[unittests] Fix use-after-free leak via compilation dependencies

Unittests may take compilation dependencies without committing them,
because no code object is ever created. This CL ensures that after each
unittest, all uncommitted dependencies are discarded. Without this,
the compilation dependencies leaks pointers to already freed C++ objects
between test-cases, which are then accessed after free if a unittest
invalidates the corresponding compilation dependency.

Bug: v8:851886
Change-Id: I55d989c42d45f5d713613bc1d3f86e00bd1b8d21
Reviewed-on: https://chromium-review.googlesource.com/1113313
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53998}

src/compilation-dependencies.h

@@ -15,7 +15,7 @@ namespace internal {
 
 // Collects dependencies for this compilation, e.g. assumptions about
 // stable maps, constant globals, etc.
-class CompilationDependencies {
+class V8_EXPORT_PRIVATE CompilationDependencies {
  public:
   CompilationDependencies(Isolate* isolate, Zone* zone)
       : isolate_(isolate),

test/unittests/compiler/js-call-reducer-unittest.cc

@@ -57,6 +57,11 @@ class JSCallReducerTest : public TypedGraphTest {
     i::FLAG_lazy_handler_deserialization = old_flag_lazy_handler_;
   }
 
+  // Ensure uncommitted compilation dependencies are discarded after each test.
+  // This prevents use-after-free accesses through invalidation of compilation
+  // dependencies.
+  void TearDown() override { deps_.Rollback(); }
+
   Node* GlobalFunction(const char* name) {
     Handle<JSFunction> f = Handle<JSFunction>::cast(
         Object::GetProperty(