diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index da78020d07515c..68d0a359292bd7 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 346
-#define V8_PATCH_LEVEL 23
+#define V8_PATCH_LEVEL 24
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/compiler/js-call-reducer.cc b/deps/v8/src/compiler/js-call-reducer.cc
index 12fb14c6fc831c..f229cdefedf30e 100644
--- a/deps/v8/src/compiler/js-call-reducer.cc
+++ b/deps/v8/src/compiler/js-call-reducer.cc
@@ -419,7 +419,7 @@ Reduction JSCallReducer::ReduceFunctionPrototypeBind(Node* node) {
     // runtime otherwise.
     Handle<DescriptorArray> descriptors(receiver_map->instance_descriptors(),
                                         isolate());
-    if (descriptors->length() < 2) return NoChange();
+    if (descriptors->number_of_descriptors() < 2) return NoChange();
     if (descriptors->GetKey(JSFunction::kLengthDescriptorIndex) !=
         isolate()->heap()->length_string()) {
       return NoChange();
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-825045.js b/deps/v8/test/mjsunit/regress/regress-crbug-825045.js
new file mode 100644
index 00000000000000..34af20897a0d86
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-825045.js
@@ -0,0 +1,14 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const obj = new class A extends (async function (){}.constructor) {};
+delete obj.name;
+Number.prototype.__proto__ = obj;
+function foo() { return obj.bind(); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();