Array.prototype.indexOf: Be more careful about handle creation.

The slow path in Runtime_ArrayIndexOf allocates handles in each
iteration over the input object. This CL gives each iteration its
own handle scope in order to avoid consuming more and more memory
the longer the loop runs.

This can be observed e.g. by executing
 console.log(new Proxy(new Array(2**30), {}).indexOf(42))
which used to run out of memory on my machine.

Bug: v8:8386
Change-Id: Idab98ef7e1e4047c21c1dc0e01ba2d3d363c1f09
Reviewed-on: https://chromium-review.googlesource.com/c/1309759
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57173}

src/runtime/runtime-array.cc

@@ -833,7 +833,7 @@ RUNTIME_FUNCTION(Runtime_ArrayIncludes_Slow) {
 }
 
 RUNTIME_FUNCTION(Runtime_ArrayIndexOf) {
-  HandleScope shs(isolate);
+  HandleScope hs(isolate);
   DCHECK_EQ(3, args.length());
   CONVERT_ARG_HANDLE_CHECKED(Object, search_element, 1);
   CONVERT_ARG_HANDLE_CHECKED(Object, from_index, 2);
@@ -911,6 +911,7 @@ RUNTIME_FUNCTION(Runtime_ArrayIndexOf) {
 
   // Otherwise, perform slow lookups for special receiver types
   for (; index < len; ++index) {
+    HandleScope iteration_hs(isolate);
     // Let elementK be the result of ? Get(O, ! ToString(k)).
     Handle<Object> element_k;
     {