Let HTransitionElementsKind take part in RestoreActualValues phase

BUG=chromium:349853 LOG=n R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/183753005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 12:13:49 +00:00 · 2014-03-06 12:13:49 +00:00 · 5ea3f0004a
commit 5ea3f0004a
parent 1fc8ad9486
2 changed files with 23 additions and 0 deletions
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@ -6885,6 +6885,8 @@ class HTransitionElementsKind V8_FINAL : public HTemplateInstruction<2> {
           transitioned_map_ == instr->transitioned_map_;
  }

+  virtual int RedefinedOperandIndex() { return 0; }
+
 private:
  HTransitionElementsKind(HValue* context,
                          HValue* object,
--- a/test/mjsunit/regress/regress-crbug-349853.js
+++ b/test/mjsunit/regress/regress-crbug-349853.js
@ -0,0 +1,21 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = ["string"];
+function funky(array) { return array[0] = 1; }
+funky(a);
+
+function crash() {
+  var q = [0];
+  // The failing ASSERT was only triggered when compiling for OSR.
+  for (var i = 0; i < 100000; i++) {
+    funky(q);
+  }
+  q[0] = 0;
+  funky(q)
+}
+
+crash();