[builtins] Fix String.p.split for one-byte-wraps-two-byte string

It's possible for a one-byte string to wrap a two-byte string. For
example:

      CONS_ONE_BYTE_STRING_TYPE
wraps THIN_STRING_TYPE
wraps EXTERNAL_INTERNALIZED_STRING_TYPE

We thus have to validate the extracted instance type when relying on
the string being one-byte.

Bug: chromium:1088179
Change-Id: Id0f996761a3ae2f1233e12c95e663e77d4a5ebf9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2226752Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68124}

src/builtins/builtins-string-gen.cc

@@ -1635,6 +1635,12 @@ TNode<JSArray> StringBuiltinsAssembler::StringToArray(
 
     ToDirectStringAssembler to_direct(state(), subject_string);
     to_direct.TryToDirect(&call_runtime);
+
+    // The extracted direct string may be two-byte even though the wrapping
+    // string is one-byte.
+    GotoIfNot(IsOneByteStringInstanceType(to_direct.instance_type()),
+              &call_runtime);
+
     TNode<FixedArray> elements = CAST(AllocateFixedArray(
         PACKED_ELEMENTS, length, AllocationFlag::kAllowLargeObjectAllocation));
     // Don't allocate anything while {string_data} is live!