[deoptimizer] Fix JSFunction materialization instance size.

This ensures the JSFunction objects materialized by the deoptimizer have
the correct instance size (depending on the given map). There are corner
cases where the instance size might vary due to in-object properties.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-772610
BUG=chromium:772610

Change-Id: I4808c7260db1adbd1cdc3871c2a946475e4934f2
Reviewed-on: https://chromium-review.googlesource.com/707109
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48383}

src/deoptimizer.cc

@@ -3635,9 +3635,8 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
       return object;
     }
     case JS_FUNCTION_TYPE: {
-      Handle<JSFunction> object =
-          isolate_->factory()->NewFunctionFromSharedFunctionInfo(
-              handle(isolate_->object_function()->shared()),
+      Handle<JSFunction> object = isolate_->factory()->NewFunction(
+          map, handle(isolate_->object_function()->shared()),
           handle(isolate_->context()), NOT_TENURED);
       slot->value_ = object;
       // We temporarily allocated a JSFunction for the {Object} function

test/mjsunit/regress/regress-crbug-772610.js

@@ -0,0 +1,18 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap --expose-gc
+
+function f() {
+  var o = [{
+    [Symbol.toPrimitive]() {}
+  }];
+  %_DeoptimizeNow();
+  return o.length;
+}
+assertEquals(1, f());
+assertEquals(1, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(1, f());
+gc();