[regexp] Fix dirty read in regexp interpreter.

When GC triggered while an exception is pending, a read to
memory that was no longer valid could happen while backtracking in the
regexp interpreter (introduced with commit fb0df2c8).
This CL prevents this dirty read, that could have been a security issue.

Bug: chromium:992389, v8:9575
Change-Id: Ie1acd6faa16665e211666c6a8dcf2a9d74e0c886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751342
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63195}

src/regexp/regexp-interpreter.cc

@@ -377,9 +377,9 @@ IrregexpInterpreter::Result RawMatch(Isolate* isolate, ByteArray code_array,
       IrregexpInterpreter::Result return_code =
           HandleInterrupts(isolate, call_origin, &code_array, &subject_string,
                            &code_base, &subject, &pc);
-      SET_PC_FROM_OFFSET(backtrack_stack.pop());
       if (return_code != IrregexpInterpreter::SUCCESS) return return_code;
 
+      SET_PC_FROM_OFFSET(backtrack_stack.pop());
       DISPATCH();
     }
     BYTECODE(POP_REGISTER) {

test/mjsunit/regress/regress-992389.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --jitless --gc-interval=12 --stack-size=50
+
+__f_0();
+function __f_0() {
+  try {
+    __f_0();
+  } catch(e) {
+    "b".replace(/(b)/g, function() { return "c"; });
+  }
+}