authorMyles Borins <mylesborins@google.com>2017-12-19 20:45:44 -0500
committerMyles Borins <mylesborins@google.com>2017-12-22 11:20:48 -0500
commitb5d415311bc98d9d7c3f0bb0a22250899e33ac77 (patch)
tree54c98d38da85520c04e6de49cbcbda65da8456bd /deps
parent1a396bbd6b60297bc6132a63ca69743ae1e37850 (diff)
downloadandroid-node-v8-b5d415311bc98d9d7c3f0bb0a22250899e33ac77.tar.gz
android-node-v8-b5d415311bc98d9d7c3f0bb0a22250899e33ac77.tar.bz2
android-node-v8-b5d415311bc98d9d7c3f0bb0a22250899e33ac77.zip
deps: patch V8 to 6.3.292.48
Refs: https://github.com/v8/v8/compare/6.3.292.46...6.3.292.48 PR-URL: https://github.com/nodejs/node/pull/17773 Reviewed-By: Michaël Zasso <targos@protonmail.com>
Diffstat (limited to 'deps')
-rw-r--r--deps/v8/include/v8-version.h2
-rw-r--r--deps/v8/src/builtins/builtins-typedarray-gen.cc10
-rw-r--r--deps/v8/src/debug/debug-coverage.cc3
-rw-r--r--deps/v8/test/mjsunit/regress/regress-786784.js34
4 files changed, 40 insertions, 9 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 46bb92f650..86c50fd4f5 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 6
#define V8_MINOR_VERSION 3
#define V8_BUILD_NUMBER 292
-#define V8_PATCH_LEVEL 46
+#define V8_PATCH_LEVEL 48
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/builtins/builtins-typedarray-gen.cc b/deps/v8/src/builtins/builtins-typedarray-gen.cc
index 07f122b909..86ec0e7bd9 100644
--- a/deps/v8/src/builtins/builtins-typedarray-gen.cc
+++ b/deps/v8/src/builtins/builtins-typedarray-gen.cc
@@ -799,7 +799,7 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
// means we're safe from overflows in the following multiplication.
TNode<IntPtrT> source_byte_length = IntPtrMul(source_length, source_el_size);
CSA_ASSERT(this,
- IntPtrGreaterThanOrEqual(source_byte_length, IntPtrConstant(0)));
+ UintPtrGreaterThanOrEqual(source_byte_length, IntPtrConstant(0)));
Label call_memmove(this), fast_c_call(this), out(this);
Branch(Word32Equal(source_el_kind, target_el_kind), &call_memmove,
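Review bot: `UintPtrGreaterThanOrEqual(source_byte_length, IntPtrConstant(0))` is unconditionally true for an unsigned comparison, so the CSA_ASSERT on the new line no longer checks anything; the same applies to the target_byte_length assertion in the following hunk. The comment above it still says the multiplication is safe from overflow, so the assert reads as if it were verifying that. Either compare against a bound that can actually fail (an upper limit on the byte length, if one is available in scope), or drop the assertion and leave only the comment explaining why the product cannot wrap, e.g. `// Lengths are bounded above, so length * element size cannot overflow;` `// no runtime assertion is possible here without an unsigned upper bound.` SetTypedArraySource's body continues outside the hunk.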
@@ -821,8 +821,8 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
TNode<IntPtrT> target_byte_length =
IntPtrMul(target_length, target_el_size);
- CSA_ASSERT(this,
- IntPtrGreaterThanOrEqual(target_byte_length, IntPtrConstant(0)));
+ CSA_ASSERT(
+ this, UintPtrGreaterThanOrEqual(target_byte_length, IntPtrConstant(0)));
TNode<IntPtrT> target_data_end_ptr =
IntPtrAdd(target_data_ptr, target_byte_length);
@@ -830,8 +830,8 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
IntPtrAdd(source_data_ptr, source_byte_length);
GotoIfNot(
- Word32Or(IntPtrLessThanOrEqual(target_data_end_ptr, source_data_ptr),
- IntPtrLessThanOrEqual(source_data_end_ptr, target_data_ptr)),
+ Word32Or(UintPtrLessThanOrEqual(target_data_end_ptr, source_data_ptr),
+ UintPtrLessThanOrEqual(source_data_end_ptr, target_data_ptr)),
call_runtime);
TNode<IntPtrT> source_length =
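Review bot: The overlap test now compares data pointers as unsigned, which is the right choice when a buffer lives above the signed IntPtr range, but it is only sound if the end pointers computed by `IntPtrAdd` here and in the previous hunk do not wrap past the end of the address space. The byte lengths are presumably bounded by the typed-array length checks earlier in the function, so this looks fine, but nothing at this site says so. A one-line comment would make the reasoning visible to the next reader: `// Unsigned compare: buffers may be above the signed range; end pointers cannot wrap because byte lengths are bounded.` The enclosing function continues outside the hunk.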
diff --git a/deps/v8/src/debug/debug-coverage.cc b/deps/v8/src/debug/debug-coverage.cc
index 8fe2edc08a..8b87286d29 100644
--- a/deps/v8/src/debug/debug-coverage.cc
+++ b/deps/v8/src/debug/debug-coverage.cc
@@ -544,9 +544,6 @@ void Coverage::SelectMode(Isolate* isolate, debug::Coverage::Mode mode) {
if (!shared->IsSubjectToDebugging()) continue;
vector->clear_invocation_count();
vectors.emplace_back(vector, isolate);
- } else if (current_obj->IsJSFunction()) {
- JSFunction* function = JSFunction::cast(current_obj);
- function->set_code(function->shared()->code());
}
}
}
diff --git a/deps/v8/test/mjsunit/regress/regress-786784.js b/deps/v8/test/mjsunit/regress/regress-786784.js
new file mode 100644
index 0000000000..fb0f3a95b3
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-786784.js
@@ -0,0 +1,34 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+ function g(arg) { return arg; }
+ // The closure contains a call IC slot.
+ return function() { return g(42); };
+}
+
+const a = Realm.create();
+const b = Realm.create();
+
+// Create two closures in different contexts sharing the same
+// SharedFunctionInfo (shared due to code caching).
+const x = Realm.eval(a, f.toString() + " f()");
+const y = Realm.eval(b, f.toString() + " f()");
+
+// Run the first closure to create SFI::code.
+x();
+
+// At this point, SFI::code is set and `x` has a feedback vector (`y` does not).
+
+// Enabling block code coverage deoptimizes all functions and triggers the
+// buggy code path in which we'd unconditionally replace JSFunction::code with
+// its SFI::code (but skip feedback vector setup).
+%DebugToggleBlockCoverage(true);
+
+// Still no feedback vector set on `y` but it now contains code. Run it to
+// trigger the crash when attempting to write into the non-existent feedback
+// vector.
+y();