src: fix crash when reading length on Storage.prototype

[3zrv]

Fixes #63514

The following one-liner reliably segfaults:

$ node -e 'globalThis.sessionStorage.setItem.length;globalThis.Storage.prototype.length'
[1]    42883 segmentation fault (core dumped)

Stack trace:

#0  sqlite3LockAndPrepare ()
#1  sqlite3_prepare_v2 ()
#2  node::webstorage::Storage::Length ()
#3  node::webstorage::StorageLengthGetter ()

Root cause

Storage's length accessor is defined on the prototype template:

Local<FunctionTemplate> length_getter =
    FunctionTemplate::New(isolate, StorageLengthGetter);   // no signature
ctor_tmpl->PrototypeTemplate()->SetAccessorProperty(env->length_string(), ...);

Fix

Create the getter's FunctionTemplate with a v8::Signature bound to the Storage constructor template, exactly as the methods do. V8 now rejects an incompatible receiver with a TypeError: Illegal invocation before the C++ callback runs matching browser behavior instead of crashing. Real localStorage/sessionStorage instances are unaffected.

[aduh95]

Suggested change

	test('reading "length" on Storage.prototype throws instead of crashing', async () => {
	// Refs: the `length` getter is defined on Storage.prototype but used to lack
	// a signature, so accessing it on the prototype (not a real Storage instance)
	// unwrapped a non-Storage object and segfaulted.
	const cp = await spawnPromisified(process.execPath, [
	'-e',
	'globalThis.sessionStorage.setItem.length;globalThis.Storage.prototype.length',
	]);
	assert.strictEqual(cp.signal, null);
	assert.strictEqual(cp.code, 1);
	assert.strictEqual(cp.stdout, '');
	assert.match(cp.stderr, /Illegal invocation/);
	});
	test('calling "length" getter on invalid this throws', async () => {
	assert.throws(() => Storage.prototype.length, TypeError);
	const { get } = Object.getOwnPropertyDescriptor(Storage.prototype, 'length');
	for (const thisArg of [null, undefined, 1n, -0, NaN, true, false, '', [], {}, Symbol()]) {
	assert.throws(() => get.call(thisArg), TypeError);
	}
	});