Merged bleeding_edge -r 685:746 into regexp2000.

src/codegen-arm.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 17 matching lines @@
 #include "v8.h"
 
 #include "bootstrapper.h"
 #include "codegen-inl.h"
 #include "debug.h"
 #include "scopes.h"
 #include "runtime.h"
 
 namespace v8 { namespace internal {
 
+#define __ masm_->
+
+// -------------------------------------------------------------------------
+// VirtualFrame implementation.
+
+VirtualFrame::VirtualFrame(CodeGenerator* cgen) {
+  ASSERT(cgen->scope() != NULL);
+
+  masm_ = cgen->masm();
+  frame_local_count_ = cgen->scope()->num_stack_slots();
+  parameter_count_ = cgen->scope()->num_parameters();
+}
+
+
+void VirtualFrame::Enter() {
+  Comment cmnt(masm_, "[ Enter JS frame");
+#ifdef DEBUG
+  { Label done, fail;
+    __ tst(r1, Operand(kSmiTagMask));
+    __ b(eq, &fail);
+    __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
+    __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
+    __ cmp(r2, Operand(JS_FUNCTION_TYPE));
+    __ b(eq, &done);
+    __ bind(&fail);
+    __ stop("CodeGenerator::EnterJSFrame - r1 not a function");
+    __ bind(&done);
+  }
+#endif  // DEBUG
+
+  __ stm(db_w, sp, r1.bit() | cp.bit() | fp.bit() | lr.bit());
+  // Adjust FP to point to saved FP.
+  __ add(fp, sp, Operand(2 * kPointerSize));
+}
+
+
+void VirtualFrame::Exit() {
+  Comment cmnt(masm_, "[ Exit JS frame");
+  // Drop the execution stack down to the frame pointer and restore the caller
+  // frame pointer and return address.
+  __ mov(sp, fp);
+  __ ldm(ia_w, sp, fp.bit() | lr.bit());
+}
+
+
+void VirtualFrame::AllocateLocals() {
+  if (frame_local_count_ > 0) {
+    Comment cmnt(masm_, "[ Allocate space for locals");
+      // Initialize stack slots with 'undefined' value.
+    __ mov(ip, Operand(Factory::undefined_value()));
+    for (int i = 0; i < frame_local_count_; i++) {
+      __ push(ip);
+    }
+  }
+}
+
+
+void VirtualFrame::Drop(int count) {
+  ASSERT(count >= 0);
+  if (count > 0) {
+    __ add(sp, sp, Operand(count * kPointerSize));
+  }
+}
+
+
+void VirtualFrame::Pop() { Drop(1); }
+
+
+void VirtualFrame::Pop(Register reg) {
+  __ pop(reg);
+}
+
+
+void VirtualFrame::Push(Register reg) {
+  __ push(reg);
+}
+
+
 // -------------------------------------------------------------------------
 // CodeGenState implementation.
 
 CodeGenState::CodeGenState(CodeGenerator* owner)
     : owner_(owner),
       typeof_state_(NOT_INSIDE_TYPEOF),
       true_target_(NULL),
       false_target_(NULL),
       previous_(NULL) {
   owner_->set_state(this);
@@ skipping 12 matching lines @@
   owner_->set_state(this);
 }
 
 
 CodeGenState::~CodeGenState() {
   ASSERT(owner_->state() == this);
   owner_->set_state(previous_);
 }
 
 
-// -----------------------------------------------------------------------------
+// -------------------------------------------------------------------------
 // CodeGenerator implementation
 
-#define __ masm_->
-
 CodeGenerator::CodeGenerator(int buffer_size, Handle<Script> script,
                              bool is_eval)
     : is_eval_(is_eval),
       script_(script),
       deferred_(8),
       masm_(new MacroAssembler(NULL, buffer_size)),
       scope_(NULL),
+      frame_(NULL),
       cc_reg_(al),
       state_(NULL),
       break_stack_height_(0) {
 }
 
 
 // Calling conventions:
-
 // r0: the number of arguments
 // fp: frame pointer
 // sp: stack pointer
 // pp: caller's parameter pointer
 // cp: callee's context
 
 void CodeGenerator::GenCode(FunctionLiteral* fun) {
-  Scope* scope = fun->scope();
   ZoneList<Statement*>* body = fun->body();
 
   // Initialize state.
-  { CodeGenState state(this);
-    scope_ = scope;
-    cc_reg_ = al;
+  ASSERT(scope_ == NULL);
+  scope_ = fun->scope();
+  ASSERT(frame_ == NULL);
+  VirtualFrame virtual_frame(this);
+  frame_ = &virtual_frame;
+  cc_reg_ = al;
+  {
+    CodeGenState state(this);
 
     // Entry
     // stack: function, receiver, arguments, return address
     // r0: number of arguments
     // sp: stack pointer
     // fp: frame pointer
     // pp: caller's parameter pointer
     // cp: callee's context
 
-    { Comment cmnt(masm_, "[ enter JS frame");
-      EnterJSFrame();
-    }
+    frame_->Enter();
     // tos: code slot
 #ifdef DEBUG
     if (strlen(FLAG_stop_at) > 0 &&
         fun->name()->IsEqualTo(CStrVector(FLAG_stop_at))) {
       __ stop("stop-at");
     }
 #endif
 
     // Allocate space for locals and initialize them.
-    if (scope->num_stack_slots() > 0) {
-      Comment cmnt(masm_, "[ allocate space for locals");
-      // Initialize stack slots with 'undefined' value.
-      __ mov(ip, Operand(Factory::undefined_value()));
-      for (int i = 0; i < scope->num_stack_slots(); i++) {
-        __ push(ip);
-      }
-    }
+    frame_->AllocateLocals();
 
-    if (scope->num_heap_slots() > 0) {
+    if (scope_->num_heap_slots() > 0) {
       // Allocate local context.
       // Get outer context and create a new context based on it.
-      __ ldr(r0, FunctionOperand());
-      __ push(r0);
+      __ ldr(r0, frame_->Function());
+      frame_->Push(r0);
       __ CallRuntime(Runtime::kNewContext, 1);  // r0 holds the result
 
       if (kDebug) {
         Label verified_true;
         __ cmp(r0, Operand(cp));
         __ b(eq, &verified_true);
         __ stop("NewContext: r0 is expected to be the same as cp");
         __ bind(&verified_true);
       }
       // Update context local.
-      __ str(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
+      __ str(cp, frame_->Context());
     }
 
-    // TODO(1241774): Improve this code!!!
+    // TODO(1241774): Improve this code:
     // 1) only needed if we have a context
     // 2) no need to recompute context ptr every single time
     // 3) don't copy parameter operand code from SlotOperand!
     {
       Comment cmnt2(masm_, "[ copy context parameters into .context");
 
       // Note that iteration order is relevant here! If we have the same
       // parameter twice (e.g., function (x, y, x)), and that parameter
       // needs to be copied into the context, it must be the last argument
       // passed to the parameter that needs to be copied. This is a rare
       // case so we don't check for it, instead we rely on the copying
       // order: such a parameter is copied repeatedly into the same
       // context location and thus the last value is what is seen inside
       // the function.
-      for (int i = 0; i < scope->num_parameters(); i++) {
-        Variable* par = scope->parameter(i);
+      for (int i = 0; i < scope_->num_parameters(); i++) {
+        Variable* par = scope_->parameter(i);
         Slot* slot = par->slot();
         if (slot != NULL && slot->type() == Slot::CONTEXT) {
-          ASSERT(!scope->is_global_scope());  // no parameters in global scope
-          __ ldr(r1, ParameterOperand(i));
+          ASSERT(!scope_->is_global_scope());  // no parameters in global scope
+          __ ldr(r1, frame_->Parameter(i));
           // Loads r2 with context; used below in RecordWrite.
           __ str(r1, SlotOperand(slot, r2));
           // Load the offset into r3.
           int slot_offset =
               FixedArray::kHeaderSize + slot->index() * kPointerSize;
           __ mov(r3, Operand(slot_offset));
           __ RecordWrite(r2, r3, r1);
         }
       }
     }
 
-    // Store the arguments object.
-    // This must happen after context initialization because
-    // the arguments array may be stored in the context!
-    if (scope->arguments() != NULL) {
-      ASSERT(scope->arguments_shadow() != NULL);
+    // Store the arguments object.  This must happen after context
+    // initialization because the arguments object may be stored in the
+    // context.
+    if (scope_->arguments() != NULL) {
+      ASSERT(scope_->arguments_shadow() != NULL);
       Comment cmnt(masm_, "[ allocate arguments object");
-      { Reference shadow_ref(this, scope->arguments_shadow());
-        { Reference arguments_ref(this, scope->arguments());
+      { Reference shadow_ref(this, scope_->arguments_shadow());
+        { Reference arguments_ref(this, scope_->arguments());
           ArgumentsAccessStub stub(ArgumentsAccessStub::NEW_OBJECT);
-          __ ldr(r2, FunctionOperand());
+          __ ldr(r2, frame_->Function());
           // The receiver is below the arguments, the return address,
           // and the frame pointer on the stack.
-          const int kReceiverDisplacement = 2 + scope->num_parameters();
+          const int kReceiverDisplacement = 2 + scope_->num_parameters();
           __ add(r1, fp, Operand(kReceiverDisplacement * kPointerSize));
-          __ mov(r0, Operand(Smi::FromInt(scope->num_parameters())));
+          __ mov(r0, Operand(Smi::FromInt(scope_->num_parameters())));
           __ stm(db_w, sp, r0.bit() | r1.bit() | r2.bit());
           __ CallStub(&stub);
-          __ push(r0);
+          frame_->Push(r0);
           arguments_ref.SetValue(NOT_CONST_INIT);
         }
         shadow_ref.SetValue(NOT_CONST_INIT);
       }
-      __ pop(r0);  // Value is no longer needed.
+      frame_->Pop();  // Value is no longer needed.
     }
 
-    // Generate code to 'execute' declarations and initialize
-    // functions (source elements). In case of an illegal
-    // redeclaration we need to handle that instead of processing the
-    // declarations.
-    if (scope->HasIllegalRedeclaration()) {
+    // Generate code to 'execute' declarations and initialize functions
+    // (source elements). In case of an illegal redeclaration we need to
+    // handle that instead of processing the declarations.
+    if (scope_->HasIllegalRedeclaration()) {
       Comment cmnt(masm_, "[ illegal redeclarations");
-      scope->VisitIllegalRedeclaration(this);
+      scope_->VisitIllegalRedeclaration(this);
     } else {
       Comment cmnt(masm_, "[ declarations");
-      // ProcessDeclarations calls DeclareGlobals indirectly
-      ProcessDeclarations(scope->declarations());
-
-      // Bail out if a stack-overflow exception occurred when
-      // processing declarations.
+      ProcessDeclarations(scope_->declarations());
+      // Bail out if a stack-overflow exception occurred when processing
+      // declarations.
       if (HasStackOverflow()) return;
     }
 
     if (FLAG_trace) {
-      // Push a valid value as the parameter. The runtime call only uses
-      // it as the return value to indicate non-failure.
       __ CallRuntime(Runtime::kTraceEnter, 0);
+      // Ignore the return value.
     }
     CheckStack();
 
     // Compile the body of the function in a vanilla state. Don't
     // bother compiling all the code if the scope has an illegal
     // redeclaration.
-    if (!scope->HasIllegalRedeclaration()) {
+    if (!scope_->HasIllegalRedeclaration()) {
       Comment cmnt(masm_, "[ function body");
 #ifdef DEBUG
       bool is_builtin = Bootstrapper::IsActive();
       bool should_trace =
           is_builtin ? FLAG_trace_builtin_calls : FLAG_trace_calls;
       if (should_trace) {
         __ CallRuntime(Runtime::kDebugTrace, 0);
+        // Ignore the return value.
       }
 #endif
       VisitStatements(body);
     }
   }
 
   // exit
   // r0: result
   // sp: stack pointer
   // fp: frame pointer
   // pp: parameter pointer
   // cp: callee's context
   __ mov(r0, Operand(Factory::undefined_value()));
 
   __ bind(&function_return_);
   if (FLAG_trace) {
     // Push the return value on the stack as the parameter.
     // Runtime::TraceExit returns the parameter as it is.
-    __ push(r0);
+    frame_->Push(r0);
     __ CallRuntime(Runtime::kTraceExit, 1);
   }
 
   // Tear down the frame which will restore the caller's frame pointer and the
   // link register.
-  ExitJSFrame();
+  frame_->Exit();
 
   __ add(sp, sp, Operand((scope_->num_parameters() + 1) * kPointerSize));
   __ mov(pc, lr);
 
   // Code generation state must be reset.
   scope_ = NULL;
+  frame_ = NULL;
   ASSERT(!has_cc());
   ASSERT(state_ == NULL);
 }
 
 
 MemOperand CodeGenerator::SlotOperand(Slot* slot, Register tmp) {
   // Currently, this assertion will fail if we try to assign to
   // a constant variable that is constant because it is read-only
   // (such as the variable referring to a named function expression).
   // We need to implement assignments to read-only variables.
   // Ideally, we should do this during AST generation (by converting
   // such assignments into expression statements); however, in general
   // we may not be able to make the decision until past AST generation,
   // that is when the entire program is known.
   ASSERT(slot != NULL);
   int index = slot->index();
   switch (slot->type()) {
     case Slot::PARAMETER:
-      return ParameterOperand(index);
+      return frame_->Parameter(index);
 
