[runtime] Align Seq{One,Two}ByteString::kMaxSize.

Because SizeFor only returns aligned values, when we check values
returned there against kMaxSize, they can be larger if they were
rounded up.

It wasn't possible to write a test for the 2-byte version that didn't
regularly OOM.

Bug: chromium:752764
Change-Id: Id2f387449e0fafe633a2fde1ac728be31487f62d
Reviewed-on: https://chromium-review.googlesource.com/607935Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47252}

src/objects/string.h

@@ -513,7 +513,7 @@ class SeqOneByteString : public SeqString {
   }
 
   // Maximal memory usage for a single sequential one-byte string.
-  static const int kMaxSize = kMaxLength + kHeaderSize;
+  static const int kMaxSize = OBJECT_POINTER_ALIGN(kMaxLength + kHeaderSize);
   STATIC_ASSERT((kMaxSize - kHeaderSize) >= String::kMaxLength);
 
   class BodyDescriptor;
@@ -559,7 +559,8 @@ class SeqTwoByteString : public SeqString {
   }
 
   // Maximal memory usage for a single sequential two-byte string.
-  static const int kMaxSize = kMaxLength * 2 + kHeaderSize;
+  static const int kMaxSize =
+      OBJECT_POINTER_ALIGN(kMaxLength * 2 + kHeaderSize);
   STATIC_ASSERT(static_cast<int>((kMaxSize - kHeaderSize) / sizeof(uint16_t)) >=
                 String::kMaxLength);
 

test/mjsunit/mjsunit.status

@@ -177,6 +177,9 @@
 
   # BUG(v8:6306).
   'wasm/huge-memory': [SKIP],
+
+  # Allocates a huge string and then flattens it, very slow in debug mode.
+  'regress/regress-752764': [PASS, ['mode == debug', SLOW]],
 }],  # ALWAYS
 
 ['novfp3 == True', {

test/mjsunit/regress/regress-752764.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+a = "a".repeat(%StringMaxLength() - 3);
+assertThrows(() => new RegExp("a" + a), SyntaxError);