[turbofan] Fix lowering of Function.prototype accesses.

This fixes a corner case where the "instance prototype" diverges from the "non-instance prototype" that we store on the initial map of a constructor function. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-703610 BUG=chromium:703610 Change-Id: I30a19ae621e10b512215ffb191ce00d030941440 Reviewed-on: https://chromium-review.googlesource.com/458396 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#44008}
2017-03-22 10:09:21 +01:00 · 2017-03-22 10:09:21 +01:00 · 37b9d653c2
commit 37b9d653c2
parent a6e6160e48
2 changed files with 17 additions and 1 deletions
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@ -846,7 +846,7 @@ Reduction JSNativeContextSpecialization::ReduceJSLoadNamed(Node* node) {
        // continue unless deoptimization is enabled.
        Handle<Map> initial_map(function->initial_map(), isolate());
        dependencies()->AssumeInitialMapCantChange(initial_map);
-        Handle<Object> prototype(initial_map->prototype(), isolate());
+        Handle<Object> prototype(function->prototype(), isolate());
        Node* value = jsgraph()->Constant(prototype);
        ReplaceWithValue(node, value);
        return Replace(value);
--- a/test/mjsunit/regress/regress-crbug-703610.js
+++ b/test/mjsunit/regress/regress-crbug-703610.js
@ -0,0 +1,16 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function fun() {};
+fun.prototype = 42;
+new fun();
+function f() {
+  return fun.prototype;
+}
+assertEquals(42, f());
+assertEquals(42, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(42, f());