-    case Slot::LOCAL: {
-      ASSERT(0 <= index && index < scope()->num_stack_slots());
-      const int kLocalOffset = JavaScriptFrameConstants::kLocal0Offset;
-      return MemOperand(fp, kLocalOffset - index * kPointerSize);
-    }
+    case Slot::LOCAL:
+      return frame_->Local(index);
 
     case Slot::CONTEXT: {
       // Follow the context chain if necessary.
       ASSERT(!tmp.is(cp));  // do not overwrite context register
       Register context = cp;
       int chain_length = scope()->ContextChainLength(slot->var()->scope());
       for (int i = chain_length; i-- > 0;) {
         // Load the closure.
         // (All contexts, even 'with' contexts, have a closure,
         // and it is the same for all contexts inside a function.
@@ skipping 14 matching lines @@
       return ContextOperand(tmp, index);
     }
 
     default:
       UNREACHABLE();
       return MemOperand(r0, 0);
   }
 }
 
 
-// Loads a value on the stack. If it is a boolean value, the result may have
-// been (partially) translated into branches, or it may have set the condition
-// code register. If force_cc is set, the value is forced to set the condition
-// code register and no value is pushed. If the condition code register was set,
-// has_cc() is true and cc_reg_ contains the condition to test for 'true'.
+// Loads a value on TOS. If it is a boolean value, the result may have been
+// (partially) translated into branches, or it may have set the condition
+// code register. If force_cc is set, the value is forced to set the
+// condition code register and no value is pushed. If the condition code
+// register was set, has_cc() is true and cc_reg_ contains the condition to
+// test for 'true'.
 void CodeGenerator::LoadCondition(Expression* x,
-                                     TypeofState typeof_state,
-                                     Label* true_target,
-                                     Label* false_target,
-                                     bool force_cc) {
+                                  TypeofState typeof_state,
+                                  Label* true_target,
+                                  Label* false_target,
+                                  bool force_cc) {
   ASSERT(!has_cc());
 
   { CodeGenState new_state(this, typeof_state, true_target, false_target);
     Visit(x);
   }
   if (force_cc && !has_cc()) {
     // Convert the TOS value to a boolean in the condition code register.
+    // Visiting an expression may possibly choose neither (a) to leave a
+    // value in the condition code register nor (b) to leave a value in TOS
+    // (eg, by compiling to only jumps to the targets).  In that case the
+    // code generated by ToBoolean is wrong because it assumes the value of
+    // the expression in TOS.  So long as there is always a value in TOS or
+    // the condition code register when control falls through to here (there
+    // is), the code generated by ToBoolean is dead and therefore safe.
     ToBoolean(true_target, false_target);
   }
   ASSERT(has_cc() || !force_cc);
 }
 
 
 void CodeGenerator::Load(Expression* x, TypeofState typeof_state) {
   Label true_target;
   Label false_target;
   LoadCondition(x, typeof_state, &true_target, &false_target, false);
 
   if (has_cc()) {
     // convert cc_reg_ into a bool
     Label loaded, materialize_true;
     __ b(cc_reg_, &materialize_true);
     __ mov(r0, Operand(Factory::false_value()));
-    __ push(r0);
+    frame_->Push(r0);
     __ b(&loaded);
     __ bind(&materialize_true);
     __ mov(r0, Operand(Factory::true_value()));
-    __ push(r0);
+    frame_->Push(r0);
     __ bind(&loaded);
     cc_reg_ = al;
   }
 
   if (true_target.is_linked() || false_target.is_linked()) {
     // we have at least one condition value
     // that has been "translated" into a branch,
     // thus it needs to be loaded explicitly again
     Label loaded;
     __ b(&loaded);  // don't lose current TOS
     bool both = true_target.is_linked() && false_target.is_linked();
     // reincarnate "true", if necessary
     if (true_target.is_linked()) {
       __ bind(&true_target);
       __ mov(r0, Operand(Factory::true_value()));
-      __ push(r0);
+      frame_->Push(r0);
     }
     // if both "true" and "false" need to be reincarnated,
     // jump across code for "false"
     if (both)
       __ b(&loaded);
     // reincarnate "false", if necessary
     if (false_target.is_linked()) {
       __ bind(&false_target);
       __ mov(r0, Operand(Factory::false_value()));
-      __ push(r0);
+      frame_->Push(r0);
     }
     // everything is loaded at this point
     __ bind(&loaded);
   }
   ASSERT(!has_cc());
 }
 
 
 void CodeGenerator::LoadGlobal() {
   __ ldr(r0, GlobalObject());
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
-void CodeGenerator::LoadGlobalReceiver(Register s) {
-  __ ldr(s, ContextOperand(cp, Context::GLOBAL_INDEX));
-  __ ldr(s, FieldMemOperand(s, GlobalObject::kGlobalReceiverOffset));
-  __ push(s);
+void CodeGenerator::LoadGlobalReceiver(Register scratch) {
+  __ ldr(scratch, ContextOperand(cp, Context::GLOBAL_INDEX));
+  __ ldr(scratch,
+         FieldMemOperand(scratch, GlobalObject::kGlobalReceiverOffset));
+  frame_->Push(scratch);
 }
 
 
 // TODO(1241834): Get rid of this function in favor of just using Load, now
 // that we have the INSIDE_TYPEOF typeof state. => Need to handle global
 // variables w/o reference errors elsewhere.
 void CodeGenerator::LoadTypeofExpression(Expression* x) {
   Variable* variable = x->AsVariableProxy()->AsVariable();
   if (variable != NULL && !variable->is_this() && variable->is_global()) {
     // NOTE: This is somewhat nasty. We force the compiler to load
@@ skipping 17 matching lines @@
 }
 
 
 Reference::~Reference() {
   cgen_->UnloadReference(this);
 }
 
 
 void CodeGenerator::LoadReference(Reference* ref) {
   Comment cmnt(masm_, "[ LoadReference");
-
   Expression* e = ref->expression();
   Property* property = e->AsProperty();
   Variable* var = e->AsVariableProxy()->AsVariable();
 
   if (property != NULL) {
     // The expression is either a property or a variable proxy that rewrites
     // to a property.
     Load(property->obj());
     // We use a named reference if the key is a literal symbol, unless it is
     // a string that can be legally parsed as an integer.  This is because
@@ skipping 21 matching lines @@
     }
   } else {
     // Anything else is a runtime error.
     Load(e);
     __ CallRuntime(Runtime::kThrowReferenceError, 1);
   }
 }
 
 
 void CodeGenerator::UnloadReference(Reference* ref) {
+  // Pop a reference from the stack while preserving TOS.
   Comment cmnt(masm_, "[ UnloadReference");
-
   int size = ref->size();
-  if (size <= 0) {
-    // Do nothing. No popping is necessary.
-  } else {
-    __ pop(r0);
-    __ add(sp, sp, Operand(size * kPointerSize));
-    __ push(r0);
+  if (size > 0) {
+    frame_->Pop(r0);
+    frame_->Drop(size);
+    frame_->Push(r0);
   }
 }
 
 
 // ECMA-262, section 9.2, page 30: ToBoolean(). Convert the given
 // register to a boolean in the condition code register. The code
 // may jump to 'false_target' in case the register converts to 'false'.
 void CodeGenerator::ToBoolean(Label* true_target,
-                                 Label* false_target) {
+                              Label* false_target) {
   // Note: The generated code snippet does not change stack variables.
   //       Only the condition code should be set.
-  __ pop(r0);
+  frame_->Pop(r0);
 
   // Fast case checks
 
   // Check if the value is 'false'.
   __ cmp(r0, Operand(Factory::false_value()));
   __ b(eq, false_target);
 
   // Check if the value is 'true'.
   __ cmp(r0, Operand(Factory::true_value()));
   __ b(eq, true_target);
 
   // Check if the value is 'undefined'.
   __ cmp(r0, Operand(Factory::undefined_value()));
   __ b(eq, false_target);
 
   // Check if the value is a smi.
   __ cmp(r0, Operand(Smi::FromInt(0)));
   __ b(eq, false_target);
   __ tst(r0, Operand(kSmiTagMask));
   __ b(eq, true_target);
 
   // Slow case: call the runtime.
-  __ push(r0);
+  frame_->Push(r0);
   __ CallRuntime(Runtime::kToBool, 1);
-
-  // Convert result (r0) to condition code
+  // Convert the result (r0) to a condition code.
   __ cmp(r0, Operand(Factory::false_value()));
 
   cc_reg_ = ne;
 }
 
 
 class GetPropertyStub : public CodeStub {
  public:
   GetPropertyStub() { }
 
@@ skipping 80 matching lines @@
   switch (op) {
     case Token::ADD:  // fall through.
     case Token::SUB:  // fall through.
     case Token::MUL:
     case Token::BIT_OR:
     case Token::BIT_AND:
     case Token::BIT_XOR:
     case Token::SHL:
     case Token::SHR:
     case Token::SAR: {
-      __ pop(r0);  // r0 : y
-      __ pop(r1);  // r1 : x
+      frame_->Pop(r0);  // r0 : y
+      frame_->Pop(r1);  // r1 : x
       GenericBinaryOpStub stub(op);
       __ CallStub(&stub);
       break;
     }
 
     case Token::DIV: {
       __ mov(r0, Operand(1));
       __ InvokeBuiltin(Builtins::DIV, CALL_JS);
       break;
     }
 
     case Token::MOD: {
       __ mov(r0, Operand(1));
       __ InvokeBuiltin(Builtins::MOD, CALL_JS);
       break;
     }
 
     case Token::COMMA:
-      __ pop(r0);
+      frame_->Pop(r0);
       // simply discard left value
-      __ pop();
+      frame_->Pop();
       break;
 
     default:
       // Other cases should have been handled before this point.
       UNREACHABLE();
       break;
   }
 }
 
 
@@ skipping 67 matching lines @@
   }
 
  private:
   Token::Value op_;
   int value_;
   bool reversed_;
 };
 
 
 void CodeGenerator::SmiOperation(Token::Value op,
-                                    Handle<Object> value,
-                                    bool reversed) {
+                                 Handle<Object> value,
+                                 bool reversed) {
   // NOTE: This is an attempt to inline (a bit) more of the code for
   // some possible smi operations (like + and -) when (at least) one
   // of the operands is a literal smi. With this optimization, the
   // performance of the system is increased by ~15%, and the generated
   // code size is increased by ~1% (measured on a combination of
   // different benchmarks).
 
   // sp[0] : operand
 
   int int_value = Smi::cast(*value)->value();
 
   Label exit;
-  __ pop(r0);
+  frame_->Pop(r0);
 
   switch (op) {
     case Token::ADD: {
       DeferredCode* deferred =
         new DeferredInlinedSmiOperation(this, op, int_value, reversed);
 
       __ add(r0, r0, Operand(value), SetCC);
       __ b(vs, deferred->enter());
       __ tst(r0, Operand(kSmiTagMask));
       __ b(ne, deferred->enter());
@@ skipping 32 matching lines @@
       }
       __ bind(deferred->exit());
       break;
     }
 
     case Token::SHL:
     case Token::SHR:
     case Token::SAR: {
       if (reversed) {
         __ mov(ip, Operand(value));
-        __ push(ip);
-        __ push(r0);
+        frame_->Push(ip);
+        frame_->Push(r0);
         GenericBinaryOperation(op);
 
       } else {
         int shift_value = int_value & 0x1f;  // least significant 5 bits
         DeferredCode* deferred =
           new DeferredInlinedSmiOperation(this, op, shift_value, false);
         __ tst(r0, Operand(kSmiTagMask));
         __ b(ne, deferred->enter());
         __ mov(r2, Operand(r0, ASR, kSmiTagSize));  // remove tags
         switch (op) {
@@ skipping 29 matching lines @@
           default: UNREACHABLE();
         }
         __ mov(r0, Operand(r2, LSL, kSmiTagSize));
         __ bind(deferred->exit());
       }
       break;
     }
 
     default:
       if (!reversed) {
-        __ push(r0);
+        frame_->Push(r0);
         __ mov(r0, Operand(value));
-        __ push(r0);
+        frame_->Push(r0);
       } else {
         __ mov(ip, Operand(value));
-        __ push(ip);
-        __ push(r0);
+        frame_->Push(ip);
+        frame_->Push(r0);
       }
       GenericBinaryOperation(op);
       break;
   }
 
   __ bind(&exit);
 }
 
 
 void CodeGenerator::Comparison(Condition cc, bool strict) {
   // sp[0] : y
   // sp[1] : x
   // result : cc register
 
   // Strict only makes sense for equality comparisons.
   ASSERT(!strict || cc == eq);
 
   Label exit, smi;
   // Implement '>' and '<=' by reversal to obtain ECMA-262 conversion order.
   if (cc == gt || cc == le) {
     cc = ReverseCondition(cc);
-    __ pop(r1);
-    __ pop(r0);
+    frame_->Pop(r1);
+    frame_->Pop(r0);
   } else {
-    __ pop(r0);
-    __ pop(r1);
+    frame_->Pop(r0);
+    frame_->Pop(r1);
   }
   __ orr(r2, r0, Operand(r1));
   __ tst(r2, Operand(kSmiTagMask));
   __ b(eq, &smi);
 
   // Perform non-smi comparison by runtime call.
-  __ push(r1);
+  frame_->Push(r1);
 
   // Figure out which native to call and setup the arguments.
   Builtins::JavaScript native;
   int argc;
   if (cc == eq) {
     native = strict ? Builtins::STRICT_EQUALS : Builtins::EQUALS;
     argc = 1;
   } else {
     native = Builtins::COMPARE;
     int ncr;  // NaN compare result
     if (cc == lt || cc == le) {
       ncr = GREATER;
     } else {
       ASSERT(cc == gt || cc == ge);  // remaining cases
       ncr = LESS;
     }
-    __ push(r0);
+    frame_->Push(r0);
     __ mov(r0, Operand(Smi::FromInt(ncr)));
     argc = 2;
   }
 
   // Call the native; it returns -1 (less), 0 (equal), or 1 (greater)
   // tagged as a small integer.
-  __ push(r0);
+  frame_->Push(r0);
   __ mov(r0, Operand(argc));
   __ InvokeBuiltin(native, CALL_JS);
   __ cmp(r0, Operand(0));
   __ b(&exit);
 
   // test smi equality by pointer comparison.
   __ bind(&smi);
   __ cmp(r1, Operand(r0));
 
   __ bind(&exit);
@@ skipping 28 matching lines @@
   }
 
   // Record the position for debugging purposes.
   __ RecordPosition(position);
 
