Fix JSArray::kInitialMaxFastElementArray to make sense for 32-bit platforms.

Bug: chromium:772672, v8:6399
Change-Id: Ib44f5c5c2a62a8ec2cd824ba57a1af8f456853af
Reviewed-on: https://chromium-review.googlesource.com/706782
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48364}

src/builtins/builtins-constructor.h

@@ -22,7 +22,7 @@ class ConstructorBuiltins {
   // Maximum number of elements in copied array (chosen so that even an array
   // backed by a double backing store will fit into new-space).
   static const int kMaximumClonedShallowArrayElements =
-      JSArray::kInitialMaxFastElementArray * kPointerSize / kDoubleSize;
+      JSArray::kInitialMaxFastElementArray;
   // Maximum number of properties in copied object so that the properties store
   // will fit into new-space. This constant is based on the assumption that
   // NameDictionaries are 50% over-allocated.

src/objects.h

@@ -6527,8 +6527,8 @@ class JSArray: public JSObject {
 
   static const int kInitialMaxFastElementArray =
       (kMaxRegularHeapObjectSize - FixedArray::kHeaderSize - kSize -
-       AllocationMemento::kSize) /
-      kPointerSize;
+       AllocationMemento::kSize) >>
+      kDoubleSizeLog2;
 
  private:
   DISALLOW_IMPLICIT_CONSTRUCTORS(JSArray);

test/mjsunit/regress/regress-crbug-772672.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() { return new Array(120 * 1024); }
+
+foo()[0] = 0.1;
+%OptimizeFunctionOnNextCall(foo);
+foo();