[snapshot] Properly deserialize JSGlobalProxy.map references

Upon deserialization, serialized references to the global proxy are
replaced by the actual global proxy object. We must do the same for
the global proxy map.

Drive-by: Updated other outdated test skips.

Bug: v8:10504,v8:10416
Change-Id: Ib47ae2d08bbea2ca916f53152e9d4f75bb0a0e15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2183913Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67596}

src/snapshot/context-deserializer.cc

@@ -35,7 +35,10 @@ MaybeHandle<Object> ContextDeserializer::Deserialize(
     V8::FatalProcessOutOfMemory(isolate, "ContextDeserializer");
   }
 
+  // Replace serialized references to the global proxy and its map with the
+  // given global proxy and its map.
   AddAttachedObject(global_proxy);
+  AddAttachedObject(handle(global_proxy->map(), isolate));
 
   Handle<Object> result;
   {

src/snapshot/context-serializer.cc

@@ -85,8 +85,14 @@ void ContextSerializer::Serialize(Context* o,
                                   const DisallowHeapAllocation& no_gc) {
   context_ = *o;
   DCHECK(context_.IsNativeContext());
+
+  // Upon deserialization, references to the global proxy and its map will be
+  // replaced.
   reference_map()->AddAttachedReference(
       reinterpret_cast<void*>(context_.global_proxy().ptr()));
+  reference_map()->AddAttachedReference(
+      reinterpret_cast<void*>(context_.global_proxy().map().ptr()));
+
   // The bootstrap snapshot has a code-stub context. When serializing the
   // context snapshot, it is chained into the weak context list on the isolate
   // and it's next context pointer may point to the code-stub context.  Clear

test/mjsunit/mjsunit.status

@@ -1202,10 +1202,6 @@
   # Crashes the serializer due to recursion.
   'deep-recursion': [SKIP],
   'string-replace-gc': [SKIP],
-  # Check failed: !field_type.NowStable() || field_type.NowContains(value).
-  'eval': [SKIP],
-  'regress/regress-737588': [SKIP],
-  'regress/regress-crbug-716520': [SKIP],
   # Debug check failed:
   # map == GetReadOnlyRoots(isolate).fixed_array_map() || map == GetReadOnlyRoots(isolate).fixed_cow_array_map().
   # This means a mismatch of elements kinds / elements on the global object.
@@ -1226,13 +1222,6 @@
   'regress/regress-crbug-454091': [SKIP],
   'regress/regress-crbug-663750': [SKIP],
   'regress/regress-freeze-setter': [SKIP],
-  # TODO(v8:10495): Serialization now clears feedback vectors of the host
-  # isolate, but then execution cannot continue.
-  'compiler/regress-1028208': [SKIP],
-  'compiler/regress-1037771': [SKIP],
-  'es6/promises': [SKIP],
-  'serialize-deserialize-now': [SKIP],
-  'string-case': [SKIP],
   # TODO(v8:10494): asm Code objects can't be flushed and end up in the isolate
   # serializer.
   'asm/*': [SKIP],
@@ -1244,6 +1233,7 @@
   'regress/regress-7893': [SKIP],
   'regress/regress-799690': [SKIP],
   'regress/regress-8377': [SKIP],
+  'regress/regress-crbug-1047368': [SKIP],
   'regress/regress-crbug-898974': [SKIP],
   'regress/regress-crbug-935800': [SKIP],
   'regress/regress-crbug-976934': [SKIP],