| Index: test/mjsunit/regress/regress-crbug-485548-1.js
|
| diff --git a/test/mjsunit/regress/regress-crbug-485548-1.js b/test/mjsunit/regress/regress-crbug-485548-1.js
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..bbd0f7dd45e263330320990ef305a134c1397e0f
|
| --- /dev/null
|
| +++ b/test/mjsunit/regress/regress-crbug-485548-1.js
|
| @@ -0,0 +1,33 @@
|
| +// Copyright 2015 the V8 project authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +// Flags: --allow-natives-syntax --expose-gc
|
| +
|
| +var inner = new Array();
|
| +inner.a = {x:1};
|
| +inner[0] = 1.5;
|
| +inner.b = {x:2};
|
| +assertTrue(%HasFastDoubleElements(inner));
|
| +
|
| +function foo(o) {
|
| + return o.field.a.x;
|
| +}
|
| +
|
| +var outer = {};
|
| +outer.field = inner;
|
| +foo(outer);
|
| +foo(outer);
|
| +foo(outer);
|
| +%OptimizeFunctionOnNextCall(foo);
|
| +foo(outer);
|
| +
|
| +// Generalize representation of field "a" of inner object.
|
| +var v = { get x() { return 0x7fffffff; } };
|
| +inner.a = v;
|
| +
|
| +gc();
|
| +
|
| +var boom = foo(outer);
|
| +print(boom);
|
| +assertEquals(0x7fffffff, boom);
|
|
|
Chromium Code Reviews
Issue 1128043005:
Map::ReconfigureProperty() should mark map as unstable when there is an element kind transition som… (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master