Jakob Gruber authored
This fixes a bug introduced in crrev.com/c/2717308. For JSArray holders, we must observe JSArray::length for bounds checks (in addition to elements.length). JSArray::length cannot reliably be read from the background thread; thus we do a best-effort read there, and verify the result during finalization through a new ArrayIndexIsInBoundsDependency.

Bug: v8:7790,chromium:1209444
Change-Id: I189df9f58043411ada62f32fe741d4729874d357
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2928509
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74904}
1ff04cca