[Backport] CVE-2024-0517: Out of bounds write in V8

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5185558:
Merged: [maglev] Fix allocation folding in derived constructors

Bug: v8:7700
Fixed: chromium:1515930
(cherry picked from commit 78dd4b31847ab1f5b06ef3d8742a9f3835fb6919)

Change-Id: Ia5d80719f97a6676a778e46698ecd6f6999e90d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5185558
Auto-Submit: Leszek Swirski <[email protected]>
Commit-Queue: Victor Gomes <[email protected]>
Reviewed-by: Victor Gomes <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#30}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531978
Reviewed-by: Michal Klocek <[email protected]>

Author: LeszekSwirski

chromium/v8/src/maglev/maglev-graph-builder.cc

@@ -5144,6 +5144,7 @@ bool MaglevGraphBuilder::TryBuildFindNonDefaultConstructorOrConstruct(
           object = BuildAllocateFastObject(
               FastObject(new_target_function->AsJSFunction(), zone(), broker()),
               AllocationType::kYoung);
+          ClearCurrentRawAllocation();
         } else {
           object = BuildCallBuiltin<Builtin::kFastNewObject>(
               {GetConstant(current_function), new_target});