projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1fc8ad9)
Let HTransitionElementsKind take part in RestoreActualValues phase
authorjkummerow@chromium.org <jkummerow@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Thu, 6 Mar 2014 12:13:49 +0000 (12:13 +0000)
committerjkummerow@chromium.org <jkummerow@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Thu, 6 Mar 2014 12:13:49 +0000 (12:13 +0000)
BUG=chromium:349853
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/183753005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/hydrogen-instructions.h patch | blob | history
test/mjsunit/regress/regress-crbug-349853.js [new file with mode: 0644] patch | blob

diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index 3712dc7..5aedf46 100644 (file)
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -6885,6 +6885,8 @@ class HTransitionElementsKind V8_FINAL : public HTemplateInstruction<2> {
            transitioned_map_ == instr->transitioned_map_;
   }
 
+  virtual int RedefinedOperandIndex() { return 0; }
+
  private:
   HTransitionElementsKind(HValue* context,
                           HValue* object,
diff --git a/test/mjsunit/regress/regress-crbug-349853.js b/test/mjsunit/regress/regress-crbug-349853.js
new file mode 100644 (file)
index 0000000..53af64c
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-349853.js
@@ -0,0 +1,21 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = ["string"];
+function funky(array) { return array[0] = 1; }
+funky(a);
+
+function crash() {
+  var q = [0];
+  // The failing ASSERT was only triggered when compiling for OSR.
+  for (var i = 0; i < 100000; i++) {
+    funky(q);
+  }
+  q[0] = 0;
+  funky(q)
+}
+
+crash();
Domain: Web Framework / Web Engine;