[PA] Add another PartitionPage into PartitionDirectMapMetadata

Otherwise SlowPathAlloc() overwrites PartitionDirectMapMetadata::bucket
when calling SetRawSize(), which reaches to the next PartitionPage after

PartitionDirectMapMetadata: :page via pointer arithmetic.
Change-Id: I0ca8a92ddf10f0687cb7f704148e283f0d748bba
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2914964
Auto-Submit: Bartek Nowierski <bartekn@chromium.org>
Commit-Queue: Takashi Sakamoto <tasak@google.com>
Reviewed-by: Takashi Sakamoto <tasak@google.com>
Cr-Commit-Position: refs/heads/master@{#886220}

base/allocator/partition_allocator/partition_bucket.cc

@@ -279,6 +279,10 @@ SlotSpanMetadata<thread_safe>* PartitionDirectMap(
     PA_DCHECK(!page->slot_span_metadata.num_unprovisioned_slots);
     PA_DCHECK(!page->slot_span_metadata.empty_cache_index);
 
+    PA_DCHECK(!metadata->subsequent_page.subsequent_page_metadata.raw_size);
+    // Raw size is set later, by the caller.
+    metadata->subsequent_page.slot_span_metadata_offset = 1;
+
     PA_DCHECK(!metadata->bucket.active_slot_spans_head);
     PA_DCHECK(!metadata->bucket.empty_slot_spans_head);
     PA_DCHECK(!metadata->bucket.decommitted_slot_spans_head);

base/allocator/partition_allocator/partition_direct_map_extent.h

@@ -32,6 +32,7 @@ struct PartitionDirectMapMetadata {
     PartitionPage<thread_safe> first_invalid_page;
   };
   PartitionPage<thread_safe> page;
+  PartitionPage<thread_safe> subsequent_page;
   PartitionBucket<thread_safe> bucket;
   PartitionDirectMapExtent<thread_safe> direct_map_extent;
 };