[compiler] Observe JSArray::length in GetOwnConstantElement

This fixes a bug introduced in crrev.com/c/2717308. For JSArray
holders, we must observe JSArray::length for bounds checks (in
addition to elements.length).

JSArray::length cannot reliably be read from the background thread;
thus we do a best-effort read there, and verify the result during
finalization through a new ArrayIndexIsInBoundsDependency.

Bug: v8:7790,chromium:1209444
Change-Id: I189df9f58043411ada62f32fe741d4729874d357
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2928509
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74904}

src/compiler/heap-refs.cc

@@ -3891,6 +3891,23 @@ base::Optional<ObjectRef> JSObjectRef::GetOwnConstantElement(
 
     DCHECK_LE(index, JSObject::kMaxElementIndex);
 
+    // See also ElementsAccessorBase::GetMaxIndex.
+    if (IsJSArray()) {
+      // For JSArrays we additionally need to check against JSArray::length.
+      // Length_unsafe is safe to use in this case since:
+      // - GetOwnConstantElement only detects a constant for JSArray holders if
+      //   the array is frozen/sealed.
+      // - Frozen/sealed arrays can't change length.
+      // - We've already seen a map with frozen/sealed elements_kinds (above);
+      // - The release-load of that map ensures we read the newest value
+      //   of `length` below.
+      uint32_t array_length;
+      if (!AsJSArray().length_unsafe().object()->ToArrayLength(&array_length)) {
+        return {};
+      }
+      if (index >= array_length) return {};
+    }
+
     Object maybe_element;
     auto result = ConcurrentLookupIterator::TryGetOwnConstantElement(
         &maybe_element, broker()->isolate(), broker()->local_isolate(),