[TurboFan] Fix JSNativeContextSpecialization::InferReceiverMap

Before the fix it checked whether the initial map of the base constructor pointed back to the new target. That's only true if initial_map->new_target_is_base() (new.target == target). Now it properly checks that the initial map of the original constructor (new.target) was created in combination with target by checking back that new.target->initial_map()->constructor() == target.

BUG=

Review-Url: https://codereview.chromium.org/2621303003
Cr-Commit-Position: refs/heads/master@{#42263}

src/compiler/js-native-context-specialization.cc

@@ -1835,11 +1835,11 @@ MaybeHandle<Map> JSNativeContextSpecialization::InferReceiverMap(Node* receiver,
     HeapObjectMatcher mtarget(m.InputAt(0));
     HeapObjectMatcher mnewtarget(m.InputAt(1));
     if (mtarget.HasValue() && mnewtarget.HasValue()) {
-      Handle<JSFunction> constructor =
-          Handle<JSFunction>::cast(mtarget.Value());
-      if (constructor->has_initial_map()) {
-        Handle<Map> initial_map(constructor->initial_map(), isolate());
-        if (initial_map->constructor_or_backpointer() == *mnewtarget.Value()) {
+      Handle<JSFunction> original_constructor =
+          Handle<JSFunction>::cast(mnewtarget.Value());
+      if (original_constructor->has_initial_map()) {
+        Handle<Map> initial_map(original_constructor->initial_map(), isolate());
+        if (initial_map->constructor_or_backpointer() == *mtarget.Value()) {
           // Walk up the {effect} chain to see if the {receiver} is the
           // dominating effect and there's no other observable write in
           // between.