[zone] Fix propagation of OOM in Zone::NewSegment.

This fixes various allocator methods to properly propagate {nullptr} to
callers without accidentally dereferencing it. We also disable one test
case for stress mode as it runs out of memory due to inlining limits
being lifted in the stress mode.

R=bmeurer@chromium.org
TEST=mjsunit/array-natives-elements
BUG=v8:6061

Change-Id: Id0a7b826a8612d00b4f4ae8aa0bea011c50890ca
Reviewed-on: https://chromium-review.googlesource.com/451365
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43672}

src/zone/accounting-allocator.cc

@@ -73,7 +73,9 @@ Segment* AccountingAllocator::GetSegment(size_t bytes) {
   Segment* result = GetSegmentFromPool(bytes);
   if (result == nullptr) {
     result = AllocateSegment(bytes);
-    result->Initialize(bytes);
+    if (result != nullptr) {
+      result->Initialize(bytes);
+    }
   }
 
   return result;

src/zone/zone.cc

@@ -114,9 +114,9 @@ void Zone::DeleteAll() {
 // of the segment chain. Returns the new segment.
 Segment* Zone::NewSegment(size_t requested_size) {
   Segment* result = allocator_->GetSegment(requested_size);
-  DCHECK_GE(result->size(), requested_size);
-  segment_bytes_allocated_ += result->size();
   if (result != nullptr) {
+    DCHECK_GE(result->size(), requested_size);
+    segment_bytes_allocated_ += result->size();
     result->set_zone(this);
     result->set_next(segment_head_);
     segment_head_ = result;

test/mjsunit/mjsunit.status

@@ -598,6 +598,7 @@
 ['variant == stress', {
   'es6/array-iterator-turbo': [SKIP],
 
+  'array-natives-elements': [SKIP],
   'ignition/regress-599001-verifyheap': [SKIP],
   'unicode-test': [SKIP],
 }],  # variant == stress