[turbofan] Don't type-check in ObjectRef cast.

We use the object<T>() getter to extract the handle from an ObjectRef
instance and cast it to Handle<T>. In DEBUG mode, the cast does a type
check which accesses the heap. We must not access the heap though. This
CL is a quick fix that skips the type check. Eventually we should
replace the templatized accessor with a subclass-specific one to have
some safety.

Bug: v8:7790, v8:8316
Change-Id: I71048be2bc36570cce33b0e680824dd6bc407d14
Reviewed-on: https://chromium-review.googlesource.com/c/1282963
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56756}

src/compiler/js-heap-broker.h

@@ -89,8 +89,7 @@ class ObjectRef {
   // TODO(neis): Remove eventually.
   template <typename T>
   Handle<T> object() const {
-    AllowHandleDereference handle_dereference;
-    return Handle<T>::cast(object());
+    return Handle<T>(reinterpret_cast<T**>(object().address()));
   }
 
   bool IsSmi() const;