Make v8::TracedReference a root for Scavenger if tracing is in progress

This fixes a stale pointer in the following scenario:
1) We have a JS object A in the young generation of V8's heap.
2) A Blink object B points to A via v8::TracedReference.
3) Incremental unified heap GC starts.
4) A V8 Scavenge happens during the unified heap GC and discovers that
   object A is reachable only via the v8::TracedReference. It checks
   whether the object can be collected using IsRootForNonTracingGC,
   which returns false.
5) Object A is collected by the Scavenger and object B points to a free
   region (i.e. it has a stale pointer to V8's heap).
6) Object B is traced and the stale pointer is reported to V8 and
   added to V8's marking worklist.
7) Next Scavenge crashes when it tries to update the marking worklist.

Bug: 1019839
Change-Id: I6f5ae2e21273cdd3ea4150ceb0f70fe33eeb2614
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1893255
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#711268}

third_party/blink/renderer/platform/heap/unified_heap_controller.cc

@@ -146,6 +146,11 @@ bool UnifiedHeapController::IsTracingDone() {
 
 bool UnifiedHeapController::IsRootForNonTracingGC(
     const v8::TracedReference<v8::Value>& handle) {
+  if (!IsTracingDone()) {
+    // We have a non-tracing GC while unified GC is in progress. Treat all
+    // objects as roots to avoid stale pointers in the marking worklists.
+    return true;
+  }
   const uint16_t class_id = handle.WrapperClassId();
   // Stand-alone reference or kCustomWrappableId. Keep as root as
   // we don't know better.