37b9d653c2
This fixes a corner case where the "instance prototype" diverges from the "non-instance prototype" that we store on the initial map of a constructor function. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-703610 BUG=chromium:703610 Change-Id: I30a19ae621e10b512215ffb191ce00d030941440 Reviewed-on: https://chromium-review.googlesource.com/458396 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#44008}
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Constructor function used as the subject of the regression test.
function fun() {};
// Store a primitive (not an object) in the "prototype" property. The commit
// description calls this the "non-instance prototype" and says it can diverge
// from the "instance prototype" kept on the constructor's initial map.
fun.prototype = 42;
// Construct one instance; the result is discarded.
// NOTE(review): presumably this forces creation of the initial map before f
// is compiled - confirm against the fix for chromium:703610.
new fun();
// Returns the current value of fun.prototype. This property load is checked
// below both before and after f is optimized.
function f() {
  return fun.prototype;
}
// Two calls before optimization: the load must yield the primitive 42.
// NOTE(review): presumably these also warm up feedback for f - confirm.
assertEquals(42, f());
assertEquals(42, f());
// V8 native (needs the --allow-natives-syntax flag declared in the file
// header): request optimized compilation of f on its next call.
%OptimizeFunctionOnNextCall(f);
// The call after the optimization request must return the same value as the
// earlier calls. A different result would mean the optimized load of
// fun.prototype disagrees with the unoptimized one.
assertEquals(42, f());