Reshuffle registers in JSConstructStub to avoid trashing costructor and new.target on fast path (so…

src/arm/builtins-arm.cc

Index: src/arm/builtins-arm.cc
diff --git a/src/arm/builtins-arm.cc b/src/arm/builtins-arm.cc
index 50c8ff21d613b968a75e5d0c158d519b8f241508..611fa056caa263abcb248d1599a349bd9b5d4973 100644
--- a/src/arm/builtins-arm.cc
+++ b/src/arm/builtins-arm.cc
@@ -362,9 +362,6 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     __ push(r0);
 
     if (create_implicit_receiver) {
-      __ push(r1);
-      __ push(r3);
-
       // Try to allocate the object without transitioning into C code. If any of
       // the preconditions is not met, the code bails out to the runtime call.
       Label rt_call, allocated;
@@ -392,6 +389,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
         // initial map's instance type would be JS_FUNCTION_TYPE.
         // r1: constructor function
         // r2: initial map
+        // r3: new target
         __ CompareInstanceType(r2, r5, JS_FUNCTION_TYPE);
         __ b(eq, &rt_call);
 
@@ -400,22 +398,24 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
           MemOperand bit_field3 = FieldMemOperand(r2, Map::kBitField3Offset);
           // Check if slack tracking is enabled.
           __ ldr(r4, bit_field3);
-          __ DecodeField<Map::Counter>(r3, r4);
-          __ cmp(r3, Operand(Map::kSlackTrackingCounterEnd));
+          __ DecodeField<Map::Counter>(r0, r4);
+          __ cmp(r0, Operand(Map::kSlackTrackingCounterEnd));
           __ b(lt, &allocate);
           // Decrease generous allocation count.
           __ sub(r4, r4, Operand(1 << Map::Counter::kShift));
           __ str(r4, bit_field3);
-          __ cmp(r3, Operand(Map::kSlackTrackingCounterEnd));
+          __ cmp(r0, Operand(Map::kSlackTrackingCounterEnd));
           __ b(ne, &allocate);
 
-          __ Push(r1, r2);
+          // Push the constructor, new_target and map to the stack, and
+          // the map again as an argument to the runtime call.
+          __ Push(r1, r3, r2);
 
-          __ push(r2);  // r2 = intial map
+          __ push(r2);
           __ CallRuntime(Runtime::kFinalizeInstanceSize, 1);
 
-          __ pop(r2);
-          __ pop(r1);
+          __ Pop(r1, r3, r2);
+          __ mov(r0, Operand(Map::kSlackTrackingCounterEnd - 1));
 
           __ bind(&allocate);
         }
@@ -423,17 +423,20 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
         // Now allocate the JSObject on the heap.
         // r1: constructor function
         // r2: initial map
-        Label rt_call_reload_new_target;
-        __ ldrb(r3, FieldMemOperand(r2, Map::kInstanceSizeOffset));
+        // r3: new target
+        // r0: slack tracking counter (non-API function case)
+        __ ldrb(r9, FieldMemOperand(r2, Map::kInstanceSizeOffset));
 
-        __ Allocate(r3, r4, r3, r6, &rt_call_reload_new_target, SIZE_IN_WORDS);
+        __ Allocate(r9, r4, r9, r6, &rt_call, SIZE_IN_WORDS);
 
         // Allocated the JSObject, now initialize the fields. Map is set to
         // initial map and properties and elements are set to empty fixed array.
         // r1: constructor function
         // r2: initial map
+        // r3: new target
         // r4: JSObject (not tagged)
-        // r3: start of next object
+        // r9: start of next object
+        // r0: slack tracking counter (non-API function case)
         __ LoadRoot(r6, Heap::kEmptyFixedArrayRootIndex);
         __ mov(r5, r4);
         STATIC_ASSERT(0 * kPointerSize == JSObject::kMapOffset);
@@ -442,56 +445,49 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
         __ str(r6, MemOperand(r5, kPointerSize, PostIndex));
         STATIC_ASSERT(2 * kPointerSize == JSObject::kElementsOffset);
         __ str(r6, MemOperand(r5, kPointerSize, PostIndex));
+        STATIC_ASSERT(3 * kPointerSize == JSObject::kHeaderSize);
 
