[heap] Fix TypedSlots data race when compiled off-thread

When a LocalHeap is destroyed, we update (publish) the changes
in the TypedSlots, this need to be protected by a mutex, since
we may read the RecordRelocSlot in a different thread.

Bug: v8:12054, v8:12411, chromium:1272364
Change-Id: Id1684dad3ed9e02c597099c440d1fbfdbd8c47ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3297892
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78059}

src/heap/mark-compact.cc

@@ -2862,6 +2862,12 @@ void MarkCompactCollector::RecordRelocSlot(Code host, RelocInfo* rinfo,
                                            HeapObject target) {
   RecordRelocSlotInfo info = PrepareRecordRelocSlot(host, rinfo, target);
   if (info.should_record) {
+    // Access to TypeSlots need to be protected, since LocalHeaps might
+    // publish code in the background thread.
+    base::Optional<base::MutexGuard> opt_guard;
+    if (FLAG_concurrent_sparkplug) {
+      opt_guard.emplace(info.memory_chunk->mutex());
+    }
     RememberedSet<OLD_TO_OLD>::InsertTyped(info.memory_chunk, info.slot_type,
                                            info.offset);
   }

src/heap/marking-barrier.cc

@@ -158,6 +158,12 @@ void MarkingBarrier::Publish() {
     worklist_.Publish();
     for (auto& it : typed_slots_map_) {
       MemoryChunk* memory_chunk = it.first;
+      // Access to TypeSlots need to be protected, since LocalHeaps might
+      // publish code in the background thread.
+      base::Optional<base::MutexGuard> opt_guard;
+      if (FLAG_concurrent_sparkplug) {
+        opt_guard.emplace(memory_chunk->mutex());
+      }
       std::unique_ptr<TypedSlots>& typed_slots = it.second;
       RememberedSet<OLD_TO_OLD>::MergeTyped(memory_chunk,
                                             std::move(typed_slots));