cppgc: Fix race in RegisterWeakReferenceIfNeeded

As an optimization, RegisterWeakReferenceIfNeeded checks whether the
target object is marked, and only registers it if it's not marked.
The target object may still be under construction, in which case
checking the mark bit will race with allocating the object.

Bug: chromium:1056170, chromium:1232339
Change-Id: I0a41afba7f48f288f708441176f89509a81ebb09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3048171
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75879}

src/heap/cppgc/marking-state.h

@@ -229,8 +229,10 @@ void MarkingStateBase::RegisterWeakReferenceIfNeeded(const void* object,
   // Filter out already marked values. The write barrier for WeakMember
   // ensures that any newly set value after this point is kept alive and does
   // not require the callback.
-  if (HeapObjectHeader::FromObject(desc.base_object_payload)
-          .IsMarked<AccessMode::kAtomic>())
+  const HeapObjectHeader& header =
+      HeapObjectHeader::FromObject(desc.base_object_payload);
+  if (!header.IsInConstruction<AccessMode::kAtomic>() &&
+      header.IsMarked<AccessMode::kAtomic>())
     return;
   RegisterWeakCallback(weak_callback, parameter);
 }