         // Fill all the in-object properties with the appropriate filler.
-        // r1: constructor function
-        // r2: initial map
-        // r4: JSObject (not tagged)
-        // r3: start of next object
         // r5: First in-object property of JSObject (not tagged)
-        DCHECK_EQ(3 * kPointerSize, JSObject::kHeaderSize);
         __ LoadRoot(r6, Heap::kUndefinedValueRootIndex);
 
         if (!is_api_function) {
           Label no_inobject_slack_tracking;
 
           // Check if slack tracking is enabled.
-          __ ldr(ip, FieldMemOperand(r2, Map::kBitField3Offset));
-          __ DecodeField<Map::Counter>(ip);
-          __ cmp(ip, Operand(Map::kSlackTrackingCounterEnd));
+          __ cmp(r0, Operand(Map::kSlackTrackingCounterEnd));
           __ b(lt, &no_inobject_slack_tracking);
 
           // Allocate object with a slack.
           __ ldr(r2, FieldMemOperand(r2, Map::kInstanceAttributesOffset));
           __ Ubfx(r2, r2, Map::kUnusedPropertyFieldsByte * kBitsPerByte,
                   kBitsPerByte);
-          __ sub(r0, r3, Operand(r2, LSL, kPointerSizeLog2));
+          __ sub(r0, r9, Operand(r2, LSL, kPointerSizeLog2));
           // r0: offset of first field after pre-allocated fields
           if (FLAG_debug_code) {
             __ cmp(r5, r0);
             __ Assert(le, kUnexpectedNumberOfPreAllocatedPropertyFields);
           }
           __ InitializeFieldsWithFiller(r5, r0, r6);
-          // To allow for truncation.
+
+          // To allow truncation fill the remaining fields with one pointer
+          // filler map.
           __ LoadRoot(r6, Heap::kOnePointerFillerMapRootIndex);
-          // Fill the remaining fields with one pointer filler map.
 
           __ bind(&no_inobject_slack_tracking);
         }
 
-        __ InitializeFieldsWithFiller(r5, r3, r6);
+        __ InitializeFieldsWithFiller(r5, r9, r6);
 
         // Add the object tag to make the JSObject real, so that we can continue
         // and jump into the continuation code at any time from now on.
         __ add(r4, r4, Operand(kHeapObjectTag));
 
         // Continue with JSObject being successfully allocated
+        // r1: constructor function
+        // r3: new target
         // r4: JSObject
         __ jmp(&allocated);
-
-        // Reload the new target and fall-through.
-        __ bind(&rt_call_reload_new_target);
-        __ ldr(r3, MemOperand(sp, 0 * kPointerSize));
       }
 
       // Allocate the new receiver object using the runtime call.
@@ -499,19 +495,20 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       // r3: new target
       __ bind(&rt_call);
 
-      __ push(r1);  // constructor function
-      __ push(r3);  // new target
+      // Push the constructor and new_target twice, second pair as arguments
+      // to the runtime call.
+      __ Push(r1, r3);
+      __ Push(r1, r3);  // constructor function, new target
       __ CallRuntime(Runtime::kNewObject, 2);
       __ mov(r4, r0);
+      __ Pop(r1, r3);
 
       // Receiver for constructor call allocated.
+      // r1: constructor function
+      // r3: new target
       // r4: JSObject
       __ bind(&allocated);
 
-      // Restore the parameters.
-      __ pop(r3);
-      __ pop(r1);
-
       // Retrieve smi-tagged arguments count from the stack.
       __ ldr(r0, MemOperand(sp));
     }