The CanAllocateArray used to be executed during JSCreateLowering,
leading to bailouts when large arrays are passed as arguments to
an async function or a bound function. This meant that
JSCreateAsyncFunctionObject or JSCreateBoundFunction will reach
JSGenericLowering, where they are not lowered. This CL moves
the checks earlier in the pipeline during JSNativeContextSpecialization
and JSCallReducer respectively, so that those operators are not
created at all in such cases and we bail out to the runtime instead.

Bug: v8:11564
Change-Id: I232ce7d9378730ae0cc8690e52fde840a484e069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73928}