[proxy] Reload the initial map after prototype lookup on constructable

Proxy.

If a constructable Proxy changes the target's prototype during the
prototype lookup the target's initial map stays uninitialized half-way
during object construction.

LOG=n
BUG=chromium:578039

Review URL: https://codereview.chromium.org/1586203003

Cr-Commit-Position: refs/heads/master@{#33359}

src/objects.cc

@@ -13170,6 +13170,10 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
     ASSIGN_RETURN_ON_EXCEPTION(
         isolate, prototype,
         JSReceiver::GetProperty(new_target, prototype_string), Map);
+    // The above prototype lookup might change the constructor and its
+    // prototype, hence we have to reload the initial map.
+    EnsureHasInitialMap(constructor);
+    constructor_initial_map = handle(constructor->initial_map(), isolate);
   }
 
   // If prototype is not a JSReceiver, fetch the intrinsicDefaultProto from the

test/mjsunit/regress/regress-crbug-578039-Proxy_construct_prototype_change.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+function target() {};
+
+var proxy = new Proxy(target, {
+  get() {
+    // Reset the initial map of the target.
+    target.prototype = 123;
+  }});
+
+new proxy();