From 5ea3f0004a71a211b039099cecf47100ccfa3574 Mon Sep 17 00:00:00 2001
From: "jkummerow@chromium.org"
Date: Thu, 6 Mar 2014 12:13:49 +0000
Subject: [PATCH] Let HTransitionElementsKind take part in RestoreActualValues phase

BUG=chromium:349853
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/183753005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen-instructions.h | 2 ++
 test/mjsunit/regress/regress-crbug-349853.js | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-crbug-349853.js

diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index 3712dc7..5aedf46 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -6885,6 +6885,8 @@ class HTransitionElementsKind V8_FINAL : public HTemplateInstruction<2> {
 transitioned_map_ == instr->transitioned_map_;
 }
 
+ virtual int RedefinedOperandIndex() { return 0; }
+
 private:
 HTransitionElementsKind(HValue* context,
 HValue* object,
diff --git a/test/mjsunit/regress/regress-crbug-349853.js b/test/mjsunit/regress/regress-crbug-349853.js
new file mode 100644
index 0000000..53af64c
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-349853.js
@@ -0,0 +1,21 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = ["string"];
+function funky(array) { return array[0] = 1; }
+funky(a);
+
+function crash() {
+ var q = [0];
+ // The failing ASSERT was only triggered when compiling for OSR.
+ for (var i = 0; i < 100000; i++) {
+ funky(q);
+ }
+ q[0] = 0;
+ funky(q)
+}
+
+crash();
-- 
2.7.4
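Review bot: The new override `virtual int RedefinedOperandIndex() { return 0; }` carries no `V8_OVERRIDE` annotation and no comment saying which operand index 0 denotes; since the class is already declared `V8_FINAL`, the override macro is available and would make a later drift in the base-class signature a compile error rather than a silently unused method. I would write it as `virtual int RedefinedOperandIndex() V8_OVERRIDE { return 0; }` and add a comment along the lines of `// Operand 0 is the object whose elements kind is transitioned; reporting it as redefined lets the RestoreActualValues phase account for this instruction (see BUG 349853).`. The constructor signature visible just below lists `context` before `object`, which does not by itself establish that operand 0 is the object, so confirm that against the operand wiring in the constructor body before committing to the comment text. The enclosing class HTransitionElementsKind starts and ends outside the hunk.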
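Review bot: The test declares `// Flags: --allow-natives-syntax` but no `%`-prefixed native is used anywhere in the file, so either the flag is a leftover or an intended natives call was dropped; if the former, the line should go, since the OSR trigger is the 100000-iteration loop the comment already points at. The call `funky(q)` as the last statement of `crash()` is missing its terminating semicolon, unlike every other statement in the file; `funky(q);` keeps the file consistent with the rest of the regression suite. A one-line header comment stating what the regression checks would also help a reader, since the current comment only explains why the loop is there, e.g. `// Regression test for crbug.com/349853: keyed store into an array whose elements kind transitions, compiled under OSR.` — hedged, because the transition itself is only implied by calling funky first on ["string"] and then on [0].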