Ensure that inner pseudo-chunks are correctly initialized in FreeQueuedChunks.

Fields introduced with guarding code space pages (area_start_, area_end_) were not correctly handled which lead to errors in StoreBuffer filtering.

R=mstarzinger@chromium.org
TEST=mozilla/data/js1_5/GC/regress-203278-2.js

Review URL: https://chromiumcodereview.appspot.com/9600020

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10927 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/heap.cc

@@ -6918,14 +6918,18 @@ void Heap::FreeQueuedChunks() {
       // pieces and initialize size, owner and flags field of every piece.
       // If FromAnyPointerAddress encounters a slot that belongs to one of
       // these smaller pieces it will treat it as a slot on a normal Page.
+      Address chunk_end = chunk->address() + chunk->size();
       MemoryChunk* inner = MemoryChunk::FromAddress(
           chunk->address() + Page::kPageSize);
-      MemoryChunk* inner_last = MemoryChunk::FromAddress(
-          chunk->address() + chunk->size() - 1);
+      MemoryChunk* inner_last = MemoryChunk::FromAddress(chunk_end - 1);
       while (inner <= inner_last) {
         // Size of a large chunk is always a multiple of
         // OS::AllocateAlignment() so there is always
         // enough space for a fake MemoryChunk header.
+        Address area_end = Min(inner->address() + Page::kPageSize, chunk_end);
+        // Guard against overflow.
+        if (area_end < inner->address()) area_end = chunk_end;
+        inner->SetArea(inner->address(), area_end);
         inner->set_size(Page::kPageSize);
         inner->set_owner(lo_space());
         inner->SetFlag(MemoryChunk::ABOUT_TO_BE_FREED);

src/spaces.h

@@ -506,6 +506,11 @@ class MemoryChunk {
     size_ = size;
   }
 
+  void SetArea(Address area_start, Address area_end) {
+    area_start_ = area_start;
+    area_end_ = area_end;
+  }
+
   Executability executable() {
     return IsFlagSet(IS_EXECUTABLE) ? EXECUTABLE : NOT_EXECUTABLE;
   }