[heap] Bailout in top frame visitor for references into client heaps

Unlike regular marking code we can encounter client references in a
shared GC, so we need a bail out here as well.

Bug: v8:11708, v8:12647
Change-Id: Ie5ccb66206a8dca7d7bb08c75c90ce4999ed5a78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3483663Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79241}

src/heap/mark-compact.cc

@@ -1180,7 +1180,12 @@ class MarkCompactCollector::CustomRootBodyMarkingVisitor final
   V8_INLINE void MarkObject(HeapObject host, Object object) {
     if (!object.IsHeapObject()) return;
     HeapObject heap_object = HeapObject::cast(object);
-    if (!collector_->is_shared_heap() && heap_object.InSharedHeap()) return;
+    // We use this visitor both in client and shared GCs. The client GC should
+    // not mark objects in the shared heap. In shared GCs we are marking each
+    // client's top stack frame, so it is actually legal to encounter references
+    // into the client heap here in a shared GC. We need to bail out in these
+    // cases as well.
+    if (collector_->is_shared_heap() != heap_object.InSharedHeap()) return;
     collector_->MarkObject(host, heap_object);
   }