[heap] Fix overflow in ComputeLimit on 32-bit

On 32-bit systems the calculation could overflow, leading to an illegal
limit of the LAB. Cast to uint64_t to avoid this. Add DCHECKs to
catch this earlier.

Bug: chromium:1110214, v8:10315
Change-Id: I73679a2daeb3b83bb303d411c77782a2172e98cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2320654Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69101}

src/heap/new-spaces.cc

@@ -496,6 +496,8 @@ void NewSpace::ResetLinearAllocationArea() {
 
 void NewSpace::UpdateInlineAllocationLimit(size_t min_size) {
   Address new_limit = ComputeLimit(top(), to_space_.page_high(), min_size);
+  DCHECK_LE(top(), new_limit);
+  DCHECK_LE(new_limit, to_space_.page_high());
   allocation_info_.set_limit(new_limit);
   DCHECK_SEMISPACE_ALLOCATION_INFO(allocation_info_, to_space_);
 }

src/heap/paged-spaces.cc

@@ -849,6 +849,7 @@ void PagedSpace::VerifyCountersBeforeConcurrentSweeping() {
 
 void PagedSpace::UpdateInlineAllocationLimit(size_t min_size) {
   Address new_limit = ComputeLimit(top(), limit(), min_size);
+  DCHECK_LE(top(), new_limit);
   DCHECK_LE(new_limit, limit());
   DecreaseLimit(new_limit);
 }

src/heap/spaces.cc

@@ -302,7 +302,10 @@ Address SpaceWithLinearArea::ComputeLimit(Address start, Address end,
     size_t step = allocation_counter_.GetNextInlineAllocationStepSize();
     size_t rounded_step =
         RoundSizeDownToObjectAlignment(static_cast<int>(step - 1));
-    return Min(static_cast<Address>(start + min_size + rounded_step), end);
+    // Use uint64_t to avoid overflow on 32-bit
+    uint64_t step_end = static_cast<uint64_t>(start) + min_size + rounded_step;
+    uint64_t new_end = Min(step_end, static_cast<uint64_t>(end));
+    return static_cast<Address>(new_end);
   } else {
     // The entire node can be used as the linear allocation area.
     return end;