[snapshot] Fix clearing of feedback vector in serializer (follow-up)

The fix in https://chromium-review.googlesource.com/c/v8/v8/+/1698383
was not complete. We can have a case when a function is neither
optmized or intepreted but still has a feedback vector. This can
happen when the code of the function was flushed.

Bug: v8:7857
Change-Id: I9cb6e474d79a5d4956301e87705af136baeaeb8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714875
Auto-Submit: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62880}

src/api/api.cc

@@ -812,7 +812,14 @@ StartupData SnapshotCreator::CreateBlob(
       fun.CompleteInobjectSlackTrackingIfActive();
 
       // Also, clear out feedback vectors, or any optimized code.
-      if (fun.IsOptimized() || fun.IsInterpreted()) {
+      // Note that checking for fun.IsOptimized() || fun.IsInterpreted() is not
+      // sufficient because the function can have a feedback vector even if it
+      // is not compiled (e.g. when the bytecode was flushed). On the other
+      // hand, only checking for the feedback vector is not sufficient because
+      // there can be multiple functions sharing the same feedback vector. So we
+      // need all these checks.
+      if (fun.IsOptimized() || fun.IsInterpreted() ||
+          !fun.raw_feedback_cell().value().IsUndefined()) {
         fun.raw_feedback_cell().set_value(
             i::ReadOnlyRoots(isolate).undefined_value());
         fun.set_code(isolate->builtins()->builtin(i::Builtins::kCompileLazy));