[proxy] Reload the initial map after prototype lookup on constructable

Proxy. If a constructable Proxy changes the target's prototype during the prototype lookup the target's initial map stays uninitialized half-way during object construction. LOG=n BUG=chromium:578039 Review URL: https://codereview.chromium.org/1586203003 Cr-Commit-Position: refs/heads/master@{#33359}
nerdmed · Jan 18, 2016 · ec30425 · ec30425
1 parent 9b7035d
commit ec30425
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/src/objects.cc b/src/objects.cc
@@ -13170,6 +13170,10 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate, prototype,
         JSReceiver::GetProperty(new_target, prototype_string), Map);
+    // The above prototype lookup might change the constructor and its
+    // prototype, hence we have to reload the initial map.
+    EnsureHasInitialMap(constructor);
+    constructor_initial_map = handle(constructor->initial_map(), isolate);
   }
 
   // If prototype is not a JSReceiver, fetch the intrinsicDefaultProto from the

diff --git a/test/mjsunit/regress/regress-crbug-578039-Proxy_construct_prototype_change.js b/test/mjsunit/regress/regress-crbug-578039-Proxy_construct_prototype_change.js
@@ -0,0 +1,14 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+function target() {};
+
+var proxy = new Proxy(target, {
+  get() {
+    // Reset the initial map of the target.
+    target.prototype = 123;
+  }});
+
+new proxy();