deps: cherry-pick 5b5d24b for X87 from V8 upstream

fhinkel · evanlucas · commit 287006149b7d · 2016-07-21T15:01:44.000-05:00
Original commit message: port 2aa070b (r34863) original commit message: Repair this to match what the runtime correctly does, by first checking if the function is a constructor before we access the prototype. BUG= Review URL: https://codereview.chromium.org/1809333002 Cr-Commit-Position: refs/heads/master@{#34880} Fixes: #7592 for X87 PR-URL: #7638 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
diff --git a/deps/v8/src/x87/code-stubs-x87.cc b/deps/v8/src/x87/code-stubs-x87.cc
@@ -1835,6 +1835,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
   __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map);
   __ j(not_equal, &slow_case);
 
+  // Go to the runtime if the function is not a constructor.
+  __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
+            static_cast<uint8_t>(1 << Map::kIsConstructor));
+  __ j(zero, &slow_case);
+
   // Ensure that {function} has an instance prototype.
   __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
             static_cast<uint8_t>(1 << Map::kHasNonInstancePrototype));
