android: disable JIT in SM to workaround #31134 (#31270)

The crash when loading servo.org happens in the JIT code
emitted by SM's CacheIRCompiler to invoke the VM function
`ProxyGetPropertyByValue`.

To disable this code path, it is not sufficient to disable
just the baseline JIT (which exposed in servo under the
pref `js.baseline.enabled`) but also the baseline
interpreter which is controlled by a different flag in SM.

This PR disables renames the `js.baseline.enabled` pref in
Servo to `js.baseline_jit.enabled` and introduces a new
pref `js.baseline_interpreter.enabled` that controls the
baseline interpreter.

Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>

components/script/script_runtime.rs

@@ -530,10 +530,15 @@ unsafe fn new_rt_and_cx_with_parent(
 
     // Enable or disable the JITs.
     let cx_opts = &mut *ContextOptionsRef(cx);
+    JS_SetGlobalJitCompilerOption(
+        cx,
+        JSJitCompilerOption::JSJITCOMPILER_BASELINE_INTERPRETER_ENABLE,
+        pref!(js.baseline_interpreter.enabled) as u32,
+    );
     JS_SetGlobalJitCompilerOption(
         cx,
         JSJitCompilerOption::JSJITCOMPILER_BASELINE_ENABLE,
-        pref!(js.baseline.enabled) as u32,
+        pref!(js.baseline_jit.enabled) as u32,
     );
     JS_SetGlobalJitCompilerOption(
         cx,
@@ -564,7 +569,7 @@ unsafe fn new_rt_and_cx_with_parent(
     JS_SetGlobalJitCompilerOption(
         cx,
         JSJitCompilerOption::JSJITCOMPILER_BASELINE_WARMUP_TRIGGER,
-        if pref!(js.baseline.unsafe_eager_compilation.enabled) {
+        if pref!(js.baseline_jit.unsafe_eager_compilation.enabled) {
             0
         } else {
             u32::max_value()