[heap] Invalidate objects unconditionally

InvalidateRecordedSlots needs to invalidate old-to new objects
unconditionally. Checking slot_set_[OLD_TO_NEW] is not enough, since the
sweeping_slot_set_ could still contain slots.

ClearRecordedSlot in MigrateFastToFast is not necessary as well. This is
only required in DeleteObjectPropertyFast since we might potentially
shrink the object.

Bug: chromium:1008301,chromium:1008046
Change-Id: If2c757a619b52d070825e4faadce7710eae61a07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1826717Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63985}

src/heap/spaces.cc

@@ -1558,11 +1558,7 @@ void MemoryChunk::InvalidateRecordedSlots(HeapObject object) {
     RegisterObjectWithInvalidatedSlots<OLD_TO_OLD>(object);
   }
 
-  heap()->MoveStoreBufferEntriesToRememberedSet();
-
-  if (slot_set_[OLD_TO_NEW] != nullptr) {
-    RegisterObjectWithInvalidatedSlots<OLD_TO_NEW>(object);
-  }
+  RegisterObjectWithInvalidatedSlots<OLD_TO_NEW>(object);
 }
 
 template bool MemoryChunk::RegisteredObjectWithInvalidatedSlots<OLD_TO_NEW>(

src/objects/js-objects.cc

@@ -2795,7 +2795,6 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
           index, HeapNumber::cast(value).value_as_bits());
       if (i < old_number_of_fields && !old_map->IsUnboxedDoubleField(index)) {
         // Transition from tagged to untagged slot.
-        heap->ClearRecordedSlot(*object, object->RawField(index.offset()));
         MemoryChunk* chunk = MemoryChunk::FromHeapObject(*object);
         chunk->InvalidateRecordedSlots(*object);
       } else {