   // Use the shared code stub to call the function.
   CallFunctionStub call_function(args->length());
   __ CallStub(&call_function);
 
   // Restore context and pop function from the stack.
-  __ ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
-  __ pop();  // discard the TOS
+  __ ldr(cp, frame_->Context());
+  frame_->Pop();  // discard the TOS
 }
 
 
 void CodeGenerator::Branch(bool if_true, Label* L) {
   ASSERT(has_cc());
   Condition cc = if_true ? cc_reg_ : NegateCondition(cc_reg_);
   __ b(cc, L);
   cc_reg_ = al;
 }
 
@@ skipping 11 matching lines @@
   Comment cmnt(masm_, "[ Block");
   if (FLAG_debug_info) RecordStatementPosition(node);
   node->set_break_stack_height(break_stack_height_);
   VisitStatements(node->statements());
   __ bind(node->break_target());
 }
 
 
 void CodeGenerator::DeclareGlobals(Handle<FixedArray> pairs) {
   __ mov(r0, Operand(pairs));
-  __ push(r0);
-  __ push(cp);
+  frame_->Push(r0);
+  frame_->Push(cp);
   __ mov(r0, Operand(Smi::FromInt(is_eval() ? 1 : 0)));
-  __ push(r0);
+  frame_->Push(r0);
   __ CallRuntime(Runtime::kDeclareGlobals, 3);
   // The result is discarded.
 }
 
 
 void CodeGenerator::VisitDeclaration(Declaration* node) {
   Comment cmnt(masm_, "[ Declaration");
   Variable* var = node->proxy()->var();
   ASSERT(var != NULL);  // must have been resolved
   Slot* slot = var->slot();
 
   // If it was not possible to allocate the variable at compile time,
   // we need to "declare" it at runtime to make sure it actually
   // exists in the local context.
   if (slot != NULL && slot->type() == Slot::LOOKUP) {
     // Variables with a "LOOKUP" slot were introduced as non-locals
     // during variable resolution and must have mode DYNAMIC.
     ASSERT(var->mode() == Variable::DYNAMIC);
     // For now, just do a runtime call.
-    __ push(cp);
+    frame_->Push(cp);
     __ mov(r0, Operand(var->name()));
-    __ push(r0);
+    frame_->Push(r0);
     // Declaration nodes are always declared in only two modes.
     ASSERT(node->mode() == Variable::VAR || node->mode() == Variable::CONST);
     PropertyAttributes attr = node->mode() == Variable::VAR ? NONE : READ_ONLY;
     __ mov(r0, Operand(Smi::FromInt(attr)));
-    __ push(r0);
+    frame_->Push(r0);
     // Push initial value, if any.
     // Note: For variables we must not push an initial value (such as
     // 'undefined') because we may have a (legal) redeclaration and we
     // must not destroy the current value.
     if (node->mode() == Variable::CONST) {
       __ mov(r0, Operand(Factory::the_hole_value()));
-      __ push(r0);
+      frame_->Push(r0);
     } else if (node->fun() != NULL) {
       Load(node->fun());
     } else {
       __ mov(r0, Operand(0));  // no initial value!
-      __ push(r0);
+      frame_->Push(r0);
     }
     __ CallRuntime(Runtime::kDeclareContextSlot, 4);
     // Ignore the return value (declarations are statements).
     return;
   }
 
   ASSERT(!var->is_global());
 
   // If we have a function or a constant, we need to initialize the variable.
   Expression* val = NULL;
   if (node->mode() == Variable::CONST) {
     val = new Literal(Factory::the_hole_value());
   } else {
     val = node->fun();  // NULL if we don't have a function
   }
 
   if (val != NULL) {
     // Set initial value.
     Reference target(this, node->proxy());
     ASSERT(target.is_slot());
     Load(val);
     target.SetValue(NOT_CONST_INIT);
     // Get rid of the assigned value (declarations are statements).  It's
     // safe to pop the value lying on top of the reference before unloading
     // the reference itself (which preserves the top of stack) because we
     // know it is a zero-sized reference.
-    __ pop();
+    frame_->Pop();
   }
 }
 
 
 void CodeGenerator::VisitExpressionStatement(ExpressionStatement* node) {
   Comment cmnt(masm_, "[ ExpressionStatement");
   if (FLAG_debug_info) RecordStatementPosition(node);
   Expression* expression = node->expression();
   expression->MarkAsStatement();
   Load(expression);
-  __ pop();
+  frame_->Pop();
 }
 
 
 void CodeGenerator::VisitEmptyStatement(EmptyStatement* node) {
   Comment cmnt(masm_, "// EmptyStatement");
   // nothing to do
 }
 
 
 void CodeGenerator::VisitIfStatement(IfStatement* node) {
@@ skipping 44 matching lines @@
     Visit(node->else_statement());
 
   } else {
     Comment cmnt(masm_, "[ If");
     ASSERT(!has_then_stm && !has_else_stm);
     // if (cond)
     LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &exit, &exit, false);
     if (has_cc()) {
       cc_reg_ = al;
     } else {
-      __ pop(r0);  // __ Pop(no_reg)
+      frame_->Pop();
     }
   }
 
   // end
   __ bind(&exit);
 }
 
 
 void CodeGenerator::CleanStack(int num_bytes) {
-  ASSERT(num_bytes >= 0);
-  if (num_bytes > 0) {
-    __ add(sp, sp, Operand(num_bytes));
-  }
+  ASSERT(num_bytes % kPointerSize == 0);
+  frame_->Drop(num_bytes / kPointerSize);
 }
 
 
 void CodeGenerator::VisitContinueStatement(ContinueStatement* node) {
   Comment cmnt(masm_, "[ ContinueStatement");
   if (FLAG_debug_info) RecordStatementPosition(node);
   CleanStack(break_stack_height_ - node->target()->break_stack_height());
   __ b(node->target()->continue_target());
 }
 
 
 void CodeGenerator::VisitBreakStatement(BreakStatement* node) {
   Comment cmnt(masm_, "[ BreakStatement");
   if (FLAG_debug_info) RecordStatementPosition(node);
   CleanStack(break_stack_height_ - node->target()->break_stack_height());
   __ b(node->target()->break_target());
 }
 
 
 void CodeGenerator::VisitReturnStatement(ReturnStatement* node) {
   Comment cmnt(masm_, "[ ReturnStatement");
   if (FLAG_debug_info) RecordStatementPosition(node);
   Load(node->expression());
   // Move the function result into r0.
-  __ pop(r0);
+  frame_->Pop(r0);
 
   __ b(&function_return_);
 }
 
 
 void CodeGenerator::VisitWithEnterStatement(WithEnterStatement* node) {
   Comment cmnt(masm_, "[ WithEnterStatement");
   if (FLAG_debug_info) RecordStatementPosition(node);
   Load(node->expression());
   __ CallRuntime(Runtime::kPushContext, 1);
   if (kDebug) {
     Label verified_true;
     __ cmp(r0, Operand(cp));
     __ b(eq, &verified_true);
     __ stop("PushContext: r0 is expected to be the same as cp");
     __ bind(&verified_true);
   }
   // Update context local.
-  __ str(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
+  __ str(cp, frame_->Context());
 }
 
 
 void CodeGenerator::VisitWithExitStatement(WithExitStatement* node) {
   Comment cmnt(masm_, "[ WithExitStatement");
   // Pop context.
   __ ldr(cp, ContextOperand(cp, Context::PREVIOUS_INDEX));
   // Update context local.
-  __ str(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
+  __ str(cp, frame_->Context());
 }
 
 
 int CodeGenerator::FastCaseSwitchMaxOverheadFactor() {
     return kFastSwitchMaxOverheadFactor;
 }
 
 int CodeGenerator::FastCaseSwitchMinCaseCount() {
     return kFastSwitchMinCaseCount;
 }
 
 
 void CodeGenerator::GenerateFastCaseSwitchJumpTable(
     SwitchStatement* node,
     int min_index,
     int range,
     Label* fail_label,
     Vector<Label*> case_targets,
     Vector<Label> case_labels) {
 
   ASSERT(kSmiTag == 0 && kSmiTagSize <= 2);
 
-  __ pop(r0);
+  frame_->Pop(r0);
 
   // Test for a Smi value in a HeapNumber.
   Label is_smi;
   __ tst(r0, Operand(kSmiTagMask));
   __ b(eq, &is_smi);
   __ ldr(r1, MemOperand(r0, HeapObject::kMapOffset - kHeapObjectTag));
   __ ldrb(r1, MemOperand(r1, Map::kInstanceTypeOffset - kHeapObjectTag));
   __ cmp(r1, Operand(HEAP_NUMBER_TYPE));
   __ b(ne, fail_label);
-  __ push(r0);
+  frame_->Push(r0);
   __ CallRuntime(Runtime::kNumberToSmi, 1);
   __ bind(&is_smi);
 
   if (min_index != 0) {
     // Small positive numbers can be immediate operands.
     if (min_index < 0) {
       // If min_index is Smi::kMinValue, -min_index is not a Smi.
       if (Smi::IsValid(-min_index)) {
         __ add(r0, r0, Operand(Smi::FromInt(-min_index)));
       } else {
@@ skipping 47 matching lines @@
       // statements if it does not match any of the cases.
       __ b(&next);
 
       // Bind the default case label, so we can branch to it when we
       // have compared against all other cases.
       ASSERT(default_case.is_unused());  // at most one default clause
       __ bind(&default_case);
     } else {
       __ bind(&next);
       next.Unuse();
-      __ ldr(r0, MemOperand(sp, 0));
-      __ push(r0);  // duplicate TOS
+      __ ldr(r0, frame_->Top());
+      frame_->Push(r0);  // duplicate TOS
       Load(clause->label());
       Comparison(eq, true);
       Branch(false, &next);
     }
 
     // Entering the case statement for the first time. Remove the switch value
     // from the stack.
-    __ pop(r0);
+    frame_->Pop();
 
     // Generate code for the body.
     // This is also the target for the fall through from the previous case's
     // statements which has to skip over the matching code and the popping of
     // the switch value.
     __ bind(&fall_through);
     fall_through.Unuse();
     VisitStatements(clause->statements());
     __ b(&fall_through);
   }
 
   __ bind(&next);
   // Reached the end of the case statements without matching any of the cases.
   if (default_case.is_bound()) {
     // A default case exists -> execute its statements.
     __ b(&default_case);
   } else {
     // Remove the switch value from the stack.
-    __ pop(r0);
+    frame_->Pop();
   }
 
   __ bind(&fall_through);
   __ bind(node->break_target());
 }
 
 
 void CodeGenerator::VisitLoopStatement(LoopStatement* node) {
   Comment cmnt(masm_, "[ LoopStatement");
   if (FLAG_debug_info) RecordStatementPosition(node);
@@ skipping 75 matching lines @@
   // can restore the stack.
   const int kForInStackSize = 5 * kPointerSize;
   break_stack_height_ += kForInStackSize;
   node->set_break_stack_height(break_stack_height_);
 
   Label loop, next, entry, cleanup, exit, primitive, jsobject;
   Label filter_key, end_del_check, fixed_array, non_string;
 
   // Get the object to enumerate over (converted to JSObject).
   Load(node->enumerable());
-  __ pop(r0);
+  frame_->Pop(r0);
 
   // Both SpiderMonkey and kjs ignore null and undefined in contrast
   // to the specification.  12.6.4 mandates a call to ToObject.
   __ cmp(r0, Operand(Factory::undefined_value()));
   __ b(eq, &exit);
   __ cmp(r0, Operand(Factory::null_value()));
   __ b(eq, &exit);
 
   // Stack layout in body:
   // [iteration counter (Smi)]
   // [length of array]
   // [FixedArray]
   // [Map or 0]
   // [Object]
 
   // Check if enumerable is already a JSObject
   __ tst(r0, Operand(kSmiTagMask));
   __ b(eq, &primitive);
   __ ldr(r1, FieldMemOperand(r0, HeapObject::kMapOffset));
   __ ldrb(r1, FieldMemOperand(r1, Map::kInstanceTypeOffset));
   __ cmp(r1, Operand(FIRST_JS_OBJECT_TYPE));
   __ b(hs, &jsobject);
 
   __ bind(&primitive);
-  __ push(r0);
+  frame_->Push(r0);
   __ mov(r0, Operand(0));
   __ InvokeBuiltin(Builtins::TO_OBJECT, CALL_JS);
 
 
   __ bind(&jsobject);
 
   // Get the set of properties (as a FixedArray or Map).
-  __ push(r0);  // duplicate the object being enumerated
-  __ push(r0);
+  frame_->Push(r0);  // duplicate the object being enumerated
+  frame_->Push(r0);
   __ CallRuntime(Runtime::kGetPropertyNamesFast, 1);
 
   // If we got a Map, we can do a fast modification check.
   // Otherwise, we got a FixedArray, and we have to do a slow check.
   __ mov(r2, Operand(r0));
   __ ldr(r1, FieldMemOperand(r2, HeapObject::kMapOffset));
   __ cmp(r1, Operand(Factory::meta_map()));
   __ b(ne, &fixed_array);
 
   // Get enum cache
   __ mov(r1, Operand(r0));
   __ ldr(r1, FieldMemOperand(r1, Map::kInstanceDescriptorsOffset));
   __ ldr(r1, FieldMemOperand(r1, DescriptorArray::kEnumerationIndexOffset));
   __ ldr(r2,
          FieldMemOperand(r1, DescriptorArray::kEnumCacheBridgeCacheOffset));
 
-  __ push(r0);  // map
-  __ push(r2);  // enum cache bridge cache
+  frame_->Push(r0);  // map
+  frame_->Push(r2);  // enum cache bridge cache
   __ ldr(r0, FieldMemOperand(r2, FixedArray::kLengthOffset));
   __ mov(r0, Operand(r0, LSL, kSmiTagSize));
-  __ push(r0);
+  frame_->Push(r0);
   __ mov(r0, Operand(Smi::FromInt(0)));
-  __ push(r0);
+  frame_->Push(r0);
   __ b(&entry);
 
