Upgrade V8 to version 4.9.385.28 https://chromium.googlesource.com/v8/v8/+/4.9.385.28 FPIIM-449 Change-Id: I4b2e74289d4bf3667f2f3dc8aa2e541f63e26eb4

commit: 4a90d5fbbb6802c59093b866f3478a814bf02b95 [log] [tgz]
author: Ben Murdoch <benm@google.com> Tue Mar 22 12:00:34 2016 +0000
committer: Dirk Vogt <dirk@fairphone.com> Fri Mar 17 16:05:42 2017 +0100
tree: 486867e3a04e7f17454c94a4c97891bb0e237f1f
parent: 3821a70061b1b2077ee51c70eda717bddac94f58 [diff] [blame]
diff --git a/test/mjsunit/regress/regress-crbug-571064.js b/test/mjsunit/regress/regress-crbug-571064.js
new file mode 100644
index 0000000..a28a383
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-571064.js

@@ -0,0 +1,19 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+Array.prototype.__proto__ = null;
+var func = Array.prototype.push;
+var prototype = Array.prototype;
+function CallFunc(a) {
+  func.call(a);
+}
+function CallFuncWithPrototype() {
+  CallFunc(prototype);
+}
+CallFunc([]);
+CallFunc([]);
+%OptimizeFunctionOnNextCall(CallFuncWithPrototype);
+CallFuncWithPrototype();
commit	4a90d5fbbb6802c59093b866f3478a814bf02b95	[log] [tgz]
author	Ben Murdoch <benm@google.com>	Tue Mar 22 12:00:34 2016 +0000
committer	Dirk Vogt <dirk@fairphone.com>	Fri Mar 17 16:05:42 2017 +0100
tree	486867e3a04e7f17454c94a4c97891bb0e237f1f
parent	3821a70061b1b2077ee51c70eda717bddac94f58 [diff] [blame]