The C++ code uses the A instruction key for return address signing,
which is the default for Clang and GCC when the -mbranch-protection
option is used (although this can be configured to use the B key).

Using the B key for JS means that it's not possible to use an A key
signing gadget to replace a return address signed with the B key and
vice-versa. This should offer a degree of separation from the C++ side.

Bug: v8:10026
Change-Id: Ia9dcc7ae7096c96b4a271efbe25fc02940f6fc8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2242953Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#68360}