blob: c1da1f0847a75761dde8a938b4e7eb28d9478e18 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var dummy = {foo: "true"};
var a = {y:0.5};
a.y = 357;
var b = a.y;
var d;
function f( ) {
d = 357;
return {foo: b};
}
%PrepareFunctionForOptimization(f);
f();
f();
%OptimizeFunctionOnNextCall(f);
var x = f();
// With the bug, x is now an invalid object; the code below
// triggers a crash.
function g(obj) {
return obj.foo.length;
}
%PrepareFunctionForOptimization(g);
g(dummy);
g(dummy);
%OptimizeFunctionOnNextCall(g);
g(x);
|
