git a/deps/v8/src/flag-definitions.h b/deps/v8/src/flag-definitions.h
index 4a5c8aa75b..5b380fb9f0 100644
--- a/deps/v8/src/flag-definitions.h
+++ b/deps/v8/src/flag-definitions.h
@@ -465,7 +465,7 @@ DEFINE_BOOL(turbo_loop_peeling, true, "Turbofan loop peeling")
 DEFINE_BOOL(turbo_loop_variable, true, "Turbofan loop variable optimization")
 DEFINE_BOOL(turbo_cf_optimization, true, "optimize control flow in TurboFan")
 DEFINE_BOOL(turbo_frame_elision, true, "elide frames in TurboFan")
-DEFINE_BOOL(turbo_escape, true, "enable escape analysis")
+DEFINE_BOOL(turbo_escape, false, "enable escape analysis")
 DEFINE_BOOL(turbo_instruction_scheduling, false,
             "enable instruction scheduling in TurboFan")
 DEFINE_BOOL(turbo_stress_instruction_scheduling, false,
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-762874-1.js b/deps/v8/test/mjsunit/regress/regress-crbug-762874-1.js
new file mode 100644
index 0000000000..b82a786159
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-762874-1.js
@@ -0,0 +1,18 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const maxLength = 268435440;
+const s = 'A'.repeat(maxLength);
+
+function foo(s) {
+  let x = s.indexOf("", maxLength);
+  return x === maxLength;
+}
+
+assertTrue(foo(s));
+assertTrue(foo(s));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(foo(s));
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-762874-2.js b/deps/v8/test/mjsunit/regress/regress-crbug-762874-2.js
new file mode 100644
index 0000000000..9a2a3f18eb
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-762874-2.js
@@ -0,0 +1,18 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const maxLength = 268435440;
+const s = 'A'.repeat(maxLength);
+
+function foo(s) {
+  let x = s.lastIndexOf("", maxLength);
+  return x === maxLength;
+}
+
+assertTrue(foo(s));
+assertTrue(foo(s));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(foo(s));
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-752423.js b/deps/v8/test/mjsunit/regress/wasm/regress-752423.js
new file mode 100644
index 0000000000..15ee9a6c34
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/wasm/regress-752423.js
@@ -0,0 +1,33 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+'use strict';
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+var builder = new WasmModuleBuilder();
+builder.addImportedTable("x", "table", 1, 10000000);
+builder.addFunction("main", kSig_i_i)
+  .addBody([
+    kExprI32Const, 0,
+    kExprGetLocal, 0,
+    kExprCallIndirect, 0, kTableZero])
+  .exportAs("main");
+let module = new WebAssembly.Module(builder.toBuffer());
+let table = new WebAssembly.Table({element: "anyfunc",
+  initial: 1, maximum:1000000});
+let instance = new WebAssembly.Instance(module, {x: {table:table}});
+
+table.grow(0x40001);
+
+let instance2 = new WebAssembly.Instance(module, {x: {table:table}});
+
+try {
+  instance2.exports.main(402982); // should be OOB
+} catch (e) {
+  print("Correctly caught: ", e);
+}