Cherry-pick 01e86f1. rdar://problem/110785576

    Backport fix for erroneous CSE of EnumeratorNextUpdateIndexAndMode and HasIndexedProperty
    rdar://110785576

    Reviewed by Michael Saboff, Justin Michaud and Yusuke Suzuki.

    Backports part of https://commits.webkit.org/263909@main, which
    prevents erroneous elimination of an EnumeratorNextUpdateIndexAndMode
    and HasIndexedProperty node pair if they have the same operands.
    The full commit in 263909@main depends on the existence of DFG tuples,
    which haven't yet been brought into the security branch, so those
    parts are omitted from this patch.

    * Source/JavaScriptCore/dfg/DFGClobberize.h:
    (JSC::DFG::clobberize):
    * Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
    (WTF::printInternal):
    * Source/JavaScriptCore/dfg/DFGHeapLocation.h:

    Canonical link: https://commits.webkit.org/259548.828@safari-7615-branch

Canonical link: https://commits.webkit.org/245886.882@safari-7613.4.1.0-branch

Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -371,6 +371,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
 
         read(JSObject_butterfly);
         ArrayMode mode = node->arrayMode();
+        LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc;
         switch (mode.type()) {
         case Array::ForceExit: {
             write(SideState);
@@ -380,7 +381,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
             if (mode.isInBounds()) {
                 read(Butterfly_publicLength);
                 read(IndexedInt32Properties);
-                def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
                 return;
             }
             break;
@@ -390,7 +391,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
             if (mode.isInBounds()) {
                 read(Butterfly_publicLength);
                 read(IndexedDoubleProperties);
-                def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
                 return;
             }
             break;
@@ -400,7 +401,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
             if (mode.isInBounds()) {
                 read(Butterfly_publicLength);
                 read(IndexedContiguousProperties);
-                def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
                 return;
             }
             break;

Source/JavaScriptCore/dfg/DFGHeapLocation.cpp

@@ -129,11 +129,15 @@ void printInternal(PrintStream& out, LocationKind kind)
     case GlobalVariableLoc:
         out.print("GlobalVariableLoc");
         return;
-        
+
     case HasIndexedPropertyLoc:
         out.print("HasIndexedPorpertyLoc");
         return;
 
+    case EnumeratorNextUpdateIndexAndModeLoc:
+        out.print("EnumeratorNextUpdateIndexAndModeLoc");
+        return;
+
     case IndexedPropertyDoubleLoc:
         out.print("IndexedPropertyDoubleLoc");
         return;

Source/JavaScriptCore/dfg/DFGHeapLocation.h

@@ -46,6 +46,7 @@ enum LocationKind {
     DirectArgumentsLoc,
     GetterLoc,
     GlobalVariableLoc,
+    EnumeratorNextUpdateIndexAndModeLoc,
     HasIndexedPropertyLoc,
     IndexedPropertyDoubleLoc,
     IndexedPropertyDoubleSaneChainLoc,