Begin using the virtual frame for assignment statements of the form:...

src/codegen-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 347 matching lines @@
                                   JumpTarget* false_target,
                                   bool force_cc) {
   ASSERT(!has_cc());
 
   { CodeGenState new_state(this, typeof_state, true_target, false_target);
     Visit(x);
   }
 
   if (force_cc && frame_ != NULL && !has_cc()) {
     // Convert the TOS value to a boolean in the condition code register.
+    frame_->SpillAll();
     ToBoolean(true_target, false_target);
   }
 
   ASSERT(!force_cc || frame_ == NULL || has_cc());
 }
 
 
 void CodeGenerator::Load(Expression* x, TypeofState typeof_state) {
   JumpTarget true_target(this);
   JumpTarget false_target(this);
@@ skipping 63 matching lines @@
   if (variable != NULL && !variable->is_this() && variable->is_global()) {
     // NOTE: This is somewhat nasty. We force the compiler to load
     // the variable as if through '<global>.<variable>' to make sure we
     // do not get reference errors.
     Slot global(variable, Slot::CONTEXT, Context::GLOBAL_INDEX);
     Literal key(variable->name());
     // TODO(1241834): Fetch the position from the variable instead of using
     // no position.
     Property property(&global, &key, RelocInfo::kNoPosition);
     Load(&property);
+    frame_->SpillAll();
   } else {
     Load(x, INSIDE_TYPEOF);
+    frame_->SpillAll();
   }
 }
 
 
 Reference::Reference(CodeGenerator* cgen, Expression* expression)
     : cgen_(cgen), expression_(expression), type_(ILLEGAL) {
   cgen->LoadReference(this);
 }
 
 
 Reference::~Reference() {
   cgen_->UnloadReference(this);
 }
 
 
 void CodeGenerator::LoadReference(Reference* ref) {
   Comment cmnt(masm_, "[ LoadReference");
   Expression* e = ref->expression();
   Property* property = e->AsProperty();
   Variable* var = e->AsVariableProxy()->AsVariable();
 
   if (property != NULL) {
     // The expression is either a property or a variable proxy that rewrites
     // to a property.
     Load(property->obj());
+    frame_->SpillAll();
     // We use a named reference if the key is a literal symbol, unless it is
     // a string that can be legally parsed as an integer.  This is because
     // otherwise we will not get into the slow case code that handles [] on
     // String objects.
     Literal* literal = property->key()->AsLiteral();
     uint32_t dummy;
     if (literal != NULL &&
         literal->handle()->IsSymbol() &&
         !String::cast(*(literal->handle()))->AsArrayIndex(&dummy)) {
       ref->set_type(Reference::NAMED);
     } else {
       Load(property->key());
+      frame_->SpillAll();
       ref->set_type(Reference::KEYED);
     }
   } else if (var != NULL) {
     // The expression is a variable proxy that does not rewrite to a
     // property.  Global variables are treated as named property references.
     if (var->is_global()) {
       LoadGlobal();
       ref->set_type(Reference::NAMED);
     } else {
       ASSERT(var->slot() != NULL);
       ref->set_type(Reference::SLOT);
     }
   } else {
     // Anything else is a runtime error.
     Load(e);
+    frame_->SpillAll();
     frame_->CallRuntime(Runtime::kThrowReferenceError, 1);
   }
 }
 
 
 void CodeGenerator::UnloadReference(Reference* ref) {
   // Pop a reference from the stack while preserving TOS.
   Comment cmnt(masm_, "[ UnloadReference");
   int size = ref->size();
   if (size == 1) {
@@ skipping 702 matching lines @@
 
 
 // Call the function just below TOS on the stack with the given
 // arguments. The receiver is the TOS.
 void CodeGenerator::CallWithArguments(ZoneList<Expression*>* args,
                                       int position) {
   // Push the arguments ("left-to-right") on the stack.
   int arg_count = args->length();
   for (int i = 0; i < arg_count; i++) {
     Load(args->at(i));
+    frame_->SpillAll();
   }
 
   // Record the position for debugging purposes.
   __ RecordPosition(position);
 
   // Use the shared code stub to call the function.
   CallFunctionStub call_function(arg_count);
   frame_->CallStub(&call_function, arg_count + 1);
 
   // Restore context and pop function from the stack.
@@ skipping 77 matching lines @@
     PropertyAttributes attr = node->mode() == Variable::VAR ? NONE : READ_ONLY;
     frame_->EmitPush(Immediate(Smi::FromInt(attr)));
     // Push initial value, if any.
     // Note: For variables we must not push an initial value (such as
     // 'undefined') because we may have a (legal) redeclaration and we
     // must not destroy the current value.
     if (node->mode() == Variable::CONST) {
       frame_->EmitPush(Immediate(Factory::the_hole_value()));
     } else if (node->fun() != NULL) {
       Load(node->fun());
+      frame_->SpillAll();
     } else {
       frame_->EmitPush(Immediate(0));  // no initial value!
     }
     frame_->CallRuntime(Runtime::kDeclareContextSlot, 4);
     // Ignore the return value (declarations are statements).
     return;
   }
 
   ASSERT(!var->is_global());
 
   // If we have a function or a constant, we need to initialize the variable.
   Expression* val = NULL;
   if (node->mode() == Variable::CONST) {
     val = new Literal(Factory::the_hole_value());
   } else {
     val = node->fun();  // NULL if we don't have a function
   }
 
   if (val != NULL) {
     // Set initial value.
     Reference target(this, node->proxy());
     ASSERT(target.is_slot());
     Load(val);
+    frame_->SpillAll();
     target.SetValue(NOT_CONST_INIT);
     // Get rid of the assigned value (declarations are statements).  It's
     // safe to pop the value lying on top of the reference before unloading
     // the reference itself (which preserves the top of stack) because we
     // know that it is a zero-sized reference.
     frame_->Drop();
   }
 }
 
 
 void CodeGenerator::VisitExpressionStatement(ExpressionStatement* node) {
-  frame_->SpillAll();
   Comment cmnt(masm_, "[ ExpressionStatement");
   RecordStatementPosition(node);
   Expression* expression = node->expression();
   expression->MarkAsStatement();
   Load(expression);
   // Remove the lingering expression result from the top of stack.
   frame_->Drop();
+  // Rather than using SpillAll after all recursive calls to Visit over
+  // statements, we spill here in the only statement type that uses the
+  // virtual frame.  This is temporary.
+  frame_->SpillAll();
 }
 
 
 void CodeGenerator::VisitEmptyStatement(EmptyStatement* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "// EmptyStatement");
   // nothing to do
 }
 
