heap: ArrayBufferSweeper: Fix freed counter overflow

The array buffer sweeper has its own freed counter which is migrated
back to a global counter. There exist two paths for finalizing array
buffer sweeping which both need to merge back the counters. If we miss
out on merging back the counter, the freed counter may overflow in the
next cycle.

Bug: chromium:1241332
Change-Id: Ic985f72414198de2eaf900b8e2e9b39bed24d87e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3121905Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76503}

src/heap/array-buffer-sweeper.cc

@@ -113,9 +113,10 @@ void ArrayBufferSweeper::MergeBackExtensionsWhenSwept() {
     if (job_->state_ == SweepingState::kDone) {
       Merge();
       sweeping_in_progress_ = false;
-    } else {
-      UpdateCountersForConcurrentlySweptExtensions();
     }
+    // Update freed counters either way. It is necessary to update the counter
+    // in case sweeping is done to avoid counter overflows.
+    UpdateCountersForConcurrentlySweptExtensions();
   }
 }