Clear optimized code cache in shared function info when code gets deoptimized

test/mjsunit/regress/regress-343609.js

Index: test/mjsunit/regress/regress-343609.js
diff --git a/test/mjsunit/regress/regress-343609.js b/test/mjsunit/regress/regress-343609.js
new file mode 100644
index 0000000000000000000000000000000000000000..5205ca13300a98f4794a4b5412f8d6c26115020c
--- /dev/null
+++ b/test/mjsunit/regress/regress-343609.js
@@ -0,0 +1,66 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --block-concurrent-recompilation
+// Flags: --no-concurrent-osr --expose-gc
+
+function Ctor() {
+  this.a = 1;
+}
+
+function get_closure() {
+  return function add_field(obj) {
+    obj.c = 3;
+    obj.a = obj.a + obj.c;
+    return obj.a;
+  }
+}
+function get_closure2() {
+  return function cc(obj) {
+    obj.c = 3;
+    obj.a = obj.a + obj.c;
+  }
+}
+
+function dummy() {
+  (function () {
+    var o = {c: 10};
+    var f1 = get_closure2();
+    f1(o);
+    f1(o);
+    %OptimizeFunctionOnNextCall(f1);
+    f1(o);
+  })();
+}
+
+var o = new Ctor();
+function opt() {
+  (function () {
+    var f1 = get_closure();
+    f1(new Ctor());
+    f1(new Ctor());
+    %OptimizeFunctionOnNextCall(f1);
+    f1(o);
+  })();
+}
+
+// Optimize add_field and install its code in optimized code cache.
+opt();
+opt();
+opt();
+
+// Optimize dummy function to remove the add_field from head of optimized
+// function list in the context.
+dummy();
+dummy();
+
+// Kill add_field in new space GC.
+for(var i = 0; i < 3; i++) gc(true);
+
+// Trigger deopt.
+o.c = 2.2;
+
+// Fetch optimized code of add_field from cache and crash.
+var f2 = get_closure();
+f2(new Ctor());