[Backport] CVE-2023-6702: Type Confusion in V8

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5110982:
[M114-LTS][promises, async stack traces] Fix the case when the closure has run

M114 changes:
- replace IsNativeContext(*context) by context->IsNativeContext()

We were using the closure pointing to NativeContext as a marker that the
closure has run, but async stack trace code was confused about it.

(cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f)

Bug: chromium:1501326
Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083
Cr-Original-Commit-Position: refs/heads/main@{#90949}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982
Commit-Queue: Marja Hölttä <[email protected]>
Auto-Submit: Marja Hölttä <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#18}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
(cherry picked from commit cbd09b2ca928f1fd929ef52e173aa81213e38cb8)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526232
Reviewed-by: Michal Klocek <[email protected]>

Author: zakharvoit

chromium/v8/src/execution/isolate.cc

@@ -944,7 +944,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
       builder->AppendPromiseCombinatorFrame(function, combinator,
                                             FrameArray::kIsPromiseAll, context);
 
-      // Now peak into the Promise.all() resolve element context to
+      if (context->IsNativeContext()) {
+        // NativeContext is used as a marker that the closure was already
+        // called. We can't access the reject element context any more.
+        return;
+      }
+
+      // Now peek into the Promise.all() resolve element context to
       // find the promise capability that's being resolved when all
       // the concurrent promises resolve.
       int const index =
@@ -963,7 +969,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
       builder->AppendPromiseCombinatorFrame(function, combinator,
                                             FrameArray::kIsPromiseAny, context);
 
-      // Now peak into the Promise.any() reject element context to
+      if (context->IsNativeContext()) {
+        // NativeContext is used as a marker that the closure was already
+        // called. We can't access the reject element context any more.
+        return;
+      }
+
+      // Now peek into the Promise.any() reject element context to
       // find the promise capability that's being resolved when any of
       // the concurrent promises resolve.
       int const index = PromiseBuiltins::kPromiseAnyRejectElementCapabilitySlot;