diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 6e5e205cdfd355..997adabaafc82c 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 11
 #define V8_MINOR_VERSION 8
 #define V8_BUILD_NUMBER 172
-#define V8_PATCH_LEVEL 3
+#define V8_PATCH_LEVEL 6
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/builtins/promise-any.tq b/deps/v8/src/builtins/promise-any.tq
index b9d9b2b5bac61e..8b21ebfff0fed4 100644
--- a/deps/v8/src/builtins/promise-any.tq
+++ b/deps/v8/src/builtins/promise-any.tq
@@ -105,9 +105,10 @@ transitioning javascript builtin PromiseAnyRejectElementClosure(
 const index = Signed(ChangeUint32ToWord(identityHash)) - 1;
 // 6. Let errors be F.[[Errors]].
- let errors = *ContextSlot(
+ let errorsRef:&FixedArray = ContextSlot(
 context,
 PromiseAnyRejectElementContextSlots::kPromiseAnyRejectElementErrorsSlot);
+ let errors = *errorsRef;
 // 7. Let promiseCapability be F.[[Capability]].
@@ -133,10 +134,7 @@ transitioning javascript builtin PromiseAnyRejectElementClosure(
 IntPtrMax(SmiUntag(remainingElementsCount) - 1, index + 1);
 if (newCapacity > errors.length_intptr) deferred {
 errors = ExtractFixedArray(errors, 0, errors.length_intptr, newCapacity);
- *ContextSlot(
- context,
- PromiseAnyRejectElementContextSlots::
- kPromiseAnyRejectElementErrorsSlot) = errors;
+ *errorsRef = errors;
 }
 errors.objects[index] = value;
@@ -154,6 +152,10 @@ transitioning javascript builtin PromiseAnyRejectElementClosure(
 // b. Set error.[[AggregateErrors]] to errors.
 const error = ConstructAggregateError(errors);
+
+ // After this point, errors escapes to user code. Clear the slot.
+ *errorsRef = kEmptyFixedArray;
+
 // c. Return ? Call(promiseCapability.[[Reject]], undefined, « error »).
 const capability = *ContextSlot(
 context,
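Review bot: `errorsRef` is declared with `let` in the first promise-any.tq hunk, but in the visible hunks it is only dereferenced and never rebound; `const errorsRef:&FixedArray = ContextSlot(` would state that the reference is fixed while the array behind it changes. The body of PromiseAnyRejectElementClosure continues outside the hunk, so this holds only if no later line reassigns it.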
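Review bot: The comment above `*errorsRef = kEmptyFixedArray;` in the third promise-any.tq hunk says what is done but not what goes wrong otherwise. Once `errors` has been passed to ConstructAggregateError, a later run of this closure that still found the array in the context slot could presumably write into, or replace, an array that script already holds. A wording such as `// errors is now reachable from script via the AggregateError; clear the slot so a later call of this closure cannot write into the escaped array.` would record that. No Promise.any regression test is visible in this diff, unlike the JSON and Maglev changes, so a test covering the errors array after the aggregate rejection would be worth adding. The function continues outside the hunk.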
diff --git a/deps/v8/src/json/json-stringifier.cc b/deps/v8/src/json/json-stringifier.cc
index 17280bf100eb8e..c7fcc87b08e331 100644
--- a/deps/v8/src/json/json-stringifier.cc
+++ b/deps/v8/src/json/json-stringifier.cc
@@ -836,6 +836,10 @@ JsonStringifier::Result JsonStringifier::Serialize_(Handle object,
 if (deferred_string_key) SerializeDeferredKey(comma, key);
 return SerializeJSArray(Handle::cast(object), key);
 case JS_PRIMITIVE_WRAPPER_TYPE:
+ if (!need_stack_) {
+ need_stack_ = true;
+ return NEED_STACK;
+ }
 if (deferred_string_key) SerializeDeferredKey(comma, key);
 return SerializeJSPrimitiveWrapper(
 Handle::cast(object), key);
diff --git a/deps/v8/src/maglev/maglev-graph-builder.cc b/deps/v8/src/maglev/maglev-graph-builder.cc
index 524403051c1853..d79490137b3d11 100644
--- a/deps/v8/src/maglev/maglev-graph-builder.cc
+++ b/deps/v8/src/maglev/maglev-graph-builder.cc
@@ -5633,7 +5633,7 @@ ReduceResult MaglevGraphBuilder::TryReduceArrayForEach(
 // before the call.
 if (receiver_info_after_call &&
 receiver_info_after_call->possible_maps_are_known()) {
- recheck_maps_after_call = receiver_maps_before_loop.contains(
+ recheck_maps_after_call = !receiver_maps_before_loop.contains(
 receiver_info_after_call->possible_maps());
 }
 }
diff --git a/deps/v8/test/mjsunit/json2.js b/deps/v8/test/mjsunit/json2.js
index e39b17b3e55066..e61b4f7b6ef7a9 100644
--- a/deps/v8/test/mjsunit/json2.js
+++ b/deps/v8/test/mjsunit/json2.js
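Review bot: The new `NEED_STACK` bail-out under `case JS_PRIMITIVE_WRAPPER_TYPE:` carries no comment, so the reason this case leaves the stack-less path is not recorded next to the code. Judging by the json2.js test added in the same diff, the reason appears to be that serializing a wrapper can run a user-defined `toString` that re-enters `JSON.stringify`. A line such as `// Primitive wrappers can call back into script (toString/valueOf), so they need the stack-tracking path.` would keep a later refactor from dropping the guard. Serialize_ starts and ends outside the hunk, so whether other cases that can reach script carry the same guard cannot be checked from here.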
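Review bot: The value `recheck_maps_after_call` holds when this `if` is not taken is set outside the hunk, and it needs to be the conservative `true`, because unknown post-call maps are exactly the case in which the receiver must be re-validated before the loop continues. With the corrected condition the flag is apparently cleared only when every map possible after the callback was already in `receiver_maps_before_loop`. A short comment saying so, e.g. `// Skip the recheck only if the call cannot have introduced a new map.`, would make an inverted condition like the one fixed here easier to spot in review. TryReduceArrayForEach starts and ends outside the hunk.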
@@ -195,3 +195,23 @@ var o = {};
 o.somespecialproperty = 10;
 o["\x19"] = 10;
 assertThrows("JSON.parse('{\"somespecialproperty\":100, \"\x19\":10}')");
+
+let exception_count = 0;
+function foo(v) {
+ try {
+ v["set-i32"];
+ } catch (e) {
+ exception_count++;
+ }
+ try {
+ JSON.stringify(v);
+ } catch (e) {}
+}
+let obj1 = Object('2');
+obj1.__proto__ = { toString: function () {} };
+Object.defineProperty(obj1, "toString", {value: foo});
+%EnsureFeedbackVectorForFunction(foo);
+foo(obj1);
+assertEquals(1, exception_count);
+foo({obj1, b: { toJSON: function () {} }});
+assertEquals(2, exception_count);
diff --git a/deps/v8/test/mjsunit/maglev/regress-1481179.js b/deps/v8/test/mjsunit/maglev/regress-1481179.js
new file mode 100644
index 00000000000000..01cce025399ab2
--- /dev/null
+++ b/deps/v8/test/mjsunit/maglev/regress-1481179.js
@@ -0,0 +1,20 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev --no-lazy-feedback-allocation
+
+function f(e, i, a) {
+ a[65535] = 42;
+ a.e = a;
+}
+function foo() {
+ const a = [1,2];
+ a.e = 42;
+ a.forEach(f);
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+%OptimizeMaglevOnNextCall(foo);
+foo();
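Review bot: The test added to json2.js has no comment saying what it guards, and its pass condition is indirect. `exception_count` only counts how often `foo` ran with a value on which `v["set-i32"]` throws, while any failure of `JSON.stringify` itself is swallowed by `catch (e) {}`. A header line such as `// JSON.stringify on a String wrapper whose toString re-enters JSON.stringify.` would tell a reader why the expected counts are 1 and 2. `%EnsureFeedbackVectorForFunction` needs natives syntax; the file's Flags line is outside the hunk, so confirm it enables it.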
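Review bot: regress-1481179.js asserts nothing, so it passes whenever the Maglev-optimized `foo()` does not crash; a regression of the map recheck that produced a wrong value instead of a crash would leave it green. Adding `return a;` at the end of `foo` and finishing with `assertEquals(42, foo()[65535]);` would check the result of the optimized call as well. A one-line comment stating that `f` changes the receiver's elements and properties during `forEach` would also make the purpose of `a[65535] = 42; a.e = a;` clear.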