deps: V8: cherry-pick 1e35f6472510

Original commit message:

    [LTS-M86][builtins] Harden Array.prototype.concat.

    Defence in depth patch to prevent JavaScript from executing
    from within IterateElements.

    R=​[email protected]
    R=​[email protected]

    (cherry picked from commit 8284359ed0607e452a4dda2ce89811fb019b4aaa)

    No-Try: true
    No-Presubmit: true
    No-Tree-Checks: true
    Bug: chromium:1195977
    Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819941
    Reviewed-by: Camillo Bruni <[email protected]>
    Reviewed-by: Igor Sheludko <[email protected]>
    Commit-Queue: Igor Sheludko <[email protected]>
    Cr-Original-Commit-Position: refs/heads/master@{#73898}
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821961
    Commit-Queue: Jana Grill <[email protected]>
    Reviewed-by: Victor-Gabriel Savu <[email protected]>
    Cr-Commit-Position: refs/branch-heads/8.6@{#76}
    Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
    Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

Refs: v8/v8@1e35f64

PR-URL: #38275
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Shelley Vohr <[email protected]>

Author: targos

common.gypi

@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.50',
+    'v8_embedder_string': '-node.51',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/AUTHORS

@@ -67,6 +67,7 @@ Ben Newman <[email protected]>
 Ben Noordhuis <[email protected]>
 Benjamin Tan <[email protected]>
 Bert Belder <[email protected]>
+Brendon Tiszka <[email protected]>
 Burcu Dogan <[email protected]>
 Caitlin Potter <[email protected]>
 Craig Schlenter <[email protected]>

deps/v8/src/builtins/builtins-array.cc

@@ -1080,6 +1080,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
     case HOLEY_SEALED_ELEMENTS:
     case HOLEY_NONEXTENSIBLE_ELEMENTS:
     case HOLEY_ELEMENTS: {
+      // Disallow execution so the cached elements won't change mid execution.
+      DisallowJavascriptExecution no_js(isolate);
+
       // Run through the elements FixedArray and use HasElement and GetElement
       // to check the prototype for missing elements.
       Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate);
@@ -1106,6 +1109,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
     }
     case HOLEY_DOUBLE_ELEMENTS:
     case PACKED_DOUBLE_ELEMENTS: {
+      // Disallow execution so the cached elements won't change mid execution.
+      DisallowJavascriptExecution no_js(isolate);
+
       // Empty array is FixedArray but not FixedDoubleArray.
       if (length == 0) break;
       // Run through the elements FixedArray and use HasElement and GetElement
@@ -1142,6 +1148,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
     }
 
     case DICTIONARY_ELEMENTS: {
+      // Disallow execution so the cached dictionary won't change mid execution.
+      DisallowJavascriptExecution no_js(isolate);
+
       Handle<NumberDictionary> dict(array->element_dictionary(), isolate);
       std::vector<uint32_t> indices;
       indices.reserve(dict->Capacity() / 2);