[Backport] CVE-2021-30563: Type Confusion in V8

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3027260:
Merged: [compiler] Fix a bug in CodeGenerator::AddTranslationForOperand

(cherry picked from commit 374354bfe4a30740b96936b33e522d6fcd1cda67)

Bug: chromium:1228407
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I358d8736b7b5f87300496cbb39a7689d8207d85f
Bot-Commit: Rubber Stamper <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.1@{#77}
Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Michal Klocek <[email protected]>

Author: GeorgNeis

chromium/v8/src/compiler/backend/code-generator.cc

@@ -1306,7 +1306,8 @@ void CodeGenerator::AddTranslationForOperand(Translation* translation,
       default:
         UNREACHABLE();
     }
-    if (literal.object().equals(info()->closure())) {
+    if (literal.object().equals(info()->closure()) &&
+        info()->function_context_specializing()) {
       translation->StoreJSFrameFunction();
     } else {
       int literal_id = DefineDeoptimizationLiteral(literal);