[JSC] RegExpExecNonGlobalOrSticky should have NodeMustGenerate to prevent DCE

DFGStrengthReductionPhase converts RegExpExec to RegExpExecNonGlobalOrSticky
when the regexp is a constant without the global or sticky flag. This
conversion calls setOpAndDefaultFlags(RegExpExecNonGlobalOrSticky) which
resets flags to the default, and RegExpExecNonGlobalOrSticky was missing
NodeMustGenerate.

DFGClobberize.h correctly declares write(RegExpState) for this node (it
shares the same case block as RegExpMatchFastGlobal). When the exec result
is unused, DCE eliminates the node and RegExp.lastMatch/$1/etc. are left
stale from a prior match:

    function test(s) { /bc/.exec(s); }  // result unused
    /seed/.test("seeded");
    test("abcd");
    RegExp.lastMatch;  // DFG/FTL: "seed" (stale), expected: "bc"

This is the same bug pattern as RegExpMatchFastGlobal, which was fixed in
309271@main (https://bugs.webkit.org/show_bug.cgi?id=309953). Both nodes
share the same Clobberize case block and the same conversion pattern in
DFGNode.cpp (convertToRegExpExecNonGlobalOrStickyWithoutChecks and
convertToRegExpMatchFastGlobalWithoutChecks both call setOpAndDefaultFlags).

RegExpExec (the source op) already has NodeMustGenerate. Adding it to
RegExpExecNonGlobalOrSticky makes DFG/FTL behavior match lower tiers.

Test: JSTests/stress/regexp-exec-non-global-or-sticky-dce-lastmatch.js

* JSTests/stress/regexp-exec-non-global-or-sticky-dce-lastmatch.js: Added.
(shouldBe):
(test):
(testCapture):
(testLeftRight):
(testNoMatch):
* Source/JavaScriptCore/dfg/DFGNodeType.h:

Author: Jarred-Sumner

JSTests/stress/regexp-exec-non-global-or-sticky-dce-lastmatch.js

@@ -0,0 +1,60 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error("bad value: " + JSON.stringify(actual) + " expected: " + JSON.stringify(expected));
+}
+
+// RegExpExecNonGlobalOrSticky writes to RegExpState (RegExp.lastMatch, $1, etc.)
+// but was missing NodeMustGenerate, allowing FTL DCE to eliminate it when
+// the result is unused. This is the same bug pattern as
+// https://bugs.webkit.org/show_bug.cgi?id=309953 (RegExpMatchFastGlobal).
+//
+// DFGStrengthReductionPhase converts RegExpExec to RegExpExecNonGlobalOrSticky
+// via convertToRegExpExecNonGlobalOrStickyWithoutChecks when the regexp is a
+// constant without the global or sticky flag.
+
+function test(s) {
+    /bc/.exec(s);
+}
+noInline(test);
+
+for (let i = 0; i < testLoopCount; ++i) {
+    /seed/.test("seeded");
+    test("abcd");
+    shouldBe(RegExp.lastMatch, "bc");
+    shouldBe(RegExp.input, "abcd");
+}
+
+function testCapture(s) {
+    /(b)(c)/.exec(s);
+}
+noInline(testCapture);
+
+for (let i = 0; i < testLoopCount; ++i) {
+    /(s)(e)/.test("seed");
+    testCapture("abcd");
+    shouldBe(RegExp.$1, "b");
+    shouldBe(RegExp.$2, "c");
+}
+
+function testLeftRight(s) {
+    /bc/.exec(s);
+}
+noInline(testLeftRight);
+
+for (let i = 0; i < testLoopCount; ++i) {
+    /seed/.test("seeded");
+    testLeftRight("abcd");
+    shouldBe(RegExp.leftContext, "a");
+    shouldBe(RegExp.rightContext, "d");
+}
+
+function testNoMatch(s) {
+    /xyz/.exec(s);
+}
+noInline(testNoMatch);
+
+for (let i = 0; i < testLoopCount; ++i) {
+    /seed/.test("seeded");
+    testNoMatch("abcd");
+    shouldBe(RegExp.lastMatch, "seed");
+}

Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -349,7 +349,7 @@ namespace JSC { namespace DFG {
     \
     /* Optimizations for regular expression matching. */\
     macro(RegExpExec, NodeResultJS | NodeMustGenerate) \
-    macro(RegExpExecNonGlobalOrSticky, NodeResultJS) \
+    macro(RegExpExecNonGlobalOrSticky, NodeResultJS | NodeMustGenerate) \
     macro(RegExpTest, NodeResultJS | NodeMustGenerate) \
     macro(RegExpTestInline, NodeResultJS | NodeMustGenerate) \
     macro(RegExpMatchFast, NodeResultJS | NodeMustGenerate) \