Fix cluster-fuzz regression with Workers and recursive serialization

Shell::SerializeValue was using a HandleScope, but was also storing Handles in
an ObjectList. The ObjectList handles would persist after the function had
returned, but will have already been destroyed by the HandleScope, so there is
a use-after-free.

This change removes the HandleScope in Shell::SerializeValue and relies on the
caller's HandleScope.

BUG=chromium:503968
R=jochen@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1211433003

Cr-Commit-Position: refs/heads/master@{#29265}

src/d8.cc

@@ -1972,7 +1972,6 @@ bool Shell::SerializeValue(Isolate* isolate, Handle<Value> value,
                            ObjectList* seen_objects,
                            SerializationData* out_data) {
   DCHECK(out_data);
-  HandleScope scope(isolate);
   Local<Context> context = isolate->GetCurrentContext();
 
   if (value->IsUndefined()) {

test/mjsunit/regress/regress-crbug-503968.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  function __f_0() { this.s = new Object(); }
+  function __f_1() {
+    this.l = [new __f_0, new __f_0];
+  }
+  __v_6 = new __f_1;
+  function __f_4() {
+  }
+  var __v_9 = new Worker(__f_4);
+  __v_9.postMessage(__v_6);
+}