[runtime] Fix Class Literals

Do not overwrite handle values in AddNamedProperty which could cause
invalid handles in combination with CanonicalHandleScope.

Bug: chromium:802333
Change-Id: I373ab60579901bba65336ae3814e466e07392e22
Reviewed-on: https://chromium-review.googlesource.com/873032
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50890}

src/objects/literal-objects.cc

@@ -423,6 +423,10 @@ void ClassBoilerplate::AddToElementsTemplate(
 
 Handle<ClassBoilerplate> ClassBoilerplate::BuildClassBoilerplate(
     Isolate* isolate, ClassLiteral* expr) {
+  // Create a non-caching handle scope to ensure that the temporary handle used
+  // by ObjectDescriptor for passing Smis around does not corrupt handle cache
+  // in CanonicalHandleScope.
+  HandleScope scope(isolate);
   Factory* factory = isolate->factory();
   ObjectDescriptor static_desc;
   ObjectDescriptor instance_desc;
@@ -580,7 +584,7 @@ Handle<ClassBoilerplate> ClassBoilerplate::BuildClassBoilerplate(
   class_boilerplate->set_instance_computed_properties(
       *instance_desc.computed_properties());
 
-  return class_boilerplate;
+  return scope.CloseAndEscape(class_boilerplate);
 }
 
 }  // namespace internal

test/mjsunit/regress/regress-crbug-802333.js

@@ -0,0 +1,26 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function deferred_func() {
+    class C {
+        method1() {
+
+        }
+    }
+}
+
+let bound = (a => a).bind(this, 0);
+
+function opt() {
+    deferred_func.prototype;  // ReduceJSLoadNamed
+
+    return bound();
+}
+
+assertEquals(0, opt());
+%OptimizeFunctionOnNextCall(opt);
+
+assertEquals(0, opt());