Add young generation check to PretenureAllocationSite

PretenureAllocationSite didn't check whether the given object is in new
space or not. Once given an object in old space, PretenureAllocationSite
tried to find a memento for it which didn't exist and crashed.

This CL adds a bailout for objects not in new space as there is no
memento and nothing to be done.

Bug: chromium:1244333
Change-Id: Ic26a6f5994ef9942decda69bb8a23fb730bf945c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140604Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76656}

src/runtime/runtime-test.cc

@@ -1095,6 +1095,11 @@ RUNTIME_FUNCTION(Runtime_PretenureAllocationSite) {
   JSObject object = JSObject::cast(arg);
 
   Heap* heap = object.GetHeap();
+  if (!heap->InYoungGeneration(object)) {
+    // Object is not in new space, thus there is no memento and nothing to do.
+    return ReturnFuzzSafe(ReadOnlyRoots(isolate).false_value(), isolate);
+  }
+
   AllocationMemento memento =
       heap->FindAllocationMemento<Heap::kForRuntime>(object.map(), object);
   if (memento.is_null())