diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc index efea2ebfd3..94e228eff4 100644 --- a/src/deoptimizer.cc +++ b/src/deoptimizer.cc @@ -3774,14 +3774,15 @@ Handle TranslatedState::MaterializeAt(int frame_index, return object; } case JS_FUNCTION_TYPE: { + Handle temporary_shared = + isolate_->factory()->NewSharedFunctionInfo( + isolate_->factory()->empty_string(), MaybeHandle(), + false); Handle object = isolate_->factory()->NewFunctionFromSharedFunctionInfo( - handle(isolate_->object_function()->shared()), - handle(isolate_->context())); + map, temporary_shared, isolate_->factory()->undefined_value(), + NOT_TENURED); slot->value_ = object; - // We temporarily allocated a JSFunction for the {Object} function - // within the current context, to break cycles in the object graph. - // The correct function and context will be set below once available. Handle properties = MaterializeAt(frame_index, value_index); Handle elements = MaterializeAt(frame_index, value_index); Handle prototype = MaterializeAt(frame_index, value_index); diff --git a/test/mjsunit/compiler/escape-analysis-materialize.js b/test/mjsunit/compiler/escape-analysis-materialize.js new file mode 100644 index 0000000000..e72797d823 --- /dev/null +++ b/test/mjsunit/compiler/escape-analysis-materialize.js @@ -0,0 +1,29 @@ +// Copyright 2016 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --turbo --turbo-escape + +(function TestMaterializeArray() { + function f() { + var a = [1,2,3]; + %_DeoptimizeNow(); + return a.length; + } + assertEquals(3, f()); + assertEquals(3, f()); + %OptimizeFunctionOnNextCall(f); + assertEquals(3, f()); +})(); + +(function TestMaterializeFunction() { + function g() { + function fun(a, b) {} + %_DeoptimizeNow(); + return fun.length; + } + assertEquals(2, g()); + assertEquals(2, g()); + %OptimizeFunctionOnNextCall(g); + assertEquals(2, g()); +})();