[heap] Fix out-of-bounds read in LiveObjectIterator::Next

We need to check whether advancing the iterator moved us beyong the end
of the bitmap. This has not been flushed out as our inlined bitmap is
still in valid memory.

In practice this is not a problem because the value is never used as we
are at the end of the bitmap. Asan rightfully complains when using an
external bitmap though.

BUG=chromium:651354

Change-Id: I8b141a467e9552f8ac2287dd62a725a14a289a37
Reviewed-on: https://chromium-review.googlesource.com/452497Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43696}

src/heap/mark-compact-inl.h

@@ -136,7 +136,9 @@ HeapObject* LiveObjectIterator<T>::Next() {
                      ->one_pointer_filler_map());
           return nullptr;
         }
-        it_.Advance();
+        bool not_done = it_.Advance();
+        USE(not_done);
+        DCHECK(not_done);
         cell_base_ = it_.CurrentCellBase();
         current_cell_ = *it_.CurrentCell();
       }
@@ -194,8 +196,7 @@ HeapObject* LiveObjectIterator<T>::Next() {
     }
 
     if (current_cell_ == 0) {
-      if (!it_.Done()) {
-        it_.Advance();
+      if (!it_.Done() && it_.Advance()) {
         cell_base_ = it_.CurrentCellBase();
         current_cell_ = *it_.CurrentCell();
       }

src/heap/mark-compact.h

@@ -333,9 +333,9 @@ class MarkBitCellIterator BASE_EMBEDDED {
     return cell_base_;
   }
 
-  inline void Advance() {
-    cell_index_++;
+  MUST_USE_RESULT inline bool Advance() {
     cell_base_ += Bitmap::kBitsPerCell * kPointerSize;
+    return ++cell_index_ != last_cell_index_;
   }
 
   inline bool Advance(unsigned int new_cell_index) {