[wasm][ia32] Spill result register of CompareExchange before using it

R=clemensb@chromium.org

Bug: chromium:1196837
Change-Id: I8945e25be12155482e1feefe1cfd980a94b0488d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850646
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74180}

src/wasm/baseline/liftoff-compiler.cc

@@ -4262,6 +4262,7 @@ class LiftoffCompiler {
     __ DropValues(1);
 
     LiftoffRegister result = expected;
+    if (__ cache_state()->is_used(result)) __ SpillRegister(result);
 
     // We already added the index to addr, so we can just pass no_reg to the
     // assembler now.

test/mjsunit/regress/wasm/regress-1196837.js

@@ -0,0 +1,39 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32, false);
+builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
+builder.addFunction(undefined, 0 /* sig */)
+  .addBodyWithEnd([
+// signature: i_iii
+// body:
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x00,
+kExprMemoryGrow, 0x00,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x00,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x00,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprReturnCall, 0x00,
+kExprEnd,
+]);
+builder.addExport('main', 0);
+const instance = builder.instantiate();
+assertTraps(kTrapUnalignedAccess, () => instance.exports.main(0, 0, 0));