cppgc: Fix data race when replacing a LAB

ClusterFuzz reported a non-reproducible issue here:
  https://clusterfuzz.com/testcase-detail/4634185246244864

What happens here is that a LAB is replaced that is adjacent to a live
object that is concurrently being marked using the object start
bitmap.

Bug: chromium:1056170
Change-Id: Iebc0db6b85262f2f544a76bac9b3d1c662e41d6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162603Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76865}

src/heap/cppgc/object-allocator.cc

@@ -59,9 +59,11 @@ void AddToFreeList(NormalPageSpace& space, Address start, size_t size) {
   // No need for SetMemoryInaccessible() as LAB memory is retrieved as free
   // inaccessible memory.
   space.free_list().Add({start, size});
+  // Concurrent marking may be running while the LAB is set up next to a live
+  // object sharing the same cell in the bitmap.
   NormalPage::From(BasePage::FromPayload(start))
       ->object_start_bitmap()
-      .SetBit(start);
+      .SetBit<AccessMode::kAtomic>(start);
 }
 
 void ReplaceLinearAllocationBuffer(NormalPageSpace& space,
@@ -78,7 +80,9 @@ void ReplaceLinearAllocationBuffer(NormalPageSpace& space,
     DCHECK_NOT_NULL(new_buffer);
     stats_collector.NotifyAllocation(new_size);
     auto* page = NormalPage::From(BasePage::FromPayload(new_buffer));
-    page->object_start_bitmap().ClearBit(new_buffer);
+    // Concurrent marking may be running while the LAB is set up next to a live
+    // object sharing the same cell in the bitmap.
+    page->object_start_bitmap().ClearBit<AccessMode::kAtomic>(new_buffer);
     MarkRangeAsYoung(page, new_buffer, new_buffer + new_size);
   }
 }