The first: we allocated within the argument list of a function call on
a handlified receiver. The allocation may trigger GC which leaves us
with a stale receiver reference.

The second: in generated code we triggered further allocations while
an uninitialized fixed array was live.

Bug: v8:8145
Change-Id: If59cab6274277534b2ff6463daa5863b8feae22c
Reviewed-on: https://chromium-review.googlesource.com/1213162Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55717}