[Backport] CVE-2021-21224: Type Confusion in V8

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2838235:
M86-LTS: [compiler] Fix bug in RepresentationChanger::GetWord32RepresentationFor

We have to respect the TypeCheckKind.

(cherry picked from commit fd29e246f65a7cee130e72cd10f618f3b82af232)

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Nico Hartmann <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#73909}
Owners-Override: Achuith Bhandarkar <[email protected]>
Reviewed-by: Artem Sumaneev <[email protected]>
Commit-Queue: Achuith Bhandarkar <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#79}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: GeorgNeis

chromium/v8/src/compiler/representation-change.cc

@@ -949,10 +949,10 @@ Node* RepresentationChanger::GetWord32RepresentationFor(
     return node;
   } else if (output_rep == MachineRepresentation::kWord64) {
     if (output_type.Is(Type::Signed32()) ||
-        output_type.Is(Type::Unsigned32())) {
-      op = machine()->TruncateInt64ToInt32();
-    } else if (output_type.Is(cache_->kSafeInteger) &&
-               use_info.truncation().IsUsedAsWord32()) {
+        (output_type.Is(Type::Unsigned32()) &&
+         use_info.type_check() == TypeCheckKind::kNone) ||
+        (output_type.Is(cache_->kSafeInteger) &&
+         use_info.truncation().IsUsedAsWord32())) {
       op = machine()->TruncateInt64ToInt32();
     } else if (use_info.type_check() == TypeCheckKind::kSignedSmall ||
                use_info.type_check() == TypeCheckKind::kSigned32 ||