 
@@ skipping 65 matching lines @@
     if (frame_ != NULL || else_.is_linked()) {
       else_.Bind();
       Visit(node->else_statement());
     }
 
   } else {
     ASSERT(!has_then_stm && !has_else_stm);
     // if (cond)
     LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &exit, &exit, false);
     if (frame_ != NULL) {
+      frame_->SpillAll();
       if (has_cc()) {
         cc_reg_ = no_condition;
       } else {
         // No cc value set up, that means the boolean was pushed.
         // Pop it again, since it is not going to be used.
         frame_->Drop();
       }
     }
   }
 
@@ skipping 26 matching lines @@
   CleanStack(break_stack_height_ - node->target()->break_stack_height());
   node->target()->break_target()->Jump();
 }
 
 
 void CodeGenerator::VisitReturnStatement(ReturnStatement* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ ReturnStatement");
   RecordStatementPosition(node);
   Load(node->expression());
+  frame_->SpillAll();
 
   // Move the function result into eax
   frame_->EmitPop(eax);
 
   // If we're inside a try statement or the return instruction
   // sequence has been generated, we just jump to that
   // point. Otherwise, we generate the return instruction sequence and
   // bind the function return label.
   if (is_inside_try_ || function_return_.is_bound()) {
     function_return_.Jump();
@@ skipping 20 matching lines @@
               __ SizeOfCodeGeneratedSince(&check_exit_codesize));
   }
 }
 
 
 void CodeGenerator::VisitWithEnterStatement(WithEnterStatement* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ WithEnterStatement");
   RecordStatementPosition(node);
   Load(node->expression());
+  frame_->SpillAll();
   frame_->CallRuntime(Runtime::kPushContext, 1);
 
   if (kDebug) {
     JumpTarget verified_true(this);
     // Verify eax and esi are the same in debug mode
     __ cmp(eax, Operand(esi));
     verified_true.Branch(equal);
     __ int3();
     verified_true.Bind();
   }
@@ skipping 91 matching lines @@
 
 
 void CodeGenerator::VisitSwitchStatement(SwitchStatement* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ SwitchStatement");
   RecordStatementPosition(node);
   node->set_break_stack_height(break_stack_height_);
   node->break_target()->set_code_generator(this);
 
   Load(node->tag());
+  frame_->SpillAll();
 
   if (TryGenerateFastCaseSwitchStatement(node)) {
     return;
   }
 
   JumpTarget next_test(this);
   JumpTarget fall_through(this);
   JumpTarget default_entry(this);
   JumpTarget default_exit(this);
   ZoneList<CaseClause*>* cases = node->cases();
   int length = cases->length();
   CaseClause* default_clause = NULL;
 
   for (int i = 0; i < length; i++) {
     CaseClause* clause = cases->at(i);
     if (clause->is_default()) {
       // Remember the default clause and compile it at the end.
       default_clause = clause;
       continue;
     }
 
     Comment cmnt(masm_, "[ Case clause");
     // Compile the test.
     next_test.Bind();
     next_test.Unuse();
     // Duplicate TOS.
     __ mov(eax, frame_->Top());
     frame_->EmitPush(eax);
     Load(clause->label());
+    frame_->SpillAll();
     Comparison(equal, true);
     Branch(false, &next_test);
 
     // Before entering the body from the test, remove the switch value from
     // the stack.
     frame_->Drop();
 
     // Label the body so that fall through is enabled.
     if (i > 0 && cases->at(i - 1)->is_default()) {
       default_exit.Bind();
@@ skipping 236 matching lines @@
   JumpTarget primitive(this);
   JumpTarget jsobject(this);
   JumpTarget fixed_array(this);
   JumpTarget entry(this);
   JumpTarget end_del_check(this);
   JumpTarget cleanup(this);
   JumpTarget exit(this);
 
   // Get the object to enumerate over (converted to JSObject).
   Load(node->enumerable());
+  frame_->SpillAll();
 
   // Both SpiderMonkey and kjs ignore null and undefined in contrast
   // to the specification.  12.6.4 mandates a call to ToObject.
   frame_->EmitPop(eax);
 
   // eax: value to be iterated over
   __ cmp(eax, Factory::undefined_value());
   exit.Branch(equal);
   __ cmp(eax, Factory::null_value());
   exit.Branch(equal);
@@ skipping 464 matching lines @@
   JumpTarget then(this);
   JumpTarget else_(this);
   JumpTarget exit(this);
   LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &then, &else_, true);
   if (frame_ != NULL) {
     Branch(false, &else_);
   }
   if (frame_ != NULL || then.is_linked()) {
     then.Bind();
     Load(node->then_expression(), typeof_state());
+    frame_->SpillAll();
     exit.Jump();
   }
   if (else_.is_linked()) {
     else_.Bind();
     Load(node->else_expression(), typeof_state());
+    frame_->SpillAll();
   }
   exit.Bind();
 }
 
 
 void CodeGenerator::LoadFromSlot(Slot* slot, TypeofState typeof_state) {
   if (slot->type() == Slot::LOOKUP) {
     ASSERT(slot->var()->mode() == Variable::DYNAMIC);
 
     // For now, just do a runtime call.
@@ skipping 23 matching lines @@
       __ mov(eax, Factory::undefined_value());
       exit.Bind();
       frame_->EmitPush(eax);
     } else {
       frame_->EmitPush(SlotOperand(slot, ecx));
     }
   }
 }
 
