Fix bug in environment simulation after inlined call-as-function.

Fix bug in environment simulation after inlined call-as-function.

This change is based on my previous change enabling inlining calls-as-function
fixing the bugs related to deoptimization.

The function value on top of the environment was dropped too late in the old code.
As a result we could get a wrong value on top after deoptimization.

This change includes r9619. It was reverted because of test failures that are fixed
with this patch.
Committed: http://code.google.com/p/v8/source/detail?r=9758

[fschneider, 2011-10-20 15:25:47]

This is based on r9619 which had tests failing. I added a reliable reproduction
as a unit test.

The plan is to land this together with my previous change that enabled inlining
calls-as-function.

Right now, wiring the exits of inlined functions and fixing up the environment
is distributed in many places. Maybe we can find a way to do this in one place
instead.

[Kevin Millikin (Chromium), 2011-10-21 09:23:41]

OK, but it's impossible to know it's actually correct at all sites.  Let us put
it in to fix the issue, but I have an idea:

The caller-drop function has been a problem for various reasons.  I wonder if it
would be simpler to change the CallFunction stub to (a) call, not tail call, the
function (so the stub has to have its own frame) and (b) act as an adaptor to
drop the extra argument.

We could have another version of the stub for Crankshaft that just took the
function in edi with no need to drop it or emit it in PushArgument to push it
out to the stub.