summaryrefslogtreecommitdiff
path: root/deps/v8/test/mjsunit/regress/regress-crbug-412215.js
diff options
context:
space:
mode:
Diffstat (limited to 'deps/v8/test/mjsunit/regress/regress-crbug-412215.js')
-rw-r--r--deps/v8/test/mjsunit/regress/regress-crbug-412215.js33
1 files changed, 33 insertions, 0 deletions
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-412215.js b/deps/v8/test/mjsunit/regress/regress-crbug-412215.js
new file mode 100644
index 0000000000..ad926fc4a2
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-412215.js
@@ -0,0 +1,33 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var dummy = {foo: "true"};
+
+var a = {y:0.5};
+a.y = 357;
+var b = a.y;
+
+var d;
+function f( ) {
+ d = 357;
+ return {foo: b};
+}
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+var x = f();
+
+// With the bug, x is now an invalid object; the code below
+// triggers a crash.
+
+function g(obj) {
+ return obj.foo.length;
+}
+
+g(dummy);
+g(dummy);
+%OptimizeFunctionOnNextCall(g);
+g(x);
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-11 19:19:07 +0000