[Backport] CVE-2024-7550: Type Confusion in V8

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5741275:
[maglev] Consider WasmStruct in InferHasInPrototypeChain

Fixed: 355256380
Change-Id: I0d82c1a723685cf4c1a093ed9e8eb8190502fce8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5741275
Commit-Queue: Leszek Swirski <[email protected]>
Auto-Submit: Victor Gomes <[email protected]>
Reviewed-by: Leszek Swirski <[email protected]>
Cr-Commit-Position: refs/heads/main@{#95271}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/582139
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: victorgomes

chromium/v8/src/maglev/maglev-graph-builder.cc

@@ -7428,7 +7428,9 @@ MaglevGraphBuilder::InferHasInPrototypeChain(
       // might be a different object each time, so it's much simpler to include
       // {prototype}. That does, however, mean that we must check {prototype}'s
       // map stability.
-      if (!prototype.map(broker()).is_stable()) return kMayBeInPrototypeChain;
+      if (!prototype.IsJSObject() || !prototype.map(broker()).is_stable()) {
+        return kMayBeInPrototypeChain;
+      }
       last_prototype = prototype.AsJSObject();
     }
     broker()->dependencies()->DependOnStablePrototypeChains(