Jakob Gruber authored
The regexp species protector was recently moved from the isolate onto the native context to avoid cross-context pollution of the regexp fast path state. The implementation was incomplete. We unconditionally used the isolate's current native context, but it is possible for the object we are looking at to come from a different context (= its creation context).

The fix is two-fold.

1. When speed is not too important (e.g. when invalidating the protector), grab the creation context off the object.
2. In the regexp fast path check, just document how our current solution is sufficient: although we may initially look at the wrong protector cell, we'd later bail out when comparing the object's map against the initial regexp map (stored on the current native context).

Bug: v8:9463
Change-Id: I653732b573f2dd456b3c6b723653dcacf9ead591
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776078
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63520}
1e88fece