Please refer to this CL:
https://chromium-review.googlesource.com/c/chromium/src/+/1423667
In the above CL, I created a simple test, which creates a WebThreadSupportingGC and posts a task to that thread. On that thread, I simply create a CSSUnsupportedStyleValue, which is a GCed object.
Running the above test crashes and here is the stack trace:
#0 0x7f8ba3924e89 base::debug::StackTrace::StackTrace()
#1 0x7f8ba376daa5 base::debug::StackTrace::StackTrace()
#2 0x7f8ba392491a base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f8b953b10c0 <unknown>
#4 0x559bdf31e465 std::__Cr::unique_ptr<>::get()
#5 0x559bdf327269 blink::CompositorAnimationTestClient::GetCompositorAnimation()
#6 0x559bdf7e94df blink::ThreadHeap::Allocate<>()
#7 0x559bdf7e9445 blink::GarbageCollected<>::AllocateObject()
#8 0x559bdf7e93c8 blink::MakeGarbageCollected<>()
#9 0x559bdf7e9365 blink::CSSUnsupportedStyleValue::Create()
#10 0x559bdf7e9163 blink::WebThreadSupportingGCTest::DoWork()
#11 0x559bdf7527b2 base::internal::FunctorTraits<>::Invoke<>()
#12 0x559bdf752772 base::internal::InvokeHelper<>::MakeItSo<>()
haraken@, yutak@: could you triage?
Comment 1 by haraken@chromium.org, Jan 21 (2 days ago)