deps: fix segfault during gc

This is part 2/2 of the fixes needed for v8:4871. This fix never landed
upstream because the bug is not present in active V8 version. The patch
is available from the upstream v8 bug however.

The segfault occurs at the intersection of the following three
conditions that are dependent on the allocation pattern of an
application: A pretenured (1) allocation site has to be optimized into
a merged allocation by the allocation folding optimization (2) and
there needs to be overflow of the store buffer (3).

This patch disables the allocation folding optimization for pretenured
allocations. This may have some, hopefully negligible, performance
impact on real world applications.

Fixes: #5900

PR-URL: #7303
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Myles Borins <[email protected]>

Author: ofrobots

deps/v8/src/hydrogen-instructions.cc

@@ -3693,6 +3693,11 @@ Representation HUnaryMathOperation::RepresentationFromInputs() {
 
 bool HAllocate::HandleSideEffectDominator(GVNFlag side_effect,
                                           HValue* dominator) {
+  if (IsOldSpaceAllocation()) {
+    // Do not fold old space allocations because the store buffer might need
+    // to iterate old space pages during scavenges on overflow.
+    return false;
+  }
   DCHECK(side_effect == kNewSpacePromotion);
   Zone* zone = block()->zone();
   Isolate* isolate = block()->isolate();