[Backport] Security bug 1204071

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2869986:
Fix f64x2 min max to use registers

We don't have memory alignment yet, so using memory operands will cause
segv if we try to access the unaligned operands (on non-AVX systems).

The fix here is kept simple (the logic can be cleaned up a bit and
optimized to not use unique registers), in order to keep the cherry-pick
and back-merge as small and safe as possible.

Bug: chromium:1204071
Change-Id: Ieda23dcc097a06c6db20b952d7061708c3be0d24
Reviewed-by: Bill Budge <[email protected]>
Commit-Queue: Zhi An Ng <[email protected]>
Cr-Commit-Position: refs/heads/master@{#74363}
Reviewed-by: Michal Klocek <[email protected]>

Author: ngzhian

chromium/v8/src/compiler/backend/ia32/instruction-selector-ia32.cc

@@ -2199,7 +2199,7 @@ void InstructionSelector::VisitF64x2Min(Node* node) {
   IA32OperandGenerator g(this);
   InstructionOperand temps[] = {g.TempSimd128Register()};
   InstructionOperand operand0 = g.UseUniqueRegister(node->InputAt(0));
-  InstructionOperand operand1 = g.UseUnique(node->InputAt(1));
+  InstructionOperand operand1 = g.UseUniqueRegister(node->InputAt(1));
 
   if (IsSupported(AVX)) {
     Emit(kIA32F64x2Min, g.DefineAsRegister(node), operand0, operand1,
@@ -2214,7 +2214,7 @@ void InstructionSelector::VisitF64x2Max(Node* node) {
   IA32OperandGenerator g(this);
   InstructionOperand temps[] = {g.TempSimd128Register()};
   InstructionOperand operand0 = g.UseUniqueRegister(node->InputAt(0));
-  InstructionOperand operand1 = g.UseUnique(node->InputAt(1));
+  InstructionOperand operand1 = g.UseUniqueRegister(node->InputAt(1));
   if (IsSupported(AVX)) {
     Emit(kIA32F64x2Max, g.DefineAsRegister(node), operand0, operand1,
          arraysize(temps), temps);