[heap] Relax NotifyObjectLayoutChange DCHECK to allow ByteArrays changes in LO space

Bug: chromium:869735
Change-Id: I65c4a1b92e1e0874eabff14e9cf6f5b56dc8d43a
Reviewed-on: https://chromium-review.googlesource.com/1158065Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54909}

src/heap/heap.cc

@@ -3290,8 +3290,13 @@ void Heap::RegisterDeserializedObjectsForBlackAllocation(
 
 void Heap::NotifyObjectLayoutChange(HeapObject* object, int size,
                                     const DisallowHeapAllocation&) {
+  // In large object space, we only allow changing from non-pointers to
+  // pointers, so that there are no slots in the invalidated slots buffer.
+  // TODO(ulan) Make the IsString assertion stricter, we only want to allow
+  // strings that cannot have slots in them (seq-strings and such).
   DCHECK(InOldSpace(object) || InNewSpace(object) ||
-         (lo_space()->Contains(object) && object->IsString()));
+         (lo_space()->Contains(object) &&
+          (object->IsString() || object->IsByteArray())));
   if (FLAG_incremental_marking && incremental_marking()->IsMarking()) {
     incremental_marking()->MarkBlackAndPush(object);
     if (InOldSpace(object) && incremental_marking()->IsCompacting()) {

test/mjsunit/regress/regress-869735.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  return arguments.length;
+}
+
+var a = [];
+%OptimizeFunctionOnNextCall(f);
+a.length = 81832;
+f(...a);