Commit a072a429 authored by Samuel Groß, committed by V8 LUCI CQ

[sandbox] Treat sandbox reservation failures as OOMs

When the sandbox cannot be initialized, it's either because there is not
enough virtual address space available, or because there is not enough
memory for the kernel data structures needed for the reservation (this
typically happens on Windows 7/8 where reserving virtual memory is
expensive). Both cases should be reported as OOMs, not CHECK failures.

Bug: chromium:1325302
Change-Id: I17bde9bcd4fbd6e3d54075b8891287c8fb01c1d7
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688406
Auto-Submit: Samuel Groß <saelo@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80975}
parent 851854c4
......@@ -95,15 +95,15 @@ bool Sandbox::Initialize(v8::VirtualAddressSpace* vas) {
// creating a partially reserved sandbox, as that allows covering more virtual
// address space. This happens for CPUs with only 36 virtual address bits, in
// which case the sandbox size would end up being only 8GB.
bool partially_reserve = false;
bool create_partially_reserved_sandbox = false;
if (sandbox_size < kSandboxMinimumSize) {
static_assert(
(8ULL * GB) >= kSandboxMinimumReservationSize,
"Minimum reservation size for a partially reserved sandbox must be at "
"most 8GB to support CPUs with only 36 virtual address bits");
"most 8GB to support systems with only 36 virtual address bits");
size_to_reserve = sandbox_size;
sandbox_size = kSandboxMinimumSize;
partially_reserve = true;
create_partially_reserved_sandbox = true;
}
#if defined(V8_OS_WIN)
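Review bot: The static_assert message is changed from "CPUs with only 36 virtual address bits" to "systems with only 36 virtual address bits", but the comment a few lines above it still says "This happens for CPUs with only 36 virtual address bits". Either wording is fine, but they should agree; consider updating the comment in the same change so the two descriptions of the same condition do not drift apart.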
......@@ -116,7 +116,7 @@ bool Sandbox::Initialize(v8::VirtualAddressSpace* vas) {
// doesn't reserve most of the virtual memory, and so doesn't incur the
// cost, but also doesn't provide the desired security benefits.
size_to_reserve = kSandboxMinimumReservationSize;
partially_reserve = true;
create_partially_reserved_sandbox = true;
}
#endif // V8_OS_WIN
......@@ -131,18 +131,19 @@ bool Sandbox::Initialize(v8::VirtualAddressSpace* vas) {
// technically required for a different reason (large virtual memory
// reservations being too expensive).
size_to_reserve = kSandboxMinimumReservationSize;
partially_reserve = true;
create_partially_reserved_sandbox = true;
}
// In any case, the sandbox must be at most as large as our address space.
DCHECK_LE(sandbox_size, address_space_limit);
if (partially_reserve) {
return InitializeAsPartiallyReservedSandbox(vas, sandbox_size,
size_to_reserve);
bool success = false;
if (create_partially_reserved_sandbox) {
success = InitializeAsPartiallyReservedSandbox(vas, sandbox_size,
size_to_reserve);
} else {
const bool use_guard_regions = true;
bool success = Initialize(vas, sandbox_size, use_guard_regions);
success = Initialize(vas, sandbox_size, use_guard_regions);
#ifdef V8_SANDBOXED_POINTERS
// If sandboxed pointers are enabled, we need the sandbox to be initialized,
// so fall back to creating a partially reserved sandbox.
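Review bot: The two branches are no longer symmetric in how they handle failure, and that deserves a comment. In the else branch, a failed full reservation falls back to `InitializeAsPartiallyReservedSandbox` under V8_SANDBOXED_POINTERS, but in the `create_partially_reserved_sandbox` branch a failed `InitializeAsPartiallyReservedSandbox(vas, sandbox_size, size_to_reserve)` leaves `success` false with no retry. That is presumably intended (there is nothing smaller to fall back to), but a one-line comment stating that the partial reservation is the terminal attempt would save the next reader from wondering whether a retry was forgotten.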
......@@ -154,8 +155,17 @@ bool Sandbox::Initialize(v8::VirtualAddressSpace* vas) {
vas, sandbox_size, kSandboxMinimumReservationSize);
}
#endif // V8_SANDBOXED_POINTERS
return success;
}
#ifdef V8_SANDBOXED_POINTERS
if (!success) {
V8::FatalProcessOutOfMemory(
nullptr,
"Failed to reserve the virtual address space for the V8 sandbox");
}
#endif // V8_SANDBOXED_POINTERS
return success;
}
bool Sandbox::Initialize(v8::VirtualAddressSpace* vas, size_t size,
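Review bot: The new `V8::FatalProcessOutOfMemory` call is only compiled when V8_SANDBOXED_POINTERS is defined, so in builds without sandboxed pointers the function still returns `success` (possibly false) to the caller rather than reporting an OOM. The commit message says both failure modes should be reported as OOMs, not CHECK failures, so it is worth either a comment here explaining why a non-sandboxed-pointers build is allowed to continue without a sandbox, or confirming in the description that the caller's handling of a false return was adjusted accordingly. Also, the `return success;` just before the new `#ifdef` block belongs to the else-branch fallback, so the fatal path is only reached when the else branch's own fallback was not taken; a reader skimming the two adjacent `#ifdef V8_SANDBOXED_POINTERS` regions may miss that, and a short comment on the second block would help.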