LibJS: Do more comprehensive check if next() fast path is possible

Before this change each built-in iterator object has a boolean
`m_next_method_was_redefined`. If user code later changed the iterator’s
prototype (e.g. `Object.setPrototypeOf()`), we still believed the
built-in fast-path was safe and skipped the user supplied override,
producing wrong results.

With this change
`BuiltinIterator::as_builtin_iterator_if_next_is_not_redefined()` looks
up the current `next` property and verifies that it is still the
built-in native function.

Libraries/LibJS/Runtime/MapIterator.cpp

@@ -7,6 +7,7 @@
 #include <LibJS/Runtime/Array.h>
 #include <LibJS/Runtime/MapIterator.h>
 #include <LibJS/Runtime/MapIteratorPrototype.h>
+#include <LibJS/Runtime/NativeFunction.h>
 
 namespace JS {
 
@@ -23,8 +24,6 @@ MapIterator::MapIterator(Map& map, Object::PropertyKind iteration_kind, Object&
     , m_iteration_kind(iteration_kind)
     , m_iterator(static_cast<Map const&>(map).begin())
 {
-    auto& map_iterator_prototype = as<MapIteratorPrototype>(prototype);
-    m_next_method_was_redefined = map_iterator_prototype.next_method_was_redefined();
 }
 
 void MapIterator::visit_edges(Cell::Visitor& visitor)
@@ -33,6 +32,19 @@ void MapIterator::visit_edges(Cell::Visitor& visitor)
     visitor.visit(m_map);
 }
 
+BuiltinIterator* MapIterator::as_builtin_iterator_if_next_is_not_redefined(IteratorRecord const& iterator_record)
+{
+    if (iterator_record.next_method.is_object()) {
+        auto& next_function = iterator_record.next_method.as_object();
+        if (next_function.is_native_function()) {
+            auto const& native_function = static_cast<NativeFunction const&>(next_function);
+            if (native_function.is_map_prototype_next_builtin())
+                return this;
+        }
+    }
+    return nullptr;
+}
+
 ThrowCompletionOr<void> MapIterator::next(VM& vm, bool& done, Value& value)
 {
     if (m_done) {