Bisects to 84dc8ed4c3e6c8c1e3005b2d2445c64328b139a4. Reproduces easily.

Fix up for review at https://chromium-review.googlesource.com/c/486130/

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/86aa7960cc53d73d7ffe408184e762fb1c75610e

commit 86aa7960cc53d73d7ffe408184e762fb1c75610e
Author: Adam Klein <adamk@chromium.org>
Date: Wed Apr 26 20:56:30 2017

Revert behavioral part of 84dc8ed4c3e6c8c1e3005b2d2445c64328b139a4

Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.

Bug:  chromium:714972 
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}
[modify] https://crrev.com/86aa7960cc53d73d7ffe408184e762fb1c75610e/src/objects.cc
[add] https://crrev.com/86aa7960cc53d73d7ffe408184e762fb1c75610e/test/mjsunit/regress/regress-crbug-714872.js

ClusterFuzz has detected this issue as fixed in range 44905:44906.

Detailed report: https://clusterfuzz.com/testcase?key=5303471449571328

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !constructor_or_backpointer()->IsMap() in objects-inl.h
  
Sanitizer: address (ASAN)

Regressed: V8: 44820:44821
Fixed: V8: 44905:44906

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5303471449571328


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.