From b0d1a060e2ab49b177b8e1bc0e754811a30e400d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Sat, 17 Apr 2021 16:28:41 +0200
Subject: [PATCH] deps: V8: cherry-pick abb4d0a431c0
Original commit message:
Merged: [turbofan] Fix bug in inlining
Revision: 219b28bfe2ea76de63f034eb75b67e8ded339d94
BUG=chromium:1127319
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=tebbi@chromium.org
Change-Id: I98e77bac81e2cf822a4a4987115e0cf01b1dbc52
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2416383
Reviewed-by: Tobias Tebbi
Commit-Queue: Georg Neis
Cr-Commit-Position: refs/branch-heads/8.6@{#12}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Refs: https://github.com/v8/v8/commit/abb4d0a431c0d3fb1f67eaf04c3a8bf1925f9b28
PR-URL: https://github.com/nodejs/node/pull/38275
Reviewed-By: Matteo Collina
Reviewed-By: Jiawen Geng
Reviewed-By: Shelley Vohr
---
 common.gypi | 2 +-
 deps/v8/src/compiler/js-inlining-heuristic.cc | 7 ++--
 .../test/mjsunit/compiler/regress-1127319.js | 40 +++++++++++++++++++
 3 files changed, 44 insertions(+), 5 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/compiler/regress-1127319.js
diff --git a/common.gypi b/common.gypi
index 8cf35e1ac1c71b..6281ebc6fca5e6 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.31',
+ 'v8_embedder_string': '-node.32',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/compiler/js-inlining-heuristic.cc b/deps/v8/src/compiler/js-inlining-heuristic.cc
index 1c2bf5bc0eafe6..aef85c5b48897d 100644
--- a/deps/v8/src/compiler/js-inlining-heuristic.cc
+++ b/deps/v8/src/compiler/js-inlining-heuristic.cc
@@ -259,10 +259,9 @@ void JSInliningHeuristic::Finalize() {
 Candidate candidate = *i;
 candidates_.erase(i);
- // Make sure we don't try to inline dead candidate nodes.
- if (candidate.node->IsDead()) {
- continue;
- }
+ // Ignore this candidate if it's no longer valid.
+ if (!IrOpcode::IsInlineeOpcode(candidate.node->opcode())) continue;
+ if (candidate.node->IsDead()) continue;
 // Make sure we have some extra budget left, so that any small functions
 // exposed by this function would be given a chance to inline.
diff --git a/deps/v8/test/mjsunit/compiler/regress-1127319.js b/deps/v8/test/mjsunit/compiler/regress-1127319.js
new file mode 100644
index 00000000000000..74d577bdd83e54
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-1127319.js
@@ -0,0 +1,40 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --interrupt-budget=1024
+
+function v1() {
+ const v4 = Reflect;
+ const v8 = [11.11];
+ const v10 = {__proto__:1111, a:-1, c:RegExp, f:v8, d:1111, e:-1};
+ const v12 = [11.11];
+ function v13() {}
+ const v16 = {a:v13, b:v13, c:v13, d:v13, e:v13, f:v13, g:v13, h:v13, i:v13, j:v13};
+}
+
+function foo() {
+ let v22 = Number;
+ v22 = v1;
+ const v23 = false;
+ if (v23) {
+ v22 = Number;
+ } else {
+ function v24() {
+ const v28 = ".Cactus"[0];
+ for (let v32 = 0; v32 < 7; v32++) {}
+ }
+ new Promise(v24);
+ try {
+ for (const v37 of v36) {
+ const v58 = [cactus,cactus,[] = cactus] = v117;
+ }
+ } catch(v119) {
+ }
+ }
+ v22();
+}
+
+for (let i = 0; i < 10; i++) {
+ foo();
+}
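Review bot: The new comment in `JSInliningHeuristic::Finalize()` says only that a candidate may be "no longer valid" and does not say what invalidates it, so a reader cannot tell why an opcode test is needed on top of `IsDead()`. Presumably an earlier inlining in the same loop can rewrite a node that is still queued in `candidates_`; if that is the cause, state it, e.g. `// An earlier inlining may have changed this node in place; skip it unless it still has an inlinee opcode.` The added check re-validates only the opcode, and whether the other fields cached in `candidate` still describe the node cannot be seen here, because the body of Finalize() starts before and continues after this hunk. A stale candidate reaching the inliner is a JIT-correctness hazard, so that is worth confirming against the rest of the function.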
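Review bot: `regress-1127319.js` carries no comment saying what it guards and no assertion, so it passes only by not crashing, and the identifiers `v36`, `cactus` and `v117` read like mistakes although the surrounding `try`/`catch` suggests they are left undefined on purpose. A header line such as `// Regression test for chromium:1127319 (TurboFan inlining); passes if foo() runs without crashing.` would record that. The test also relies on `--interrupt-budget=1024` and ten iterations to get `foo` optimized, which may stop happening if tiering heuristics change; whether forcing optimization would still reproduce the original failure cannot be told from the patch.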