Insert a filler at the new space top even if the top is at the limit.

BUG=chromium:470390
R=hpayer@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1066653003

Cr-Commit-Position: refs/heads/master@{#27819}

src/heap/heap.cc

@@ -794,10 +794,14 @@ void Heap::EnsureFillerObjectAtTop() {
   // pointer of the new space page. We store a filler object there to
   // identify the unused space.
   Address from_top = new_space_.top();
-  Address from_limit = new_space_.limit();
+  // Check that from_top is inside its page (i.e., not at the end).
-  if (from_top < from_limit) {
+  Address space_end = new_space_.ToSpaceEnd();
-    int remaining_in_page = static_cast<int>(from_limit - from_top);
+  if (from_top < space_end) {
-    CreateFillerObjectAt(from_top, remaining_in_page);
+    Page* page = Page::FromAddress(from_top);
+    if (page->Contains(from_top)) {
+      int remaining_in_page = static_cast<int>(page->area_end() - from_top);
+      CreateFillerObjectAt(from_top, remaining_in_page);
+    }
   }
 }
 

test/cctest/test-mementos.cc

@@ -58,9 +58,26 @@ TEST(Regress340063) {
   if (!i::FLAG_allocation_site_pretenuring) return;
   v8::HandleScope scope(CcTest::isolate());
 
+  SetUpNewSpaceWithPoisonedMementoAtTop();
+
+  // Call GC to see if we can handle a poisonous memento right after the
+  // current new space top pointer.
+  CcTest::i_isolate()->heap()->CollectAllGarbage(
+      Heap::kAbortIncrementalMarkingMask);
+}
+
+
+TEST(Regress470390) {
+  CcTest::InitializeVM();
+  if (!i::FLAG_allocation_site_pretenuring) return;
+  v8::HandleScope scope(CcTest::isolate());
 
   SetUpNewSpaceWithPoisonedMementoAtTop();
 
+  // Set the new space limit to be equal to the top.
+  Address top = CcTest::i_isolate()->heap()->new_space()->top();
+  *(CcTest::i_isolate()->heap()->new_space()->allocation_limit_address()) = top;
+
   // Call GC to see if we can handle a poisonous memento right after the
   // current new space top pointer.
   CcTest::i_isolate()->heap()->CollectAllGarbage(