diff --git a/src/objects.cc b/src/objects.cc
index 62a0dceacb..48873fc8c9 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -13383,6 +13383,8 @@ namespace {
 bool FastInitializeDerivedMap(Isolate* isolate, Handle new_target,
 Handle constructor,
 Handle constructor_initial_map) {
+ // Use the default intrinsic prototype instead.
+ if (!new_target->has_prototype_slot()) return false;
 // Check that |function|'s initial map still in sync with the |constructor|,
 // otherwise we must create a new initial map for |function|.
 if (new_target->has_initial_map() &&
@@ -13457,9 +13459,14 @@ MaybeHandle JSFunction::GetDerivedMap(Isolate* isolate,
 Handle prototype;
 if (new_target->IsJSFunction()) {
 Handle function = Handle::cast(new_target);
- // Make sure the new.target.prototype is cached.
- EnsureHasInitialMap(function);
- prototype = handle(function->prototype(), isolate);
+ if (function->has_prototype_slot()) {
+ // Make sure the new.target.prototype is cached.
+ EnsureHasInitialMap(function);
+ prototype = handle(function->prototype(), isolate);
+ } else {
+ // No prototype property, use the intrinsict default proto further down.
+ prototype = isolate->factory()->undefined_value();
+ }
 } else {
 Handle prototype_string = isolate->factory()->prototype_string();
 ASSIGN_RETURN_ON_EXCEPTION(
diff --git a/test/mjsunit/regress/regress-crbug-90771.js b/test/mjsunit/regress/regress-crbug-90771.js
new file mode 100644
index 0000000000..b541ff8cc2
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-90771.js
@@ -0,0 +1,15 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+// Flags: --allow-natives-syntax
+function target() {};
+
+for (let key of Object.getOwnPropertyNames(this)) {
+ try {
+ let newTarget = this[key];
+ let arg = target;
+ Reflect.construct(target, arg, newTarget);
+ } catch {}
+}
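Review bot: The added comment `// Use the default intrinsic prototype instead.` on the new guard in FastInitializeDerivedMap describes what happens somewhere else, not why this function returns false, so a reader of this hunk cannot tell what "instead" refers to. Suggest `// new_target has no prototype slot, so the initial-map sync check below cannot apply; return false and let the caller take the generic GetDerivedMap path.` The choice of the intrinsic default prototype appears to be made in GetDerivedMap (second hunk) rather than here, which is worth stating so the two comments do not contradict each other. The body of FastInitializeDerivedMap continues past the hunk, so the remaining uses of new_target after the guard could not be checked from this view.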
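Review bot: The else-branch comment in GetDerivedMap has a typo (`intrinsict`) and refers to handling "further down" that lies outside this hunk, so the contract of leaving |prototype| undefined is not visible where the value is set. Suggest `// No prototype slot: leave |prototype| undefined so the non-JSReceiver fallback below substitutes the intrinsic default prototype.`, on the assumption that such a fallback is what the rest of the function does — that should be confirmed, because an undefined |prototype| reaching a map lookup unchecked is likely the kind of failure the new regression test is meant to catch. The function body continues past the end of the hunk.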
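Review bot: The new test declares `// Flags: --allow-natives-syntax` but uses no `%` natives, so the flag should be dropped or its purpose noted; a stray flag obscures which configuration the regression actually needs. The empty `catch {}` is doing real work — most globals are not constructors and Reflect.construct throws for them — and deserves a one-line comment such as `// Non-constructor globals throw TypeError; only the absence of a crash matters here.`. Passing the function itself as the argumentsList (`let arg = target;`) reads like a mistake even though it yields an empty list; `Reflect.construct(target, [], newTarget)` states the intent directly.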