[torque] require exact match in return type for cast-like operations

This fixes the bug that cast<A>(...) could be interpreted as
cast<B>(...) if B is a subtype of A.

Bug: v8:7793

Change-Id: Ia03ce832f8c14ced09114d41c935be06d4629d99
Reviewed-on: https://chromium-review.googlesource.com/1075890
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53397}

src/builtins/base.tq

@@ -231,6 +231,8 @@ extern operator 'cast<>' macro ConvertFixedArrayBaseToFixedArray(
     FixedArrayBase): FixedArray labels CastError;
 extern operator 'cast<>' macro ConvertFixedArrayBaseToFixedDoubleArray(
     FixedArrayBase): FixedDoubleArray labels CastError;
+extern operator 'cast<>' macro TaggedToNumber(
+      Object): Number labels CastError;
 
 extern macro AllocateHeapNumberWithValue(float64): HeapNumber;
 

src/code-stub-assembler.h

@@ -163,6 +163,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
     return UncheckedCast<Smi>(value);
   }
 
+  TNode<Number> TaggedToNumber(TNode<Object> value, Label* fail) {
+    GotoIfNot(IsNumber(value), fail);
+    return UncheckedCast<Number>(value);
+  }
+
   TNode<HeapObject> TaggedToHeapObject(TNode<Object> value, Label* fail) {
     GotoIf(TaggedIsSmi(value), fail);
     return UncheckedCast<HeapObject>(value);

src/torque/implementation-visitor.cc

@@ -1092,8 +1092,7 @@ VisitResult ImplementationVisitor::GenerateOperation(
           }
         }
 
-        if (!return_type || (GetTypeOracle().IsAssignableFrom(
-                                *return_type, handler.result_type))) {
+        if (!return_type || return_type == handler.result_type) {
           return GenerateCall(handler.macro_name, arguments, false);
         }
       }