2 files changed, 16 insertions, 11 deletions

diff --git a/chromium/v8/src/builtins/base.tq b/chromium/v8/src/builtins/base.tq
index 07af1f441f8..24c355d6b3e 100644
--- a/chromium/v8/src/builtins/base.tq
+++ b/chromium/v8/src/builtins/base.tq
@@ -336,15 +336,13 @@ macro NewJSObject(implicit context: Context)(): JSObject {
   };
 }
 
-extern macro HasPrototypeSlot(JSFunction): bool;
+type JSFunctionWithPrototypeSlot extends JSFunction;
 
 macro GetDerivedMap(implicit context: Context)(
     target: JSFunction, newTarget: JSReceiver): Map {
   try {
-    const constructor = Cast<JSFunction>(newTarget) otherwise SlowPath;
-    if (!HasPrototypeSlot(constructor)) {
-      goto SlowPath;
-    }
+    const constructor =
+         Cast<JSFunctionWithPrototypeSlot>(newTarget) otherwise SlowPath;
     assert(IsConstructor(constructor));
     const map =
         Cast<Map>(constructor.prototype_or_initial_map) otherwise SlowPath;
@@ -1814,6 +1812,9 @@ extern macro HeapObjectToString(HeapObject): String
     labels CastError;
 extern macro HeapObjectToConstructor(HeapObject): Constructor
     labels CastError;
+extern macro HeapObjectToJSFunctionWithPrototypeSlot(HeapObject):
+    JSFunctionWithPrototypeSlot
+    labels CastError;
 extern macro HeapObjectToHeapNumber(HeapObject): HeapNumber
     labels CastError;
 extern macro HeapObjectToSloppyArgumentsElements(HeapObject):
@@ -1967,6 +1968,11 @@ Cast<Constructor>(o: HeapObject): Constructor
   return HeapObjectToConstructor(o) otherwise CastError;
 }
 
+Cast<JSFunctionWithPrototypeSlot>(o: HeapObject): JSFunctionWithPrototypeSlot
+    labels CastError {
+  return HeapObjectToJSFunctionWithPrototypeSlot(o) otherwise CastError;
+}
+
 Cast<HeapNumber>(o: HeapObject): HeapNumber
     labels CastError {
   if (IsHeapNumber(o)) return %RawDownCast<HeapNumber>(o);
diff --git a/chromium/v8/src/builtins/builtins-constructor-gen.cc b/chromium/v8/src/builtins/builtins-constructor-gen.cc
index 767e626432e..56dc23e233e 100644
--- a/chromium/v8/src/builtins/builtins-constructor-gen.cc
+++ b/chromium/v8/src/builtins/builtins-constructor-gen.cc
@@ -182,15 +182,14 @@ compiler::TNode<JSObject> ConstructorBuiltinsAssembler::EmitFastNewObject(
     SloppyTNode<Context> context, SloppyTNode<JSFunction> target,
     SloppyTNode<JSReceiver> new_target, Label* call_runtime) {
   // Verify that the new target is a JSFunction.
-  Label fast(this), end(this);
-  GotoIf(HasInstanceType(new_target, JS_FUNCTION_TYPE), &fast);
-  Goto(call_runtime);
-
-  BIND(&fast);
+  Label end(this);
+  TNode<JSFunction> new_target_func =
+      HeapObjectToJSFunctionWithPrototypeSlot(new_target, call_runtime);
+  // Fast path.
 
   // Load the initial map and verify that it's in fact a map.
   Node* initial_map =
-      LoadObjectField(new_target, JSFunction::kPrototypeOrInitialMapOffset);
+      LoadJSFunctionPrototypeOrInitialMap(new_target_func);
   GotoIf(TaggedIsSmi(initial_map), call_runtime);
   GotoIf(DoesntHaveInstanceType(initial_map, MAP_TYPE), call_runtime);