[heap] Keep DroppableApiWrappers alive if used as WeakMap key

This ensures that ApiObjects in V8 are not dropped if they are
currently used as WeakCollection keys. As proxy to determine key
status we use the presence of the identity hash on the object.

R=ulan@chromium.org

Bug: v8:8557, chromium:949244
Change-Id: Ifa0e24be44431a0200fd6a1d9898cd366b940bd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557143Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60675}

src/objects/js-objects.cc

@@ -2553,6 +2553,7 @@ bool JSObject::IsUnmodifiedApiObject(FullObjectSlot o) {
   if (!maybe_constructor->IsJSFunction()) return false;
   JSFunction constructor = JSFunction::cast(maybe_constructor);
   if (js_object->elements()->length() != 0) return false;
+  if (!js_object->GetIdentityHash()->IsUndefined()) return false;
 
   return constructor->initial_map() == heap_object->map();
 }

test/cctest/test-global-handles.cc

@@ -310,6 +310,20 @@ TEST(WeakHandleToUnmodifiedJSApiObjectDiesOnScavenge) {
       []() { InvokeScavenge(); }, SurvivalMode::kDies);
 }
 
+TEST(WeakHandleToJSApiObjectWithIdentityHashSurvivesScavenge) {
+  CcTest::InitializeVM();
+  WeakHandleTest(
+      CcTest::isolate(), &ConstructJSApiObject,
+      [](FlagAndPersistent* fp) {
+        v8::HandleScope scope(CcTest::isolate());
+        v8::Local<v8::Object> handle =
+            v8::Local<v8::Object>::New(CcTest::isolate(), fp->handle);
+        handle->GetIdentityHash();
+        handle.Clear();
+      },
+      []() { InvokeScavenge(); }, SurvivalMode::kSurvives);
+}
+
 TEST(WeakHandleToUnmodifiedJSApiObjectSurvivesScavengeWhenInHandle) {
   CcTest::InitializeVM();
   WeakHandleTest(