[Builtins]: Array.prototype.map out of memory error

If we need to allocate a DOUBLE_ELEMENTS backing store, it's important
to allow large object space allocation.

BUG: chromium:926856

Change-Id: I9dd94f7176891a6f8f11d5f579b67df8151a40b5
Reviewed-on: https://chromium-review.googlesource.com/c/1449531Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59285}

src/builtins/array-map.tq

@@ -136,8 +136,8 @@ namespace array_map {
         // We need to allocate and copy.
         // First, initialize the elements field before allocation to prevent
         // heap corruption.
-        const elements: FixedDoubleArray =
-            AllocateFixedDoubleArrayWithHoles(SmiUntag(length), kNone);
+        const elements: FixedDoubleArray = AllocateFixedDoubleArrayWithHoles(
+            SmiUntag(length), kAllowLargeObjectAllocation);
         a = new JSArray{map, this.fixedArray};
         for (let i: Smi = 0; i < validLength; i++) {
           typeswitch (this.fixedArray[i]) {

test/mjsunit/regress/regress-crbug-926856.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Need a fast array with enough elements to surpass
+// kMaxRegularHeapObjectSize.
+var size = 63392;
+var a = [];
+function build() {
+  for (let i = 0; i < size; i++) {
+    a.push(i);
+  }
+}
+
+build();
+
+function c(v) { return v + 0.5; }
+a.map(c);