 
+void CodeGenerator::StoreToSlot(Slot* slot, InitState init_state) {
+  if (slot->type() == Slot::LOOKUP) {
+    ASSERT(slot->var()->mode() == Variable::DYNAMIC);
+
+    // For now, just do a runtime call.
+    frame_->SpillAll();
+    frame_->EmitPush(frame_->Context());
+    frame_->EmitPush(Immediate(slot->var()->name()));
+
+    if (init_state == CONST_INIT) {
+      // Same as the case for a normal store, but ignores attribute
+      // (e.g. READ_ONLY) of context slot so that we can initialize const
+      // properties (introduced via eval("const foo = (some expr);")). Also,
+      // uses the current function context instead of the top context.
+      //
+      // Note that we must declare the foo upon entry of eval(), via a
+      // context slot declaration, but we cannot initialize it at the same
+      // time, because the const declaration may be at the end of the eval
+      // code (sigh...) and the const variable may have been used before
+      // (where its value is 'undefined'). Thus, we can only do the
+      // initialization when we actually encounter the expression and when
+      // the expression operands are defined and valid, and thus we need the
+      // split into 2 operations: declaration of the context slot followed
+      // by initialization.
+      frame_->CallRuntime(Runtime::kInitializeConstContextSlot, 3);
+    } else {
+      frame_->CallRuntime(Runtime::kStoreContextSlot, 3);
+    }
+    // Storing a variable must keep the (new) value on the expression
+    // stack. This is necessary for compiling chained assignment
+    // expressions.
+    frame_->EmitPush(eax);
+
+  } else {
+    ASSERT(slot->var()->mode() != Variable::DYNAMIC);
+
+    JumpTarget exit(this);
+    if (init_state == CONST_INIT) {
+      ASSERT(slot->var()->mode() == Variable::CONST);
+      // Only the first const initialization must be executed (the slot
+      // still contains 'the hole' value). When the assignment is executed,
+      // the code is identical to a normal store (see below).
+      Comment cmnt(masm_, "[ Init const");
+      frame_->SpillAll();
+      __ mov(eax, SlotOperand(slot, ecx));
+      __ cmp(eax, Factory::the_hole_value());
+      exit.Branch(not_equal);
+    }
+
+    // We must execute the store.  Storing a variable must keep the (new)
+    // value on the stack. This is necessary for compiling assignment
+    // expressions.
+    //
+    // Note: We will reach here even with slot->var()->mode() ==
+    // Variable::CONST because of const declarations which will initialize
+    // consts to 'the hole' value and by doing so, end up calling this code.
+    if (slot->type() == Slot::PARAMETER) {
+      frame_->StoreToParameterAt(slot->index());
+    } else if (slot->type() == Slot::LOCAL) {
+      frame_->StoreToLocalAt(slot->index());
+    } else {
+      // The other slot types (LOOKUP and GLOBAL) cannot reach here.
+      ASSERT(slot->type() == Slot::CONTEXT);
+      frame_->SpillAll();
+      frame_->EmitPop(eax);
+      __ mov(SlotOperand(slot, ecx), eax);
+      frame_->EmitPush(eax);  // RecordWrite may destroy the value in eax.
+      int offset = FixedArray::kHeaderSize + slot->index() * kPointerSize;
+      __ RecordWrite(ecx, offset, eax, ebx);
+    }
+
+    // If we definitely did not jump over the assignment, we do not need
+    // to bind the exit label.  Doing so can defeat peephole
+    // optimization.
+    if (init_state == CONST_INIT) {
+      exit.Bind();
+    }
+  }
+}
+
+
 void CodeGenerator::VisitSlot(Slot* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ Slot");
   LoadFromSlot(node, typeof_state());
 }
 
 
 void CodeGenerator::VisitVariableProxy(VariableProxy* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ VariableProxy");
@@ skipping 11 matching lines @@
     ASSERT(frame_ != NULL);
   } else {
     ASSERT(var->is_global());
     Reference ref(this, node);
     ref.GetValue(typeof_state());
   }
 }
 
 
 void CodeGenerator::VisitLiteral(Literal* node) {
-  frame_->SpillAll();
   Comment cmnt(masm_, "[ Literal");
   if (node->handle()->IsSmi() && !IsInlineSmi(node)) {
     // To prevent long attacker-controlled byte sequences in code, larger
-    // Smis are loaded in two steps.
+    // Smis are loaded in two steps via a temporary register.

[William Hesse, 2008/11/28 10:32:45]

Is now the time for special-casing small literals, and 0?
Load 0 by xor, and load literals between -255 and 255, or 16-bit literals,
specially?  I think this would hit a majority of code literals.

[Kevin Millikin (Chromium), 2008/11/28 12:19:08]

It's only the non-"InlineSmi" literals that are loaded in two pieces---those
that don't fit in 16 bits.  Small ones hit the path to be pushed as a single
virtual frame element.

If we eventually spill literals in VirtualFrame, we use MacroAssembler::Set,
which takes care of using the xor trick for zero.

Ultimately, we can even split the literal up lazily, so if it gets
constant-folded there is no need.

+    Register temp = allocator_->Allocate();
     int bits = reinterpret_cast<int>(*node->handle());
-    __ mov(eax, bits & 0x0000FFFF);
-    __ xor_(eax, bits & 0xFFFF0000);
-    frame_->EmitPush(eax);
+    ASSERT(!temp.is(no_reg));
+    __ mov(temp, bits & 0x0000FFFF);
+    __ xor_(temp, bits & 0xFFFF0000);
+    frame_->Push(temp);
+    allocator_->Unuse(temp);
   } else {
-    frame_->EmitPush(Immediate(node->handle()));
+    frame_->Push(node->handle());
   }
 }
 
