diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index d1b79e3da8..5dbf6c08fd 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -3635,10 +3635,9 @@ Handle TranslatedState::MaterializeCapturedObjectAt(
 return object;
 }
 case JS_FUNCTION_TYPE: {
- Handle object =
- isolate_->factory()->NewFunctionFromSharedFunctionInfo(
- handle(isolate_->object_function()->shared()),
- handle(isolate_->context()), NOT_TENURED);
+ Handle object = isolate_->factory()->NewFunction(
+ map, handle(isolate_->object_function()->shared()),
+ handle(isolate_->context()), NOT_TENURED);
 slot->value_ = object;
 // We temporarily allocated a JSFunction for the {Object} function
 // within the current context, to break cycles in the object graph.
diff --git a/test/mjsunit/regress/regress-crbug-772610.js b/test/mjsunit/regress/regress-crbug-772610.js
new file mode 100644
index 0000000000..d68ebbf2be
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-772610.js
@@ -0,0 +1,18 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap --expose-gc
+
+function f() {
+ var o = [{
+ [Symbol.toPrimitive]() {}
+ }];
+ %_DeoptimizeNow();
+ return o.length;
+}
+assertEquals(1, f());
+assertEquals(1, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(1, f());
+gc();
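Review bot: In src/deoptimizer.cc, the comment kept under the new `NewFunction(map, ...)` call still explains only the borrowed {Object} shared info and not why the captured `map` has to drive the allocation. The fields of this object are filled in later, outside the hunk, so its size and layout have to be those of `map`; a mismatch leaves a malformed object on the heap, which is presumably what `--verify-heap` flagged in the regression test. I would add `// Allocate with the captured {map} so the instance layout matches the fields written below.` above the call. If the rest of the case body does not already do it, a debug assertion tying `map->instance_size()` to the number of captured fields would catch the same class of error without relying on heap verification.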
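Review bot: The new regress-crbug-772610.js carries no comment saying what it guards, so the reason for the computed-key method and for `--verify-heap` plus `gc()` cannot be recovered from the file alone. I would add a short header above `f`, such as `// A captured method closure materialized on deopt must keep its own map (crbug 772610).`. Note also that the assertions only check `o.length`; the actual detection comes from heap verification, which, as far as I know, only runs in builds that have it compiled in, so on other configurations the test can pass without exercising the fix.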