v8 crash when reaching heap limit

[Jason Wan]

v8 version: 9.6

Hi I was able to reproduce a crash in the example shell and d8 with following script. Before this could be caught by an OOM handler. Also if I set the heap size to be very small (e.g. 2MB) the oom handler could still work.

let a = [];

for (;;) a.push("test")

#
# Fatal error in ../../src/heap/factory-base.cc, line 77
# Fatal JavaScript invalid size error 169220804
#
#
#
#FailureMessage Object: 0x7ffe207e93b0
==== C stack trace ===============================

    /v8/out.gn/x64.debug/libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x16) [0x7fa2f31944a6]
/v8/out.gn/x64.debug/libv8_libplatform.so(+0xfe9b) [0x7fa2f2f55e9b]
/v8/out.gn/x64.debug/libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x170) [0x7fa2f31789a0]
/v8/out.gn/x64.debug/libv8.so(+0xf17863) [0x7fa2f42b7863]
/v8/out.gn/x64.debug/libv8.so(+0x11d9a30) [0x7fa2f4579a30]
/v8/out.gn/x64.debug/libv8.so(+0x11db385) [0x7fa2f457b385]
/v8/out.gn/x64.debug/libv8.so(+0x14932cd) [0x7fa2f48332cd]
/v8/out.gn/x64.debug/libv8.so(+0x1493914) [0x7fa2f4833914]
    [0x335c003705bf]
Trace/breakpoint trap (core dumped)