[Backport] Security bug 378701682

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6022072:
[liftoff] Fix clobbered scratch register

`GetMemOp` returns an `Operand` which can contain `kScratchRegister`. We
should hence not clobber that register until after the last use of the
`Operand`.

This CL changes the scratch register to `kScratchRegister2` which has
much fewer uses, and in particular none which collides with `GetMemOp`.

R=mliedtke@chromium.org

Fixed: 378779897, 378701682
Change-Id: Id1ed25edfe76200d069ac2ab54e5000eed313c8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6022072
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#97224}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/611746
Reviewed-by: Anu Aliyas <anu.aliyas@qt.io>

Author: backes

chromium/v8/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h

@@ -54,6 +54,8 @@ constexpr Operand kInstanceDataOperand =
 
 constexpr Operand kOSRTargetSlot = GetStackSlot(kOSRTargetOffset);
 
+// Note: The returned Operand might contain {kScratchRegister2}; make sure not
+// to clobber that until after the last use of the Operand.
 inline Operand GetMemOp(LiftoffAssembler* assm, Register addr,
                         Register offset_reg, uintptr_t offset_imm,
                         ScaleFactor scale_factor = times_1) {
@@ -64,7 +66,7 @@ inline Operand GetMemOp(LiftoffAssembler* assm, Register addr,
                : Operand(addr, offset_reg, scale_factor, offset_imm32);
   }
   // Offset immediate does not fit in 31 bits.
-  Register scratch = kScratchRegister;
+  Register scratch = kScratchRegister2;
   assm->MacroAssembler::Move(scratch, offset_imm);
   if (offset_reg != no_reg) assm->addq(scratch, offset_reg);
   return Operand(addr, scratch, scale_factor, 0);