 
   __ bind(&fixed_array);
 
   __ mov(r1, Operand(Smi::FromInt(0)));
-  __ push(r1);  // insert 0 in place of Map
-  __ push(r0);
+  frame_->Push(r1);  // insert 0 in place of Map
+  frame_->Push(r0);
 
   // Push the length of the array and the initial index onto the stack.
   __ ldr(r0, FieldMemOperand(r0, FixedArray::kLengthOffset));
   __ mov(r0, Operand(r0, LSL, kSmiTagSize));
-  __ push(r0);
+  frame_->Push(r0);
   __ mov(r0, Operand(Smi::FromInt(0)));  // init index
-  __ push(r0);
+  frame_->Push(r0);
 
   __ b(&entry);
 
   // Body.
   __ bind(&loop);
   Visit(node->body());
 
   // Next.
   __ bind(node->continue_target());
   __ bind(&next);
-  __ pop(r0);
+  frame_->Pop(r0);
   __ add(r0, r0, Operand(Smi::FromInt(1)));
-  __ push(r0);
+  frame_->Push(r0);
 
   // Condition.
   __ bind(&entry);
 
   // sp[0] : index
   // sp[1] : array/enum cache length
   // sp[2] : array or enum cache
   // sp[3] : 0 or map
   // sp[4] : enumerable
-  __ ldr(r0, MemOperand(sp, 0 * kPointerSize));  // load the current count
-  __ ldr(r1, MemOperand(sp, 1 * kPointerSize));  // load the length
+  __ ldr(r0, frame_->Element(0));  // load the current count
+  __ ldr(r1, frame_->Element(1));  // load the length
   __ cmp(r0, Operand(r1));  // compare to the array length
   __ b(hs, &cleanup);
 
-  __ ldr(r0, MemOperand(sp, 0 * kPointerSize));
+  __ ldr(r0, frame_->Element(0));
 
   // Get the i'th entry of the array.
-  __ ldr(r2, MemOperand(sp, 2 * kPointerSize));
+  __ ldr(r2, frame_->Element(2));
   __ add(r2, r2, Operand(FixedArray::kHeaderSize - kHeapObjectTag));
   __ ldr(r3, MemOperand(r2, r0, LSL, kPointerSizeLog2 - kSmiTagSize));
 
   // Get Map or 0.
-  __ ldr(r2, MemOperand(sp, 3 * kPointerSize));
+  __ ldr(r2, frame_->Element(3));
   // Check if this (still) matches the map of the enumerable.
   // If not, we have to filter the key.
-  __ ldr(r1, MemOperand(sp, 4 * kPointerSize));
+  __ ldr(r1, frame_->Element(4));
   __ ldr(r1, FieldMemOperand(r1, HeapObject::kMapOffset));
   __ cmp(r1, Operand(r2));
   __ b(eq, &end_del_check);
 
   // Convert the entry to a string (or null if it isn't a property anymore).
-  __ ldr(r0, MemOperand(sp, 4 * kPointerSize));  // push enumerable
-  __ push(r0);
-  __ push(r3);  // push entry
+  __ ldr(r0, frame_->Element(4));  // push enumerable
+  frame_->Push(r0);
+  frame_->Push(r3);  // push entry
   __ mov(r0, Operand(1));
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_JS);
   __ mov(r3, Operand(r0));
 
   // If the property has been removed while iterating, we just skip it.
   __ cmp(r3, Operand(Factory::null_value()));
   __ b(eq, &next);
 
 
   __ bind(&end_del_check);
 
   // Store the entry in the 'each' expression and take another spin in the loop.
   // r3: i'th entry of the enum cache (or string there of)
-  __ push(r3);  // push entry
+  frame_->Push(r3);  // push entry
   { Reference each(this, node->each());
     if (!each.is_illegal()) {
       if (each.size() > 0) {
-        __ ldr(r0, MemOperand(sp, kPointerSize * each.size()));
-        __ push(r0);
+        __ ldr(r0, frame_->Element(each.size()));
+        frame_->Push(r0);
       }
       // If the reference was to a slot we rely on the convenient property
       // that it doesn't matter whether a value (eg, r3 pushed above) is
       // right on top of or right underneath a zero-sized reference.
       each.SetValue(NOT_CONST_INIT);
       if (each.size() > 0) {
         // It's safe to pop the value lying on top of the reference before
         // unloading the reference itself (which preserves the top of stack,
         // ie, now the topmost value of the non-zero sized reference), since
         // we will discard the top of stack after unloading the reference
         // anyway.
-        __ pop(r0);
+        frame_->Pop(r0);
       }
     }
   }
   // Discard the i'th entry pushed above or else the remainder of the
   // reference, whichever is currently on top of the stack.
-  __ pop();
+  frame_->Pop();
   CheckStack();  // TODO(1222600): ignore if body contains calls.
   __ jmp(&loop);
 
   // Cleanup.
   __ bind(&cleanup);
   __ bind(node->break_target());
-  __ add(sp, sp, Operand(5 * kPointerSize));
+  frame_->Drop(5);
 
   // Exit.
   __ bind(&exit);
 
   break_stack_height_ -= kForInStackSize;
 }
 
 
 void CodeGenerator::VisitTryCatch(TryCatch* node) {
   Comment cmnt(masm_, "[ TryCatch");
 
   Label try_block, exit;
 
   __ bl(&try_block);
-
   // --- Catch block ---
+  frame_->Push(r0);
 
   // Store the caught exception in the catch variable.
-  __ push(r0);
   { Reference ref(this, node->catch_var());
     ASSERT(ref.is_slot());
     // Here we make use of the convenient property that it doesn't matter
     // whether a value is immediately on top of or underneath a zero-sized
     // reference.
     ref.SetValue(NOT_CONST_INIT);
   }
 
   // Remove the exception from the stack.
-  __ pop();
+  frame_->Pop();
 
   VisitStatements(node->catch_block()->statements());
   __ b(&exit);
 
 
   // --- Try block ---
   __ bind(&try_block);
 
   __ PushTryHandler(IN_JAVASCRIPT, TRY_CATCH_HANDLER);
 
   // Shadow the labels for all escapes from the try block, including
   // returns. During shadowing, the original label is hidden as the
   // LabelShadow and operations on the original actually affect the
   // shadowing label.
   //
   // We should probably try to unify the escaping labels and the return
   // label.
   int nof_escapes = node->escaping_labels()->length();
   List<LabelShadow*> shadows(1 + nof_escapes);
   shadows.Add(new LabelShadow(&function_return_));
   for (int i = 0; i < nof_escapes; i++) {
     shadows.Add(new LabelShadow(node->escaping_labels()->at(i)));
   }
 
   // Generate code for the statements in the try block.
   VisitStatements(node->try_block()->statements());
-  __ pop(r0);  // Discard the result.
+  frame_->Pop();  // Discard the result.
 
   // Stop the introduced shadowing and count the number of required unlinks.
   // After shadowing stops, the original labels are unshadowed and the
   // LabelShadows represent the formerly shadowing labels.
   int nof_unlinks = 0;
   for (int i = 0; i <= nof_escapes; i++) {
     shadows[i]->StopShadowing();
     if (shadows[i]->is_linked()) nof_unlinks++;
   }
 
   // Unlink from try chain.
   // TOS contains code slot
-  const int kNextOffset = StackHandlerConstants::kNextOffset +
-      StackHandlerConstants::kAddressDisplacement;
-  __ ldr(r1, MemOperand(sp, kNextOffset));  // read next_sp
+  const int kNextIndex = (StackHandlerConstants::kNextOffset
+                          + StackHandlerConstants::kAddressDisplacement)
+                       / kPointerSize;
+  __ ldr(r1, frame_->Element(kNextIndex));  // read next_sp
   __ mov(r3, Operand(ExternalReference(Top::k_handler_address)));
   __ str(r1, MemOperand(r3));
   ASSERT(StackHandlerConstants::kCodeOffset == 0);  // first field is code
-  __ add(sp, sp, Operand(StackHandlerConstants::kSize - kPointerSize));
+  frame_->Drop(StackHandlerConstants::kSize / kPointerSize - 1);
   // Code slot popped.
   if (nof_unlinks > 0) __ b(&exit);
 
   // Generate unlink code for the (formerly) shadowing labels that have been
   // jumped to.
   for (int i = 0; i <= nof_escapes; i++) {
     if (shadows[i]->is_linked()) {
       // Unlink from try chain;
       __ bind(shadows[i]);
 
       // Reload sp from the top handler, because some statements that we
       // break from (eg, for...in) may have left stuff on the stack.
       __ mov(r3, Operand(ExternalReference(Top::k_handler_address)));
       __ ldr(sp, MemOperand(r3));
 
-      __ ldr(r1, MemOperand(sp, kNextOffset));
+      __ ldr(r1, frame_->Element(kNextIndex));
       __ str(r1, MemOperand(r3));
       ASSERT(StackHandlerConstants::kCodeOffset == 0);  // first field is code
-      __ add(sp, sp, Operand(StackHandlerConstants::kSize - kPointerSize));
+      frame_->Drop(StackHandlerConstants::kSize / kPointerSize - 1);
       // Code slot popped.
 
       __ b(shadows[i]->original_label());
     }
   }
 
   __ bind(&exit);
 }
 
 
 void CodeGenerator::VisitTryFinally(TryFinally* node) {
   Comment cmnt(masm_, "[ TryFinally");
 
   // State: Used to keep track of reason for entering the finally
   // block. Should probably be extended to hold information for
   // break/continue from within the try block.
   enum { FALLING, THROWING, JUMPING };
 
   Label exit, unlink, try_block, finally_block;
 
   __ bl(&try_block);
 
-  __ push(r0);  // save exception object on the stack
+  frame_->Push(r0);  // save exception object on the stack
   // In case of thrown exceptions, this is where we continue.
   __ mov(r2, Operand(Smi::FromInt(THROWING)));
   __ b(&finally_block);
 
 
   // --- Try block ---
   __ bind(&try_block);
 
   __ PushTryHandler(IN_JAVASCRIPT, TRY_FINALLY_HANDLER);
 
@@ skipping 17 matching lines @@
   // After shadowing stops, the original labels are unshadowed and the
   // LabelShadows represent the formerly shadowing labels.
   int nof_unlinks = 0;
   for (int i = 0; i <= nof_escapes; i++) {
     shadows[i]->StopShadowing();
     if (shadows[i]->is_linked()) nof_unlinks++;
   }
 
   // Set the state on the stack to FALLING.
   __ mov(r0, Operand(Factory::undefined_value()));  // fake TOS
-  __ push(r0);
+  frame_->Push(r0);
   __ mov(r2, Operand(Smi::FromInt(FALLING)));
   if (nof_unlinks > 0) __ b(&unlink);
 
   // Generate code to set the state for the (formerly) shadowing labels that
   // have been jumped to.
   for (int i = 0; i <= nof_escapes; i++) {
     if (shadows[i]->is_linked()) {
       __ bind(shadows[i]);
       if (shadows[i]->original_label() == &function_return_) {
         // If this label shadowed the function return, materialize the
         // return value on the stack.
-        __ push(r0);
+        frame_->Push(r0);
       } else {
         // Fake TOS for labels that shadowed breaks and continues.
         __ mov(r0, Operand(Factory::undefined_value()));
-        __ push(r0);
+        frame_->Push(r0);
       }
       __ mov(r2, Operand(Smi::FromInt(JUMPING + i)));
       __ b(&unlink);
     }
   }
 
   // Unlink from try chain;
   __ bind(&unlink);
 
-  __ pop(r0);  // Store TOS in r0 across stack manipulation
+  frame_->Pop(r0);  // Store TOS in r0 across stack manipulation
   // Reload sp from the top handler, because some statements that we
   // break from (eg, for...in) may have left stuff on the stack.
   __ mov(r3, Operand(ExternalReference(Top::k_handler_address)));
   __ ldr(sp, MemOperand(r3));
-  const int kNextOffset = StackHandlerConstants::kNextOffset +
-      StackHandlerConstants::kAddressDisplacement;
-  __ ldr(r1, MemOperand(sp, kNextOffset));
+  const int kNextIndex = (StackHandlerConstants::kNextOffset
+                          + StackHandlerConstants::kAddressDisplacement)
+                       / kPointerSize;
+  __ ldr(r1, frame_->Element(kNextIndex));
   __ str(r1, MemOperand(r3));
   ASSERT(StackHandlerConstants::kCodeOffset == 0);  // first field is code
-  __ add(sp, sp, Operand(StackHandlerConstants::kSize - kPointerSize));
+  frame_->Drop(StackHandlerConstants::kSize / kPointerSize - 1);
   // Code slot popped.
-  __ push(r0);
+  frame_->Push(r0);
 
   // --- Finally block ---
   __ bind(&finally_block);
 
   // Push the state on the stack.
-  __ push(r2);
+  frame_->Push(r2);
 
   // We keep two elements on the stack - the (possibly faked) result
   // and the state - while evaluating the finally block. Record it, so
   // that a break/continue crossing this statement can restore the
   // stack.
   const int kFinallyStackSize = 2 * kPointerSize;
   break_stack_height_ += kFinallyStackSize;
 
   // Generate code for the statements in the finally block.
   VisitStatements(node->finally_block()->statements());
 
   // Restore state and return value or faked TOS.
-  __ pop(r2);
-  __ pop(r0);
+  frame_->Pop(r2);
+  frame_->Pop(r0);
   break_stack_height_ -= kFinallyStackSize;
 
   // Generate code to jump to the right destination for all used (formerly)
   // shadowing labels.
   for (int i = 0; i <= nof_escapes; i++) {
     if (shadows[i]->is_bound()) {
       __ cmp(r2, Operand(Smi::FromInt(JUMPING + i)));
       if (shadows[i]->original_label() != &function_return_) {
         Label next;
         __ b(ne, &next);
         __ b(shadows[i]->original_label());
         __ bind(&next);
       } else {
         __ b(eq, shadows[i]->original_label());
       }
     }
   }
 
