1// Copyright 2014 the V8 project authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5// Flags: --allow-natives-syntax 6 7var dummy = {foo: "true"}; 8 9var a = {y:0.5}; 10a.y = 357; 11var b = a.y; 12 13var d; 14function f( ) { 15 d = 357; 16 return {foo: b}; 17} 18f(); 19f(); 20%OptimizeFunctionOnNextCall(f); 21var x = f(); 22 23// With the bug, x is now an invalid object; the code below 24// triggers a crash. 25 26function g(obj) { 27 return obj.foo.length; 28} 29 30g(dummy); 31g(dummy); 32%OptimizeFunctionOnNextCall(g); 33g(x); 34