 
 class RegExpDeferred: public DeferredCode {
  public:
   RegExpDeferred(CodeGenerator* generator, RegExpLiteral* node)
       : DeferredCode(generator), node_(node) {
     set_comment("[ RegExpDeferred");
   }
@@ skipping 117 matching lines @@
     ObjectLiteral::Property* property  = node->properties()->at(i);
     switch (property->kind()) {
       case ObjectLiteral::Property::CONSTANT: break;
       case ObjectLiteral::Property::COMPUTED: {
         Handle<Object> key(property->key()->handle());
         Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_Initialize));
         if (key->IsSymbol()) {
           __ mov(eax, frame_->Top());
           frame_->EmitPush(eax);
           Load(property->value());
+          frame_->SpillAll();
           frame_->EmitPop(eax);
           __ Set(ecx, Immediate(key));
           frame_->CallCodeObject(ic, RelocInfo::CODE_TARGET, 0);
           frame_->Drop();
           // Ignore result.
           break;
         }
         // Fall through
       }
       case ObjectLiteral::Property::PROTOTYPE: {
         __ mov(eax, frame_->Top());
         frame_->EmitPush(eax);
         Load(property->key());
+        frame_->SpillAll();
         Load(property->value());
+        frame_->SpillAll();
         frame_->CallRuntime(Runtime::kSetProperty, 3);
         // Ignore result.
         break;
       }
       case ObjectLiteral::Property::SETTER: {
         // Duplicate the resulting object on the stack. The runtime
         // function will pop the three arguments passed in.
         __ mov(eax, frame_->Top());
         frame_->EmitPush(eax);
         Load(property->key());
+        frame_->SpillAll();
         frame_->EmitPush(Immediate(Smi::FromInt(1)));
         Load(property->value());
+        frame_->SpillAll();
         frame_->CallRuntime(Runtime::kDefineAccessor, 4);
         // Ignore result.
         break;
       }
       case ObjectLiteral::Property::GETTER: {
         // Duplicate the resulting object on the stack. The runtime
         // function will pop the three arguments passed in.
         __ mov(eax, frame_->Top());
         frame_->EmitPush(eax);
         Load(property->key());
+        frame_->SpillAll();
         frame_->EmitPush(Immediate(Smi::FromInt(0)));
         Load(property->value());
+        frame_->SpillAll();
         frame_->CallRuntime(Runtime::kDefineAccessor, 4);
         // Ignore result.
         break;
       }
       default: UNREACHABLE();
     }
   }
 }
 
 
@@ skipping 16 matching lines @@
   // Generate code to set the elements in the array that are not
   // literals.
   for (int i = 0; i < node->values()->length(); i++) {
     Expression* value = node->values()->at(i);
 
     // If value is literal the property value is already
     // set in the boilerplate object.
     if (value->AsLiteral() == NULL) {
       // The property must be set by generated code.
       Load(value);
+      frame_->SpillAll();
 
       // Get the value off the stack.
       frame_->EmitPop(eax);
       // Fetch the object literal while leaving on the stack.
       __ mov(ecx, frame_->Top());
       // Get the elements array.
       __ mov(ecx, FieldOperand(ecx, JSObject::kElementsOffset));
 
       // Write to the indexed properties array.
       int offset = i * kPointerSize + Array::kHeaderSize;
@@ skipping 32 matching lines @@
       Load(node->value());
 
     } else {
       target.GetValue(NOT_INSIDE_TYPEOF);
       Literal* literal = node->value()->AsLiteral();
       if (IsInlineSmi(literal)) {
         SmiOperation(node->binary_op(), node->type(), literal->handle(), false,
                      NO_OVERWRITE);
       } else {
         Load(node->value());
+        frame_->SpillAll();
         GenericBinaryOperation(node->binary_op(), node->type());
       }
     }
 
     Variable* var = node->target()->AsVariableProxy()->AsVariable();
     if (var != NULL &&
         var->mode() == Variable::CONST &&
         node->op() != Token::INIT_VAR && node->op() != Token::INIT_CONST) {
       // Assignment ignored - leave the value on the stack.
   } else {
       __ RecordPosition(node->position());
       if (node->op() == Token::INIT_CONST) {
         // Dynamic constant initializations must use the function context
         // and initialize the actual constant declared. Dynamic variable
         // initializations are simply assignments and use SetValue.
         target.SetValue(CONST_INIT);
       } else {
         target.SetValue(NOT_CONST_INIT);
       }
     }
   }
 }
 
 
 void CodeGenerator::VisitThrow(Throw* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ Throw");
 
   Load(node->exception());
+  frame_->SpillAll();
   __ RecordPosition(node->position());
   frame_->CallRuntime(Runtime::kThrow, 1);
   frame_->EmitPush(eax);
 }
 
 
 void CodeGenerator::VisitProperty(Property* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ Property");
   Reference property(this, node);
@@ skipping 32 matching lines @@
     frame_->EmitPush(Immediate(var->name()));
 
     // Pass the global object as the receiver and let the IC stub
     // patch the stack to use the global proxy as 'this' in the
     // invoked function.
     LoadGlobal();
     // Load the arguments.
     int arg_count = args->length();
     for (int i = 0; i < arg_count; i++) {
       Load(args->at(i));
+      frame_->SpillAll();
     }
 
     // Setup the receiver register and call the IC initialization code.
     Handle<Code> stub = (loop_nesting() > 0)
         ? ComputeCallInitializeInLoop(arg_count)
         : ComputeCallInitialize(arg_count);
     __ RecordPosition(node->position());
     frame_->CallCodeObject(stub, RelocInfo::CODE_TARGET_CONTEXT,
                            arg_count + 1);
     __ mov(esi, frame_->Context());
@@ skipping 25 matching lines @@
     Literal* literal = property->key()->AsLiteral();
 
     if (literal != NULL && literal->handle()->IsSymbol()) {
       // ------------------------------------------------------------------
       // JavaScript example: 'object.foo(1, 2, 3)' or 'map["key"](1, 2, 3)'
       // ------------------------------------------------------------------
 
       // Push the name of the function and the receiver onto the stack.
       frame_->EmitPush(Immediate(literal->handle()));
       Load(property->obj());
+      frame_->SpillAll();
 
       // Load the arguments.
       int arg_count = args->length();
       for (int i = 0; i < arg_count; i++) {
         Load(args->at(i));
+        frame_->SpillAll();
       }
 
       // Call the IC initialization code.
       Handle<Code> stub = (loop_nesting() > 0)
         ? ComputeCallInitializeInLoop(arg_count)
         : ComputeCallInitialize(arg_count);
       __ RecordPosition(node->position());
       frame_->CallCodeObject(stub, RelocInfo::CODE_TARGET, arg_count + 1);
       __ mov(esi, frame_->Context());
 
@@ skipping 17 matching lines @@
       CallWithArguments(args, node->position());
     }
 
   } else {
     // ----------------------------------
     // JavaScript example: 'foo(1, 2, 3)'  // foo is not global
     // ----------------------------------
 
     // Load the function.
     Load(function);
+    frame_->SpillAll();
 
     // Pass the global proxy as the receiver.
     LoadGlobalReceiver(eax);
 
     // Call the function.
     CallWithArguments(args, node->position());
   }
 }
 
 
 void CodeGenerator::VisitCallNew(CallNew* node) {
   frame_->SpillAll();
   Comment cmnt(masm_, "[ CallNew");
 
   // According to ECMA-262, section 11.2.2, page 44, the function
   // expression in new calls must be evaluated before the
   // arguments. This is different from ordinary calls, where the
   // actual function to call is resolved after the arguments have been
   // evaluated.
 
