[wasm] Throw a RangeError if Wasm memory could not be allocated.

This fixes a bug found by the fuzzer where we would attempt to
dereference a null handle if memory allocation failed. In this case,
the failure was because the amount of memory requested was above V8's
hardcoded limit.

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=666741

Review-Url: https://codereview.chromium.org/2514983002
Cr-Commit-Position: refs/heads/master@{#41158}

src/wasm/wasm-js.cc

@@ -335,7 +335,7 @@ void WebAssemblyMemory(const v8::FunctionCallbackInfo<v8::Value>& args) {
   v8::Isolate* isolate = args.GetIsolate();
   HandleScope scope(isolate);
   ErrorThrower thrower(reinterpret_cast<i::Isolate*>(isolate),
-                       "WebAssembly.Module()");
+                       "WebAssembly.Memory()");
   if (args.Length() < 1 || !args[0]->IsObject()) {
     thrower.TypeError("Argument 0 must be a memory descriptor");
     return;
@@ -368,7 +368,10 @@ void WebAssemblyMemory(const v8::FunctionCallbackInfo<v8::Value>& args) {
                 static_cast<size_t>(initial);
   i::Handle<i::JSArrayBuffer> buffer =
       i::wasm::NewArrayBuffer(i_isolate, size, i::FLAG_wasm_guard_pages);
-
+  if (buffer.is_null()) {
+    thrower.RangeError("could not allocate memory");
+    return;
+  }
   i::Handle<i::JSObject> memory_obj = i::WasmMemoryObject::New(
       i_isolate, buffer, has_maximum.FromJust() ? maximum : -1);
   args.GetReturnValue().Set(Utils::ToLocal(memory_obj));

test/mjsunit/regress/wasm/regression-666741.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --random-seed=-1101427159 --enable-slow-asserts --expose-wasm
+
+(function __f_7() {
+  assertThrows(() => new WebAssembly.Memory({initial: 59199}), RangeError);
+})();