JS: Call graph improvements

[asgerf]

Does two things:

• Loosens the restriction for when to track objects with methods. Previously the object had to be an allocation site, now it can be any SourceNode other than this inside a constructor (functions stored on that are instead seen as instance methods).
• Improves detection of function-style classes, by looking for functions that are invoked with new.

The tracking of objects affects the call graph directly, and also contributes to the impliedReceiverStep, which causes the host object to flow into this in the body of method:

bar().foo = function() { 
  this; // <- value of bar() now flows here
}

Evaluation shows neutral performance and about 24k new call edges and a few new alerts. The alerts I've looked at are due new TP call edges.