[cross-context] create new function prototypes in the context of the function

BUG=v8:4217
LOG=Y

Review URL: https://codereview.chromium.org/1381543005

Cr-Commit-Position: refs/heads/master@{#31074}

src/objects.cc

@@ -10829,7 +10829,7 @@ void JSFunction::SetPrototype(Handle<JSFunction> function,
     new_map->set_non_instance_prototype(true);
     Isolate* isolate = new_map->GetIsolate();
     construct_prototype = handle(
-        isolate->context()->native_context()->initial_object_prototype(),
+        function->context()->native_context()->initial_object_prototype(),
         isolate);
   } else {
     function->map()->set_non_instance_prototype(false);

test/mjsunit/cross-realm-filtering.js

@@ -70,3 +70,21 @@ assertSame(Realm.shared.caller_1, Realm.shared.result_1);
 Realm.eval(realms[0], script);
 assertSame(Realm.shared.caller_0, Realm.shared.result_0);
 assertSame(null, Realm.shared.result_1);
+
+
+// test that do not pollute / leak a function prototype v8/4217
+var realmIndex = Realm.create();
+var otherObject = Realm.eval(realmIndex, "Object");
+
+var f = Realm.eval(realmIndex, "function f(){}; f");
+f.prototype = null;
+
+var o = new f();
+var proto = Object.getPrototypeOf(o);
+assertFalse(proto === Object.prototype);
+assertTrue(proto === otherObject.prototype);
+
+o = Realm.eval(realmIndex, "new f()");
+proto = Object.getPrototypeOf(o);
+assertFalse(proto === Object.prototype);
+assertTrue(proto === otherObject.prototype);