[fastcall] Harden function AddAllSequenceSlowCallback

Make sure AddAllSequenceSlowCallback works on arrays where some
elements cannot be accessed.

Bug: chromium:1338877
Change-Id: Icdf61a305fb208a91832d03ebc47201d8941e41a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3778410
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81896}

src/d8/d8-test.cc

@@ -255,11 +255,15 @@ class FastCApiObject {
 
     Type sum = 0;
     for (uint32_t i = 0; i < length; ++i) {
-      v8::Local<v8::Value> element =
-          seq_arg
-              ->Get(isolate->GetCurrentContext(),
-                    v8::Integer::NewFromUnsigned(isolate, i))
-              .ToLocalChecked();
+      v8::MaybeLocal<v8::Value> maybe_element =
+          seq_arg->Get(isolate->GetCurrentContext(),
+                       v8::Integer::NewFromUnsigned(isolate, i));
+      if (maybe_element.IsEmpty()) {
+        isolate->ThrowError("invalid element in JSArray");
+        return;
+      }
+
+      v8::Local<v8::Value> element = maybe_element.ToLocalChecked();
       if (element->IsNumber()) {
         double value = element->ToNumber(isolate->GetCurrentContext())
                            .ToLocalChecked()

test/mjsunit/compiler/fast-api-sequences.js

@@ -318,3 +318,18 @@ for (let i = 0; i < 100; i++) {
 
   assert_throws_and_optimized(null_test, null);
 })();
+
+// Passing `null` instead of a TypedArray in a non-overloaded function.
+(function () {
+  function invalid_value() {
+    const arr = new Array(2);
+    Object.defineProperty(Array.prototype, 1, {
+      get() {
+        throw new 'get is called.';
+      }
+    });
+
+    fast_c_api.add_all_sequence(false /* should_fallback */, arr);
+  }
+  assertThrows(() => invalid_value());
+})();