Cancel EnqueueMicrotask of FinalizationGroup on detached contexts

MicrotaskQueue associated to Context may be null after DetachGlobal,
and triggering FinalizationGroup clean up on the detached context
causes a crash.
This CL fixes the crash by cancelling the clean up on such a context.

Bug: chromium:937784
Change-Id: I57883ae0caf6c6bb35e482e441b6e09e921d9def
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552500
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60931}

src/heap/heap.cc

@@ -1026,7 +1026,8 @@ void Heap::GarbageCollectionEpilogue() {
       Handle<FinalizationGroupCleanupJobTask> task =
           isolate()->factory()->NewFinalizationGroupCleanupJobTask(
               finalization_group);
-      context->microtask_queue()->EnqueueMicrotask(*task);
+      MicrotaskQueue* microtask_queue = context->microtask_queue();
+      if (microtask_queue) microtask_queue->EnqueueMicrotask(*task);
     }
   }
 }

test/mjsunit/harmony/weakrefs/cleanup-on-detached-realm.js

@@ -0,0 +1,22 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-weak-refs --expose-gc --noincremental-marking
+
+let r = Realm.create();
+let FG = Realm.eval(r, "FinalizationGroup");
+Realm.detachGlobal(r);
+
+let fg = new FG(()=> {
+  assertUnreachable();
+});
+
+(() => {
+  let object = {};
+  fg.register(object, {});
+
+  // object goes out of scope.
+})();
+
+gc();