Fix for bug 99663 (for loop resolves properties of the object being enumerated
with JSRESOLVE_ASSIGNING, wrongly), plus a few miscellaneous bugfixes.
- Combine the JSStackFrame members constructing, special, overrides, and
reserved into a uint32 flags member.
- Separate JOF_ASSIGNING from the JOF_SET bytecode format flag, and impute
JSRESOLVE_ASSIGNING from the presence of JOF_ASSIGNING among the current
opcode's format flags. To handle the for-in loop opcodes, which do more
than simply assign -- in particular, they do property lookups whose resolve
hook outcalls should not be flagged with JSRESOLVE_ASSIGNING -- a new frame
flag, JSFRAME_ASSIGNING, has been added.
- Fix interpreter version selection to respect JS_SetVersion, whose effect on
cx->version is "sticky".
- Fix js_DecompileValueGenerator to deal with JSOP_ENUMELEM -- it never had,
as this testcase shows (it crashes without this patch):
    version(120);
    eval("function fe(s) { for (it[s] in this); }");
    try { fe('rdonly'); } catch (e) { print(e); }
@@ -78,6 +78,9 @@ typedef enum JSOp {
|
||||
#define JOF_INCDEC 0x0300 /* increment or decrement opcode */
|
||||
#define JOF_POST 0x0400 /* postorder increment or decrement */
|
||||
#define JOF_IMPORT 0x0800 /* import property op */
|
||||
#define JOF_FOR 0x1000 /* for-in property op */
|
||||
#define JOF_ASSIGNING 0x2000 /* hint for JSClass.resolve, used for ops
|
||||
that do simplex assignment */
|
||||
|
||||
/*
|
||||
* Immediate operand getters, setters, and bounds.
|
||||
|
||||
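Review bot: the comment on the new JOF_ASSIGNING define ("hint for JSClass.resolve, used for ops that do simplex assignment") does not tell a reader which opcodes may carry the bit, and "simplex" reads like a typo for "simple". Since the commit message says this flag is split out of JOF_SET and that the for-in opcodes must not set it (they rely on the JSFRAME_ASSIGNING frame flag instead), say so here next to JOF_FOR, for example "set only on opcodes that purely assign; JOF_FOR ops use JSFRAME_ASSIGNING". Resolve hooks often use JSRESOLVE_ASSIGNING to decide whether to define or shadow a property, so a future opcode tagged with this bit by mistake would bring back the wrong-resolve behaviour this change fixes. A short note on how it relates to JOF_SET would also help whoever adds the next format flag.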