cppgc-js: Reset buffered allocation counter before reporting to V8

Reporting to V8 may trigger GCs and thus also synchronously invoke
callbacks. Since such callbacks may allocate they can add to
allocated bytes. If the counter is reset after the call to the GC,
then those bytes are not properly recorded anywhere and can trigger an
underflow in case they are explicitly freed later on.

Bug: chromium:1056170
Change-Id: Id384eaeffa129e5b75f6ca16d43eb1c89e0fffec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891838Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74532}

src/heap/cppgc-js/cpp-heap.cc

@@ -428,12 +428,17 @@ void CppHeap::ReportBufferedAllocationSizeIfPossible() {
     return;
   }
 
-  if (buffered_allocated_bytes_ < 0) {
-    DecreaseAllocatedSize(static_cast<size_t>(-buffered_allocated_bytes_));
+  // The calls below may trigger full GCs that are synchronous and also execute
+  // epilogue callbacks. Since such callbacks may allocate, the counter must
+  // already be zeroed by that time.
+  const int64_t bytes_to_report = buffered_allocated_bytes_;
+  buffered_allocated_bytes_ = 0;
+
+  if (bytes_to_report < 0) {
+    DecreaseAllocatedSize(static_cast<size_t>(-bytes_to_report));
   } else {
-    IncreaseAllocatedSize(static_cast<size_t>(buffered_allocated_bytes_));
+    IncreaseAllocatedSize(static_cast<size_t>(bytes_to_report));
   }
-  buffered_allocated_bytes_ = 0;
 }
 
 void CppHeap::CollectGarbageForTesting(