   // Check if we need to rethrow the exception.
   __ cmp(r2, Operand(Smi::FromInt(THROWING)));
   __ b(ne, &exit);
 
   // Rethrow exception.
-  __ push(r0);
+  frame_->Push(r0);
   __ CallRuntime(Runtime::kReThrow, 1);
 
   // Done.
   __ bind(&exit);
 }
 
 
 void CodeGenerator::VisitDebuggerStatement(DebuggerStatement* node) {
   Comment cmnt(masm_, "[ DebuggerStatament");
   if (FLAG_debug_info) RecordStatementPosition(node);
   __ CallRuntime(Runtime::kDebugBreak, 0);
   // Ignore the return value.
 }
 
 
 void CodeGenerator::InstantiateBoilerplate(Handle<JSFunction> boilerplate) {
   ASSERT(boilerplate->IsBoilerplate());
 
   // Push the boilerplate on the stack.
   __ mov(r0, Operand(boilerplate));
-  __ push(r0);
+  frame_->Push(r0);
 
   // Create a new closure.
-  __ push(cp);
+  frame_->Push(cp);
   __ CallRuntime(Runtime::kNewClosure, 2);
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::VisitFunctionLiteral(FunctionLiteral* node) {
   Comment cmnt(masm_, "[ FunctionLiteral");
 
   // Build the function boilerplate and instantiate it.
   Handle<JSFunction> boilerplate = BuildBoilerplate(node);
   // Check for stack-overflow exception.
   if (HasStackOverflow()) return;
@@ skipping 20 matching lines @@
   Load(node->else_expression(), typeof_state());
   __ bind(&exit);
 }
 
 
 void CodeGenerator::LoadFromSlot(Slot* slot, TypeofState typeof_state) {
   if (slot->type() == Slot::LOOKUP) {
     ASSERT(slot->var()->mode() == Variable::DYNAMIC);
 
     // For now, just do a runtime call.
-    __ push(cp);
+    frame_->Push(cp);
     __ mov(r0, Operand(slot->var()->name()));
-    __ push(r0);
+    frame_->Push(r0);
 
     if (typeof_state == INSIDE_TYPEOF) {
       __ CallRuntime(Runtime::kLoadContextSlotNoReferenceError, 2);
     } else {
       __ CallRuntime(Runtime::kLoadContextSlot, 2);
     }
-    __ push(r0);
+    frame_->Push(r0);
 
   } else {
     // Note: We would like to keep the assert below, but it fires because of
     // some nasty code in LoadTypeofExpression() which should be removed...
     // ASSERT(slot->var()->mode() != Variable::DYNAMIC);
 
     // Special handling for locals allocated in registers.
     __ ldr(r0, SlotOperand(slot, r2));
-    __ push(r0);
+    frame_->Push(r0);
     if (slot->var()->mode() == Variable::CONST) {
       // Const slots may contain 'the hole' value (the constant hasn't been
       // initialized yet) which needs to be converted into the 'undefined'
       // value.
       Comment cmnt(masm_, "[ Unhole const");
-      __ pop(r0);
+      frame_->Pop(r0);
       __ cmp(r0, Operand(Factory::the_hole_value()));
       __ mov(r0, Operand(Factory::undefined_value()), LeaveCC, eq);
-      __ push(r0);
+      frame_->Push(r0);
     }
   }
 }
 
 
 void CodeGenerator::VisitSlot(Slot* node) {
   Comment cmnt(masm_, "[ Slot");
   LoadFromSlot(node, typeof_state());
 }
 
 
 void CodeGenerator::VisitVariableProxy(VariableProxy* node) {
   Comment cmnt(masm_, "[ VariableProxy");
 
   Variable* var = node->var();
   Expression* expr = var->rewrite();
   if (expr != NULL) {
     Visit(expr);
   } else {
     ASSERT(var->is_global());
     Reference ref(this, node);
     ref.GetValue(typeof_state());
   }
 }
 
 
 void CodeGenerator::VisitLiteral(Literal* node) {
   Comment cmnt(masm_, "[ Literal");
   __ mov(r0, Operand(node->handle()));
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::VisitRegExpLiteral(RegExpLiteral* node) {
   Comment cmnt(masm_, "[ RexExp Literal");
 
   // Retrieve the literal array and check the allocated entry.
 
   // Load the function of this activation.
-  __ ldr(r1, FunctionOperand());
+  __ ldr(r1, frame_->Function());
 
   // Load the literals array of the function.
   __ ldr(r1, FieldMemOperand(r1, JSFunction::kLiteralsOffset));
 
   // Load the literal at the ast saved index.
   int literal_offset =
       FixedArray::kHeaderSize + node->literal_index() * kPointerSize;
   __ ldr(r2, FieldMemOperand(r1, literal_offset));
 
   Label done;
   __ cmp(r2, Operand(Factory::undefined_value()));
   __ b(ne, &done);
 
   // If the entry is undefined we call the runtime system to computed
   // the literal.
-  __ push(r1);  // literal array  (0)
+  frame_->Push(r1);  // literal array  (0)
   __ mov(r0, Operand(Smi::FromInt(node->literal_index())));
-  __ push(r0);  // literal index  (1)
+  frame_->Push(r0);  // literal index  (1)
   __ mov(r0, Operand(node->pattern()));  // RegExp pattern (2)
-  __ push(r0);
+  frame_->Push(r0);
   __ mov(r0, Operand(node->flags()));  // RegExp flags   (3)
-  __ push(r0);
+  frame_->Push(r0);
   __ CallRuntime(Runtime::kMaterializeRegExpLiteral, 4);
   __ mov(r2, Operand(r0));
 
   __ bind(&done);
   // Push the literal.
-  __ push(r2);
+  frame_->Push(r2);
 }
 
 
 // This deferred code stub will be used for creating the boilerplate
 // by calling Runtime_CreateObjectLiteral.
 // Each created boilerplate is stored in the JSFunction and they are
 // therefore context dependent.
 class ObjectLiteralDeferred: public DeferredCode {
  public:
   ObjectLiteralDeferred(CodeGenerator* generator, ObjectLiteral* node)
@@ skipping 24 matching lines @@
 
 
 void CodeGenerator::VisitObjectLiteral(ObjectLiteral* node) {
   Comment cmnt(masm_, "[ ObjectLiteral");
 
   ObjectLiteralDeferred* deferred = new ObjectLiteralDeferred(this, node);
 
   // Retrieve the literal array and check the allocated entry.
 
   // Load the function of this activation.
-  __ ldr(r1, FunctionOperand());
+  __ ldr(r1, frame_->Function());
 
   // Load the literals array of the function.
   __ ldr(r1, FieldMemOperand(r1, JSFunction::kLiteralsOffset));
 
   // Load the literal at the ast saved index.
   int literal_offset =
       FixedArray::kHeaderSize + node->literal_index() * kPointerSize;
   __ ldr(r2, FieldMemOperand(r1, literal_offset));
 
   // Check whether we need to materialize the object literal boilerplate.
   // If so, jump to the deferred code.
   __ cmp(r2, Operand(Factory::undefined_value()));
   __ b(eq, deferred->enter());
   __ bind(deferred->exit());
 
   // Push the object literal boilerplate.
-  __ push(r2);
+  frame_->Push(r2);
 
   // Clone the boilerplate object.
   __ CallRuntime(Runtime::kCloneObjectLiteralBoilerplate, 1);
-  __ push(r0);  // save the result
+  frame_->Push(r0);  // save the result
   // r0: cloned object literal
 
   for (int i = 0; i < node->properties()->length(); i++) {
     ObjectLiteral::Property* property = node->properties()->at(i);
     Literal* key = property->key();
     Expression* value = property->value();
     switch (property->kind()) {
       case ObjectLiteral::Property::CONSTANT: break;
       case ObjectLiteral::Property::COMPUTED:  // fall through
       case ObjectLiteral::Property::PROTOTYPE: {
-        __ push(r0);  // dup the result
+        frame_->Push(r0);  // dup the result
         Load(key);
         Load(value);
         __ CallRuntime(Runtime::kSetProperty, 3);
         // restore r0
-        __ ldr(r0, MemOperand(sp, 0));
+        __ ldr(r0, frame_->Top());
         break;
       }
       case ObjectLiteral::Property::SETTER: {
-        __ push(r0);
+        frame_->Push(r0);
         Load(key);
         __ mov(r0, Operand(Smi::FromInt(1)));
-        __ push(r0);
+        frame_->Push(r0);
         Load(value);
         __ CallRuntime(Runtime::kDefineAccessor, 4);
-        __ ldr(r0, MemOperand(sp, 0));
+        __ ldr(r0, frame_->Top());
         break;
       }
       case ObjectLiteral::Property::GETTER: {
-        __ push(r0);
+        frame_->Push(r0);
         Load(key);
         __ mov(r0, Operand(Smi::FromInt(0)));
-        __ push(r0);
+        frame_->Push(r0);
         Load(value);
         __ CallRuntime(Runtime::kDefineAccessor, 4);
-        __ ldr(r0, MemOperand(sp, 0));
+        __ ldr(r0, frame_->Top());
         break;
       }
     }
   }
 }
 
 
 void CodeGenerator::VisitArrayLiteral(ArrayLiteral* node) {
   Comment cmnt(masm_, "[ ArrayLiteral");
 
   // Call runtime to create the array literal.
   __ mov(r0, Operand(node->literals()));
-  __ push(r0);
+  frame_->Push(r0);
   // Load the function of this frame.
-  __ ldr(r0, FunctionOperand());
+  __ ldr(r0, frame_->Function());
   __ ldr(r0, FieldMemOperand(r0, JSFunction::kLiteralsOffset));
-  __ push(r0);
+  frame_->Push(r0);
   __ CallRuntime(Runtime::kCreateArrayLiteral, 2);
 
   // Push the resulting array literal on the stack.
-  __ push(r0);
+  frame_->Push(r0);
 
   // Generate code to set the elements in the array that are not
   // literals.
   for (int i = 0; i < node->values()->length(); i++) {
     Expression* value = node->values()->at(i);
 
     // If value is literal the property value is already
     // set in the boilerplate object.
     if (value->AsLiteral() == NULL) {
       // The property must be set by generated code.
       Load(value);
-      __ pop(r0);
+      frame_->Pop(r0);
 
       // Fetch the object literal
-      __ ldr(r1, MemOperand(sp, 0));
+      __ ldr(r1, frame_->Top());
         // Get the elements array.
       __ ldr(r1, FieldMemOperand(r1, JSObject::kElementsOffset));
 
       // Write to the indexed properties array.
       int offset = i * kPointerSize + Array::kHeaderSize;
       __ str(r0, FieldMemOperand(r1, offset));
 
       // Update the write barrier for the array address.
       __ mov(r3, Operand(offset));
       __ RecordWrite(r1, r3, r2);
@@ skipping 12 matching lines @@
   if (node->op() == Token::ASSIGN ||
       node->op() == Token::INIT_VAR ||
       node->op() == Token::INIT_CONST) {
     Load(node->value());
 
   } else {
     target.GetValue(NOT_INSIDE_TYPEOF);
     Literal* literal = node->value()->AsLiteral();
     if (literal != NULL && literal->handle()->IsSmi()) {
       SmiOperation(node->binary_op(), literal->handle(), false);
-      __ push(r0);
+      frame_->Push(r0);
 
     } else {
       Load(node->value());
       GenericBinaryOperation(node->binary_op());
-      __ push(r0);
+      frame_->Push(r0);
     }
   }
 
   Variable* var = node->target()->AsVariableProxy()->AsVariable();
   if (var != NULL &&
       (var->mode() == Variable::CONST) &&
       node->op() != Token::INIT_VAR && node->op() != Token::INIT_CONST) {
     // Assignment ignored - leave the value on the stack.
 
   } else {
     __ RecordPosition(node->position());
     if (node->op() == Token::INIT_CONST) {
       // Dynamic constant initializations must use the function context
       // and initialize the actual constant declared. Dynamic variable
       // initializations are simply assignments and use SetValue.
       target.SetValue(CONST_INIT);
     } else {
       target.SetValue(NOT_CONST_INIT);
     }
   }
 }
 
 
 void CodeGenerator::VisitThrow(Throw* node) {
   Comment cmnt(masm_, "[ Throw");
 
   Load(node->exception());
   __ RecordPosition(node->position());
   __ CallRuntime(Runtime::kThrow, 1);
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::VisitProperty(Property* node) {
   Comment cmnt(masm_, "[ Property");
 
   Reference property(this, node);
   property.GetValue(typeof_state());
 }
 
@@ skipping 20 matching lines @@
   // is resolved in cache misses (this also holds for megamorphic calls).
   // ------------------------------------------------------------------------
 
   if (var != NULL && !var->is_this() && var->is_global()) {
     // ----------------------------------
     // JavaScript example: 'foo(1, 2, 3)'  // foo is global
     // ----------------------------------
 
     // Push the name of the function and the receiver onto the stack.
     __ mov(r0, Operand(var->name()));
-    __ push(r0);
+    frame_->Push(r0);
 
     // Pass the global object as the receiver and let the IC stub
     // patch the stack to use the global proxy as 'this' in the
     // invoked function.
     LoadGlobal();
 
     // Load the arguments.
     for (int i = 0; i < args->length(); i++) Load(args->at(i));
 
     // Setup the receiver register and call the IC initialization code.
     Handle<Code> stub = ComputeCallInitialize(args->length());
     __ RecordPosition(node->position());
     __ Call(stub, RelocInfo::CODE_TARGET_CONTEXT);
-    __ ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
+    __ ldr(cp, frame_->Context());
     // Remove the function from the stack.
-    __ pop();
-    __ push(r0);
+    frame_->Pop();
+    frame_->Push(r0);
 
   } else if (var != NULL && var->slot() != NULL &&
              var->slot()->type() == Slot::LOOKUP) {
     // ----------------------------------
     // JavaScript example: 'with (obj) foo(1, 2, 3)'  // foo is in obj
     // ----------------------------------
 
