From efe28b8581033381ebbd32f17c1fb41030334f1b Mon Sep 17 00:00:00 2001
From: Ali Ijaz Sheikh
Date: Wed, 20 Jun 2018 11:58:15 -0700
Subject: [PATCH] deps: V8: fix bug in InternalPerformPromiseThen
This fix never landed upstream as it was not longer relevant to active V8 branches for Chromium.
Original commit message:
[turbofan] Fix bug in InternalPerformPromiseThen
Bug: chromium:831170
Change-Id: I1022fc360aafdfd392d6781eb50afc87a18096fd
PR-URL: https://github.com/nodejs/node/pull/21426
Reviewed-By: Ben Noordhuis
---
 deps/v8/include/v8-version.h | 2 +-
 deps/v8/src/builtins/builtins-promise-gen.cc | 4 ++--
 .../compiler/promise-proxy-callback.js | 21 +++++++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/compiler/promise-proxy-callback.js
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 1f314518f5e1b3..f1f29d02de3fb5 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 414
-#define V8_PATCH_LEVEL 59
+#define V8_PATCH_LEVEL 60
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/builtins/builtins-promise-gen.cc b/deps/v8/src/builtins/builtins-promise-gen.cc
index e10cc6e8d69721..d701d679922f4a 100644
--- a/deps/v8/src/builtins/builtins-promise-gen.cc
+++ b/deps/v8/src/builtins/builtins-promise-gen.cc
@@ -509,8 +509,8 @@ Node* PromiseBuiltinsAssembler::InternalPerformPromiseThen(
 BIND(&if_existingcallbacks);
 {
 Label if_singlecallback(this), if_multiplecallbacks(this);
- BranchIfJSObject(existing_deferred_promise, &if_singlecallback,
- &if_multiplecallbacks);
+ Branch(HasInstanceType(existing_deferred_promise, FIXED_ARRAY_TYPE),
+ &if_multiplecallbacks, &if_singlecallback);
 BIND(&if_singlecallback);
 {
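Review bot: The new `Branch(HasInstanceType(existing_deferred_promise, FIXED_ARRAY_TYPE), ...)` in InternalPerformPromiseThen has no comment recording why the test is for the array and not for JSObject-ness, and that distinction is the entire fix. The removed `BranchIfJSObject` sent every non-JSObject value to `if_multiplecallbacks`, so a receiver that is not a JSObject (the regression test in this commit uses a Proxy) was presumably handled as a FixedArray. I would add above the branch: `// The slot holds either a FixedArray of callbacks or a single deferred promise, which can be any receiver (e.g. a Proxy); only a real FixedArray may take the multi-callback path.` The bodies of both branches lie outside the hunk, so whether `if_singlecallback` copes with every non-array value cannot be checked from here.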
diff --git a/deps/v8/test/mjsunit/compiler/promise-proxy-callback.js b/deps/v8/test/mjsunit/compiler/promise-proxy-callback.js
new file mode 100644
index 00000000000000..b8ee948927cdd5
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/promise-proxy-callback.js
@@ -0,0 +1,21 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+class MyPromise extends Promise {
+ static get [Symbol.species]() {
+ return function(f) {
+ console.log("foo")
+ var a = new Promise(f);
+ return new Proxy(new Function(),{})
+ }
+ }
+}
+var p1 = new Promise(function(resolve, reject) {});
+p1.__proto__ = MyPromise.prototype;
+p1.then();
+p1.then();
+
+for (var i = 0; i < 0x20000; i++) {
+ new String()
+}
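Review bot: Nothing in this test says what it guards against: it has no assertion, and the closing loop of `new String()` allocations is unexplained, so a reader cannot tell that passing means "did not crash". A header comment such as `// Regression test for chromium:831170: then() called twice on a promise whose species constructor returns a Proxy.` would tie it to the fix, and the loop deserves a one-line comment on its purpose (presumably allocation pressure to force a GC over the stored callback slot). The `console.log("foo")` inside the species function only adds noise to the test output and can be dropped. The `new Promise(f)` whose result is never used should also get a comment, since it looks like dead code but appears to be there to run the executor `f`.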