The bug is still present in Canary 68.

Bisected to a36bfd61bb03bc4a29510e628146963e85f74d9d "Update V8 to version 6.5.173"
Landed in 65.0.3319.0

The only commit in V8 log is 03e9d415c2fbb51f6276b4abbb76d840f4106531
"Reland: Reimplement Object.entries/values as CSA to optimize performance."

Attaching a simplified test.html that shows GOOD in good builds and BAD in bad builds.

Deleted: test.html 438 bytes

test.html 438 bytes View Download

Here are some more test cases:

```
(() => {
  console.log('Works with Object.defineProperty');
  const object = {};
  Object.defineProperty(object, 'test', { value: undefined });
  object.a = object.b = object.c = 'value';
  console.log('values', Object.values(object).length);
  console.log('\n');
})();

(() => {
  console.log('Works with Object.keys');
  const object = {};
  object.a = object.b = object.c = 'value';
  Object.keys(object);
  console.log('values', Object.values(object).length);
  console.log('\n');
})();


(() => {
  console.log('Breaks with Object.keys + Object.defineProperty');
  const object = {};
  Object.defineProperty(object, 'test', { value: undefined });
  object.a = object.b = object.c = 'value';
  Object.keys(object);
  console.log('values', Object.values(object).length);
  console.log('\n');
})();

(() => {
  console.log('Works with Object.keys + Object.defineProperty after assignments');
  const object = {};
  object.a = object.b = object.c = 'value';
  Object.defineProperty(object, 'test', { value: undefined });
  Object.keys(object);
  console.log('values', Object.values(object).length);
  console.log('\n');
})();

(() => {
  console.log('Adding properties "fixes" it until iterating over object');

  const testCase = () => {
    const object = {};
    Object.defineProperty(object, 'test', { value: undefined });
    object.a = object.b = object.c = 'value';
    Object.keys(object);
    console.log('values', Object.values(object).length);

    object.d = 'value';
    console.log('it works again after adding property', Object.values(object).length);

    Object.keys(object);
    console.log('it breaks again after Object.keys', Object.values(object).length);

    console.log('\n');
  };

  testCase();

  console.log('But running the same code again causes different behavior');

  testCase();
})();
```

I've attached a screenshot of the output I get after running the above code in my console in Chrome 66.

Deleted: スクリーンショット 2018-04-24 18.43.53.png 190 KB

	スクリーンショット 2018-04-24 18.43.53.png 190 KB View Download

Happens on windows as well

Related issue: https://github.com/mobxjs/mobx/issues/1504#issuecomment-383909667

Object.entries is affected as well

Jakob, ptal

Looks very similar to  https://crbug.com/804159 , which caused the original revert/reland. cbruni@ kindly volunteered to look at this, thanks!

Able to reproduce the issue on Windows 10, mac 10.13.3 and Ubuntu 17.10 using chrome reported version #66.0.3359.117 and latest canary #68.0.3406.0.

Bisect Information:
=====================
Good build: 66.0.3343.0
Bad Build : 66.0.3344.0

Change Log URL: 
https://chromium.googlesource.com/chromium/src/+log/6f7666822a7ab47ecd86f732a4a62063298d3514..a36bfd61bb03bc4a29510e628146963e85f74d9d

v8-autoroll CL:
https://chromium.googlesource.com/v8/v8/+log/919e79fd..d61daa4a

From the above change log suspecting below change
Change-Id: I57e8b66e1c4ece2abb52e1630a97fbfd4070d810
Reviewed-on: https://chromium-review.googlesource.com/860679

yangguo@ - Could you please check whether this is caused with respect to author (Taketoshi Aono@) change, if not please help us in assigning it to the right owner.
Note: ccing the reviewer of the issue as the author (Taketoshi Aono@) doesn't seem to have a chromium id.

Thanks...!!

 Issue v8:7687  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/76cab5ff786bea157a6931296924384a2242da93

commit 76cab5ff786bea157a6931296924384a2242da93
Author: Camillo Bruni <cbruni@chromium.org>
Date: Wed Apr 25 13:44:32 2018

Fix Object.entries/.values with non-enumerable properties

Iterate over all descriptors instead of bailing out early and missing
enumerable properties later.

