[builtins] Fix missing ToString in RegExp.p.match

It is not safe to assume the first match is a string just
because the RegExp result is fast.

Bug: chromium:831943
Change-Id: Idd40f8b75312f0be54f45f626dc017339033abc6
Reviewed-on: https://chromium-review.googlesource.com/1009325Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#52578}

src/builtins/builtins-regexp-gen.cc

@@ -1875,10 +1875,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeMatchBody(Node* const context,
             Node* const result_fixed_array = LoadElements(result);
             Node* const match = LoadFixedArrayElement(result_fixed_array, 0);
 
-            // The match is guaranteed to be a string on the fast path.
-            CSA_ASSERT(this, IsString(match));
-
-            var_match.Bind(match);
+            var_match.Bind(ToString_Inline(context, match));
             Goto(&if_didmatch);
           }
 

test/mjsunit/regress/regress-crbug-831943.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+class MyRegExp extends RegExp {
+  exec(str) {
+    const r = super.exec.call(this, str);
+    if (r) r[0] = 0;
+    return r;
+  }
+}
+
+const result = 'a'.match(new MyRegExp('.', 'g'));
+assertArrayEquals(result, ['0']);