Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(236)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: test/mjsunit/regress/regress-crbug-412215.js

Issue 556563005: Fix Smi vs. HeapObject confusion in HConstants. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « src/hydrogen-types.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: test/mjsunit/regress/regress-crbug-412215.js
diff --git a/test/mjsunit/regress/regress-crbug-412215.js b/test/mjsunit/regress/regress-crbug-412215.js
new file mode 100644
index 0000000000000000000000000000000000000000..ad926fc4a2a8b84846fb985b30bfce1d5aa0590f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-412215.js
@@ -0,0 +1,33 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var dummy = {foo: "true"};
+
+var a = {y:0.5};
+a.y = 357;
+var b = a.y;
+
+var d;
+function f( ) {
+ d = 357;
+ return {foo: b};
+}
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+var x = f();
+
+// With the bug, x is now an invalid object; the code below
+// triggers a crash.
+
+function g(obj) {
+ return obj.foo.length;
+}
+
+g(dummy);
+g(dummy);
+%OptimizeFunctionOnNextCall(g);
+g(x);
« no previous file with comments | « src/hydrogen-types.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698