R=titzer@chromium.org
TEST=mjsunit/regress/regress-crbug-489293
BUG=chromium:489293
LOG=n
Review URL: https://codereview.chromium.org/
1142873005
Cr-Commit-Position: refs/heads/master@{#28486}
isolate()->factory()->NewNumberFromInt(constant.ToInt32());
break;
case Constant::kFloat64:
- DCHECK(type == kMachFloat64 || type == kMachAnyTagged ||
- type == kRepTagged || type == (kTypeNumber | kRepTagged) ||
- type == (kTypeInt32 | kRepTagged) ||
- type == (kTypeUint32 | kRepTagged));
+ DCHECK((type & (kRepFloat64 | kRepTagged)) != 0);
constant_object = isolate()->factory()->NewNumber(constant.ToFloat64());
break;
case Constant::kHeapObject:
--- /dev/null
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-filter=f --turbo-deoptimization
+// Flags: --noanalyze-environment-liveness
+
+function f() {
+ var x = 0;
+ for (var y = 0; y < 0; ++y) {
+ x = (x + y) | 0;
+ }
+ return unbound;
+}
+%OptimizeFunctionOnNextCall(f);
+assertThrows(f, ReferenceError);
projects / platform / upstream / v8.git / commitdiff