deps: V8: cherry-pick d2ad518a0b57

Original commit message:

    [serializer] serialize ExternalPointers in InterceptorInfo properly

    Previously the ObjectSerializer didn't serialize the ExternalPointers
    in the InterceptorInfo properly, but this case can be shadowed by
    the fact that they get promoted to RO space by default and don't get
    serialized by ObjectSerializer. This patch fixes up the missing
    handling in ObjectSerializer and adds a test case for this path.

    Refs: https://github.com/nodejs/node/pull/58064

    Change-Id: Icc62a01b006eaf68d1d2be1e3bc98b448f0c66dc
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6516091
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#100315}

Refs: d2ad518a0b
PR-URL: https://github.com/nodejs/node/pull/58064
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

common.gypi

@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.8',
+    'v8_embedder_string': '-node.9',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/src/snapshot/deserializer.cc

@@ -275,7 +275,11 @@ int Deserializer<IsolateT>::WriteExternalPointer(Tagged<HeapObject> host,
   }
 #endif  // V8_ENABLE_SANDBOX
 
+  if (tag == kExternalPointerNullTag && value == kNullAddress) {
+    dest.init_lazily_initialized();
+  } else {
     dest.init(main_thread_isolate(), host, value, tag);
+  }
 
 #ifdef V8_ENABLE_SANDBOX
   if (managed_resource) {

deps/v8/src/snapshot/serializer.cc

@@ -1074,7 +1074,8 @@ void Serializer::ObjectSerializer::OutputExternalReference(
     Address target, int target_size, bool sandboxify, ExternalPointerTag tag) {
   DCHECK_LE(target_size, sizeof(target));  // Must fit in Address.
   DCHECK_IMPLIES(sandboxify, V8_ENABLE_SANDBOX_BOOL);
-  DCHECK_IMPLIES(sandboxify, tag != kExternalPointerNullTag);
+  DCHECK_IMPLIES(sandboxify,
+                 tag != kExternalPointerNullTag || target == kNullAddress);
   ExternalReferenceEncoder::Value encoded_reference;
   bool encoded_successfully;
 
@@ -1153,6 +1154,7 @@ void Serializer::ObjectSerializer::VisitExternalPointer(
   if (InstanceTypeChecker::IsForeign(instance_type) ||
       InstanceTypeChecker::IsJSExternalObject(instance_type) ||
       InstanceTypeChecker::IsAccessorInfo(instance_type) ||
+      InstanceTypeChecker::IsInterceptorInfo(instance_type) ||
       InstanceTypeChecker::IsFunctionTemplateInfo(instance_type)) {
     // Output raw data payload, if any.
     OutputRawData(slot.address());

deps/v8/test/cctest/test-serialize.cc

@@ -5203,6 +5203,77 @@ UNINITIALIZED_TEST(SnapshotCreatorIncludeGlobalProxy) {
   FreeCurrentEmbeddedBlob();
 }
 
+UNINITIALIZED_TEST(SnapshotCreatorSerializeInterceptorInOldSpace) {
+  DisableAlwaysOpt();
+  DisableEmbeddedBlobRefcounting();
+  v8::StartupData blob;
+
+  {
+    SnapshotCreatorParams testing_params(original_external_references);
+    v8::SnapshotCreator creator(testing_params.create_params);
+    v8::Isolate* isolate = creator.GetIsolate();
+
+    {
+      v8::HandleScope handle_scope(isolate);
+
+      v8::Local<v8::ObjectTemplate> global_template =
+          v8::ObjectTemplate::New(isolate);
+
+      NamedPropertyHandlerConfiguration config(
+          NamedPropertyGetterForSerialization, {}, {}, {}, {}, {}, {},
+          v8_str("test"),  // Stop it from being promoted to RO space.
+          PropertyHandlerFlags::kHasNoSideEffect);
+
+      global_template->SetHandler(config);
+
+      v8::Local<v8::Context> context =
+          v8::Context::New(isolate, nullptr, global_template);
+      v8::Context::Scope context_scope(context);
+      ExpectInt32("x", 2016);
+      creator.SetDefaultContext(context);
+    }
+
+    blob =
+        creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);
+  }
+
+  {
+    v8::Isolate::CreateParams params;
+    params.snapshot_blob = &blob;
+    params.array_buffer_allocator = CcTest::array_buffer_allocator();
+    params.external_references = original_external_references;
+    // Test-appropriate equivalent of v8::Isolate::New.
+    v8::Isolate* isolate = TestSerializer::NewIsolate(params);
+    {
+      v8::Isolate::Scope isolate_scope(isolate);
+      v8::HandleScope handle_scope(isolate);
+
+      v8::Local<v8::Context> context = v8::Context::New(isolate);
+      v8::Context::Scope context_scope(context);
+
+      // Check that the InterceptorInfo is not promoted to RO space after
+      // deserialization.
+      i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
+      CHECK(i_isolate->global_object()->map()->has_named_interceptor());
+      CHECK(i_isolate->heap()->InOldSpace(
+          i_isolate->global_object()->GetNamedInterceptor()));
+
+      ExpectInt32("x", 2016);  // Check deserialized getter.
+      // Check the unset interceptors.
+      CompileRun(
+          "Object.defineProperty(globalThis, 'test', {"
+          "  value: 0, enumerable: true"
+          "})");
+      ExpectFalse("delete globalThis.test");
+      ExpectTrue("Object.keys(globalThis).includes('test')");
+    }
+
+    isolate->Dispose();
+  }
+  delete[] blob.data;
+  FreeCurrentEmbeddedBlob();
+}
+
 UNINITIALIZED_TEST(ReinitializeHashSeedJSCollectionRehashable) {
   DisableAlwaysOpt();
   i::v8_flags.rehash_snapshot = true;