[TurboFan] Ensure PossiblyBackgroundSerialized objects are considered serialized

Previously ShouldHaveBeenSerialized() would return false for
kPossiblyBackgroundSerializedHeapObject objects which prevented
checks for whether the correct serialization had been done before
accessing Map::prototype() for these ObjectRefs.

BUG=chromium:1168435,v8:7790,v8:9684

Change-Id: I31b4cf7c7ce67ba1c46aea1451172b279d215508
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2640479
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72215}

src/compiler/js-heap-broker.cc

@@ -2366,7 +2366,8 @@ bool ObjectRef::equals(const ObjectRef& other) const {
 
 bool ObjectRef::ShouldHaveBeenSerialized() const {
   return broker()->mode() == JSHeapBroker::kSerialized &&
-         data()->kind() == kSerializedHeapObject;
+         (data()->kind() == kSerializedHeapObject ||
+          data()->kind() == kPossiblyBackgroundSerializedHeapObject);
 }
 
 Isolate* ObjectRef::isolate() const { return broker()->isolate(); }

test/mjsunit/regress/regress-1168435.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --concurrent-inlining
+
+function bar() {
+  arr = new Array(4);
+  iter = arr[Symbol.iterator];
+  return iter;
+}
+
+function foo(a) {
+  iter = bar();
+  return iter.isPrototypeOf(iter);
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();