Fix an early dereference in ReplacementStringBuilder

This fixes an early handle dereference before a potential allocation
in ReplacementStringBuilder.

Bug: chromium:935101
Change-Id: I03cf2b18b577a38af818dcc42f7c430faba23450
Reviewed-on: https://chromium-review.googlesource.com/c/1485831Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59811}

src/string-builder-inl.h

@@ -103,7 +103,7 @@ class ReplacementStringBuilder {
   }
 
  private:
-  void AddElement(Object element);
+  void AddElement(Handle<Object> element);
   void EnsureCapacity(int elements);
 
   Heap* heap_;

src/string-builder.cc

@@ -180,7 +180,7 @@ void ReplacementStringBuilder::EnsureCapacity(int elements) {
 void ReplacementStringBuilder::AddString(Handle<String> string) {
   int length = string->length();
   DCHECK_GT(length, 0);
-  AddElement(*string);
+  AddElement(string);
   if (!string->IsOneByteRepresentation()) {
     is_one_byte_ = false;
   }
@@ -221,10 +221,11 @@ MaybeHandle<String> ReplacementStringBuilder::ToString() {
   return joined_string;
 }
 
-void ReplacementStringBuilder::AddElement(Object element) {
+void ReplacementStringBuilder::AddElement(Handle<Object> element) {
   DCHECK(element->IsSmi() || element->IsString());
   EnsureCapacity(1);
-  array_builder_.Add(element);
+  DisallowHeapAllocation no_gc;
+  array_builder_.Add(*element);
 }
 
 IncrementalStringBuilder::IncrementalStringBuilder(Isolate* isolate)