[compiler] Add missing prototype serialization of bound function map

This is needed for JSCallReducer. Bug: chromium:1217562 Change-Id: I1f06040a74c393598c134301ba0cf04a46380107 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2945184 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75019}
2021-06-08 15:30:57 +02:00 · 2021-06-08 15:30:57 +02:00 · 376eb8020d
commit 376eb8020d
parent dc5a4c909a
2 changed files with 28 additions and 0 deletions
--- a/src/compiler/serializer-for-background-compilation.cc
+++ b/src/compiler/serializer-for-background-compilation.cc
@ -2557,6 +2557,15 @@ void SerializerForBackgroundCompilation::ProcessBuiltinCall(
        result_hints->AddVirtualBoundFunction(
            VirtualBoundFunction(bound_target, new_arguments), zone(),
            broker());
+
+        broker()
+            ->target_native_context()
+            .bound_function_with_constructor_map()
+            .SerializePrototype();
+        broker()
+            ->target_native_context()
+            .bound_function_without_constructor_map()
+            .SerializePrototype();
      }
      break;
    case Builtin::kObjectGetPrototypeOf:
--- a/test/mjsunit/compiler/regress-1217562.js
+++ b/test/mjsunit/compiler/regress-1217562.js
@ -0,0 +1,19 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  foo.bind();
+  foo.__proto__ = class {};
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+foo();
+foo();
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();