[heap] Fix data race in sweeper.

The race happens when the sweeper is looking up the size of an object
that had its map replaced concurrently.

The fix is to load the object map using an acquire load so that the
sweeper observes the initializing stores of the new map.

Bug: v8:8303
Change-Id: Ifaaef06cb815be7d07b6a574085ee61a466bc1d6
Reviewed-on: https://chromium-review.googlesource.com/c/1280310Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56652}

src/heap/mark-compact-inl.h

@@ -517,7 +517,7 @@ void LiveObjectRange<mode>::iterator::AdvanceToNextValidObject() {
         // object ends.
         HeapObject* black_object = HeapObject::FromAddress(addr);
         map =
-            base::AsAtomicPointer::Relaxed_Load(reinterpret_cast<Map**>(addr));
+            base::AsAtomicPointer::Acquire_Load(reinterpret_cast<Map**>(addr));
         size = black_object->SizeFromMap(map);
         Address end = addr + size - kPointerSize;
         // One word filler objects do not borrow the second mark bit. We have
@@ -545,7 +545,7 @@ void LiveObjectRange<mode>::iterator::AdvanceToNextValidObject() {
         }
       } else if ((mode == kGreyObjects || mode == kAllLiveObjects)) {
         map =
-            base::AsAtomicPointer::Relaxed_Load(reinterpret_cast<Map**>(addr));
+            base::AsAtomicPointer::Acquire_Load(reinterpret_cast<Map**>(addr));
         object = HeapObject::FromAddress(addr);
         size = object->SizeFromMap(map);
       }

test/mjsunit/mjsunit.status

@@ -467,9 +467,6 @@
   'regress/wasm/regress-694433': [SKIP],
   'es6/typedarray': [PASS, NO_VARIANTS],
   'regress/regress-752764': [PASS, NO_VARIANTS],
-
-  # BUG(v8:8303). Flaky test
-  'wasm/user-properties-module': [SKIP],
 }],  # 'tsan == True'
 
 ##############################################################################