     // Load the function
-    __ push(cp);
+    frame_->Push(cp);
     __ mov(r0, Operand(var->name()));
-    __ push(r0);
+    frame_->Push(r0);
     __ CallRuntime(Runtime::kLoadContextSlot, 2);
     // r0: slot value; r1: receiver
 
     // Load the receiver.
-    __ push(r0);  // function
-    __ push(r1);  // receiver
+    frame_->Push(r0);  // function
+    frame_->Push(r1);  // receiver
 
     // Call the function.
     CallWithArguments(args, node->position());
-    __ push(r0);
+    frame_->Push(r0);
 
   } else if (property != NULL) {
     // Check if the key is a literal string.
     Literal* literal = property->key()->AsLiteral();
 
     if (literal != NULL && literal->handle()->IsSymbol()) {
       // ------------------------------------------------------------------
       // JavaScript example: 'object.foo(1, 2, 3)' or 'map["key"](1, 2, 3)'
       // ------------------------------------------------------------------
 
       // Push the name of the function and the receiver onto the stack.
       __ mov(r0, Operand(literal->handle()));
-      __ push(r0);
+      frame_->Push(r0);
       Load(property->obj());
 
       // Load the arguments.
       for (int i = 0; i < args->length(); i++) Load(args->at(i));
 
       // Set the receiver register and call the IC initialization code.
       Handle<Code> stub = ComputeCallInitialize(args->length());
       __ RecordPosition(node->position());
       __ Call(stub, RelocInfo::CODE_TARGET);
-      __ ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
+      __ ldr(cp, frame_->Context());
 
       // Remove the function from the stack.
-      __ pop();
+      frame_->Pop();
 
-      __ push(r0);  // push after get rid of function from the stack
+      frame_->Push(r0);  // push after get rid of function from the stack
 
     } else {
       // -------------------------------------------
       // JavaScript example: 'array[index](1, 2, 3)'
       // -------------------------------------------
 
       // Load the function to call from the property through a reference.
       Reference ref(this, property);
       ref.GetValue(NOT_INSIDE_TYPEOF);  // receiver
 
       // Pass receiver to called function.
-      __ ldr(r0, MemOperand(sp, ref.size() * kPointerSize));
-      __ push(r0);
+      __ ldr(r0, frame_->Element(ref.size()));
+      frame_->Push(r0);
       // Call the function.
       CallWithArguments(args, node->position());
-      __ push(r0);
+      frame_->Push(r0);
     }
 
   } else {
     // ----------------------------------
     // JavaScript example: 'foo(1, 2, 3)'  // foo is not global
     // ----------------------------------
 
     // Load the function.
     Load(function);
 
     // Pass the global proxy as the receiver.
     LoadGlobalReceiver(r0);
 
     // Call the function.
     CallWithArguments(args, node->position());
-    __ push(r0);
+    frame_->Push(r0);
   }
 }
 
 
 void CodeGenerator::VisitCallNew(CallNew* node) {
   Comment cmnt(masm_, "[ CallNew");
 
   // According to ECMA-262, section 11.2.2, page 44, the function
   // expression in new calls must be evaluated before the
   // arguments. This is different from ordinary calls, where the
   // actual function to call is resolved after the arguments have been
   // evaluated.
 
   // Compute function to call and use the global object as the
   // receiver. There is no need to use the global proxy here because
   // it will always be replaced with a newly allocated object.
   Load(node->expression());
   LoadGlobal();
 
   // Push the arguments ("left-to-right") on the stack.
   ZoneList<Expression*>* args = node->arguments();
   for (int i = 0; i < args->length(); i++) Load(args->at(i));
 
   // r0: the number of arguments.
   __ mov(r0, Operand(args->length()));
 
   // Load the function into r1 as per calling convention.
-  __ ldr(r1, MemOperand(sp, (args->length() + 1) * kPointerSize));
+  __ ldr(r1, frame_->Element(args->length() + 1));
 
   // Call the construct call builtin that handles allocation and
   // constructor invocation.
   __ RecordPosition(RelocInfo::POSITION);
   __ Call(Handle<Code>(Builtins::builtin(Builtins::JSConstructCall)),
           RelocInfo::CONSTRUCT_CALL);
 
   // Discard old TOS value and push r0 on the stack (same as Pop(), push(r0)).
-  __ str(r0, MemOperand(sp, 0 * kPointerSize));
+  __ str(r0, frame_->Top());
 }
 
 
 void CodeGenerator::GenerateValueOf(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Label leave;
   Load(args->at(0));
-  __ pop(r0);  // r0 contains object.
+  frame_->Pop(r0);  // r0 contains object.
   // if (object->IsSmi()) return the object.
   __ tst(r0, Operand(kSmiTagMask));
   __ b(eq, &leave);
   // It is a heap object - get map.
   __ ldr(r1, FieldMemOperand(r0, HeapObject::kMapOffset));
   __ ldrb(r1, FieldMemOperand(r1, Map::kInstanceTypeOffset));
   // if (!object->IsJSValue()) return the object.
   __ cmp(r1, Operand(JS_VALUE_TYPE));
   __ b(ne, &leave);
   // Load the value.
   __ ldr(r0, FieldMemOperand(r0, JSValue::kValueOffset));
   __ bind(&leave);
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::GenerateSetValueOf(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 2);
   Label leave;
   Load(args->at(0));  // Load the object.
   Load(args->at(1));  // Load the value.
-  __ pop(r0);  // r0 contains value
-  __ pop(r1);  // r1 contains object
+  frame_->Pop(r0);  // r0 contains value
+  frame_->Pop(r1);  // r1 contains object
   // if (object->IsSmi()) return object.
   __ tst(r1, Operand(kSmiTagMask));
   __ b(eq, &leave);
   // It is a heap object - get map.
   __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
   __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
   // if (!object->IsJSValue()) return object.
   __ cmp(r2, Operand(JS_VALUE_TYPE));
   __ b(ne, &leave);
   // Store the value.
   __ str(r0, FieldMemOperand(r1, JSValue::kValueOffset));
   // Update the write barrier.
   __ mov(r2, Operand(JSValue::kValueOffset - kHeapObjectTag));
   __ RecordWrite(r1, r2, r3);
   // Leave.
   __ bind(&leave);
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::GenerateIsSmi(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
-  __ pop(r0);
+  frame_->Pop(r0);
   __ tst(r0, Operand(kSmiTagMask));
   cc_reg_ = eq;
 }
 
 
 void CodeGenerator::GenerateIsNonNegativeSmi(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
-  __ pop(r0);
+  frame_->Pop(r0);
   __ tst(r0, Operand(kSmiTagMask | 0x80000000));
   cc_reg_ = eq;
 }
 
 
 // This should generate code that performs a charCodeAt() call or returns
 // undefined in order to trigger the slow case, Runtime_StringCharCodeAt.
 // It is not yet implemented on ARM, so it always goes to the slow case.
 void CodeGenerator::GenerateFastCharCodeAt(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 2);
   __ mov(r0, Operand(Factory::undefined_value()));
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::GenerateIsArray(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
   Label answer;
   // We need the CC bits to come out as not_equal in the case where the
   // object is a smi.  This can't be done with the usual test opcode so
   // we use XOR to get the right CC bits.
-  __ pop(r0);
+  frame_->Pop(r0);
   __ and_(r1, r0, Operand(kSmiTagMask));
   __ eor(r1, r1, Operand(kSmiTagMask), SetCC);
   __ b(ne, &answer);
   // It is a heap object - get the map.
   __ ldr(r1, FieldMemOperand(r0, HeapObject::kMapOffset));
   __ ldrb(r1, FieldMemOperand(r1, Map::kInstanceTypeOffset));
   // Check if the object is a JS array or not.
   __ cmp(r1, Operand(JS_ARRAY_TYPE));
   __ bind(&answer);
   cc_reg_ = eq;
 }
 
 
 void CodeGenerator::GenerateArgumentsLength(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 0);
 
   // Seed the result with the formal parameters count, which will be used
   // in case no arguments adaptor frame is found below the current frame.
   __ mov(r0, Operand(Smi::FromInt(scope_->num_parameters())));
 
   // Call the shared stub to get to the arguments.length.
   ArgumentsAccessStub stub(ArgumentsAccessStub::READ_LENGTH);
   __ CallStub(&stub);
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::GenerateArgumentsAccess(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
 
   // Satisfy contract with ArgumentsAccessStub:
   // Load the key into r1 and the formal parameters count into r0.
   Load(args->at(0));
-  __ pop(r1);
+  frame_->Pop(r1);
   __ mov(r0, Operand(Smi::FromInt(scope_->num_parameters())));
 
   // Call the shared stub to get to arguments[key].
   ArgumentsAccessStub stub(ArgumentsAccessStub::READ_ELEMENT);
   __ CallStub(&stub);
-  __ push(r0);
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::GenerateObjectEquals(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 2);
 
   // Load the two objects into registers and perform the comparison.
   Load(args->at(0));
   Load(args->at(1));
-  __ pop(r0);
-  __ pop(r1);
+  frame_->Pop(r0);
+  frame_->Pop(r1);
   __ cmp(r0, Operand(r1));
   cc_reg_ = eq;
 }
 
 
 void CodeGenerator::VisitCallRuntime(CallRuntime* node) {
   if (CheckForInlineRuntimeCall(node)) return;
 
   ZoneList<Expression*>* args = node->arguments();
   Comment cmnt(masm_, "[ CallRuntime");
   Runtime::Function* function = node->function();
 
   if (function != NULL) {
     // Push the arguments ("left-to-right").
     for (int i = 0; i < args->length(); i++) Load(args->at(i));
 
     // Call the C runtime function.
     __ CallRuntime(function, args->length());
-    __ push(r0);
+    frame_->Push(r0);
 
   } else {
     // Prepare stack for calling JS runtime function.
     __ mov(r0, Operand(node->name()));
-    __ push(r0);
+    frame_->Push(r0);
     // Push the builtins object found in the current global object.
     __ ldr(r1, GlobalObject());
     __ ldr(r0, FieldMemOperand(r1, GlobalObject::kBuiltinsOffset));
-    __ push(r0);
+    frame_->Push(r0);
 
     for (int i = 0; i < args->length(); i++) Load(args->at(i));
 
     // Call the JS runtime function.
     Handle<Code> stub = ComputeCallInitialize(args->length());
     __ Call(stub, RelocInfo::CODE_TARGET);
-    __ ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
-    __ pop();
-    __ push(r0);
+    __ ldr(cp, frame_->Context());
+    frame_->Pop();
+    frame_->Push(r0);
   }
 }
 
 
 void CodeGenerator::VisitUnaryOperation(UnaryOperation* node) {
   Comment cmnt(masm_, "[ UnaryOperation");
 
   Token::Value op = node->op();
 
   if (op == Token::NOT) {
@@ skipping 11 matching lines @@
       Load(property->obj());
       Load(property->key());
       __ mov(r0, Operand(1));  // not counting receiver
       __ InvokeBuiltin(Builtins::DELETE, CALL_JS);
 
     } else if (variable != NULL) {
       Slot* slot = variable->slot();
       if (variable->is_global()) {
         LoadGlobal();
         __ mov(r0, Operand(variable->name()));
-        __ push(r0);
+        frame_->Push(r0);
         __ mov(r0, Operand(1));  // not counting receiver
         __ InvokeBuiltin(Builtins::DELETE, CALL_JS);
 
       } else if (slot != NULL && slot->type() == Slot::LOOKUP) {
         // lookup the context holding the named variable
-        __ push(cp);
+        frame_->Push(cp);
         __ mov(r0, Operand(variable->name()));
-        __ push(r0);
+        frame_->Push(r0);
         __ CallRuntime(Runtime::kLookupContext, 2);
         // r0: context
-        __ push(r0);
+        frame_->Push(r0);
         __ mov(r0, Operand(variable->name()));
-        __ push(r0);
+        frame_->Push(r0);
         __ mov(r0, Operand(1));  // not counting receiver
         __ InvokeBuiltin(Builtins::DELETE, CALL_JS);
 
       } else {
         // Default: Result of deleting non-global, not dynamically
         // introduced variables is false.
         __ mov(r0, Operand(Factory::false_value()));
       }
 
     } else {
       // Default: Result of deleting expressions is true.
       Load(node->expression());  // may have side-effects
-      __ pop();
+      frame_->Pop();
       __ mov(r0, Operand(Factory::true_value()));
     }
-    __ push(r0);
+    frame_->Push(r0);
 
   } else if (op == Token::TYPEOF) {
     // Special case for loading the typeof expression; see comment on
     // LoadTypeofExpression().
     LoadTypeofExpression(node->expression());
     __ CallRuntime(Runtime::kTypeof, 1);
-    __ push(r0);  // r0 has result
+    frame_->Push(r0);  // r0 has result
 
   } else {
     Load(node->expression());
-    __ pop(r0);
+    frame_->Pop(r0);
     switch (op) {
       case Token::NOT:
       case Token::DELETE:
       case Token::TYPEOF:
         UNREACHABLE();  // handled above
         break;
 
       case Token::SUB: {
         UnarySubStub stub;
         __ CallStub(&stub);
         break;
       }
 
       case Token::BIT_NOT: {
         // smi check
         Label smi_label;
         Label continue_label;
         __ tst(r0, Operand(kSmiTagMask));
         __ b(eq, &smi_label);
 
-        __ push(r0);
+        frame_->Push(r0);
         __ mov(r0, Operand(0));  // not counting receiver
         __ InvokeBuiltin(Builtins::BIT_NOT, CALL_JS);
 
