From 05530e833320e3147bd7789d57ea85d832351a4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 16:28:45 +0200 Subject: [PATCH] deps: V8: cherry-pick e527ba4bf8af MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original commit message: Merged: [interpreter] Store accumulator to callee after optional chain checks Revision: df98901c19ce17ca995ee6750379b0f004210d68 BUG=chromium:1171954 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=​rmcilroy@chromium.org (cherry picked from commit f309db52c2ccab8c9a04fcd236e89deb077061f9) Change-Id: If09e1503ca07b47a112362495ec0bb9d502118c9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2674008 Reviewed-by: Ross McIlroy Cr-Original-Commit-Position: refs/branch-heads/8.9@{#33} Cr-Original-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1} Cr-Original-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2706110 Reviewed-by: Mythri Alle Commit-Queue: Achuith Bhandarkar Cr-Commit-Position: refs/branch-heads/8.6@{#62} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/e527ba4bf8afc62928abd2ad5d2e03f55160181b PR-URL: https://github.com/nodejs/node/pull/38275 Reviewed-By: Matteo Collina Reviewed-By: Jiawen Geng Reviewed-By: Shelley Vohr
---
 common.gypi | 2 +-
 deps/v8/src/interpreter/bytecode-generator.cc | 3 ++-
 .../mjsunit/regress/regress-crbug-1038178.js | 6 +++---
 .../mjsunit/regress/regress-crbug-1171954.js | 19 +++++++++++++++++++
 4 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-1171954.js
diff --git a/common.gypi b/common.gypi
index 414d4ea32ce19b..22ddea26774b22 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.43',
+ 'v8_embedder_string': '-node.44',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/interpreter/bytecode-generator.cc b/deps/v8/src/interpreter/bytecode-generator.cc
index 4a1c045927e733..26ec1600278cdb 100644
--- a/deps/v8/src/interpreter/bytecode-generator.cc
+++ b/deps/v8/src/interpreter/bytecode-generator.cc
@@ -4891,8 +4891,9 @@ void BytecodeGenerator::VisitCall(Call* expr) {
 Property* property = chain->expression()->AsProperty();
 BuildOptionalChain([&]() {
 VisitAndPushIntoRegisterList(property->obj(), &args);
- VisitPropertyLoadForRegister(args.last_register(), property, callee);
+ VisitPropertyLoad(args.last_register(), property);
 });
+ builder()->StoreAccumulatorInRegister(callee);
 break;
 }
 case Call::SUPER_CALL:
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1038178.js b/deps/v8/test/mjsunit/regress/regress-crbug-1038178.js
index 0362f69bcda3ad..3a84066b837d51 100644
--- a/deps/v8/test/mjsunit/regress/regress-crbug-1038178.js
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-1038178.js
@@ -15,7 +15,7 @@ function opt(){
 (((function(){})())?.v)()
 }
 %PrepareFunctionForOptimization(opt)
-assertThrows(opt());
-assertThrows(opt());
+assertThrows(() => opt());
+assertThrows(() => opt());
 %OptimizeFunctionOnNextCall(opt)
-assertThrows(opt());
+assertThrows(() => opt());
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1171954.js b/deps/v8/test/mjsunit/regress/regress-crbug-1171954.js
new file mode 100644
index 00000000000000..94fbb329bc47b4
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-1171954.js
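Review bot: The added `builder()->StoreAccumulatorInRegister(callee);` carries no comment saying why the store now sits outside the BuildOptionalChain lambda, and the removed `VisitPropertyLoadForRegister(..., callee)` form is exactly what a later cleanup would be tempted to restore. The commit message gives the reason (the callee register must be written only after the optional chain's checks have run, tracked as crbug 1171954), so I would pin it at the call site: `// Store the loaded callee only after the optional chain's checks have run; writing it from inside the chain is crbug.com/1171954.` VisitCall begins and ends outside this hunk.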
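Review bot: The rewritten assertions now pass a thunk, which is the right fix, but they still accept any exception; `assertThrows(() => opt(), TypeError)` would pin the expected failure (calling the undefined result of `?.v`), so a regression that throws for an unrelated reason, such as a ReferenceError, no longer keeps the test green. The same applies to the other two rewritten assertThrows lines in this hunk. The body of opt opens on the hunk's context line, so its declaration lies outside the hunk.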
@@ -0,0 +1,19 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-opt
+
+// This causes the register used by the call in the later try-catch block to be
+// used by the ToName conversion for null which causes a DCHECK fail when
+// compiling. If register allocation changes, this test may no longer reproduce
+// the crash but it is not easy write a proper test because it is linked to
+// register allocation. This test should always work, so shouldn't cause any
+// flakes.
+try {
+ var { [null]: __v_12, } = {};
+} catch (e) {}
+
+try {
+ assertEquals((__v_40?.o?.m)().p);
+} catch (e) {}
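Review bot: `__v_40` is not declared anywhere in this file, so `assertEquals((__v_40?.o?.m)().p)` throws a ReferenceError that the enclosing catch swallows and the assertion never runs; the test therefore only exercises bytecode generation of that call, which appears to be the intent, but the header comment should say so rather than leave a reader wondering whether the assert is meant to pass, e.g. `// Both blocks are expected to throw at runtime; the test only needs the code to compile without a DCHECK failure.` The same comment also has a typo in `// the crash but it is not easy write a proper test because it is linked to`, which should read `// the crash but it is not easy to write a proper test because it is linked to`.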