| // Copyright 2014 the V8 project authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // Flags: --allow-natives-syntax |
| |
| var dummy = {foo: "true"}; |
| |
| var a = {y:0.5}; |
| a.y = 357; |
| var b = a.y; |
| |
| var d; |
| function f( ) { |
| d = 357; |
| return {foo: b}; |
| } |
| %PrepareFunctionForOptimization(f); |
| f(); |
| f(); |
| %OptimizeFunctionOnNextCall(f); |
| var x = f(); |
| |
| // With the bug, x is now an invalid object; the code below |
| // triggers a crash. |
| |
| function g(obj) { |
| return obj.foo.length; |
| } |
| |
| %PrepareFunctionForOptimization(g); |
| g(dummy); |
| g(dummy); |
| %OptimizeFunctionOnNextCall(g); |
| g(x); |
