[crankshaft] Prevent inlining of new.target functions.

This moves the bailout for functions containing new.target variable to
the correct place so that Crankshaft doesn't accidentally inline such
functions, yielding an "undefined" new.target value all the time.

R=bmeurer@chromium.org
TEST=mjsunit/es6/regress/regress-inlined-new-target

Review URL: https://codereview.chromium.org/1484163003

Cr-Commit-Position: refs/heads/master@{#32468}

src/crankshaft/hydrogen.cc

@@ -8381,6 +8381,13 @@ bool HOptimizedGraphBuilder::TryInline(Handle<JSFunction> target,
     }
   }
 
+  // Unsupported variable references present.
+  if (function->scope()->this_function_var() != nullptr ||
+      function->scope()->new_target_var() != nullptr) {
+    TraceInline(target, caller, "target uses new target or this function");
+    return false;
+  }
+
   // All declarations must be inlineable.
   ZoneList<Declaration*>* decls = target_info.scope()->declarations();
   int decl_count = decls->length();

test/mjsunit/es6/regress/regress-inlined-new-target.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function g() { return { val: new.target }; }
+function f() { return (new g()).val; }
+
+assertEquals(g, f());
+assertEquals(g, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(g, f());