[esnext] initialize native_context()->initial_async_generator_prototype

Fix an error overwriting the `prototype` property of async generator
functions when FLAG_enable_slow_asserts is enabled.

Previously, the `initial_async_generator_prototype` field was never
written to the native context, and was always undefined. This caused
some incorrect runtime behaviour, and would crash when loading the field
using the Context::initial_aysnc_generator_prototype accessor when
attempting to cast the Undefined oddball to a JSObject.

BUG=chromium:771470, v8:5855
R=adamk@chromium.org, verwaest@chromium.org, gsathya@chromium.org

Change-Id: I13f2a518c59852bc77c2de1f2468a4eea457609e
Reviewed-on: https://chromium-review.googlesource.com/700261Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#48291}

src/bootstrapper.cc

@@ -948,6 +948,8 @@ void Genesis::CreateAsyncIteratorMaps(Handle<JSFunction> empty) {
   // %AsyncGeneratorPrototype%
   JSObject::ForceSetPrototype(async_generator_object_prototype,
                               async_iterator_prototype);
+  native_context()->set_initial_async_generator_prototype(
+      *async_generator_object_prototype);
 
   JSObject::AddProperty(async_generator_object_prototype,
                         factory()->to_string_tag_symbol(),

test/mjsunit/harmony/regress/regress-771470.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --enable-slow-asserts
+
+async function* gen() { };
+gen.prototype = 1;