   // Compute function to call and use the global object as the
   // receiver. There is no need to use the global proxy here because
   // it will always be replaced with a newly allocated object.
   Load(node->expression());
+  frame_->SpillAll();
   LoadGlobal();
 
   // Push the arguments ("left-to-right") on the stack.
   ZoneList<Expression*>* args = node->arguments();
   int arg_count = args->length();
   for (int i = 0; i < arg_count; i++) {
     Load(args->at(i));
+    frame_->SpillAll();
   }
 
   // Constructors are called with the number of arguments in register
   // eax for now. Another option would be to have separate construct
   // call trampolines per different arguments counts encountered.
   __ Set(eax, Immediate(arg_count));
 
   // Load the function into temporary function slot as per calling
   // convention.
   __ mov(edi, frame_->ElementAt(arg_count + 1));
 
   // Call the construct call builtin that handles allocation and
   // constructor invocation.
   __ RecordPosition(node->position());
   Handle<Code> ic(Builtins::builtin(Builtins::JSConstructCall));
   frame_->CallCodeObject(ic, RelocInfo::CONSTRUCT_CALL, args->length() + 1);
   // Discard the function and "push" the newly created object.
   __ mov(frame_->Top(), eax);
 }
 
 
 void CodeGenerator::GenerateIsSmi(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
+  frame_->SpillAll();

[iposva, 2008/12/03 07:04:40]

Is there a single call to Load in this file that is not followed by a
frame_->SpillAll()?
You should probably move the mandatory (?) spilling code into the Load function
and explain the reason for it in a good fat comment.

Style nit: we should use the accessor to get at the frame_ instead of using it
directly.

[Kevin Millikin (Chromium), 2008/12/03 15:08:38]

Actually there are two (but they are easy to miss).  one is in
VisitExpressionStatement where a value is discarded, which doesn't require a
fully spilled frame and emits no code for virtual TOS elements; and the other is
in VisitAssignment for the case of simple "=" assignments, where the RHS can
safely be a register or constant which is simply compiled to a memory move for
LHSs that are LOCAL or PARAMETER slots.

The calls to SpillAll are annoying, but temporary---ultimately they will all go
away (or be moved to more optimal places).

I don't mind using the accessor, but I'm not sure what it's buying us either.

   frame_->EmitPop(eax);
   __ test(eax, Immediate(kSmiTagMask));
   cc_reg_ = zero;
 }
 
 
 void CodeGenerator::GenerateIsNonNegativeSmi(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
+  frame_->SpillAll();
   frame_->EmitPop(eax);
   __ test(eax, Immediate(kSmiTagMask | 0x80000000));
   cc_reg_ = zero;
 }
 
 
 // This generates code that performs a charCodeAt() call or returns
 // undefined in order to trigger the slow case, Runtime_StringCharCodeAt.
 // It can handle flat and sliced strings, 8 and 16 bit characters and
 // cons strings where the answer is found in the left hand branch of the
 // cons.  The slow case will flatten the string, which will ensure that
 // the answer is in the left hand side the next time around.
 void CodeGenerator::GenerateFastCharCodeAt(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 2);
 
   JumpTarget slow_case(this);
   JumpTarget end(this);
   JumpTarget not_a_flat_string(this);
   JumpTarget not_a_cons_string_either(this);
   JumpTarget try_again_with_new_string(this);
   JumpTarget ascii_string(this);
   JumpTarget got_char_code(this);
 
   // Load the string into eax.
   Load(args->at(0));
+  frame_->SpillAll();
   frame_->EmitPop(eax);
   // If the receiver is a smi return undefined.
   ASSERT(kSmiTag == 0);
   __ test(eax, Immediate(kSmiTagMask));
   slow_case.Branch(zero, not_taken);
 
   // Load the index into ebx.
   Load(args->at(1));
+  frame_->SpillAll();
   frame_->EmitPop(ebx);
 
   // Check for negative or non-smi index.
   ASSERT(kSmiTag == 0);
   __ test(ebx, Immediate(kSmiTagMask | 0x80000000));
   slow_case.Branch(not_zero, not_taken);
   // Get rid of the smi tag on the index.
   __ sar(ebx, kSmiTagSize);
 
   try_again_with_new_string.Bind();
@@ skipping 75 matching lines @@
   slow_case.Bind();
   frame_->EmitPush(Immediate(Factory::undefined_value()));
 
   end.Bind();
 }
 
 
 void CodeGenerator::GenerateIsArray(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
+  frame_->SpillAll();
   JumpTarget answer(this);
   // We need the CC bits to come out as not_equal in the case where the
   // object is a smi.  This can't be done with the usual test opcode so
   // we copy the object to ecx and do some destructive ops on it that
   // result in the right CC bits.
   frame_->EmitPop(eax);
   __ mov(ecx, Operand(eax));
   __ and_(ecx, kSmiTagMask);
   __ xor_(ecx, kSmiTagMask);
   answer.Branch(not_equal, not_taken);
@@ skipping 19 matching lines @@
   ArgumentsAccessStub stub(ArgumentsAccessStub::READ_LENGTH);
   frame_->CallStub(&stub, 0);
   frame_->EmitPush(eax);
 }
 
