Revert behavioral part of 84dc8ed4

Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.

Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}

src/objects.cc

@@ -12721,10 +12721,7 @@ void JSFunction::SetPrototype(Handle<JSFunction> function,
         isolate);
   } else {
     construct_prototype = Handle<JSReceiver>::cast(value);
-    if (function->map()->has_non_instance_prototype()) {
-      function->map()->set_non_instance_prototype(false);
-      function->map()->SetConstructor(isolate->heap()->null_value());
-    }
+    function->map()->set_non_instance_prototype(false);
   }
 
   SetInstancePrototype(isolate, function, construct_prototype);

test/mjsunit/regress/regress-crbug-714872.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {}
+f.prototype = 1;
+f.foo = 1;
+f.prototype = {};