[turbofan] Use correct lazy frame state for JSCreate.

If JSCreate (which corresponds to %NewObject) would ever trigger a lazy
deopt, we would deopt after the constructor call, skipping all the
initialization and what else in the constructor function, which is
wrong. Instead we can use the eager bailout point right before the
constructor function, because allocation is not observable and so we can
safely repeat the %NewObject in case of lazy bailout.

R=yangguo@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1530583004

Cr-Commit-Position: refs/heads/master@{#32880}

src/compiler/js-inlining.cc

@@ -445,9 +445,9 @@ Reduction JSInliner::ReduceJSCall(Node* node, Handle<JSFunction> function) {
       NeedsImplicitReceiver(function, info_->isolate())) {
     Node* effect = NodeProperties::GetEffectInput(node);
     Node* context = NodeProperties::GetContextInput(node);
-    Node* create = jsgraph_->graph()->NewNode(jsgraph_->javascript()->Create(),
-                                              call.target(), call.new_target(),
-                                              context, frame_state, effect);
+    Node* create = jsgraph_->graph()->NewNode(
+        jsgraph_->javascript()->Create(), call.target(), call.new_target(),
+        context, call.frame_state_before(), effect);
     NodeProperties::ReplaceEffectInput(node, create);
     // Insert a check of the return value to determine whether the return value
     // or the implicit receiver should be selected as a result of the call.