This makes fuses a little more robust when code messes with prototypes without
actually changing the property's value.

The callers have it available so there's no need to look it up again.

Renames PropertyChange to PropertyFlagsChange because this operation now only
covers the property flags. This is now only called when we're actually changing the
flags.

Adds separate watchPropertyModification calls for the case where defineProperty
is used to change the property's value (or both the value and the flags).

These changes help avoid unnecessary Watchtower calls.

This fixes a pre-exsting bug: the iterator must be created in the realm of the
arguments object.

OptimizeGetIteratorFuse guards against:

1. Changes to Array.prototype[@@iterator].
2. Changes to %ArrayIteratorPrototype%.

This patch adds a separate ArrayIteratorPrototypeFuse that covers just the second
case, and also changes OptimizeGetIteratorFuse to be dependent on this fuse.

Later patches will use this new fuse to replace ForOfPIC::Chain::tryOptimizeArrayIteratorNext.

This changes the CacheIR code to match the VM code changes from the previous patches.

Telemetry shows that the OptimizeGetIterator fuse is popped on less than 0.05% of
websites. With the first two patches in this stack this might drop even more.

The ArrayIteratorPrototype fuse is a subset of the OptimizeGetIterator fuse
so worst-case its numbers should be similar.

This micro-benchmark improves from 52 ms to 45 ms (best of 10 runs, with --spectre-mitigations=off):

function f() {
    var arr = [1];
    var t = new Date;
    for (var i = 0; i < 1_000_000; i++) {
        var res = new Set(arr);
    }
    print(new Date - t);
    return res;
}
f();

With new Int8Array(arr) it improves from 54 ms to 49 ms.

Checking the fuse is faster and simpler than the ForOfPIC code.

This way we have PropertyFlagsChange and PropertyValueChange.

The only reason for this to be fallible is the Watchtower testing code, but if we
recover from failure there we can simplify some of the callers. In particular in
NativeObject.cpp this moves the watchPropertyValueChange calls closer to the
setSlot calls.

https://hg.mozilla.org/mozilla-central/rev/f9ea525db663
https://hg.mozilla.org/mozilla-central/rev/fb467cb72422
https://hg.mozilla.org/mozilla-central/rev/5584386646bc
https://hg.mozilla.org/mozilla-central/rev/3692e56920cc
https://hg.mozilla.org/mozilla-central/rev/5db74dbc123f

https://hg.mozilla.org/mozilla-central/rev/c617c71a16ae
https://hg.mozilla.org/mozilla-central/rev/ffc35ef730e4
https://hg.mozilla.org/mozilla-central/rev/23cb8e597ba8
https://hg.mozilla.org/mozilla-central/rev/4c817911289e
https://hg.mozilla.org/mozilla-central/rev/f5cf04c3b582
https://hg.mozilla.org/mozilla-central/rev/2a0b3de2486f

(In reply to Pulsebot from comment #15)

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c617c71a16ae
part 6 - Fix bug with cross-realm arguments[Symbol.iterator]. r=mgaudet
https://hg.mozilla.org/integration/autoland/rev/ffc35ef730e4
part 7 - Add separate OptimizeArrayIteratorPrototypeFuse. r=mgaudet
https://hg.mozilla.org/integration/autoland/rev/23cb8e597ba8
part 8 - Replace uses of ForOfPIC with fuse checks. r=mgaudet
https://hg.mozilla.org/integration/autoland/rev/4c817911289e
part 9 - Remove now unused ForOfPIC and PIC code. r=mgaudet
https://hg.mozilla.org/integration/autoland/rev/f5cf04c3b582
part 10 - Make some functions infallible. r=mgaudet
https://hg.mozilla.org/integration/autoland/rev/2a0b3de2486f
part 11 - Rely on fuses in CacheIR code. r=mgaudet

This lead to a 512 byte increase in BAse contetn JS opt fission on MacOS and Linux.