[heap] Drop objects promoted into shared heap from marking worklist

Scavenger can promote objects into the shared heap. Since the scavenger
might also run while incremental marking is on, the promoted object
could already be stored in the marking worklist. When updating the
worklist after the scavenger, we need to remove entries with objects
promoted into the shared heap.

Bug: v8:11708, v8:12582
Change-Id: I4ccad74d23de7921e02adcdb04d2b4e46d9b3a4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452115Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79040}

src/heap/incremental-marking.cc

@@ -470,6 +470,11 @@ void IncrementalMarking::UpdateMarkingWorklistAfterScavenge() {
           HeapObject dest = map_word.ToForwardingAddress();
           DCHECK_IMPLIES(marking_state()->IsWhite(obj),
                          obj.IsFreeSpaceOrFiller());
+          if (dest.InSharedHeap()) {
+            // Object got promoted into the shared heap. Drop it from the client
+            // heap marking worklist.
+            return false;
+          }
           *out = dest;
           return true;
         } else if (Heap::InToPage(obj)) {