[maglev] Fix temp use in StringLength

Avoid clobbering the object register when it aliases the result register
in StringLength.

Bug: v8:7700
Change-Id: Ib96522ca89313ae7c54af829d8f9743d1ab7d705
Fixed: chromium:1374231
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3952593
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83691}

src/maglev/maglev-ir.cc

@@ -1837,13 +1837,16 @@ void StringLength::GenerateCode(MaglevAssembler* masm,
                                 const ProcessingState& state) {
   Register object = ToRegister(object_input());
   if (v8_flags.debug_code) {
-    // Use return register as temporary.
+    // Use return register as temporary. Push it in case it aliases the object
+    // register.
     Register tmp = ToRegister(result());
+    __ Push(tmp);
     // Check if {object} is a string.
     __ AssertNotSmi(object);
     __ LoadMap(tmp, object);
     __ CmpInstanceTypeRange(tmp, tmp, FIRST_STRING_TYPE, LAST_STRING_TYPE);
     __ Check(below_equal, AbortReason::kUnexpectedValue);
+    __ Pop(tmp);
   }
   __ movl(ToRegister(result()), FieldOperand(object, String::kLengthOffset));
 }