When a page is selected as an evacuation candidate, we evict its free list, which invalidate all free list categories.

Later on in the finalization pause of GC, we may decide to release the evacuation candidate. Releasing a page also evicts page free list.

This can result in out-of-bounds read in:
void FreeList::RemoveCategory(FreeListCategory* category) {
  FreeListCategoryType type = category->type_;
  FreeListCategory* top = categories_[type]; // type = kInvalidCategory.

This is uncovered by 
https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux_-_arm64_-_sim_-_MSAN%2F18598%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2FArrayBuffer_Compaction%2F0