[heap-profiler] Fix a crash in NativeObjectsExplorer.

The crash happens while adding an embedder edge. The |from| heap entry
can be invalidated when the |to| heap entry is added to the snapshot.

This happens because heap entries are pointers into the std::vector
backing store.

Bug: chromium:813515
Change-Id: I6a61bb3fc383a272887925c5da163766d23a0606
Reviewed-on: https://chromium-review.googlesource.com/926525
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51455}

src/profiler/heap-snapshot-generator.cc

@@ -2218,12 +2218,16 @@ bool NativeObjectsExplorer::IterateAndExtractReferences(
     // Fill edges of the graph.
     for (const auto& edge : graph.edges()) {
       HeapEntry* from = EntryForEmbedderGraphNode(edge.from);
-      HeapEntry* to = EntryForEmbedderGraphNode(edge.to);
       // The |from| and |to| can nullptr if the corrsponding node is a V8 node
       // pointing to a Smi.
-      if (from && to) {
+      if (!from) continue;
+      // Adding an entry for |edge.to| can invalidate the |from| entry because
+      // it is an address in std::vector. Use index instead of pointer.
+      int from_index = from->index();
+      HeapEntry* to = EntryForEmbedderGraphNode(edge.to);
+      if (to) {
         filler_->SetIndexedAutoIndexReference(HeapGraphEdge::kElement,
-                                              from->index(), to);
+                                              from_index, to);
       }
     }
   } else {