heap: Fix data race in DynamicallyMarkAddress

If a not_fully_constructed object was reached again and marked by
concurrent markers while the not_fully_constructed worklist was being
emptied, we would get a race between setting mark bit and reading size
for verification in debug modes.

Bug: 986235
Change-Id: Ibb7b7619e6965901fb2a94a5c742db10070b64e1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2156488
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#760490}

third_party/blink/renderer/platform/heap/marking_visitor.cc

@@ -223,7 +223,9 @@ MarkingVisitor::MarkingVisitor(ThreadState* state, MarkingMode marking_mode)
 }
 
 void MarkingVisitor::DynamicallyMarkAddress(ConstAddress address) {
-  HeapObjectHeader* const header = HeapObjectHeader::FromInnerAddress(address);
+  HeapObjectHeader* const header =
+      HeapObjectHeader::FromInnerAddress<HeapObjectHeader::AccessMode::kAtomic>(
+          address);
   DCHECK(header);
   DCHECK(!IsInConstruction(header));
   if (MarkHeaderNoTracing(header)) {