 
 void CodeGenerator::GenerateValueOf(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   JumpTarget leave(this);
   Load(args->at(0));  // Load the object.
+  frame_->SpillAll();
   __ mov(eax, frame_->Top());
   // if (object->IsSmi()) return object.
   __ test(eax, Immediate(kSmiTagMask));
   leave.Branch(zero, taken);
   // It is a heap object - get map.
   __ mov(ecx, FieldOperand(eax, HeapObject::kMapOffset));
   __ movzx_b(ecx, FieldOperand(ecx, Map::kInstanceTypeOffset));
   // if (!object->IsJSValue()) return object.
   __ cmp(ecx, JS_VALUE_TYPE);
   leave.Branch(not_equal, not_taken);
   __ mov(eax, FieldOperand(eax, JSValue::kValueOffset));
   __ mov(frame_->Top(), eax);
   leave.Bind();
 }
 
 
 void CodeGenerator::GenerateSetValueOf(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 2);
   JumpTarget leave(this);
   Load(args->at(0));  // Load the object.
+  frame_->SpillAll();
   Load(args->at(1));  // Load the value.
+  frame_->SpillAll();
   __ mov(eax, frame_->ElementAt(1));
   __ mov(ecx, frame_->Top());
   // if (object->IsSmi()) return object.
   __ test(eax, Immediate(kSmiTagMask));
   leave.Branch(zero, taken);
   // It is a heap object - get map.
   __ mov(ebx, FieldOperand(eax, HeapObject::kMapOffset));
   __ movzx_b(ebx, FieldOperand(ebx, Map::kInstanceTypeOffset));
   // if (!object->IsJSValue()) return object.
   __ cmp(ebx, JS_VALUE_TYPE);
   leave.Branch(not_equal, not_taken);
   // Store the value.
   __ mov(FieldOperand(eax, JSValue::kValueOffset), ecx);
   // Update the write barrier.
   __ RecordWrite(eax, JSValue::kValueOffset, ecx, ebx);
   // Leave.
   leave.Bind();
   __ mov(ecx, frame_->Top());
   frame_->Drop();
   __ mov(frame_->Top(), ecx);
 }
 
 
 void CodeGenerator::GenerateArgumentsAccess(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
 
   // Load the key onto the stack and set register eax to the formal
   // parameters count for the currently executing function.
   Load(args->at(0));
+  frame_->SpillAll();
   __ Set(eax, Immediate(Smi::FromInt(scope_->num_parameters())));
 
   // Call the shared stub to get to arguments[key].
   ArgumentsAccessStub stub(ArgumentsAccessStub::READ_ELEMENT);
   frame_->CallStub(&stub, 0);
   __ mov(frame_->Top(), eax);
 }
 
 
 void CodeGenerator::GenerateObjectEquals(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 2);
 
   // Load the two objects into registers and perform the comparison.
   Load(args->at(0));
+  frame_->SpillAll();
   Load(args->at(1));
+  frame_->SpillAll();
   frame_->EmitPop(eax);
   frame_->EmitPop(ecx);
   __ cmp(eax, Operand(ecx));
   cc_reg_ = equal;
 }
 
 
 void CodeGenerator::VisitCallRuntime(CallRuntime* node) {
   frame_->SpillAll();
   if (CheckForInlineRuntimeCall(node)) {
     return;
   }
 
   ZoneList<Expression*>* args = node->arguments();
   Comment cmnt(masm_, "[ CallRuntime");
   Runtime::Function* function = node->function();
 
   if (function == NULL) {
     // Prepare stack for calling JS runtime function.
     frame_->EmitPush(Immediate(node->name()));
     // Push the builtins object found in the current global object.
     __ mov(edx, GlobalObject());
     frame_->EmitPush(FieldOperand(edx, GlobalObject::kBuiltinsOffset));
   }
 
   // Push the arguments ("left-to-right").
   int arg_count = args->length();
   for (int i = 0; i < arg_count; i++) {
     Load(args->at(i));
+    frame_->SpillAll();
   }
 
   if (function == NULL) {
     // Call the JS runtime function.
     Handle<Code> stub = ComputeCallInitialize(arg_count);
     __ Set(eax, Immediate(args->length()));
     frame_->CallCodeObject(stub, RelocInfo::CODE_TARGET, arg_count + 1);
     __ mov(esi, frame_->Context());
     __ mov(frame_->Top(), eax);
   } else {
@@ skipping 15 matching lines @@
 
   if (op == Token::NOT) {
     LoadCondition(node->expression(), NOT_INSIDE_TYPEOF,
                   false_target(), true_target(), true);
     cc_reg_ = NegateCondition(cc_reg_);
 
   } else if (op == Token::DELETE) {
     Property* property = node->expression()->AsProperty();
     if (property != NULL) {
       Load(property->obj());
+      frame_->SpillAll();
       Load(property->key());
+      frame_->SpillAll();
       frame_->InvokeBuiltin(Builtins::DELETE, CALL_FUNCTION, 2);
       frame_->EmitPush(eax);
       return;
     }
 
     Variable* variable = node->expression()->AsVariableProxy()->AsVariable();
     if (variable != NULL) {
       Slot* slot = variable->slot();
       if (variable->is_global()) {
         LoadGlobal();
@@ skipping 15 matching lines @@
         return;
       }
 
       // Default: Result of deleting non-global, not dynamically
       // introduced variables is false.
       frame_->EmitPush(Immediate(Factory::false_value()));
 
     } else {
       // Default: Result of deleting expressions is true.
       Load(node->expression());  // may have side-effects
+      frame_->SpillAll();
       __ Set(frame_->Top(), Immediate(Factory::true_value()));
     }
 
   } else if (op == Token::TYPEOF) {
     // Special case for loading the typeof expression; see comment on
     // LoadTypeofExpression().
     LoadTypeofExpression(node->expression());
     frame_->CallRuntime(Runtime::kTypeof, 1);
     frame_->EmitPush(eax);
 
   } else {
     Load(node->expression());
+    frame_->SpillAll();
     switch (op) {
       case Token::NOT:
       case Token::DELETE:
       case Token::TYPEOF:
         UNREACHABLE();  // handled above
         break;
 
       case Token::SUB: {
         UnarySubStub stub;
         // TODO(1222589): remove dependency of TOS being cached inside stub
@@ skipping 228 matching lines @@
         Branch(false, false_target());
       }
 
       if (frame_ != NULL || is_true.is_linked()) {
         // Evaluate right side expression.
         is_true.Bind();
         LoadCondition(node->right(), NOT_INSIDE_TYPEOF, true_target(),
                       false_target(), false);
       }
     } else {
+      frame_->SpillAll();
       // We have a materialized value on the frame.
       JumpTarget pop_and_continue(this);
       JumpTarget exit(this);
 
