v8/test/mjsunit/regress/regress-crbug-412215.js

// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

var dummy = {foo: "true"};

var a = {y:0.5};
a.y = 357;
var b = a.y;

var d;
function f(  )  {
  d = 357;
  return {foo: b};
}
f();
f();
%OptimizeFunctionOnNextCall(f);
var x = f();

// With the bug, x is now an invalid object; the code below
// triggers a crash.

function g(obj) {
  return obj.foo.length;
}

g(dummy);
g(dummy);
%OptimizeFunctionOnNextCall(g);
g(x);
Fix Smi vs. HeapObject confusion in HConstants. Representation and HType should agree with each other. BUG=chromium:412215 LOG=y R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/556563005 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23901 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 2014-09-12 08:44:14 +00:00			`// Copyright 2014 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`// Flags: --allow-natives-syntax`

			`var dummy = {foo: "true"};`

			`var a = {y:0.5};`
			`a.y = 357;`
			`var b = a.y;`

			`var d;`
			`function f( ) {`
			`d = 357;`
			`return {foo: b};`
			`}`
			`f();`
			`f();`
			`%OptimizeFunctionOnNextCall(f);`
			`var x = f();`

			`// With the bug, x is now an invalid object; the code below`
			`// triggers a crash.`

			`function g(obj) {`
			`return obj.foo.length;`
			`}`

			`g(dummy);`
			`g(dummy);`
			`%OptimizeFunctionOnNextCall(g);`
			`g(x);`