deps: backport 3a9bfec from v8 upstream

Myles Borins · rvagg · commit fcb9145e291e · 2016-06-23T22:31:20.000+10:00
Some of the logic from `zone.cc` is found in `zone-inl.h` in this release stream. Original commit message: Fix overflow issue in Zone::New When requesting a large allocation near the end of the address space, the computation could overflow and erroneously *not* grow the Zone as required. BUG=chromium:606115 LOG=y Review-Url: https://codereview.chromium.org/1930873002 Cr-Commit-Position: refs/heads/master@{#35903} PR-URL: nodejs-private/node-private#43 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Rod Vagg <rod@vagg.org>
diff --git a/deps/v8/src/zone-inl.h b/deps/v8/src/zone-inl.h
@@ -55,7 +55,10 @@ inline void* Zone::New(int size) {
   // Check if the requested size is available without expanding.
   Address result = position_;
 
-  if (size > limit_ - position_) {
+  const uintptr_t limit = reinterpret_cast<uintptr_t>(limit_);
+  const uintptr_t position = reinterpret_cast<uintptr_t>(position_);
+  // position_ > limit_ can be true after the alignment correction above.
+  if (limit < position || size > limit - position) {
      result = NewExpand(size);
   } else {
      position_ += size;
diff --git a/deps/v8/src/zone.cc b/deps/v8/src/zone.cc
@@ -168,7 +168,10 @@ Address Zone::NewExpand(int size) {
   // Make sure the requested size is already properly aligned and that
   // there isn't enough room in the Zone to satisfy the request.
   ASSERT(size == RoundDown(size, kAlignment));
-  ASSERT(size > limit_ - position_);
+  ASSERT(limit_ < position_ ||
+         reinterpret_cast<uintptr_t>(limit_) -
+                 reinterpret_cast<uintptr_t>(position_) <
+             size);
 
   // Compute the new segment size. We use a 'high water mark'
   // strategy, where we increase the segment size every time we expand
