[heap] Marker needs to take snapshot first and then try to mark object

The concurrent marker needs to first read the object's content into a
buffer. Only then the marker can try to mark the object black, if this
succeeds the content in the snapshot is valid. If not, the main thread
has changed the layout of the object concurrently.

Change-Id: Ia8bb26953ee78771baf6d4e67af5f86ee3fe8095
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2933142Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74924}

src/heap/concurrent-marking.cc

@@ -260,11 +260,11 @@ class ConcurrentMarkingVisitor final
 
   template <typename T>
   int VisitFullyWithSnapshot(Map map, T object) {
-    if (!ShouldVisit(object)) return 0;
     using TBodyDescriptor = typename T::BodyDescriptor;
     int size = TBodyDescriptor::SizeOf(map, object);
     const SlotSnapshot& snapshot =
         MakeSlotSnapshot<T, TBodyDescriptor>(map, object, size);
+    if (!ShouldVisit(object)) return 0;
     VisitPointersInSnapshot(object, snapshot);
     return size;
   }