[heap] Fix adjusting of area end when shrinking large pages

Bug: chromium:733059, chromium:724947
Change-Id: Id7abc22ee0975cd609cc06a02552f68e9e0077e8
Reviewed-on: https://chromium-review.googlesource.com/535596
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45952}

src/heap/spaces.cc

@@ -839,7 +839,7 @@ size_t Page::ShrinkToHighWaterMark() {
         static_cast<int>(area_end() - filler->address() - unused),
         ClearRecordedSlots::kNo);
     heap()->memory_allocator()->PartialFreeMemory(
-        this, address() + size() - unused, unused);
+        this, address() + size() - unused, unused, area_end() - unused);
     CHECK(filler->IsFiller());
     CHECK_EQ(filler->address() + filler->Size(), area_end());
   }
@@ -871,11 +871,12 @@ void Page::DestroyBlackArea(Address start, Address end) {
 }
 
 void MemoryAllocator::PartialFreeMemory(MemoryChunk* chunk, Address start_free,
-                                        size_t bytes_to_free) {
+                                        size_t bytes_to_free,
+                                        Address new_area_end) {
   base::VirtualMemory* reservation = chunk->reserved_memory();
   DCHECK(reservation->IsReserved());
   chunk->size_ -= bytes_to_free;
-  chunk->area_end_ -= bytes_to_free;
+  chunk->area_end_ = new_area_end;
   if (chunk->IsFlagSet(MemoryChunk::IS_EXECUTABLE)) {
     DCHECK_EQ(0, reinterpret_cast<uintptr_t>(chunk->area_end_) %
                      static_cast<uintptr_t>(GetCommitPageSize()));
@@ -3261,12 +3262,14 @@ void LargeObjectSpace::FreeUnmarkedObjects() {
     if (ObjectMarking::IsBlack(object, MarkingState::Internal(object))) {
       Address free_start;
       if ((free_start = current->GetAddressToShrink()) != 0) {
+        DCHECK(!current->IsFlagSet(Page::IS_EXECUTABLE));
         current->ClearOutOfLiveRangeSlots(free_start);
         RemoveChunkMapEntries(current, free_start);
         const size_t bytes_to_free =
             current->size() - (free_start - current->address());
-        heap()->memory_allocator()->PartialFreeMemory(current, free_start,
-                                                      bytes_to_free);
+        heap()->memory_allocator()->PartialFreeMemory(
+            current, free_start, bytes_to_free,
+            current->area_start() + object->Size());
         size_ -= bytes_to_free;
         AccountUncommitted(bytes_to_free);
       }

src/heap/spaces.h

@@ -1365,7 +1365,7 @@ class V8_EXPORT_PRIVATE MemoryAllocator {
   // Additional memory beyond the page is not accounted though, so
   // |bytes_to_free| is computed by the caller.
   void PartialFreeMemory(MemoryChunk* chunk, Address start_free,
-                         size_t bytes_to_free);
+                         size_t bytes_to_free, Address new_area_end);
 
   // Commit a contiguous block of memory from the initial chunk.  Assumes that
   // the address is not NULL, the size is greater than zero, and that the

test/mjsunit/regress/regress-733059.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --enable-slow-asserts
+
+a = new Proxy([], {
+  defineProperty() {
+    b.length = 1; gc();
+    return Object.defineProperty.apply(this, arguments);
+  }
+});
+
+class MyArray extends Array {
+  static get[Symbol.species](){
+    return function() {
+      return a;
+    }
+  };
+}
+
+b = new MyArray(65535);
+b[1] = 0.1;
+c = Array.prototype.concat.call(b);
+gc();