[snapshot] fix resetting function code.

Unconditionally setting the JSFunction code to that of the SFI
may skip initializing the feedback vector.

R=leszeks@chromium.org

Bug: v8:7857
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I65d4bf32493be4cade2eaf3d665d44f93e80f809
Reviewed-on: https://chromium-review.googlesource.com/1107618
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53881}

src/api.cc

@@ -770,8 +770,11 @@ StartupData SnapshotCreator::CreateBlob(
       // Complete in-object slack tracking for all functions.
       fun->CompleteInobjectSlackTrackingIfActive();
 
-      // Also, clear out feedback vectors.
-      fun->feedback_cell()->set_value(isolate->heap()->undefined_value());
+      // Also, clear out feedback vectors, or any optimized code.
+      if (fun->has_feedback_vector()) {
+        fun->feedback_cell()->set_value(isolate->heap()->undefined_value());
+        fun->set_code(isolate->builtins()->builtin(i::Builtins::kCompileLazy));
+      }
     }
 
     // Clear out re-compilable data from all shared function infos. Any

src/snapshot/partial-serializer.cc

@@ -105,7 +105,7 @@ void PartialSerializer::SerializeObject(HeapObject* obj, HowToCode how_to_code,
     // Unconditionally reset the JSFunction to its SFI's code, since we can't
     // serialize optimized code anyway.
     JSFunction* closure = JSFunction::cast(obj);
-    closure->set_code(closure->shared()->GetCode());
+    if (closure->is_compiled()) closure->set_code(closure->shared()->GetCode());
   }
 
   CheckRehashability(obj);

test/cctest/test-serialize.cc

@@ -2663,6 +2663,47 @@ TEST(SnapshotCreatorPreparseDataAndNoOuterScope) {
   delete[] blob.data;
 }
 
+v8::StartupData CreateCustomSnapshotArrayJoinWithKeep() {
+  v8::SnapshotCreator creator;
+  v8::Isolate* isolate = creator.GetIsolate();
+  {
+    v8::HandleScope handle_scope(isolate);
+    {
+      v8::Local<v8::Context> context = v8::Context::New(isolate);
+      v8::Context::Scope context_scope(context);
+      CompileRun(
+          "[].join('');\n"
+          "function g() { return String([1,2,3]); }\n");
+      ExpectString("g()", "1,2,3");
+      creator.SetDefaultContext(context);
+    }
+  }
+  return creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kKeep);
+}
+
+TEST(SnapshotCreatorArrayJoinWithKeep) {
+  DisableAlwaysOpt();
+  v8::StartupData blob = CreateCustomSnapshotArrayJoinWithKeep();
+
+  // Deserialize with an incomplete list of external references.
+  {
+    v8::Isolate::CreateParams params;
+    params.snapshot_blob = &blob;
+    params.array_buffer_allocator = CcTest::array_buffer_allocator();
+    // Test-appropriate equivalent of v8::Isolate::New.
+    v8::Isolate* isolate = TestIsolate::New(params);
+    {
+      v8::Isolate::Scope isolate_scope(isolate);
+      v8::HandleScope handle_scope(isolate);
+      v8::Local<v8::Context> context = v8::Context::New(isolate);
+      v8::Context::Scope context_scope(context);
+      ExpectString("g()", "1,2,3");
+    }
+    isolate->Dispose();
+  }
+  delete[] blob.data;
+}
+
 TEST(SnapshotCreatorNoExternalReferencesCustomFail1) {
   DisableAlwaysOpt();
   v8::StartupData blob = CreateSnapshotWithDefaultAndCustom();