[release/9.0-staging] [mono] Missing memory barrier leads to crash in multi-threaded scenarios (#113740)

Backport of #113140

Issue #109410 appears to be a case where klass is 0 when we perform an isinst operation, but the cache and obj are nonzero and look like valid addresses. klass is either a compile-time (well, jit-time) constant or being fetched out of the cache (it looks like it can be either depending on some sort of rgctx condition).

This PR adds null checks in two places along with a memory barrier in the location where we believe an uninitialized cache is being published to other threads.

---------

Co-authored-by: Katelyn Gadd <[email protected]>

Author: github-actions[bot]

src/mono/mono/metadata/object.c

@@ -6806,6 +6806,7 @@ mono_object_handle_isinst (MonoObjectHandle obj, MonoClass *klass, MonoError *er
 {
 	error_init (error);
 
+
 	if (!m_class_is_inited (klass))
 		mono_class_init_internal (klass);
 

src/mono/mono/mini/jit-icalls.c

@@ -1702,7 +1702,7 @@ mono_throw_type_load (MonoClass* klass)
 		mono_error_set_type_load_class (error, klass, "Attempting to load invalid type '%s'.", klass_name);
 		g_free (klass_name);
 	}
-	
+
 	mono_error_set_pending_exception (error);
 }
 
@@ -1743,6 +1743,11 @@ mini_init_method_rgctx (MonoMethodRuntimeGenericContext *mrgctx, MonoGSharedMeth
 													   mono_method_get_context (m), m->klass);
 		g_assert (data);
 
+		// we need a barrier before publishing data via mrgctx->infos [i] because the contents of data may not
+		//  have been published to all cores and another thread may read zeroes or partially initialized data
+		//  out of it, even though we have a barrier before publication of entries in mrgctx->entries below
+		mono_memory_barrier();
+
 		/* The first few entries are stored inline, the rest are stored in mrgctx->entries */
 		if (i < ninline)
 			mrgctx->infos [i] = data;