[heap] Fix various new LO space related DCHECKs.

Bug: chromium:852420
Change-Id: Ie3c2bb4d1d329e84e2cb9431cca129bdd7d09271
Reviewed-on: https://chromium-review.googlesource.com/c/1352291
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57880}

src/heap/heap.cc

@@ -2513,6 +2513,13 @@ bool Heap::IsLargeObject(HeapObject* object) {
          new_lo_space()->Contains(object);
 }
 
+bool Heap::IsInYoungGeneration(HeapObject* object) {
+  if (MemoryChunk::FromHeapObject(object)->IsInNewLargeObjectSpace()) {
+    return !object->map_word().IsForwardingAddress();
+  }
+  return Heap::InNewSpace(object);
+}
+
 #ifdef ENABLE_SLOW_DCHECKS
 namespace {
 

src/heap/heap.h

@@ -391,6 +391,8 @@ class Heap {
   bool IsLargeObject(HeapObject* object);
   inline bool IsWithinLargeObject(Address address);
 
+  bool IsInYoungGeneration(HeapObject* object);
+
   // Trim the given array from the left. Note that this relocates the object
   // start and hence is only valid if there is only a single reference to it.
   FixedArrayBase LeftTrimFixedArray(FixedArrayBase obj, int elements_to_trim);

src/heap/scavenger-inl.h

@@ -240,8 +240,6 @@ SlotCallbackResult Scavenger::EvacuateObjectDefault(Map map,
                                                     HeapObjectSlot slot,
                                                     HeapObject* object,
                                                     int object_size) {
-  SLOW_DCHECK(static_cast<size_t>(object_size) <=
-              MemoryChunkLayout::AllocatableMemoryInDataPage());
   SLOW_DCHECK(object->SizeFromMap(map) == object_size);
   CopyAndForwardResult result;
 
@@ -249,6 +247,9 @@ SlotCallbackResult Scavenger::EvacuateObjectDefault(Map map,
     return REMOVE_SLOT;
   }
 
+  SLOW_DCHECK(static_cast<size_t>(object_size) <=
+              MemoryChunkLayout::AllocatableMemoryInDataPage());
+
   if (!heap()->ShouldBePromoted(object->address())) {
     // A semi-space copy may fail due to fragmentation. In that case, we
     // try to promote the object.
@@ -396,7 +397,8 @@ SlotCallbackResult Scavenger::CheckAndScavengeObject(Heap* heap,
 
     SlotCallbackResult result =
         ScavengeObject(HeapObjectSlot(slot), heap_object);
-    DCHECK_IMPLIES(result == REMOVE_SLOT, !Heap::InNewSpace(*slot));
+    DCHECK_IMPLIES(result == REMOVE_SLOT,
+                   !heap->IsInYoungGeneration((*slot)->GetHeapObject()));
     return result;
   } else if (Heap::InToSpace(object)) {
     // Already updated slot. This can happen when processing of the work list

src/heap/spaces-inl.h

@@ -230,6 +230,10 @@ void MemoryChunk::MoveExternalBackingStoreBytes(ExternalBackingStoreType type,
                                        amount);
 }
 
+bool MemoryChunk::IsInNewLargeObjectSpace() const {
+  return owner()->identity() == NEW_LO_SPACE;
+}
+
 void Page::MarkNeverAllocateForTesting() {
   DCHECK(this->owner()->identity() != NEW_SPACE);
   DCHECK(!IsFlagSet(NEVER_ALLOCATE_ON_PAGE));

src/heap/spaces.h

@@ -637,6 +637,8 @@ class MemoryChunk {
 
   bool InLargeObjectSpace() const;
 
+  inline bool IsInNewLargeObjectSpace() const;
+
   Space* owner() const { return owner_; }
 
   void set_owner(Space* space) { owner_ = space; }