[compiler] Representation mismatch detection missed a case

In GetOwnFastDataPropertyFromHeap, we read a property value
then compare it with the expected representation. We already
had code to bail out of that particular optimization if there
was a mismatch, however it missed the case of expected
representation being a HeapObject, and when a Smi value was found.

The fix is to use the excellent pre-existing method
Object::FitsRepresentation() to make this check. Thusly, all
cases are handled.

Bug: chromium:1225607, v8:7790
Change-Id: I7d9b1b7722d9691cf5427f8456a6deb466dda0d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008218
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75587}

src/compiler/heap-refs.cc

@@ -591,9 +591,8 @@ base::Optional<ObjectRef> GetOwnFastDataPropertyFromHeap(
     }
     // Since we don't have a guarantee that {value} is the correct value of the
     // property, we use the expected {representation} to weed out the most
-    // egregious types  of wrong values.
-    if ((representation.IsSmi() && !value->IsSmi()) ||
-        (representation.IsDouble() && !value->IsHeapNumber())) {
+    // egregious types of wrong values.
+    if (!value->object()->FitsRepresentation(representation)) {
       TRACE_BROKER_MISSING(
           broker, "Mismatch between representation and value in " << holder);
       return {};

test/mjsunit/compiler/regress-1225607.js

@@ -0,0 +1,21 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --interrupt-budget=1024 --concurrent-inlining
+
+const v2 = {};
+const v4 = {a:42};
+function v8() {
+    const v11 = v4.g;
+}
+function v13() {
+    v4.g = v2;
+}
+const v22 = v13();
+function v26() {
+}
+for (let v46 = 0; v46 < 100; v46++) {
+    const v53 = v8();
+}
+v4.g = 42;