         __ b(&continue_label);
         __ bind(&smi_label);
         __ mvn(r0, Operand(r0));
         __ bic(r0, r0, Operand(kSmiTagMask));  // bit-clear inverted smi-tag
         __ bind(&continue_label);
         break;
       }
 
       case Token::VOID:
         // since the stack top is cached in r0, popping and then
         // pushing a value can be done by just writing to r0.
         __ mov(r0, Operand(Factory::undefined_value()));
         break;
 
       case Token::ADD: {
         // Smi check.
         Label continue_label;
         __ tst(r0, Operand(kSmiTagMask));
         __ b(eq, &continue_label);
-        __ push(r0);
+        frame_->Push(r0);
         __ mov(r0, Operand(0));  // not counting receiver
         __ InvokeBuiltin(Builtins::TO_NUMBER, CALL_JS);
         __ bind(&continue_label);
         break;
       }
       default:
         UNREACHABLE();
     }
-    __ push(r0);  // r0 has result
+    frame_->Push(r0);  // r0 has result
   }
 }
 
 
 void CodeGenerator::VisitCountOperation(CountOperation* node) {
   Comment cmnt(masm_, "[ CountOperation");
 
   bool is_postfix = node->is_postfix();
   bool is_increment = node->op() == Token::INC;
 
   Variable* var = node->expression()->AsVariableProxy()->AsVariable();
   bool is_const = (var != NULL && var->mode() == Variable::CONST);
 
   // Postfix: Make room for the result.
   if (is_postfix) {
      __ mov(r0, Operand(0));
-     __ push(r0);
+     frame_->Push(r0);
   }
 
   { Reference target(this, node->expression());
     if (target.is_illegal()) return;
     target.GetValue(NOT_INSIDE_TYPEOF);
-    __ pop(r0);
+    frame_->Pop(r0);
 
     Label slow, exit;
 
     // Load the value (1) into register r1.
     __ mov(r1, Operand(Smi::FromInt(1)));
 
     // Check for smi operand.
     __ tst(r0, Operand(kSmiTagMask));
     __ b(ne, &slow);
 
     // Postfix: Store the old value as the result.
-    if (is_postfix) __ str(r0, MemOperand(sp, target.size() * kPointerSize));
+    if (is_postfix) {
+      __ str(r0, frame_->Element(target.size()));
+    }
 
     // Perform optimistic increment/decrement.
     if (is_increment) {
       __ add(r0, r0, Operand(r1), SetCC);
     } else {
       __ sub(r0, r0, Operand(r1), SetCC);
     }
 
     // If the increment/decrement didn't overflow, we're done.
     __ b(vc, &exit);
 
     // Revert optimistic increment/decrement.
     if (is_increment) {
       __ sub(r0, r0, Operand(r1));
     } else {
       __ add(r0, r0, Operand(r1));
     }
 
     // Slow case: Convert to number.
     __ bind(&slow);
 
     // Postfix: Convert the operand to a number and store it as the result.
     if (is_postfix) {
       InvokeBuiltinStub stub(InvokeBuiltinStub::ToNumber, 2);
       __ CallStub(&stub);
       // Store to result (on the stack).
-      __ str(r0, MemOperand(sp, target.size() * kPointerSize));
+      __ str(r0, frame_->Element(target.size()));
     }
 
     // Compute the new value by calling the right JavaScript native.
     if (is_increment) {
       InvokeBuiltinStub stub(InvokeBuiltinStub::Inc, 1);
       __ CallStub(&stub);
     } else {
       InvokeBuiltinStub stub(InvokeBuiltinStub::Dec, 1);
       __ CallStub(&stub);
     }
 
     // Store the new value in the target if not const.
     __ bind(&exit);
-    __ push(r0);
+    frame_->Push(r0);
     if (!is_const) target.SetValue(NOT_CONST_INIT);
   }
 
   // Postfix: Discard the new value and use the old.
-  if (is_postfix) __ pop(r0);
+  if (is_postfix) frame_->Pop(r0);
 }
 
 
 void CodeGenerator::VisitBinaryOperation(BinaryOperation* node) {
   Comment cmnt(masm_, "[ BinaryOperation");
   Token::Value op = node->op();
 
   // According to ECMA-262 section 11.11, page 58, the binary logical
   // operators must yield the result of one of the two expressions
   // before any ToBoolean() conversions. This means that the value
@@ skipping 20 matching lines @@
       __ bind(&is_true);
       LoadCondition(node->right(),
                     NOT_INSIDE_TYPEOF,
                     true_target(),
                     false_target(),
                     false);
 
     } else {
       Label pop_and_continue, exit;
 
-      __ ldr(r0, MemOperand(sp, 0));  // dup the stack top
-      __ push(r0);
+      __ ldr(r0, frame_->Top());  // dup the stack top
+      frame_->Push(r0);
       // Avoid popping the result if it converts to 'false' using the
       // standard ToBoolean() conversion as described in ECMA-262,
       // section 9.2, page 30.
       ToBoolean(&pop_and_continue, &exit);
       Branch(false, &exit);
 
       // Pop the result of evaluating the first part.
       __ bind(&pop_and_continue);
-      __ pop(r0);
+      frame_->Pop(r0);
 
       // Evaluate right side expression.
       __ bind(&is_true);
       Load(node->right());
 
       // Exit (always with a materialized value).
       __ bind(&exit);
     }
 
   } else if (op == Token::OR) {
@@ skipping 10 matching lines @@
       __ bind(&is_false);
       LoadCondition(node->right(),
                     NOT_INSIDE_TYPEOF,
                     true_target(),
                     false_target(),
                     false);
 
     } else {
       Label pop_and_continue, exit;
 
-      __ ldr(r0, MemOperand(sp, 0));
-      __ push(r0);
+      __ ldr(r0, frame_->Top());
+      frame_->Push(r0);
       // Avoid popping the result if it converts to 'true' using the
       // standard ToBoolean() conversion as described in ECMA-262,
       // section 9.2, page 30.
       ToBoolean(&exit, &pop_and_continue);
       Branch(true, &exit);
 
       // Pop the result of evaluating the first part.
       __ bind(&pop_and_continue);
-      __ pop(r0);
+      frame_->Pop(r0);
 
       // Evaluate right side expression.
       __ bind(&is_false);
       Load(node->right());
 
       // Exit (always with a materialized value).
       __ bind(&exit);
     }
 
   } else {
     // Optimize for the case where (at least) one of the expressions
     // is a literal small integer.
     Literal* lliteral = node->left()->AsLiteral();
     Literal* rliteral = node->right()->AsLiteral();
 
     if (rliteral != NULL && rliteral->handle()->IsSmi()) {
       Load(node->left());
       SmiOperation(node->op(), rliteral->handle(), false);
 
     } else if (lliteral != NULL && lliteral->handle()->IsSmi()) {
       Load(node->right());
       SmiOperation(node->op(), lliteral->handle(), true);
 
     } else {
       Load(node->left());
       Load(node->right());
       GenericBinaryOperation(node->op());
     }
-    __ push(r0);
+    frame_->Push(r0);
   }
 }
 
 
 void CodeGenerator::VisitThisFunction(ThisFunction* node) {
-  __ ldr(r0, FunctionOperand());
-  __ push(r0);
+  __ ldr(r0, frame_->Function());
+  frame_->Push(r0);
 }
 
 
 void CodeGenerator::VisitCompareOperation(CompareOperation* node) {
   Comment cmnt(masm_, "[ CompareOperation");
 
   // Get the expressions from the node.
   Expression* left = node->left();
   Expression* right = node->right();
   Token::Value op = node->op();
 
-  // NOTE: To make null checks efficient, we check if either left or
-  // right is the literal 'null'. If so, we optimize the code by
-  // inlining a null check instead of calling the (very) general
-  // runtime routine for checking equality.
-
+  // To make null checks efficient, we check if either left or right is the
+  // literal 'null'. If so, we optimize the code by inlining a null check
+  // instead of calling the (very) general runtime routine for checking
+  // equality.
   if (op == Token::EQ || op == Token::EQ_STRICT) {
     bool left_is_null =
-      left->AsLiteral() != NULL && left->AsLiteral()->IsNull();
+        left->AsLiteral() != NULL && left->AsLiteral()->IsNull();
     bool right_is_null =
-      right->AsLiteral() != NULL && right->AsLiteral()->IsNull();
-    // The 'null' value is only equal to 'null' or 'undefined'.
+        right->AsLiteral() != NULL && right->AsLiteral()->IsNull();
+    // The 'null' value can only be equal to 'null' or 'undefined'.
     if (left_is_null || right_is_null) {
       Load(left_is_null ? right : left);
-      Label exit, undetectable;
-      __ pop(r0);
+      frame_->Pop(r0);
       __ cmp(r0, Operand(Factory::null_value()));
 
-      // The 'null' value is only equal to 'undefined' if using
-      // non-strict comparisons.
+      // The 'null' value is only equal to 'undefined' if using non-strict
+      // comparisons.
       if (op != Token::EQ_STRICT) {
-        __ b(eq, &exit);
+        __ b(eq, true_target());
+
         __ cmp(r0, Operand(Factory::undefined_value()));
+        __ b(eq, true_target());
 
-        // NOTE: it can be undetectable object.
-        __ b(eq, &exit);
         __ tst(r0, Operand(kSmiTagMask));
+        __ b(eq, false_target());
 
-        __ b(ne, &undetectable);
-        __ b(false_target());
-
-        __ bind(&undetectable);
-        __ ldr(r1, FieldMemOperand(r0, HeapObject::kMapOffset));
-        __ ldrb(r2, FieldMemOperand(r1, Map::kBitFieldOffset));
-        __ and_(r2, r2, Operand(1 << Map::kIsUndetectable));
-        __ cmp(r2, Operand(1 << Map::kIsUndetectable));
+        // It can be an undetectable object.
+        __ ldr(r0, FieldMemOperand(r0, HeapObject::kMapOffset));
+        __ ldrb(r0, FieldMemOperand(r0, Map::kBitFieldOffset));
+        __ and_(r0, r0, Operand(1 << Map::kIsUndetectable));
+        __ cmp(r0, Operand(1 << Map::kIsUndetectable));
       }
 
-      __ bind(&exit);
-
       cc_reg_ = eq;
       return;
     }
   }
 
-
-  // NOTE: To make typeof testing for natives implemented in
-  // JavaScript really efficient, we generate special code for
-  // expressions of the form: 'typeof <expression> == <string>'.
-
+  // To make typeof testing for natives implemented in JavaScript really
+  // efficient, we generate special code for expressions of the form:
+  // 'typeof <expression> == <string>'.
   UnaryOperation* operation = left->AsUnaryOperation();
   if ((op == Token::EQ || op == Token::EQ_STRICT) &&
       (operation != NULL && operation->op() == Token::TYPEOF) &&
       (right->AsLiteral() != NULL &&
        right->AsLiteral()->handle()->IsString())) {
     Handle<String> check(String::cast(*right->AsLiteral()->handle()));
 
     // Load the operand, move it to register r1.
     LoadTypeofExpression(operation->expression());
-    __ pop(r1);
+    frame_->Pop(r1);
 
     if (check->Equals(Heap::number_symbol())) {
       __ tst(r1, Operand(kSmiTagMask));
       __ b(eq, true_target());
       __ ldr(r1, FieldMemOperand(r1, HeapObject::kMapOffset));
       __ cmp(r1, Operand(Factory::heap_number_map()));
       cc_reg_ = eq;
 
     } else if (check->Equals(Heap::string_symbol())) {
       __ tst(r1, Operand(kSmiTagMask));
       __ b(eq, false_target());
 
       __ ldr(r1, FieldMemOperand(r1, HeapObject::kMapOffset));
 
-      // NOTE: it might be an undetectable string object
+      // It can be an undetectable string object.
       __ ldrb(r2, FieldMemOperand(r1, Map::kBitFieldOffset));
       __ and_(r2, r2, Operand(1 << Map::kIsUndetectable));
       __ cmp(r2, Operand(1 << Map::kIsUndetectable));
       __ b(eq, false_target());
 
       __ ldrb(r2, FieldMemOperand(r1, Map::kInstanceTypeOffset));
       __ cmp(r2, Operand(FIRST_NONSTRING_TYPE));
       cc_reg_ = lt;
 
     } else if (check->Equals(Heap::boolean_symbol())) {
       __ cmp(r1, Operand(Factory::true_value()));
       __ b(eq, true_target());
       __ cmp(r1, Operand(Factory::false_value()));
       cc_reg_ = eq;
 
     } else if (check->Equals(Heap::undefined_symbol())) {
       __ cmp(r1, Operand(Factory::undefined_value()));
       __ b(eq, true_target());
 
       __ tst(r1, Operand(kSmiTagMask));
       __ b(eq, false_target());
 
-      // NOTE: it can be undetectable object.
+      // It can be an undetectable object.
       __ ldr(r1, FieldMemOperand(r1, HeapObject::kMapOffset));
       __ ldrb(r2, FieldMemOperand(r1, Map::kBitFieldOffset));
       __ and_(r2, r2, Operand(1 << Map::kIsUndetectable));
       __ cmp(r2, Operand(1 << Map::kIsUndetectable));
 
       cc_reg_ = eq;
 
     } else if (check->Equals(Heap::function_symbol())) {
       __ tst(r1, Operand(kSmiTagMask));
       __ b(eq, false_target());
       __ ldr(r1, FieldMemOperand(r1, HeapObject::kMapOffset));
       __ ldrb(r1, FieldMemOperand(r1, Map::kInstanceTypeOffset));
       __ cmp(r1, Operand(JS_FUNCTION_TYPE));
       cc_reg_ = eq;
 
     } else if (check->Equals(Heap::object_symbol())) {
       __ tst(r1, Operand(kSmiTagMask));
       __ b(eq, false_target());
 
       __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
       __ cmp(r1, Operand(Factory::null_value()));
       __ b(eq, true_target());
 
-      // NOTE: it might be an undetectable object.
+      // It can be an undetectable object.
       __ ldrb(r1, FieldMemOperand(r2, Map::kBitFieldOffset));
       __ and_(r1, r1, Operand(1 << Map::kIsUndetectable));
       __ cmp(r1, Operand(1 << Map::kIsUndetectable));
       __ b(eq, false_target());
 
