| // Copyright 2017 the V8 project authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // Flags: --allow-natives-syntax |
| |
| function f() { |
| function g(arg) { return arg; } |
| // The closure contains a call IC slot. |
| return function() { return g(42); }; |
| } |
| |
| const a = Realm.create(); |
| const b = Realm.create(); |
| |
| // Create two closures in different contexts sharing the same |
| // SharedFunctionInfo (shared due to code caching). |
| const x = Realm.eval(a, f.toString() + " f()"); |
| const y = Realm.eval(b, f.toString() + " f()"); |
| |
| // Run the first closure to create SFI::code. |
| x(); |
| |
| // At this point, SFI::code is set and `x` has a feedback vector (`y` does not). |
| |
| // Enabling block code coverage deoptimizes all functions and triggers the |
| // buggy code path in which we'd unconditionally replace JSFunction::code with |
| // its SFI::code (but skip feedback vector setup). |
| %DebugToggleBlockCoverage(true); |
| |
| // Still no feedback vector set on `y` but it now contains code. Run it to |
| // trigger the crash when attempting to write into the non-existent feedback |
| // vector. |
| y(); |
