heap: Fix concurrent double free of cross-thread node

https://crrev.com/695748 introduced an issue as the refactoring missed
out on preserving a crucial null check for already destructed nodes.

The problem is that we create a fast path by checking for whether a node
is initialized already outside of the lock but forgot to recheck after
we entered again. The check is put in FreeNode() to avoid repeated
atomic loads.

Bug: 1013915
Change-Id: Iffa5b982791ac8d239650499bcab355a3e2fa5ca
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1860022Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#705543}

third_party/blink/renderer/platform/heap/persistent_node.h

@@ -293,6 +293,14 @@ inline PersistentNode* CrossThreadPersistentRegion::AllocateNode(
 
 inline void CrossThreadPersistentRegion::FreeNode(PersistentNode* node) {
   PersistentMutexTraits<kCrossThreadPersistentConfiguration>::AssertAcquired();
+  // PersistentBase::UninitializeSafe opportunistically checks for uninitialized
+  // nodes to allow a fast path destruction of unused nodes. This check is
+  // performed without taking the lock that is required for processing a
+  // cross-thread node. After taking the lock the condition needs to checked
+  // again to avoid double-freeing a node because the node may have been
+  // concurrently freed by the garbage collector on another thread.
+  if (!node)
+    return;
   PersistentRegionBase::FreeNode(node);
 }