diff --git a/src/compiler/escape-analysis.cc b/src/compiler/escape-analysis.cc
index 5406997012..b8a9188701 100644
--- a/src/compiler/escape-analysis.cc
+++ b/src/compiler/escape-analysis.cc
@@ -849,6 +849,7 @@ void EscapeStatusAnalysis::DebugPrint() {
 EscapeAnalysis::EscapeAnalysis(Graph* graph, CommonOperatorBuilder* common,
                                Zone* zone)
     : zone_(zone),
+      slot_not_analyzed_(graph->NewNode(common->NumberConstant(0x1c0debad))),
       common_(common),
       status_analysis_(new (zone) EscapeStatusAnalysis(this, graph, zone)),
       virtual_states_(zone),
@@ -1460,6 +1461,15 @@ void EscapeAnalysis::ProcessStoreField(Node* node) {
   if (obj && obj->IsTracked() &&
       static_cast(offset) < obj->field_count()) {
     Node* val = ResolveReplacement(NodeProperties::GetValueInput(node, 1));
+    // TODO(mstarzinger): The following is a workaround to not track the code
+    // entry field in virtual JSFunction objects. We only ever store the inner
+    // pointer into the compile lazy stub in this field and the deoptimizer has
+    // this assumption hard-coded in {TranslatedState::MaterializeAt} as well.
+    if (val->opcode() == IrOpcode::kInt32Constant ||
+        val->opcode() == IrOpcode::kInt64Constant) {
+      DCHECK_EQ(JSFunction::kCodeEntryOffset, FieldAccessOf(node->op()).offset);
+      val = slot_not_analyzed_;
+    }
     if (obj->GetField(offset) != val) {
       obj = CopyForModificationAt(obj, state, node);
       obj->SetField(offset, val);
diff --git a/src/compiler/escape-analysis.h b/src/compiler/escape-analysis.h
index 4ef5257492..839e54ccd3 100644
--- a/src/compiler/escape-analysis.h
+++ b/src/compiler/escape-analysis.h
@@ -70,6 +70,7 @@ class EscapeAnalysis {
   CommonOperatorBuilder* common() const { return common_; }
 
   Zone* const zone_;
+  Node* const slot_not_analyzed_;
   CommonOperatorBuilder* const common_;
   EscapeStatusAnalysis* status_analysis_;
   ZoneVector virtual_states_;
diff --git a/test/mjsunit/regress/regress-crbug-613494.js b/test/mjsunit/regress/regress-crbug-613494.js
new file mode 100644
index 0000000000..6fcc1e94f4
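Review bot: The sentinel node initialized as `slot_not_analyzed_` in the EscapeAnalysis constructor is explained only by the TODO deep inside ProcessStoreField, so neither the magic value `0x1c0debad` here nor the new `Node* const slot_not_analyzed_;` member in the escape-analysis.h hunk tells a reader what the node stands for. Since ProcessStoreField compares it by node identity (`obj->GetField(offset) != val`), the numeric value appears to be arbitrary and should be labelled as such; whether the deoptimizer can ever observe it is not visible in this diff, so the comment should not promise that. Add at the header declaration `// Sentinel substituted for field values the analysis deliberately does not track (currently the JSFunction code entry slot; see ProcessStoreField).` and next to the initializer `// Arbitrary marker payload; only the node's identity is compared.`. The constructor's initializer list continues outside the hunk.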
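Review bot: The new `if` in ProcessStoreField selects the workaround purely on the stored value being an Int32Constant/Int64Constant; the only thing tying it to the code entry field is the DCHECK_EQ on `JSFunction::kCodeEntryOffset`, which compiles out in release builds, so a raw-word constant stored to any other tracked field would silently be replaced by `slot_not_analyzed_` and the materialized object would carry the sentinel in place of that value rather than failing visibly. Under the invariant the TODO states (raw constants are only ever stored into the code entry slot) the two forms behave the same, so the condition can name the field as well, e.g. `if ((val->opcode() == IrOpcode::kInt32Constant || val->opcode() == IrOpcode::kInt64Constant) && FieldAccessOf(node->op()).offset == JSFunction::kCodeEntryOffset) {`, with the DCHECK moved before the branch to assert the implication so a violation still surfaces in debug builds and otherwise falls through to the normal tracking path instead of being masked. ProcessStoreField starts and ends outside the hunk.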
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-613494.js
@@ -0,0 +1,14 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-escape --noanalyze-environment-liveness
+
+function f() {
+  var bound = 0;
+  function g() { return bound }
+}
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();