[heap, runtime] Fix data race in prototype map transition during

concurrent marking.

BUG=chromium:694255

Change-Id: I172167623e9deab692fb506d7d4211d210b09a80
Reviewed-on: https://chromium-review.googlesource.com/579092Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46813}

src/heap/heap.cc

@@ -4522,7 +4522,8 @@ void Heap::NotifyObjectLayoutChange(HeapObject* object,
     incremental_marking()->MarkBlackAndPush(object);
   }
 #ifdef VERIFY_HEAP
-  DCHECK(pending_layout_change_object_ == nullptr);
+  DCHECK(pending_layout_change_object_ == nullptr ||
+         pending_layout_change_object_ == object);
   pending_layout_change_object_ = object;
 #endif
 }

src/objects.cc

@@ -4129,6 +4129,13 @@ void JSObject::MigrateToMap(Handle<JSObject> object, Handle<Map> new_map,
     // Slow-to-slow migration is trivial.
     object->synchronized_set_map(*new_map);
   } else if (!new_map->is_dictionary_map()) {
+    if (old_map->is_prototype_map()) {
+      DisallowHeapAllocation no_allocation;
+      // Ensure that the object is marked because its old map is going
+      // to drop the descriptor array and the layout descriptor, which
+      // is unsafe for the concurrent marker.
+      object->GetHeap()->NotifyObjectLayoutChange(*object, no_allocation);
+    }
     MigrateFastToFast(object, new_map);
     if (old_map->is_prototype_map()) {
       DCHECK(!old_map->is_stable());