diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 3503f3fbb4b90e..dafa83627b224a 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 388
-#define V8_PATCH_LEVEL 40
+#define V8_PATCH_LEVEL 41
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/factory.cc b/deps/v8/src/factory.cc
index fbb8d55bef151f..ea3936e2321ab5 100644
--- a/deps/v8/src/factory.cc
+++ b/deps/v8/src/factory.cc
@@ -1613,6 +1613,7 @@ Handle<JSFunction> Factory::NewFunction(const NewFunctionArgs& args) {
     }
     Handle<Map> initial_map = NewMap(args.type_, args.instance_size_,
                                      elements_kind, args.inobject_properties_);
+    result->shared()->set_expected_nof_properties(args.inobject_properties_);
     // TODO(littledan): Why do we have this is_generator test when
     // NewFunctionPrototype already handles finding an appropriately
     // shared prototype?
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-800032.js b/deps/v8/test/mjsunit/regress/regress-crbug-800032.js
new file mode 100644
index 00000000000000..7c9206c7f6ebfc
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-800032.js
@@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+
+class Derived extends RegExp {
+  constructor(a) {
+    // Syntax Error
+    const a = 1;
+  }
+}
+
+let o = Reflect.construct(RegExp, [], Derived);
+%HeapObjectVerify(o);
+// Check that we can properly access lastIndex.
+assertEquals(o.lastIndex, 0);
+o.lastIndex = 1;
+assertEquals(o.lastIndex, 1);
+o.lastIndex = 0;
+gc();