Fix GC unsafety in ToPropertyDescriptorFastPath

Reading an object property can allocate a HeapNumber (even with
unboxed double fields turned off: we still use MutableHeapNumbers
to store properties).

Bug: chromium:1049859
Change-Id: I82228ccb98403b3db82671743f51b2e23f6636d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2050385
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66218}

src/objects/property-descriptor.cc

@@ -60,7 +60,6 @@ bool ToPropertyDescriptorFastPath(Isolate* isolate, Handle<JSReceiver> obj,
       Handle<DescriptorArray>(map.instance_descriptors(), isolate);
   for (InternalIndex i : map.IterateOwnDescriptors()) {
     PropertyDetails details = descs->GetDetails(i);
-    Name key = descs->GetKey(i);
     Handle<Object> value;
     if (details.location() == kField) {
       if (details.kind() == kData) {
@@ -83,6 +82,7 @@ bool ToPropertyDescriptorFastPath(Isolate* isolate, Handle<JSReceiver> obj,
         return false;
       }
     }
+    Name key = descs->GetKey(i);
     ReadOnlyRoots roots(isolate);
     if (key == roots.enumerable_string()) {
       desc->set_enumerable(value->BooleanValue(isolate));