[Intl] Use JSObject with null proto to prevent side effects

Previously, we created a JSObject with a non null prototype for an
internal object which isn't what we want as it casues side effects.

Bug: chromium:872514
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I3318044a03318f3d7099f3ba889450c651cea9e1
Reviewed-on: https://chromium-review.googlesource.com/1171186Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55062}

src/objects/intl-objects.cc

@@ -896,7 +896,7 @@ V8_WARN_UNUSED_RESULT MaybeHandle<JSObject> Intl::AvailableLocalesOf(
   Factory* factory = isolate->factory();
   std::set<std::string> results =
       Intl::GetAvailableLocales(StringToIcuService(service));
-  Handle<JSObject> locales = factory->NewJSObject(isolate->object_function());
+  Handle<JSObject> locales = factory->NewJSObjectWithNullProto();
 
   int32_t i = 0;
   for (auto iter = results.begin(); iter != results.end(); ++iter) {

test/intl/regress-8725514.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+Object.prototype.__defineGetter__('x', function () {
+    return -2147483648;
+  });
+
+var f = ["x-u-foo"];
+Intl.NumberFormat(f);