1// Copyright 2014 the V8 project authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5// Flags: --allow-natives-syntax --block-concurrent-recompilation 6// Flags: --no-concurrent-osr --expose-gc 7 8function Ctor() { 9 this.a = 1; 10} 11 12function get_closure() { 13 return function add_field(obj) { 14 obj.c = 3; 15 obj.a = obj.a + obj.c; 16 return obj.a; 17 } 18} 19function get_closure2() { 20 return function cc(obj) { 21 obj.c = 3; 22 obj.a = obj.a + obj.c; 23 } 24} 25 26function dummy() { 27 (function () { 28 var o = {c: 10}; 29 var f1 = get_closure2(); 30 f1(o); 31 f1(o); 32 %OptimizeFunctionOnNextCall(f1); 33 f1(o); 34 })(); 35} 36 37var o = new Ctor(); 38function opt() { 39 (function () { 40 var f1 = get_closure(); 41 f1(new Ctor()); 42 f1(new Ctor()); 43 %OptimizeFunctionOnNextCall(f1); 44 f1(o); 45 })(); 46} 47 48// Optimize add_field and install its code in optimized code cache. 49opt(); 50opt(); 51opt(); 52 53// Optimize dummy function to remove the add_field from head of optimized 54// function list in the context. 55dummy(); 56dummy(); 57 58// Kill add_field in new space GC. 59for(var i = 0; i < 3; i++) gc(true); 60 61// Trigger deopt. 62o.c = 2.2; 63 64// Fetch optimized code of add_field from cache and crash. 65var f2 = get_closure(); 66f2(new Ctor()); 67