[generators] Let parameters and register FixedArray be a large object

Bug: v8:11491
Change-Id: I603bc9ab6c4e925bc210a8cf420e2d7c6bcfb186
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2712782
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73252}

src/builtins/builtins-object-gen.cc

@@ -1226,7 +1226,7 @@ TF_BUILTIN(CreateGeneratorObject, ObjectBuiltinsAssembler) {
       IntPtrAdd(WordSar(frame_size, IntPtrConstant(kTaggedSizeLog2)),
                 formal_parameter_count);
   TNode<FixedArrayBase> parameters_and_registers =
-      AllocateFixedArray(HOLEY_ELEMENTS, size);
+      AllocateFixedArray(HOLEY_ELEMENTS, size, kAllowLargeObjectAllocation);
   FillFixedArrayWithValue(HOLEY_ELEMENTS, parameters_and_registers,
                           IntPtrConstant(0), size, RootIndex::kUndefinedValue);
   // TODO(cbruni): support start_offset to avoid double initialization.

test/mjsunit/regress/regress-11491.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function test() {
+  // Create a generator constructor with the maximum number of allowed parameters.
+  const args = new Array(65535);
+  function* gen() {}
+  const c = gen.constructor.apply(null, args);
+
+  // 'c' having 65535 parameters causes the parameters/registers fixed array
+  // attached to the generator object to be considered a large object.
+  // We call it twice so that it both covers the CreateJSGeneratorObject() C++
+  // runtime function as well as the CreateGeneratorObject() CSA builtin.
+  c();
+  c();
+}
+
+test();