[array] Add stack overflow check for Array#flat

This CL adds a stack check to the TFS builtin "FlattenIntoArray" as it
is called recursively and can cause a SEGV with a large enough
"depth" argument.

R=jgruber@chromium.org

Bug: v8:8708
Change-Id: I833506531bcff1c4703b9a21678028cf0e63638d
Reviewed-on: https://chromium-review.googlesource.com/c/1424858
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58952}

src/builtins/builtins-array-gen.cc

@@ -3189,6 +3189,10 @@ TF_BUILTIN(FlattenIntoArray, ArrayFlattenAssembler) {
   Node* const start = Parameter(Descriptor::kStart);
   Node* const depth = Parameter(Descriptor::kDepth);
 
+  // FlattenIntoArray might get called recursively, check stack for overflow
+  // manually as it has stub linkage.
+  PerformStackCheck(CAST(context));
+
   Return(
       FlattenIntoArray(context, target, source, source_length, start, depth));
 }

test/mjsunit/regress/regress-8708.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack-size=100
+
+let array = new Array(1);
+array.splice(1, 0, array);
+
+assertThrows(() => array.flat(Infinity), RangeError);