       __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
       __ cmp(r2, Operand(FIRST_JS_OBJECT_TYPE));
       __ b(lt, false_target());
       __ cmp(r2, Operand(LAST_JS_OBJECT_TYPE));
       cc_reg_ = le;
 
     } else {
-      // Uncommon case: Typeof testing against a string literal that
-      // is never returned from the typeof operator.
+      // Uncommon case: typeof testing against a string literal that is
+      // never returned from the typeof operator.
       __ b(false_target());
     }
     return;
   }
 
   Load(left);
   Load(right);
   switch (op) {
     case Token::EQ:
       Comparison(eq, false);
@@ skipping 15 matching lines @@
       Comparison(ge);
       break;
 
     case Token::EQ_STRICT:
       Comparison(eq, true);
       break;
 
     case Token::IN:
       __ mov(r0, Operand(1));  // not counting receiver
       __ InvokeBuiltin(Builtins::IN, CALL_JS);
-      __ push(r0);
+      frame_->Push(r0);
       break;
 
     case Token::INSTANCEOF:
       __ mov(r0, Operand(1));  // not counting receiver
       __ InvokeBuiltin(Builtins::INSTANCE_OF, CALL_JS);
       __ tst(r0, Operand(r0));
       cc_reg_ = eq;
       break;
 
     default:
       UNREACHABLE();
   }
 }
 
 
 void CodeGenerator::RecordStatementPosition(Node* node) {
   if (FLAG_debug_info) {
     int statement_pos = node->statement_pos();
     if (statement_pos == RelocInfo::kNoPosition) return;
     __ RecordStatementPosition(statement_pos);
   }
 }
 
 
-void CodeGenerator::EnterJSFrame() {
-#if defined(DEBUG)
-  { Label done, fail;
-    __ tst(r1, Operand(kSmiTagMask));
-    __ b(eq, &fail);
-    __ ldr(r2, FieldMemOperand(r1, HeapObject::kMapOffset));
-    __ ldrb(r2, FieldMemOperand(r2, Map::kInstanceTypeOffset));
-    __ cmp(r2, Operand(JS_FUNCTION_TYPE));
-    __ b(eq, &done);
-    __ bind(&fail);
-    __ stop("CodeGenerator::EnterJSFrame - r1 not a function");
-    __ bind(&done);
-  }
-#endif  // DEBUG
-
-  __ stm(db_w, sp, r1.bit() | cp.bit() | fp.bit() | lr.bit());
-  __ add(fp, sp, Operand(2 * kPointerSize));  // Adjust FP to point to saved FP.
-}
-
-
-void CodeGenerator::ExitJSFrame() {
-  // Drop the execution stack down to the frame pointer and restore the caller
-  // frame pointer and return address.
-  __ mov(sp, fp);
-  __ ldm(ia_w, sp, fp.bit() | lr.bit());
-}
-
-
 #undef __
 #define __ masm->
 
 Handle<String> Reference::GetName() {
   ASSERT(type_ == NAMED);
   Property* property = expression_->AsProperty();
   if (property == NULL) {
     // Global variable reference treated as a named property reference.
     VariableProxy* proxy = expression_->AsVariableProxy();
     ASSERT(proxy->AsVariable() != NULL);
     ASSERT(proxy->AsVariable()->is_global());
     return proxy->name();
   } else {
     Literal* raw_name = property->key()->AsLiteral();
     ASSERT(raw_name != NULL);
     return Handle<String>(String::cast(*raw_name->handle()));
   }
 }
 
 
 void Reference::GetValue(TypeofState typeof_state) {
   ASSERT(!is_illegal());
   ASSERT(!cgen_->has_cc());
   MacroAssembler* masm = cgen_->masm();
+  VirtualFrame* frame = cgen_->frame();
   Property* property = expression_->AsProperty();
   if (property != NULL) {
     __ RecordPosition(property->position());
   }
 
   switch (type_) {
     case SLOT: {
       Comment cmnt(masm, "[ Load from Slot");
       Slot* slot = expression_->AsVariableProxy()->AsVariable()->slot();
       ASSERT(slot != NULL);
@@ skipping 13 matching lines @@
       __ mov(r2, Operand(name));
       Handle<Code> ic(Builtins::builtin(Builtins::LoadIC_Initialize));
 
       Variable* var = expression_->AsVariableProxy()->AsVariable();
       if (var != NULL) {
         ASSERT(var->is_global());
         __ Call(ic, RelocInfo::CODE_TARGET_CONTEXT);
       } else {
         __ Call(ic, RelocInfo::CODE_TARGET);
       }
-      __ push(r0);
+      frame->Push(r0);
       break;
     }
 
     case KEYED: {
       // TODO(1241834): Make sure that this it is safe to ignore the
       // distinction between expressions in a typeof and not in a typeof.
       Comment cmnt(masm, "[ Load from keyed Property");
       ASSERT(property != NULL);
-      // TODO(1224671): Implement inline caching for keyed loads as on ia32.
-      GetPropertyStub stub;
-      __ CallStub(&stub);
-      __ push(r0);
+      Handle<Code> ic(Builtins::builtin(Builtins::KeyedLoadIC_Initialize));
+
+      Variable* var = expression_->AsVariableProxy()->AsVariable();
+      if (var != NULL) {
+        ASSERT(var->is_global());
+        __ Call(ic, RelocInfo::CODE_TARGET_CONTEXT);
+      } else {
+        __ Call(ic, RelocInfo::CODE_TARGET);
+      }
+      frame->Push(r0);
       break;
     }
 
     default:
       UNREACHABLE();
   }
 }
 
 
 void Reference::SetValue(InitState init_state) {
   ASSERT(!is_illegal());
   ASSERT(!cgen_->has_cc());
   MacroAssembler* masm = cgen_->masm();
+  VirtualFrame* frame = cgen_->frame();
   Property* property = expression_->AsProperty();
   if (property != NULL) {
     __ RecordPosition(property->position());
   }
 
   switch (type_) {
     case SLOT: {
       Comment cmnt(masm, "[ Store to Slot");
       Slot* slot = expression_->AsVariableProxy()->AsVariable()->slot();
       ASSERT(slot != NULL);
       if (slot->type() == Slot::LOOKUP) {
         ASSERT(slot->var()->mode() == Variable::DYNAMIC);
 
         // For now, just do a runtime call.
-        __ push(cp);
+        frame->Push(cp);
         __ mov(r0, Operand(slot->var()->name()));
-        __ push(r0);
+        frame->Push(r0);
 
         if (init_state == CONST_INIT) {
           // Same as the case for a normal store, but ignores attribute
           // (e.g. READ_ONLY) of context slot so that we can initialize
           // const properties (introduced via eval("const foo = (some
           // expr);")). Also, uses the current function context instead of
           // the top context.
           //
           // Note that we must declare the foo upon entry of eval(), via a
           // context slot declaration, but we cannot initialize it at the
           // same time, because the const declaration may be at the end of
           // the eval code (sigh...) and the const variable may have been
           // used before (where its value is 'undefined'). Thus, we can only
           // do the initialization when we actually encounter the expression
           // and when the expression operands are defined and valid, and
           // thus we need the split into 2 operations: declaration of the
           // context slot followed by initialization.
           __ CallRuntime(Runtime::kInitializeConstContextSlot, 3);
         } else {
           __ CallRuntime(Runtime::kStoreContextSlot, 3);
         }
         // Storing a variable must keep the (new) value on the expression
         // stack. This is necessary for compiling assignment expressions.
-        __ push(r0);
+        frame->Push(r0);
 
       } else {
         ASSERT(slot->var()->mode() != Variable::DYNAMIC);
 
         Label exit;
         if (init_state == CONST_INIT) {
           ASSERT(slot->var()->mode() == Variable::CONST);
           // Only the first const initialization must be executed (the slot
           // still contains 'the hole' value). When the assignment is
           // executed, the code is identical to a normal store (see below).
           Comment cmnt(masm, "[ Init const");
           __ ldr(r2, cgen_->SlotOperand(slot, r2));
           __ cmp(r2, Operand(Factory::the_hole_value()));
           __ b(ne, &exit);
         }
 
         // We must execute the store.  Storing a variable must keep the
         // (new) value on the stack. This is necessary for compiling
         // assignment expressions.
         //
         // Note: We will reach here even with slot->var()->mode() ==
         // Variable::CONST because of const declarations which will
         // initialize consts to 'the hole' value and by doing so, end up
         // calling this code.  r2 may be loaded with context; used below in
         // RecordWrite.
-        __ pop(r0);
+        frame->Pop(r0);
         __ str(r0, cgen_->SlotOperand(slot, r2));
-        __ push(r0);
+        frame->Push(r0);
         if (slot->type() == Slot::CONTEXT) {
           // Skip write barrier if the written value is a smi.
           __ tst(r0, Operand(kSmiTagMask));
           __ b(eq, &exit);
           // r2 is loaded with context when calling SlotOperand above.
           int offset = FixedArray::kHeaderSize + slot->index() * kPointerSize;
           __ mov(r3, Operand(offset));
           __ RecordWrite(r2, r3, r1);
         }
         // If we definitely did not jump over the assignment, we do not need
         // to bind the exit label.  Doing so can defeat peephole
         // optimization.
         if (init_state == CONST_INIT || slot->type() == Slot::CONTEXT) {
           __ bind(&exit);
         }
       }
       break;
     }
 
     case NAMED: {
       Comment cmnt(masm, "[ Store to named Property");
       // Call the appropriate IC code.
-      __ pop(r0);  // value
+      frame->Pop(r0);  // value
       // Setup the name register.
       Handle<String> name(GetName());
       __ mov(r2, Operand(name));
       Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_Initialize));
       __ Call(ic, RelocInfo::CODE_TARGET);
-      __ push(r0);
+      frame->Push(r0);
       break;
     }
 
     case KEYED: {
       Comment cmnt(masm, "[ Store to keyed Property");
       Property* property = expression_->AsProperty();
       ASSERT(property != NULL);
       __ RecordPosition(property->position());
-      __ pop(r0);  // value
-      SetPropertyStub stub;
-      __ CallStub(&stub);
-      __ push(r0);
+
+      // Call IC code.
+      Handle<Code> ic(Builtins::builtin(Builtins::KeyedStoreIC_Initialize));
+      // TODO(1222589): Make the IC grab the values from the stack.
+      frame->Pop(r0);  // value
+      __ Call(ic, RelocInfo::CODE_TARGET);
+      frame->Push(r0);
       break;
     }
 
     default:
       UNREACHABLE();
   }
 }
 
 
 void GetPropertyStub::Generate(MacroAssembler* masm) {
@@ skipping 464 matching lines @@
 
   // Set pending exception and r0 to out of memory exception.
   Failure* out_of_memory = Failure::OutOfMemoryException();
   __ mov(r0, Operand(reinterpret_cast<int32_t>(out_of_memory)));
   __ mov(r2, Operand(ExternalReference(Top::k_pending_exception_address)));
   __ str(r0, MemOperand(r2));
 
   // Restore the stack to the address of the ENTRY handler
   __ mov(sp, Operand(r3));
 
-  // restore parameter- and frame-pointer and pop state.
-  __ ldm(ia_w, sp, r3.bit() | pp.bit() | fp.bit());
+  // Stack layout at this point. See also PushTryHandler
+  // r3, sp ->   next handler
+  //             state (ENTRY)
+  //             pp
+  //             fp
+  //             lr
+
+  // Discard ENTRY state (r2 is not used), and restore parameter-
+  // and frame-pointer and pop state.
+  __ ldm(ia_w, sp, r2.bit() | r3.bit() | pp.bit() | fp.bit());
   // Before returning we restore the context from the frame pointer if not NULL.
   // The frame pointer is NULL in the exception handler of a JS entry frame.
   __ cmp(fp, Operand(0));
   // Set cp to NULL if fp is NULL.
   __ mov(cp, Operand(0), LeaveCC, eq);
   // Restore cp otherwise.
   __ ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset), ne);
   if (kDebug && FLAG_debug_code) __ mov(lr, Operand(pc));
   __ pop(pc);
 }
@@ skipping 209 matching lines @@
 
   // Call a faked try-block that does the invoke.
   __ bl(&invoke);
 
   // Caught exception: Store result (exception) in the pending
   // exception field in the JSEnv and return a failure sentinel.
   // Coming in here the fp will be invalid because the PushTryHandler below
   // sets it to 0 to signal the existence of the JSEntry frame.
   __ mov(ip, Operand(Top::pending_exception_address()));
   __ str(r0, MemOperand(ip));
-  __ mov(r0, Operand(Handle<Failure>(Failure::Exception())));
+  __ mov(r0, Operand(reinterpret_cast<int32_t>(Failure::Exception())));
   __ b(&exit);
 
   // Invoke: Link this frame into the handler chain.
   __ bind(&invoke);
   // Must preserve r0-r4, r5-r7 are available.
   __ PushTryHandler(IN_JS_ENTRY, JS_ENTRY_HANDLER);
   // If an exception not caught by another handler occurs, this handler returns
   // control to the code after the bl(&invoke) above, which restores all
   // kCalleeSaved registers (including cp, pp and fp) to their saved values
   // before returning a failure to C.
@@ skipping 164 matching lines @@
   __ b(ne, &slow);
 
   // Fast-case: Invoke the function now.
   // r1: pushed function
   ParameterCount actual(argc_);
   __ InvokeFunction(r1, actual, JUMP_FUNCTION);
 
   // Slow-case: Non-function called.
   __ bind(&slow);
   __ mov(r0, Operand(argc_));  // Setup the number of arguments.
-  __ InvokeBuiltin(Builtins::CALL_NON_FUNCTION, JUMP_JS);
+  __ mov(r2, Operand(0));
+  __ GetBuiltinEntry(r3, Builtins::CALL_NON_FUNCTION);
+  __ Jump(Handle<Code>(Builtins::builtin(Builtins::ArgumentsAdaptorTrampoline)),
+          RelocInfo::CODE_TARGET);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal