[Backport] CVE-2021-30598: Type Confusion in V8

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3084363:
Merged: [compiler] Harden JSCallReducer::ReduceArrayIteratorPrototypeNext

Revision: 65b20a0e65e1078f5dd230a5203e231bec790ab4

BUG=chromium:1234764
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=vahl@chromium.org

Change-Id: I45faf253695011092de144c8e29bafac5337adec
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/branch-heads/9.2@{#53}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

Author: GeorgNeis

chromium/v8/src/compiler/js-call-reducer.cc

@@ -5826,11 +5826,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
   Node* etrue = effect;
   Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
   {
-    // We know that the {index} is range of the {length} now.
+    // This extra check exists to refine the type of {index} but also to break
+    // an exploitation technique that abuses typer mismatches.
     index = etrue = graph()->NewNode(
-        common()->TypeGuard(
-            Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
-        index, etrue, if_true);
+        simplified()->CheckBounds(p.feedback(),
+                                  CheckBoundsFlag::kAbortOnOutOfBounds),
+        index, length, etrue, if_true);
 
     done_true = jsgraph()->FalseConstant();
     if (iteration_kind == IterationKind::kKeys) {