[runtime] Fix failing map verification on GC stress bot

This is a follow-up fix for
  https://chromium-review.googlesource.com/c/v8/v8/+/3482436
which introduced a new check to Map verification.

Bug: v8:10391
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg_ng
Change-Id: I8c02354bc159259c7157b296939790d0fc2c31c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3483662Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79232}

src/objects/map.cc

@@ -1136,8 +1136,8 @@ Handle<Map> Map::RawCopy(Isolate* isolate, Handle<Map> src_handle,
   Handle<Map> result = isolate->factory()->NewMap(
       src_handle->instance_type(), instance_size, TERMINAL_FAST_ELEMENTS_KIND,
       inobject_properties);
-  Handle<HeapObject> prototype(src_handle->prototype(), isolate);
-  Map::SetPrototype(isolate, result, prototype);
+  // We have to set the bitfields before any potential GCs could happen because
+  // heap verification might fail otherwise.
   {
     DisallowGarbageCollection no_gc;
     Map src = *src_handle;
@@ -1161,6 +1161,8 @@ Handle<Map> Map::RawCopy(Isolate* isolate, Handle<Map> src_handle,
     raw.set_bit_field3(new_bit_field3);
     raw.clear_padding();
   }
+  Handle<HeapObject> prototype(src_handle->prototype(), isolate);
+  Map::SetPrototype(isolate, result, prototype);
   return result;
 }