JS: Summarise store steps for type tracking

[asgerf]

For type-tracking, we currently have a simple summarization of functions in two cases:

• Induce a local step when a parameter is returned, and
• Induce a load step when a property of a parameter is returned.

This PR adds two more summaries:

• Induce a store step when a parameter is stored on the returned object.
• Induce a load-store step when a property of a parameter is stored on the returned object.

I ran two evaluations, both of which are fairly quiet. The new call edges seem valid.

• With store steps only
• With both steps