[builtins] Add Object#toLocaleString stack check

Fixes a regression causing a seg fault instead of the
expected stack overflow.

Bug: chromium:796427, v8:6005
Change-Id: Ifc752a4009a25f447f5e87745dcc1bb83722c34e
Reviewed-on: https://chromium-review.googlesource.com/838854
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50265}

src/builtins/builtins-object-gen.cc

@@ -101,6 +101,8 @@ TF_BUILTIN(ObjectPrototypeToLocaleString, CodeStubAssembler) {
   TNode<Context> context = CAST(Parameter(Descriptor::kContext));
   TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
 
+  PerformStackCheck(context);
+
   Label if_null_or_undefined(this, Label::kDeferred);
   GotoIf(IsNullOrUndefined(receiver), &if_null_or_undefined);
 

test/mjsunit/regress/regress-796427.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --stack-size=150
+
+assertThrows(() => "" + { toString: Object.prototype.toLocaleString }, RangeError);