[crankshaft] Pass new.target to direct function calls.

src/crankshaft/x64/lithium-codegen-x64.cc

Index: src/crankshaft/x64/lithium-codegen-x64.cc
diff --git a/src/crankshaft/x64/lithium-codegen-x64.cc b/src/crankshaft/x64/lithium-codegen-x64.cc
index d6ad87be1cfba70300ae7dc58e5b8cb053f7e69b..010fdbc86f9a8af00d5d55c5a25825f94519642d 100644
--- a/src/crankshaft/x64/lithium-codegen-x64.cc
+++ b/src/crankshaft/x64/lithium-codegen-x64.cc
@@ -3368,7 +3368,8 @@ void LCodeGen::CallKnownFunction(Handle<JSFunction> function,
     // Change context.
     __ movp(rsi, FieldOperand(function_reg, JSFunction::kContextOffset));
 
-    // Always initialize rax to the number of actual arguments.
+    // Always initialize new target and number of actual arguments.
+    __ LoadRoot(rdx, Heap::kUndefinedValueRootIndex);
     __ Set(rax, arity);
 
     // Invoke function.
@@ -3432,11 +3433,13 @@ void LCodeGen::DoCallJSFunction(LCallJSFunction* instr) {
   DCHECK(ToRegister(instr->function()).is(rdi));
   DCHECK(ToRegister(instr->result()).is(rax));
 
-  __ Set(rax, instr->arity());
-
   // Change context.
   __ movp(rsi, FieldOperand(rdi, JSFunction::kContextOffset));
 
+  // Always initialize new target and number of actual arguments.
+  __ LoadRoot(rdx, Heap::kUndefinedValueRootIndex);
+  __ Set(rax, instr->arity());
+
   LPointerMap* pointers = instr->pointer_map();
   SafepointGenerator generator(this, pointers, Safepoint::kLazyDeopt);