From fed8242eff286b2d56cb912fb7bc14002f7860c7 Mon Sep 17 00:00:00 2001
From: Myles Borins
Date: Fri, 13 Apr 2018 00:39:44 -0400
Subject: [PATCH] deps: patch V8 to 6.6.346.24
Refs: https://github.com/v8/v8/compare/6.6.346.23...6.6.346.24
---
 deps/v8/include/v8-version.h | 2 +-
 deps/v8/src/compiler/js-call-reducer.cc | 2 +-
 .../test/mjsunit/regress/regress-crbug-825045.js | 14 ++++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-825045.js
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index da78020d07515c..68d0a359292bd7 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 346
-#define V8_PATCH_LEVEL 23
+#define V8_PATCH_LEVEL 24
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/compiler/js-call-reducer.cc b/deps/v8/src/compiler/js-call-reducer.cc
index 12fb14c6fc831c..f229cdefedf30e 100644
--- a/deps/v8/src/compiler/js-call-reducer.cc
+++ b/deps/v8/src/compiler/js-call-reducer.cc
@@ -419,7 +419,7 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
 // runtime otherwise.
 Handle descriptors(receiver_map->instance_descriptors(), isolate());
- if (descriptors->length() < 2) return NoChange();
+ if (descriptors->number_of_descriptors() < 2) return NoChange();
 if (descriptors->GetKey(JSFunction::kLengthDescriptorIndex) != isolate()->heap()->length_string()) { return NoChange();
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-825045.js b/deps/v8/test/mjsunit/regress/regress-crbug-825045.js
new file mode 100644
index 00000000000000..34af20897a0d86
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-825045.js
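Review bot: In the `deps/v8/src/compiler/js-call-reducer.cc` hunk, the guard in front of `descriptors->GetKey(JSFunction::kLengthDescriptorIndex)` is a bare `2` with no comment tying it to the fixed descriptor indices it protects, so the reason it must count descriptors (and not use `length()`, which this patch removes) is easy to lose in a later refactor. I would add a comment above the check such as `// Bounds check for the fixed-index descriptor reads below: compare the descriptor count, not length().` The new regression test suggests the receiver map can have fewer own descriptors than this fast path expects once a property is deleted, so this check is presumably what keeps the indexed reads in range. `ReduceFunctionPrototypeBind` starts and ends outside the hunk, so any further fixed-index reads after `kLengthDescriptorIndex` are not visible here and should be confirmed to fall under the same bound.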
@@ -0,0 +1,14 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const obj = new class A extends (async function (){}.constructor) {};
+delete obj.name;
+Number.prototype.__proto__ = obj;
+function foo() { return obj.bind(); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();