[turbofan] Do not call JSFunction::has_initial_map without has_prototype_slot

Bug: chromium:939316
Change-Id: I2a132b6cce208e110fe30de8d75743ac7534fc94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1525942
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60291}

src/compiler/node-properties.cc

@@ -412,7 +412,8 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
               mnewtarget.Ref(broker).IsJSFunction()) {
             JSFunctionRef original_constructor =
                 mnewtarget.Ref(broker).AsJSFunction();
-            if (original_constructor.has_initial_map()) {
+            if (original_constructor.map().has_prototype_slot() &&
+                original_constructor.has_initial_map()) {
               original_constructor.Serialize();
               MapRef initial_map = original_constructor.initial_map();
               if (initial_map.GetConstructor().equals(mtarget.Ref(broker))) {

test/mjsunit/compiler/regress-939316.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(arg) {
+  const o = Reflect.construct(Object, arguments, Proxy);
+  o.foo = arg;
+}
+
+function g(i) {
+  f(i);
+}
+
+g(0);
+g(1);
+%OptimizeFunctionOnNextCall(g);
+g(2);