Bug:  chromium:836145 
Change-Id: I104f7ea89480383b6b4b9204942a166bdf8e0597
Reviewed-on: https://chromium-review.googlesource.com/1027832
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52786}
[modify] https://crrev.com/76cab5ff786bea157a6931296924384a2242da93/src/builtins/builtins-object-gen.cc
[modify] https://crrev.com/76cab5ff786bea157a6931296924384a2242da93/test/mjsunit/es8/object-entries.js

This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Rejecting merge for M66. This just landed today in Canary without any coverage. Why is this critical for M66?

It's important because it's breaking the internet:
https://bugs.chromium.org/p/v8/issues/detail?id=7687
https://github.com/nodejs/node/issues/20278

Yep, today we had to make an emergency release just to polyfill this issue.

nodejs would be unaffected by this beackmerge and needs to be resolved separately.

This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Pls merge your change to M67 branch 3396 ASAP so we can pick it up for next M67 Dev/Beta release. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/02854fbce63c23c8adbbbe0422492da12a521d9d

commit 02854fbce63c23c8adbbbe0422492da12a521d9d
Author: Camillo Bruni <cbruni@chromium.org>
Date: Thu Apr 26 17:14:39 2018

Merged: Fix Object.entries/.values with non-enumerable properties

Revision: 76cab5ff786bea157a6931296924384a2242da93

BUG= chromium:836145 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=ishell@chromium.org

Change-Id: Ie8d030e7d4eb945da501a989bd8645582c644f06
Reviewed-on: https://chromium-review.googlesource.com/1030556
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.7@{#37}
Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2}
Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547}
[modify] https://crrev.com/02854fbce63c23c8adbbbe0422492da12a521d9d/src/builtins/builtins-object-gen.cc
[modify] https://crrev.com/02854fbce63c23c8adbbbe0422492da12a521d9d/test/mjsunit/es8/object-entries.js

It also very welcome to see landed on M66.

> This just landed today in Canary without any coverage. 

There is a test in the patch included. Or what type of coverage is needed?

> Why is this critical for M66?

This bug can clearly cause all kinds of problems depending on how these functions are used. Any application run with M66 is facing the risk of not running properly even though some test cases might have passed and it seemed to work at first.

I am just confused that the backport was denied and I am not sure I can follow the reasoning. Is there any downside to backporting this patch?

 Issue 837906  has been merged into this issue.

Any updates on this critical bug? And when fix will land on M66?

*** Bulk Edit ***
M67 Stable promotion is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. 

If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.

Approving merge to M66. Branch:3359. We don't have a respin planned yet, but will be included if there is a respin. 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/90220c561d0dbc00e17e4a658302960589c8e103

commit 90220c561d0dbc00e17e4a658302960589c8e103
Author: Camillo Bruni <cbruni@chromium.org>
Date: Thu May 03 12:31:23 2018

Merged: Fix Object.entries/.values with non-enumerable properties

Revision: 76cab5ff786bea157a6931296924384a2242da93

BUG= chromium:836145 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=ishell@chromium.org

Change-Id: I6888f7aff9f35636cacfe015f128db3019836029
Reviewed-on: https://chromium-review.googlesource.com/1041985
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.6@{#55}
Cr-Branched-From: d500271571b92cb18dcd7b15885b51e8f437d640-refs/heads/6.6.346@{#1}
Cr-Branched-From: 265ef0b635f8761df7c89eb4e8ec9c1a6ebee184-refs/heads/master@{#51624}
[modify] https://crrev.com/90220c561d0dbc00e17e4a658302960589c8e103/src/builtins/builtins-object-gen.cc
[modify] https://crrev.com/90220c561d0dbc00e17e4a658302960589c8e103/test/mjsunit/es8/object-entries.js

Not needed for active Node.js release lines.

Able to reproduce the issue on Mac 10.13.3 using chrome build without fix.

Verified the fix on Mac 10.13.3, Win-10 and Ubuntu 17.10 using Chrome beta version #68.0.3440.42 as per the comment #1.
Attaching screen shot for reference.
Observed that upon opening the test.html, got GOOD in good builds.
Hence, the fix is working as expected. 
Adding the verified labels.

Thanks...!!

Deleted: 836145.png 317 KB

	836145.png 317 KB View Download