1 files changed, 34 insertions, 0 deletions

diff --git a/deps/v8/test/mjsunit/regress/regress-786784.js b/deps/v8/test/mjsunit/regress/regress-786784.js
new file mode 100644
index 0000000000..fb0f3a95b3
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-786784.js
@@ -0,0 +1,34 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  function g(arg) { return arg; }
+  // The closure contains a call IC slot.
+  return function() { return g(42); };
+}
+
+const a = Realm.create();
+const b = Realm.create();
+
+// Create two closures in different contexts sharing the same
+// SharedFunctionInfo (shared due to code caching).
+const x = Realm.eval(a, f.toString() + " f()");
+const y = Realm.eval(b, f.toString() + " f()");
+
+// Run the first closure to create SFI::code.
+x();
+
+// At this point, SFI::code is set and `x` has a feedback vector (`y` does not).
+
+// Enabling block code coverage deoptimizes all functions and triggers the
+// buggy code path in which we'd unconditionally replace JSFunction::code with
+// its SFI::code (but skip feedback vector setup).
+%DebugToggleBlockCoverage(true);
+
+// Still no feedback vector set on `y` but it now contains code. Run it to
+// trigger the crash when attempting to write into the non-existent feedback
+// vector.
+y();