       // Avoid popping the result if it converts to 'false' using the
       // standard ToBoolean() conversion as described in ECMA-262, section
       // 9.2, page 30.
       //
       // Duplicate the TOS value. The duplicate will be popped by ToBoolean.
       __ mov(eax, frame_->Top());
       frame_->EmitPush(eax);
       ToBoolean(&pop_and_continue, &exit);
       Branch(false, &exit);
 
       // Pop the result of evaluating the first part.
       pop_and_continue.Bind();
       frame_->Drop();
 
       // Evaluate right side expression.
       is_true.Bind();
       Load(node->right());
+      frame_->SpillAll();
 
       // Exit (always with a materialized value).
       exit.Bind();
     }
 
   } else if (op == Token::OR) {
     JumpTarget is_false(this);
     LoadCondition(node->left(), NOT_INSIDE_TYPEOF, true_target(),
                   &is_false, false);
     if (has_cc() || frame_ == NULL) {
       if (has_cc()) {
         ASSERT(frame_ != NULL);
         Branch(true, true_target());
       }
 
       if (frame_ != NULL || is_false.is_linked()) {
         // Evaluate right side expression.
         is_false.Bind();
         LoadCondition(node->right(), NOT_INSIDE_TYPEOF, true_target(),
                       false_target(), false);
       }
 
     } else {
+      frame_->SpillAll();
       // We have a materialized value on the frame.
       JumpTarget pop_and_continue(this);
       JumpTarget exit(this);
 
       // Avoid popping the result if it converts to 'true' using the
       // standard ToBoolean() conversion as described in ECMA-262,
       // section 9.2, page 30.
       // Duplicate the TOS value. The duplicate will be popped by ToBoolean.
       __ mov(eax, frame_->Top());
       frame_->EmitPush(eax);
       ToBoolean(&exit, &pop_and_continue);
       Branch(true, &exit);
 
       // Pop the result of evaluating the first part.
       pop_and_continue.Bind();
       frame_->Drop();
 
       // Evaluate right side expression.
       is_false.Bind();
       Load(node->right());
+      frame_->SpillAll();
 
       // Exit (always with a materialized value).
       exit.Bind();
     }
 
   } else {
     // NOTE: The code below assumes that the slow cases (calls to runtime)
     // never return a constant/immutable object.
     OverwriteMode overwrite_mode = NO_OVERWRITE;
     if (node->left()->AsBinaryOperation() != NULL &&
         node->left()->AsBinaryOperation()->ResultOverwriteAllowed()) {
       overwrite_mode = OVERWRITE_LEFT;
     } else if (node->right()->AsBinaryOperation() != NULL &&
                node->right()->AsBinaryOperation()->ResultOverwriteAllowed()) {
       overwrite_mode = OVERWRITE_RIGHT;
     }
 
     // Optimize for the case where (at least) one of the expressions
     // is a literal small integer.
     Literal* lliteral = node->left()->AsLiteral();
     Literal* rliteral = node->right()->AsLiteral();
 
     if (IsInlineSmi(rliteral)) {
       Load(node->left());
+      frame_->SpillAll();
       SmiOperation(node->op(), node->type(), rliteral->handle(), false,
                    overwrite_mode);
     } else if (IsInlineSmi(lliteral)) {
       Load(node->right());
+      frame_->SpillAll();
       SmiOperation(node->op(), node->type(), lliteral->handle(), true,
                    overwrite_mode);
     } else {
       Load(node->left());
+      frame_->SpillAll();
       Load(node->right());
+      frame_->SpillAll();
       GenericBinaryOperation(node->op(), node->type(), overwrite_mode);
     }
   }
 }
 
 
 void CodeGenerator::VisitThisFunction(ThisFunction* node) {
   frame_->SpillAll();
   frame_->EmitPush(frame_->Function());
 }
@@ skipping 25 matching lines @@
   // instead of calling the (very) general runtime routine for checking
   // equality.
   if (op == Token::EQ || op == Token::EQ_STRICT) {
     bool left_is_null =
         left->AsLiteral() != NULL && left->AsLiteral()->IsNull();
     bool right_is_null =
         right->AsLiteral() != NULL && right->AsLiteral()->IsNull();
     // The 'null' value can only be equal to 'null' or 'undefined'.
     if (left_is_null || right_is_null) {
       Load(left_is_null ? right : left);
+      frame_->SpillAll();
       frame_->EmitPop(eax);
       __ cmp(eax, Factory::null_value());
 
       // The 'null' value is only equal to 'undefined' if using non-strict
       // comparisons.
       if (op != Token::EQ_STRICT) {
         true_target()->Branch(equal);
 
         __ cmp(eax, Factory::undefined_value());
         true_target()->Branch(equal);
@@ skipping 125 matching lines @@
       cc = greater;
       break;
     case Token::LTE:
       cc = less_equal;
       break;
     case Token::GTE:
       cc = greater_equal;
       break;
     case Token::IN: {
       Load(left);
+      frame_->SpillAll();
       Load(right);
+      frame_->SpillAll();
       frame_->InvokeBuiltin(Builtins::IN, CALL_FUNCTION, 2);
       frame_->EmitPush(eax);  // push the result
       return;
     }
     case Token::INSTANCEOF: {
       Load(left);
+      frame_->SpillAll();
       Load(right);
+      frame_->SpillAll();
       InstanceofStub stub;
       frame_->CallStub(&stub, 2);
       __ test(eax, Operand(eax));
       cc_reg_ = zero;
       return;
     }
     default:
       UNREACHABLE();
   }
 
   // Optimize for the case where (at least) one of the expressions
   // is a literal small integer.
   if (IsInlineSmi(left->AsLiteral())) {
     Load(right);
+    frame_->SpillAll();
     SmiComparison(ReverseCondition(cc), left->AsLiteral()->handle(), strict);
     return;
   }
   if (IsInlineSmi(right->AsLiteral())) {
     Load(left);
+    frame_->SpillAll();
     SmiComparison(cc, right->AsLiteral()->handle(), strict);
     return;
   }
 
