Merge v8 from https://chromium.googlesource.com/a/external/v8.git at d6a645f11c0b869f97961ce290c1d44bd4488e24

This commit was generated by merge_from_chromium.py.

Change-Id: I89af08d2de63ffa247b0bd36c0b53a6767c36252
diff --git a/build/features.gypi b/build/features.gypi
index e8f5b2f..d542d05 100644
--- a/build/features.gypi
+++ b/build/features.gypi
@@ -111,7 +111,7 @@
       'Release': {
         'variables': {
           'v8_enable_extra_checks%': 0,
-          'v8_enable_handle_zapping%': 1,
+          'v8_enable_handle_zapping%': 0,
         },
         'conditions': [
           ['v8_enable_extra_checks==1', {
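Review bot: The Release block now sets `'v8_enable_handle_zapping%': 0`, but neither the file nor the commit message says why. Handle zapping overwrites handle slots that are no longer live, so a use of a stale handle fails predictably rather than reading whatever now occupies the slot. Turning it off in Release removes that safety net, presumably for speed. A comment such as `# Handle zapping is off in Release for performance; stale-handle bugs will not fail fast here.` would record the trade-off, if that is indeed the reason. The Debug configuration is outside this hunk, so confirm it still enables zapping.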
diff --git a/src/runtime.cc b/src/runtime.cc
index b97af64..15e1ada 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10034,7 +10034,7 @@
       // getters on the arrays increasing the length of later arrays
       // during iteration.
       // This shouldn't happen in anything but pathological cases.
-      SetDictionaryMode(index);
+      SetDictionaryMode();
       // Fall-through to dictionary mode.
     }
     ASSERT(!fast_elements_);
@@ -10055,6 +10055,14 @@
     } else {
       index_offset_ += delta;
     }
+    // If the initial length estimate was off (see special case in visit()),
+    // but the array blowing the limit didn't contain elements beyond the
+    // provided-for index range, go to dictionary mode now.
+    if (fast_elements_ &&
+        index_offset_ >= static_cast<uint32_t>(
+            FixedArrayBase::cast(*storage_)->length())) {
+      SetDictionaryMode();
+    }
   }
 
   bool exceeds_array_limit() {
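Review bot: The added guard compares with `index_offset_ >= ...length()`, so it also fires when the offset lands exactly on the end of the fast backing store. If that store is sized from the length estimate (not visible here), equality is the normal outcome after the last array of a correctly estimated concat, and each such call would now pay for a dictionary conversion. Consider `index_offset_ > static_cast<uint32_t>(FixedArrayBase::cast(*storage_)->length())`, provided an offset equal to the length cannot lead to an out-of-range access. The comment could also state the invariant directly, e.g. `// Invariant: in fast mode index_offset_ never exceeds the storage length.` The enclosing function starts above the hunk, so check the saturating branch and the bounds test in visit() before changing the comparison.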
@@ -10076,7 +10084,7 @@
 
  private:
   // Convert storage to dictionary mode.
-  void SetDictionaryMode(uint32_t index) {
+  void SetDictionaryMode() {
     ASSERT(fast_elements_);
     Handle<FixedArray> current_storage(*storage_);
     Handle<SeededNumberDictionary> slow_storage(
diff --git a/src/spaces.cc b/src/spaces.cc
index 22233d9..1ffc314 100644
--- a/src/spaces.cc
+++ b/src/spaces.cc
@@ -193,7 +193,7 @@
       return true;  // Found a large enough allocation block.
     }
   }
-
+  current_allocation_block_index_ = 0;
   // Code range is full or too fragmented.
   return false;
 }
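Review bot: `current_allocation_block_index_ = 0;` is added on the failure path with no comment, and it replaces the blank line that separated the search from the fallback. Presumably the search above (its start is outside the hunk) can leave the index one past the last block, and the reset keeps later users from indexing out of range. Say so, e.g. `// No block fits: reset the index so it never points past the end of the list.` If the list can ever be empty, index 0 is still not a valid entry, so callers must keep checking the `false` return before using the index.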
diff --git a/src/version.cc b/src/version.cc
index 0d26e22..cc52a0d 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     27
 #define BUILD_NUMBER      34
-#define PATCH_LEVEL       0
+#define PATCH_LEVEL       3
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
diff --git a/test/mjsunit/regress/regress-crbug-387031.js b/test/mjsunit/regress/regress-crbug-387031.js
new file mode 100644
index 0000000..77f52a9
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-387031.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+a = [1];
+b = [];
+a.__defineGetter__(0, function () {
+  b.length = 0xffffffff;
+});
+c = a.concat(b);
+for (var i = 0; i < 20; i++) {
+  assertEquals(undefined, (c[i]));
+}
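Review bot: The test requests `// Flags: --allow-natives-syntax`, but no `%`-prefixed native call appears in the file, so the flag line can be dropped. The loop checks only the first 20 elements of `c`. Adding an assertion on `c.length` would also pin the length the result reports, which appears to be what the runtime.cc change protects. A header comment describing the scenario would help, e.g. `// A getter that grows a later array during concat must not make the result read past its backing store.`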