[TurboFan] Protect object typing in ObjectRef constructors

We cherish the ability to create a (for example) JSFunctionRef by
passing an object handle in phases of the compiler where we can't
inspect the handle to verify the instance type. A slight change to
constructor definitions of classes derived from ObjectRef allows us to
police this typing effectively.

Bug: v8:7790
Change-Id: I6ac8e4780d578e9c9cad80fdc87f399a92bc988d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751343
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63199}

src/compiler/js-heap-broker.cc

@@ -3463,7 +3463,8 @@ CellRef SourceTextModuleRef::GetCell(int cell_index) const {
   return CellRef(broker(), data()->AsSourceTextModule()->GetCell(cell_index));
 }
 
-ObjectRef::ObjectRef(JSHeapBroker* broker, Handle<Object> object)
+ObjectRef::ObjectRef(JSHeapBroker* broker, Handle<Object> object,
+                     bool check_type)
     : broker_(broker) {
   switch (broker->mode()) {
     case JSHeapBroker::kSerialized: