The heap verifier does certain invariant checks on JSBoundFunction
objects, i.e. it assumes that the bound_target_function is a proper
JSReceiver. The Deoptimizer cannot maintain this invariant, because it
first allocates the JSBoundFunction in an invalid state and only
afterwards fix up the state. But the GC (and thus the heap verifier)
can observe this invalid state why materializing field values, so
we need to relax the verification slightly.

BUG=chromium:729573,chromium:732176
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2933283002
Cr-Commit-Position: refs/heads/master@{#45988}