[json] Strings can lie to us about representation, so check what's underneath

Bug: chromium:967151
Change-Id: I54a856cfcc4b4b17bd282dd3eabe5a915e617ca5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630683
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61846}

src/builtins/builtins-json.cc

@@ -22,7 +22,7 @@ BUILTIN(JsonParse) {
                                      Object::ToString(isolate, source));
   string = String::Flatten(isolate, string);
   RETURN_RESULT_OR_FAILURE(
-      isolate, string->IsOneByteRepresentation()
+      isolate, String::IsOneByteRepresentationUnderneath(*string)
                    ? JsonParser<uint8_t>::Parse(isolate, string, reviver)
                    : JsonParser<uint16_t>::Parse(isolate, string, reviver));
 }

test/mjsunit/regress/regress-crbug-967151.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-externalize-string
+
+__v_3 = "100                         external string turned into two byte";
+__v_2 = __v_3.substring(0, 28);
+try {
+  externalizeString(__v_3, true);
+} catch (e) {}
+assertEquals(100, JSON.parse(__v_2));