[heap] Notify GC on potentially unsafe object layout changes.

src/heap/heap.h

Index: src/heap/heap.h
diff --git a/src/heap/heap.h b/src/heap/heap.h
index dc86608b79326954d8119bbe039d10e5b4a44856..0bbdb6bc2d3a9986bfd914ee5c29b2d45d8f5b97 100644
--- a/src/heap/heap.h
+++ b/src/heap/heap.h
@@ -1227,6 +1227,20 @@ class Heap {
 
   IncrementalMarking* incremental_marking() { return incremental_marking_; }
 
+  // The runtime uses this function to notify potentially unsafe object layout
+  // changes that require special synchronization with the concurrent marker.
+  // A layout change is unsafe if
+  // - it removes a tagged in-object field.
+  // - it replaces a tagged in-objects field with an untagged in-object field.
+  void NotifyObjectLayoutChange(HeapObject* object,
+                                const DisallowHeapAllocation&);
+#ifdef VERIFY_HEAP
+  // This function checks that either
+  // - the map transition is safe,
+  // - or it was communicated to GC using NotifyObjectLayoutChange.
+  void VerifyObjectLayoutChange(HeapObject* object, Map* new_map);
+#endif
+
   // ===========================================================================
   // Embedder heap tracer support. =============================================
   // ===========================================================================
@@ -2344,6 +2358,8 @@ class Heap {
   bool force_oom_;
   bool delay_sweeper_tasks_for_testing_;
 
+  HeapObject* pending_layout_change_object_;
+
   // Classes in "heap" can be friends.
   friend class AlwaysAllocateScope;
   friend class GCCallbacksScope;