Commit 96c41c31 authored by Mythri A, committed by Commit Bot

Check ClosureFeedbackCellArray length is as expected

When bytecode gets flushed from SFI and we generate the bytecode again,
we expect that the generated bytecode is exactly the same as the earlier
bytecode. We reuse the same closure feedback cell array allocated
earlier and hence it is required that the number of closure feedback slots
remains the same. This CL just adds a CHECK for that, so we fail when
this is not the case.

Bug: chromium:1147917
Change-Id: I4b09ce3f741bc15c3b141b1fe057a667496c925d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2613037
Commit-Queue: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71954}
parent 4cc41fbb
......@@ -321,6 +321,12 @@ void JSFunction::InitializeFeedbackCell(Handle<JSFunction> function,
return;
}
if (function->has_closure_feedback_cell_array()) {
CHECK_EQ(
function->closure_feedback_cell_array().length(),
function->shared().feedback_metadata().create_closure_slot_count());
}
const bool needs_feedback_vector =
!FLAG_lazy_feedback_allocation || FLAG_always_opt ||
function->shared().may_have_cached_code() ||
......
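Review bot: The new CHECK_EQ inside `if (function->has_closure_feedback_cell_array())` has no comment stating the invariant it enforces, so someone who hits this crash has only the commit message to explain it. Consider a short comment above the `if`, for example `// Bytecode may have been flushed and regenerated; the reused closure feedback cell array must match create_closure_slot_count().` Since CHECK_EQ (not DCHECK_EQ) is used so the mismatch also fails in release builds, the comment should say that this is intentional so the check is not downgraded later. The visible diff also carries no regression test for chromium:1147917; if one exists elsewhere in the change, a pointer to it in the commit message would help.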