   Load(left);
+  frame_->SpillAll();
   Load(right);
+  frame_->SpillAll();
   Comparison(cc, strict);
 }
 
 
 void CodeGenerator::RecordStatementPosition(Node* node) {
   if (FLAG_debug_info) {
     int pos = node->statement_pos();
     if (pos != RelocInfo::kNoPosition) {
       __ RecordStatementPosition(pos);
     }
@@ skipping 94 matching lines @@
 void Reference::SetValue(InitState init_state) {
   ASSERT(!is_illegal());
   ASSERT(!cgen_->has_cc());
   MacroAssembler* masm = cgen_->masm();
   VirtualFrame* frame = cgen_->frame();
   switch (type_) {
     case SLOT: {
       Comment cmnt(masm, "[ Store to Slot");
       Slot* slot = expression_->AsVariableProxy()->AsVariable()->slot();
       ASSERT(slot != NULL);
-      if (slot->type() == Slot::LOOKUP) {
-        ASSERT(slot->var()->mode() == Variable::DYNAMIC);
-
-        // For now, just do a runtime call.
-        frame->EmitPush(esi);
-        frame->EmitPush(Immediate(slot->var()->name()));
-
-        if (init_state == CONST_INIT) {
-          // Same as the case for a normal store, but ignores attribute
-          // (e.g. READ_ONLY) of context slot so that we can initialize
-          // const properties (introduced via eval("const foo = (some
-          // expr);")). Also, uses the current function context instead of
-          // the top context.
-          //
-          // Note that we must declare the foo upon entry of eval(), via a
-          // context slot declaration, but we cannot initialize it at the
-          // same time, because the const declaration may be at the end of
-          // the eval code (sigh...) and the const variable may have been
-          // used before (where its value is 'undefined'). Thus, we can only
-          // do the initialization when we actually encounter the expression
-          // and when the expression operands are defined and valid, and
-          // thus we need the split into 2 operations: declaration of the
-          // context slot followed by initialization.
-          frame->CallRuntime(Runtime::kInitializeConstContextSlot, 3);
-        } else {
-          frame->CallRuntime(Runtime::kStoreContextSlot, 3);
-        }
-        // Storing a variable must keep the (new) value on the expression
-        // stack. This is necessary for compiling chained assignment
-        // expressions.
-        frame->EmitPush(eax);
-
-      } else {
-        ASSERT(slot->var()->mode() != Variable::DYNAMIC);
-
-        JumpTarget exit(cgen_);
-        if (init_state == CONST_INIT) {
-          ASSERT(slot->var()->mode() == Variable::CONST);
-          // Only the first const initialization must be executed (the slot
-          // still contains 'the hole' value). When the assignment is
-          // executed, the code is identical to a normal store (see below).
-          Comment cmnt(masm, "[ Init const");
-          __ mov(eax, cgen_->SlotOperand(slot, ecx));
-          __ cmp(eax, Factory::the_hole_value());
-          exit.Branch(not_equal);
-        }
-
-        // We must execute the store.  Storing a variable must keep the
-        // (new) value on the stack. This is necessary for compiling
-        // assignment expressions.
-        //
-        // Note: We will reach here even with slot->var()->mode() ==
-        // Variable::CONST because of const declarations which will
-        // initialize consts to 'the hole' value and by doing so, end up
-        // calling this code.
-        frame->EmitPop(eax);
-        __ mov(cgen_->SlotOperand(slot, ecx), eax);
-        frame->EmitPush(eax);  // RecordWrite may destroy the value in eax.
-        if (slot->type() == Slot::CONTEXT) {
-          // ecx is loaded with context when calling SlotOperand above.
-          int offset = FixedArray::kHeaderSize + slot->index() * kPointerSize;
-          __ RecordWrite(ecx, offset, eax, ebx);
-        }
-        // If we definitely did not jump over the assignment, we do not need
-        // to bind the exit label.  Doing so can defeat peephole
-        // optimization.
-        if (init_state == CONST_INIT) {
-          exit.Bind();
-        }
-      }
+      cgen_->StoreToSlot(slot, init_state);
       break;
     }
 
     case NAMED: {
+      frame->SpillAll();

[iposva, 2008/12/03 07:04:40]

Could this SpillAll() be moved after the EmitPop(eax)? Then you could
potentially materialize the value for eax without having to go through memory
and then spill the remainder after EmitPop().

[Kevin Millikin (Chromium), 2008/12/03 15:08:38]

Eventually when this code is reworked.  Right now the functions with "Emit" (ie,
EmitPush and EmitPop) in their names will actually emit those specific machine
instructions.  They do not do any magic with virtual frame elements, so they
require fully spilled frames.

       Comment cmnt(masm, "[ Store to named Property");
       // Call the appropriate IC code.
       Handle<String> name(GetName());
       Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_Initialize));
       // TODO(1222589): Make the IC grab the values from the stack.
       frame->EmitPop(eax);
       // Setup the name register.
       __ mov(ecx, name);
       frame->CallCodeObject(ic, RelocInfo::CODE_TARGET, 0);
       frame->EmitPush(eax);  // IC call leaves result in eax, push it out
       break;
     }
 
     case KEYED: {
+      frame->SpillAll();

[iposva, 2008/12/03 07:04:40]

ditto.

       Comment cmnt(masm, "[ Store to keyed Property");
       Property* property = expression_->AsProperty();
       ASSERT(property != NULL);
       __ RecordPosition(property->position());
       // Call IC code.
       Handle<Code> ic(Builtins::builtin(Builtins::KeyedStoreIC_Initialize));
       // TODO(1222589): Make the IC grab the values from the stack.
       frame->EmitPop(eax);
       frame->CallCodeObject(ic, RelocInfo::CODE_TARGET, 0);
       frame->EmitPush(eax);  // IC call leaves result in eax, push it out
@@ skipping 1224 matching lines @@
 
   // Slow-case: Go through the JavaScript implementation.
   __ bind(&slow);
   __ InvokeBuiltin(Builtins::INSTANCE_OF, JUMP_FUNCTION);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal