Pass correct representation to FastPropertyAt

These two calls used Tagged, which may not match the field in question
and thus might leak a MutableHeapNumber.  Since the result was used in a
very limited way, this was not a correctness bug but it should be fixed
anyways.

Bug: chromium:966229
Change-Id: Id237729b60d980ded154f70d03e98375f5edc4cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630681
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61878}

src/compiler/js-call-reducer.cc

@@ -6866,7 +6866,7 @@ Reduction JSCallReducer::ReduceRegExpPrototypeTest(Node* node) {
 
     // Bail out if the exec method is not the original one.
     Handle<Object> constant = JSObject::FastPropertyAt(
-        holder, Representation::Tagged(), ai_exec.field_index());
+        holder, ai_exec.field_representation(), ai_exec.field_index());
     if (!constant.is_identical_to(isolate()->regexp_exec_function())) {
       return inference.NoChange();
     }

src/compiler/js-native-context-specialization.cc

@@ -451,8 +451,8 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
     if (!found_on_proto) holder = receiver;
 
     FieldIndex field_index = access_info.field_index();
-    Handle<Object> constant =
-        JSObject::FastPropertyAt(holder, Representation::Tagged(), field_index);
+    Handle<Object> constant = JSObject::FastPropertyAt(
+        holder, access_info.field_representation(), field_index);
     if (!constant->IsCallable()) {
       return NoChange();
     }