[runtime] Use the correct generic construct stub based on harmony flags

We hardcoded this accidentally in the original CL for the turbofan case,
instead we need to call JSConstructStubGeneric() which will return the
correct construct stub based on the harmony_restrict_constructor_return
flag.

Bug: chromium:829899
Change-Id: I6776a5daebd57d8881d926ad68595141312a877d
Reviewed-on: https://chromium-review.googlesource.com/1001893
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52470}

src/compiler/js-typed-lowering.cc

@@ -1577,10 +1577,9 @@ Reduction JSTypedLowering::ReduceJSConstruct(Node* node) {
     // Patch {node} to an indirect call via the {function}s construct stub.
     bool use_builtin_construct_stub = shared->construct_as_builtin();
 
-    Handle<Code> code =
-        use_builtin_construct_stub
-            ? BUILTIN_CODE(isolate(), JSBuiltinsConstructStub)
-            : BUILTIN_CODE(isolate(), JSConstructStubGenericUnrestrictedReturn);
+    Handle<Code> code = use_builtin_construct_stub
+                            ? BUILTIN_CODE(isolate(), JSBuiltinsConstructStub)
+                            : isolate()->builtins()->JSConstructStubGeneric();
 
     node->RemoveInput(arity + 1);
     node->InsertInput(graph()->zone(), 0, jsgraph()->HeapConstant(code));

test/mjsunit/regress/regress-829889.js

@@ -0,0 +1,17 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-restrict-constructor-return --always-opt
+
+class Base {
+  constructor(x) {
+    return x;
+  }
+}
+class Derived extends Base {
+  constructor(use, x) {
+    super(use, x);
+  }
+}
+assertThrows(() => new Derived(true, 5), TypeError);