[compiler] Fix data race between FindRootMap and DetachGlobal

... by adding atomic (relaxed) accessor's for a map's
constructor_or_backpointer field, and using them in the two functions.

Bug: chromium:1250216, v8:7790
Change-Id: I3416799cca73792ff5f8963685274ad9afdc6229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162129Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76876}

src/init/bootstrapper.cc

@@ -368,7 +368,8 @@ void Bootstrapper::DetachGlobal(Handle<Context> env) {
   // causing a map change.
   JSObject::ForceSetPrototype(isolate_, global_proxy,
                               isolate_->factory()->null_value());
-  global_proxy->map().SetConstructor(roots.null_value());
+  global_proxy->map().set_constructor_or_back_pointer(roots.null_value(),
+                                                      kRelaxedStore);
   if (FLAG_track_detached_contexts) {
     isolate_->AddDetachedContext(env);
   }

src/objects/map-inl.h

@@ -748,7 +748,7 @@ bool Map::ConcurrentIsMap(PtrComprCageBase cage_base,
 }
 
 DEF_GETTER(Map, GetBackPointer, HeapObject) {
-  Object object = constructor_or_back_pointer(cage_base);
+  Object object = constructor_or_back_pointer(cage_base, kRelaxedLoad);
   if (ConcurrentIsMap(cage_base, object)) {
     return Map::cast(object);
   }
@@ -776,6 +776,9 @@ ACCESSORS(Map, prototype_validity_cell, Object, kPrototypeValidityCellOffset)
 ACCESSORS_CHECKED2(Map, constructor_or_back_pointer, Object,
                    kConstructorOrBackPointerOrNativeContextOffset,
                    !IsContextMap(), value.IsNull() || !IsContextMap())
+RELAXED_ACCESSORS_CHECKED2(Map, constructor_or_back_pointer, Object,
+                           kConstructorOrBackPointerOrNativeContextOffset,
+                           !IsContextMap(), value.IsNull() || !IsContextMap())
 ACCESSORS_CHECKED(Map, native_context, NativeContext,
                   kConstructorOrBackPointerOrNativeContextOffset,
                   IsContextMap())

src/objects/map.h

@@ -565,6 +565,7 @@ class Map : public TorqueGeneratedMap<Map, HeapObject> {
   // The field also overlaps with the native context pointer for context maps,
   // and with the Wasm type info for WebAssembly object maps.
   DECL_ACCESSORS(constructor_or_back_pointer, Object)
+  DECL_RELAXED_ACCESSORS(constructor_or_back_pointer, Object)
   DECL_ACCESSORS(native_context, NativeContext)
   DECL_ACCESSORS(native_context_or_null, Object)
   DECL_ACCESSORS(wasm_type_info, WasmTypeInfo)

test/mjsunit/compiler/regress-1250216.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+{
+  const realm = Realm.createAllowCrossRealmAccess();
+  const foo = Realm.eval(realm, "function foo() {return globalThis.foo}; foo");
+  assertSame(foo(), foo);
+}
+
+{
+  const realm = Realm.createAllowCrossRealmAccess();
+  const foo = Realm.eval(realm, "function foo() {return globalThis.foo}; foo");
+  assertSame(foo(), foo);
+  Realm.detachGlobal(realm);
+}