[js weak refs] Several fixes

1) As found by the GC fuzzer: missing HandleScopes.

2) The RecordSlot barrier was missing for NativeContext::AddDirtyJSWeakFactory.

3) Need Context::Scope to surround the cleanup function (if it results in an
error, we try to get native_context() from Isolate).

BUG=v8:8179,v8:8286

Change-Id: I2d995a76770658848e3c9629333bedbc2ef43b82
Reviewed-on: https://chromium-review.googlesource.com/c/1273051Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56529}

src/contexts-inl.h

@@ -218,12 +218,21 @@ Map* Context::GetInitialJSArrayMap(ElementsKind kind) const {
   return Map::cast(initial_js_array_map);
 }
 
-void NativeContext::AddDirtyJSWeakFactory(JSWeakFactory* weak_factory,
-                                          Isolate* isolate) {
+void NativeContext::AddDirtyJSWeakFactory(
+    JSWeakFactory* weak_factory, Isolate* isolate,
+    std::function<void(HeapObject* object, Object** slot, Object* target)>
+        gc_notify_updated_slot) {
   DCHECK(dirty_js_weak_factories()->IsUndefined(isolate) ||
          dirty_js_weak_factories()->IsJSWeakFactory());
   weak_factory->set_next(dirty_js_weak_factories());
+  gc_notify_updated_slot(
+      weak_factory,
+      HeapObject::RawField(weak_factory, JSWeakFactory::kNextOffset),
+      dirty_js_weak_factories());
   set_dirty_js_weak_factories(weak_factory);
+  int offset = kHeaderSize + DIRTY_JS_WEAK_FACTORIES_INDEX * kPointerSize;
+  gc_notify_updated_slot(this, HeapObject::RawField(this, offset),
+                         weak_factory);
 }
 
 }  // namespace internal

src/contexts.h

@@ -640,9 +640,11 @@ class NativeContext : public Context {
   static inline NativeContext* cast(Object* context);
   // TODO(neis): Move some stuff from Context here.
 
-  // Add weak_factory into the dirty_weak_js_factories list.
-  inline void AddDirtyJSWeakFactory(JSWeakFactory* weak_factory,
-                                    Isolate* isolate);
+  // Add weak_factory into the dirty_js_weak_factories list.
+  inline void AddDirtyJSWeakFactory(
+      JSWeakFactory* weak_factory, Isolate* isolate,
+      std::function<void(HeapObject* object, Object** slot, Object* target)>
+          gc_notify_updated_slot);
 
  private:
   DISALLOW_IMPLICIT_CONSTRUCTORS(NativeContext);

src/heap/mark-compact.cc

@@ -2094,6 +2094,7 @@ void MarkCompactCollector::ClearJSWeakCells() {
   }
   JSWeakCell* weak_cell;
   bool schedule_cleanup_task = false;
+  HandleScope handle_scope(isolate());
   while (weak_objects_.js_weak_cells.Pop(kMainThread, &weak_cell)) {
     // We do not insert cleared weak cells into the list, so the value
     // cannot be a Smi here.
@@ -2103,8 +2104,13 @@ void MarkCompactCollector::ClearJSWeakCells() {
       if (!weak_factory->NeedsCleanup()) {
         // This is the first dirty JSWeakCell of that JSWeakFactory. Record
         // the dirty JSWeakFactory in the native context.
-        isolate()->native_context()->AddDirtyJSWeakFactory(weak_factory,
-                                                           isolate());
+        isolate()->native_context()->AddDirtyJSWeakFactory(
+            weak_factory, isolate(),
+            [](HeapObject* object, Object** slot, Object* target) {
+              if (target->IsHeapObject()) {
+                RecordSlot(object, slot, HeapObject::cast(target));
+              }
+            });
         schedule_cleanup_task = true;
       }
       // We're modifying the pointers in JSWeakCell and JSWeakFactory during GC;

src/objects.cc

@@ -18829,6 +18829,8 @@ void JSWeakFactoryCleanupTask::Run() {
   HandleScope handle_scope(isolate_);
   Handle<Context> native_context =
       Handle<Context>::cast(Utils::OpenPersistent(native_context_));
+  v8::Local<v8::Context> context_local = Utils::ToLocal(native_context);
+  v8::Context::Scope context_scope(context_local);
 
   while (native_context->dirty_js_weak_factories()->IsJSWeakFactory()) {
     Handle<JSWeakFactory> weak_factory =