[heap] Fix ArrayBufferTracker processing

Avoid accessing |byte_length| during processing buffers. The length
might be a HeapNumber that has already been processed (e.g. moved) in
the current garbage collection cycle.

Bug: v8:8076
Change-Id: I6d79631e300845a29f15a9f60933ee41ffc95300
Reviewed-on: https://chromium-review.googlesource.com/1183193
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55256}

src/heap/array-buffer-tracker.cc

@@ -45,24 +45,25 @@ void LocalArrayBufferTracker::Process(Callback callback) {
           tracker = target_page->local_tracker();
         }
         DCHECK_NOT_NULL(tracker);
-        const size_t size = NumberToSize(new_buffer->byte_length());
+        const size_t length = it->second.length;
         // We should decrement before adding to avoid potential overflows in
         // the external memory counters.
         DCHECK_EQ(it->first->is_wasm_memory(), it->second.is_wasm_memory);
         old_page->DecrementExternalBackingStoreBytes(
-            ExternalBackingStoreType::kArrayBuffer, it->second.length);
-        tracker->Add(new_buffer, size);
+            ExternalBackingStoreType::kArrayBuffer, length);
+        tracker->Add(new_buffer, length);
       }
       moved_memory += it->second.length;
 
     } else if (result == kRemoveEntry) {
-      freed_memory += it->second.length;
+      const size_t length = it->second.length;
+      freed_memory += length;
       // We pass backing_store() and stored length to the collector for freeing
       // the backing store. Wasm allocations will go through their own tracker
       // based on the backing store.
       backing_stores_to_free.push_back(it->second);
       old_page->DecrementExternalBackingStoreBytes(
-          ExternalBackingStoreType::kArrayBuffer, it->second.length);
+          ExternalBackingStoreType::kArrayBuffer, length);
     } else {
       UNREACHABLE();
     }