[crankshaft] Don't inline the fast path for instanceof if the function has a non-instance .prototype

BUG=chromium:666308 Review-Url: https://codereview.chromium.org/2516603002 Cr-Commit-Position: refs/heads/master@{#41105}
2016-11-18 04:57:02 -08:00 · 2016-11-18 04:57:02 -08:00 · 0c70f3729e
commit 0c70f3729e
parent 7e5755cbc5
2 changed files with 12 additions and 2 deletions
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@ -11209,8 +11209,9 @@ void HOptimizedGraphBuilder::VisitCompareOperation(CompareOperation* expr) {
          Handle<JSFunction>::cast(HConstant::cast(right)->handle(isolate()));
      // Make sure that the {function} already has a meaningful initial map
      // (i.e. we constructed at least one instance using the constructor
-      // {function}).
-      if (function->has_initial_map()) {
+      // {function}), and has an instance as .prototype.
+      if (function->has_initial_map() &&
+          !function->map()->has_non_instance_prototype()) {
        // Lookup @@hasInstance on the {function}.
        Handle<Map> function_map(function->map(), isolate());
        PropertyAccessInfo has_instance(
--- a/test/mjsunit/regress/regress-crbug-666308.js
+++ b/test/mjsunit/regress/regress-crbug-666308.js
@ -0,0 +1,9 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function foo() {}
+foo.prototype = 1;
+v = new foo();
+function bar() { return v instanceof foo; }
+assertThrows(bar);