From 50e60e979c946bd37f2763c313a454065c3a8c9d Mon Sep 17 00:00:00 2001 From: Yang Guo Date: Thu, 27 Apr 2017 14:10:44 +0200 Subject: [PATCH] deps: backport dd310b4341 from upstream V8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original commit message: [crankshaft] Fix string addition to check for max length of cons string. BUG=chromium:678917 Review-Url: https://codereview.chromium.org/2653623002 Cr-Commit-Position: refs/heads/master@{#42621} PR-URL: https://github.com/nodejs/node/pull/12696 Fixes: https://github.com/nodejs/node/issues/12573 Reviewed-By: Ben Noordhuis Reviewed-By: Michaƫl Zasso --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/crankshaft/hydrogen.cc | 3 +++ .../v8/test/mjsunit/regress/regress-678917.js | 24 +++++++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 deps/v8/test/mjsunit/regress/regress-678917.js
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index efe00822dc..59b217daf3 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 5
 #define V8_BUILD_NUMBER 372
-#define V8_PATCH_LEVEL 44
+#define V8_PATCH_LEVEL 45
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/crankshaft/hydrogen.cc b/deps/v8/src/crankshaft/hydrogen.cc
index 8d7b4797c5..3359748d17 100644
--- a/deps/v8/src/crankshaft/hydrogen.cc
+++ b/deps/v8/src/crankshaft/hydrogen.cc
@@ -2541,6 +2541,9 @@ HValue* HGraphBuilder::BuildUncheckedStringAdd(
 IfBuilder if_createcons(this);
 if_createcons.If(
 length, Add(ConsString::kMinLength), Token::GTE);
+ if_createcons.And();
+ if_createcons.If(
+ length, Add(ConsString::kMaxLength), Token::LTE);
 if_createcons.Then();
 {
 // Create a cons string.
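Review bot: The new upper bound in `BuildUncheckedStringAdd` sends any `length` above `ConsString::kMaxLength` to whatever follows the `if_createcons.Then()` block, and that branch is outside this hunk (the function also starts above it), so the patch alone does not show that an over-long result is rejected rather than built by another path. It would be worth confirming that the remaining branch, or the caller that computes `length`, checks the combined length before any allocation is sized from it. The added condition also carries no comment; something like `// Only create a cons string if the combined length also fits ConsString::kMaxLength (chromium:678917).` above `if_createcons.And();` would record why both bounds are needed.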
diff --git a/deps/v8/test/mjsunit/regress/regress-678917.js b/deps/v8/test/mjsunit/regress/regress-678917.js
new file mode 100644
index 0000000000..accb515623
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-678917.js
@@ -0,0 +1,24 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+s1 = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
+s1 += s1;
+s1 += s1;
+s1 += s1;
+s1 += s1;
+
+s0 = 'a';
+
+function g() {
+ for (var j = 0; j < 1000000; j++) {
+ s0 += s1;
+ }
+}
+
+try {
+ g();
+} catch (e) {
+}
+
+assertEquals('x', s0[10]);
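Review bot: The empty `catch (e) {}` around `g()` accepts any exception, so this test still passes if the loop fails for a reason unrelated to the string-length limit. Assuming the intended outcome is the engine's invalid-string-length error, the handler could pin it with `assertTrue(e instanceof RangeError);`. A one-line comment above `g()` saying that the loop is meant to grow `s0` past the maximum string length inside optimized code would also help, since nothing in the file states what is being regressed.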