[heap] Clear invalidated slots when aborting compaction

When evacuation is aborted for a page, objects at the beginning of a
page might have been evacuated. In addition to deleting recorded slots
for this area, evacuated objects need to be removed from the set of
invalidated objects since those objects store a forwarding pointer in
their map word. Calls to Size() and IsValidSlot() in the subsequent
"pointers updating"-phase would fail without a valid map pointer.

Bug: chromium:1012081
Change-Id: I15df6f6840cbecf019437562190d4fc1f3b6e368
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1852764Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64221}

src/heap/mark-compact.cc

@@ -3796,6 +3796,14 @@ void MarkCompactCollector::PostProcessEvacuationCandidates() {
                                            SlotSet::FREE_EMPTY_BUCKETS);
     RememberedSet<OLD_TO_NEW>::RemoveRangeTyped(page, page->address(),
                                                 failed_object.address());
+
+    // Remove invalidated slots.
+    if (failed_object.address() > page->area_start()) {
+      InvalidatedSlotsCleanup old_to_new_cleanup =
+          InvalidatedSlotsCleanup::OldToNew(page);
+      old_to_new_cleanup.Free(page->area_start(), failed_object.address());
+    }
+
     // Recompute live bytes.
     LiveObjectVisitor::RecomputeLiveBytes(page, non_atomic_marking_state());
     // Re-record slots.