Change CreationContext handling of JSBoundFunctions

This attaches a constructor to the bound function map so we can identify the creation context using the map, it chooses the bound-function map from the same realm as the target's creation context (additionally to avoid memory leaks and unnecessary transitions), and finally drops the loop unwrapping bound functions in GetCreationContext.

Bug: 
Change-Id: Icb6f4c29287f9cba69f11afbd070f52c0ad1aa16
Reviewed-on: https://chromium-review.googlesource.com/738097Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48956}

src/bootstrapper.cc

@@ -3405,6 +3405,7 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
     Handle<Map> map =
         factory->NewMap(JS_BOUND_FUNCTION_TYPE, JSBoundFunction::kSize,
                         TERMINAL_FAST_ELEMENTS_KIND, 0);
+    map->SetConstructor(native_context()->object_function());
     map->set_is_callable();
     Map::SetPrototype(map, empty_function);
 

src/factory.cc

@@ -2432,6 +2432,9 @@ MaybeHandle<JSBoundFunction> Factory::NewJSBoundFunction(
       isolate(), prototype,
       JSReceiver::GetPrototype(isolate(), target_function), JSBoundFunction);
 
+  SaveContext save(isolate());
+  isolate()->set_context(*target_function->GetCreationContext());
+
   // Create the [[BoundArguments]] for the result.
   Handle<FixedArray> bound_arguments;
   if (bound_args.length() == 0) {

src/objects.cc

@@ -3675,9 +3675,6 @@ Handle<String> JSReceiver::GetConstructorName(Handle<JSReceiver> receiver) {
 
 Handle<Context> JSReceiver::GetCreationContext() {
   JSReceiver* receiver = this;
-  while (receiver->IsJSBoundFunction()) {
-    receiver = JSBoundFunction::cast(receiver)->bound_target_function();
-  }
   // Externals are JSObjects with null as a constructor.
   DCHECK(!receiver->IsExternal());
   Object* constructor = receiver->map()->GetConstructor();