cppgc: Unpoison memory before writing a free list sentinel

Free memory is marked as inaccessible, which means that it contains a
zap value and is poisoned in ASAN builds.

Before writing the unlinked sentinel, we must unpoison the memory
area in ASAN builds.

Bug: chromium:1056170
Change-Id: Ib253913cce7d62e1000d4b581bdeb13a1e19cc67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2232541
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68206}

src/heap/cppgc/free-list.cc

@@ -68,12 +68,17 @@ void FreeList::Add(FreeList::Block block) {
   if (block.size < sizeof(Entry)) {
     // Create wasted entry. This can happen when an almost emptied linear
     // allocation buffer is returned to the freelist.
+    // This could be SET_MEMORY_ACCESSIBLE. Since there's no payload, the next
+    // operating overwrites the memory completely, and we can thus avoid
+    // zeroing it out.
+    ASAN_UNPOISON_MEMORY_REGION(block.address, sizeof(HeapObjectHeader));
     new (block.address) HeapObjectHeader(size, kFreeListGCInfoIndex);
     return;
   }
 
-  // Make sure the freelist header is writable.
-  SET_MEMORY_ACCESIBLE(block.address, sizeof(Entry));
+  // Make sure the freelist header is writable. SET_MEMORY_ACCESSIBLE is not
+  // needed as we write the whole payload of Entry.
+  ASAN_UNPOISON_MEMORY_REGION(block.address, sizeof(Entry));
   Entry* entry = new (block.address) Entry(size);
   const size_t index = BucketIndexForSize(static_cast<uint32_t>(size));
   entry->Link(&free_list_heads_[index]);