[Turboprop] Ensure deopt return point is after branch poisoning

If we return to code after a dynamic map check bailout, ensure the
return point is after the branch poisoning logic, since we might
cause the speculation poisoning register to be cleared otherwise.

Change-Id: Ia003aac16196857218fdfcdc7c2a4c9e8f02b1c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2692576
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72719}

src/compiler/backend/code-generator.cc

@@ -856,16 +856,18 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleInstruction(
           DeoptImmedArgsCountField::decode(instr->opcode());
       DeoptimizationExit* const exit = AddDeoptimizationExit(
           instr, frame_state_offset, immediate_args_count);
+      Label continue_label;
       BranchInfo branch;
       branch.condition = condition;
       branch.true_label = exit->label();
-      branch.false_label = exit->continue_label();
+      branch.false_label = &continue_label;
       branch.fallthru = true;
       AssembleArchDeoptBranch(instr, &branch);
-      tasm()->bind(exit->continue_label());
+      tasm()->bind(&continue_label);
       if (mode == kFlags_deoptimize_and_poison) {
         AssembleBranchPoisoning(NegateFlagsCondition(branch.condition), instr);
       }
+      tasm()->bind(exit->continue_label());
       break;
     }
     case kFlags_set: {