[heap] Fix handling of JSApiObjects in concurrent marking thread.

Now the concurrent marker pushes these objects in the bailout worklist
so that the main thread can perform wrapper tracing.

BUG=chromium:694255

Change-Id: I64f194334458fbabf16a63a8ae570456cb5fee19
Reviewed-on: https://chromium-review.googlesource.com/574603
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46716}

src/heap/concurrent-marking.cc

@@ -99,7 +99,18 @@ class ConcurrentMarkingVisitor final
   }
 
   int VisitJSApiObject(Map* map, JSObject* object) {
-    return VisitJSObject(map, object);
+    if (ObjectMarking::IsGrey<AccessMode::ATOMIC>(object,
+                                                  marking_state(object))) {
+      int size = JSObject::BodyDescriptor::SizeOf(map, object);
+      VisitMapPointer(object, object->map_slot());
+      // It is OK to iterate body of JS API object here because they do not have
+      // unboxed double fields.
+      DCHECK(map->HasFastPointerLayout());
+      JSObject::BodyDescriptor::IterateBody(object, size, this);
+      // The main thread will do wrapper tracing in Blink.
+      bailout_.Push(object);
+    }
+    return 0;
   }
 
   // ===========================================================================