[Backport] Security bug 1171954

Partial cherry-pick (leaving out tests) of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2674008:
Merged: [interpreter] Store accumulator to callee after optional chain checks

Revision: df98901c19ce17ca995ee6750379b0f004210d68

BUG=chromium:1171954
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: If09e1503ca07b47a112362495ec0bb9d502118c9
Reviewed-by: Ross McIlroy <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.9@{#33}
Cr-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1}
Cr-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: mythrialle

chromium/v8/src/interpreter/bytecode-generator.cc

@@ -4921,8 +4921,9 @@ void BytecodeGenerator::VisitCall(Call* expr) {
       Property* property = chain->expression()->AsProperty();
       BuildOptionalChain([&]() {
         VisitAndPushIntoRegisterList(property->obj(), &args);
-        VisitPropertyLoadForRegister(args.last_register(), property, callee);
+        VisitPropertyLoad(args.last_register(), property);
       });
+      builder()->StoreAccumulatorInRegister(callee);
       break;
     }
     case Call::SUPER_CALL: