deps: cherry-pick 5b5d24b for X87 from V8 upstream

Original commit message:

    port 2aa070b (r34863)

    original commit message:
        Repair this to match what the runtime correctly does,
        by first checking if the function is a constructor
        before we access the prototype.

    BUG=

    Review URL: https://codereview.chromium.org/1809333002

    Cr-Commit-Position: refs/heads/master@{#34880}

Fixes: https://github.com/nodejs/node/issues/7592 for X87
PR-URL: https://github.com/nodejs/node/pull/7638
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/deps/v8/src/x87/code-stubs-x87.cc b/deps/v8/src/x87/code-stubs-x87.cc
index ff6c8d29e5..787ff2d71c 100644
--- a/deps/v8/src/x87/code-stubs-x87.cc
+++ b/deps/v8/src/x87/code-stubs-x87.cc
@@ -1835,6 +1835,11 @@ void InstanceOfStub::Generate(MacroAssembler* masm) {
   __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map);
   __ j(not_equal, &slow_case);
 
+  // Go to the runtime if the function is not a constructor.
+  __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
+            static_cast<uint8_t>(1 << Map::kIsConstructor));
+  __ j(zero, &slow_case);
+
   // Ensure that {function} has an instance prototype.
   __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
             static_cast<uint8_t>(1 << Map::kHasNonInstancePrototype));