Experimental: improve the code generated for possibly boolean-valued...

src/codegen-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 27 matching lines @@
 #define __ masm_->
 
 // -------------------------------------------------------------------------
 // CodeGenState implementation.
 
 CodeGenState::CodeGenState(CodeGenerator* owner)
     : owner_(owner),
       typeof_state_(NOT_INSIDE_TYPEOF),
       true_target_(NULL),
       false_target_(NULL),
+      fall_through_(NULL),
       previous_(NULL) {
   owner_->set_state(this);
 }
 
 
 CodeGenState::CodeGenState(CodeGenerator* owner,
                            TypeofState typeof_state,
                            JumpTarget* true_target,
-                           JumpTarget* false_target)
+                           JumpTarget* false_target,
+                           JumpTarget* fall_through)
     : owner_(owner),
       typeof_state_(typeof_state),
       true_target_(true_target),
       false_target_(false_target),
+      fall_through_(fall_through),
       previous_(owner->state()) {
   owner_->set_state(this);
 }
 
 
 CodeGenState::~CodeGenState() {
   ASSERT(owner_->state() == this);
   owner_->set_state(previous_);
 }
 
@@ skipping 320 matching lines @@
 
 
 // Loads a value on TOS. If the result is a boolean value it may have
 // been translated into control flow to the true and/or false targets.
 // If force_control is true, control flow is forced and the function
 // exits without a valid frame.
 void CodeGenerator::LoadCondition(Expression* x,
                                   TypeofState typeof_state,
                                   JumpTarget* true_target,
                                   JumpTarget* false_target,
+                                  JumpTarget* fall_through,
                                   bool force_control) {
   ASSERT(!in_spilled_code());
+  ASSERT(!fall_through->is_bound());
 #ifdef DEBUG
   int original_height = frame_->height();
 #endif
-  { CodeGenState new_state(this, typeof_state, true_target, false_target);
+  JumpTarget* non_fall_through =
+      (false_target == fall_through) ? true_target : false_target;
+  bool backward = non_fall_through->is_bound();
+  { CodeGenState new_state(this, typeof_state, true_target, false_target,
+                           fall_through);
     Visit(x);
   }
+  // There are four possibilities for the code generated by a call to
+  // Visit on an expression:
+  //
+  // 1. Conditional control flow to both control destinations by
+  //    branching to the non-fall-through destination and binding the
+  //    fall-through destination for the very next instruction to be
+  //    generated.
+  //
+  // 2. Unconditional control flow to the fall-through destination by
+  //    binding it (and not generating a branch or jump to the
+  //    non-fall-through destination).
+  //
+  // 3. Unconditional control flow to the non-fall-through destination
+  //    by jumping backward to it (if it was already bound) or binding
+  //    it.
+  //
+  // 4. No control flow and a result on top of the virtual frame.  In
+  //    this case there can still be dangling jumps to the true and
+  //    false labels (eg, from subexpressions of the short-circuited
+  //    boolean operators).
+  bool got_control = fall_through->is_bound() ||
+      (backward && !has_valid_frame()) ||
+      (!backward && non_fall_through->is_bound());
 
-  if (force_control && has_valid_frame()) {
+  if (force_control && !got_control) {
     // Convert the TOS value to a boolean in the condition code register.
-    ToBoolean(true_target, false_target);
+    ToBoolean(true_target, false_target, fall_through);
   }
 
-  ASSERT(!(force_control && has_valid_frame()));
-  ASSERT(!has_valid_frame() || frame_->height() == original_height + 1);
+#ifdef DEBUG
+  // ToBoolean will always bind the fall-through destination.
+  got_control = got_control || fall_through->is_bound();
+#endif
+  ASSERT(!force_control || got_control);
+  ASSERT(got_control || frame_->height() == original_height + 1);
+  ASSERT(!got_control ||
+         fall_through->is_bound() ||
+         (!fall_through->is_bound() && backward && !has_valid_frame()) ||
+         (!fall_through->is_bound() && !backward &&
+          non_fall_through->is_bound()));
 }
 
 
 void CodeGenerator::Load(Expression* x, TypeofState typeof_state) {
 #ifdef DEBUG
   int original_height = frame_->height();
 #endif
   ASSERT(!in_spilled_code());
   JumpTarget true_target(this);
   JumpTarget false_target(this);
-  LoadCondition(x, typeof_state, &true_target, &false_target, false);
+  LoadCondition(x, typeof_state, &true_target, &false_target,
+                &true_target, false);
 
-  if (true_target.is_linked() || false_target.is_linked()) {
-    // We have at least one condition value that has been "translated" into
-    // a branch, thus it needs to be loaded explicitly.
-    JumpTarget loaded(this);
-    if (has_valid_frame()) {
+  if (true_target.is_bound()) {
+    // We have control flow to the fall-through destination and
+    // possibly the non-fall-through.
+    frame_->Push(Factory::true_value());
+    if (false_target.is_linked()) {
+      JumpTarget loaded(this);
+      loaded.Jump();
+      false_target.Bind();
+      frame_->Push(Factory::false_value());
+      loaded.Bind();
+    }
+  } else if (false_target.is_bound()) {
+    // We fell through to the label that was not our preferred fall
+    // through (ie, the expression was unconditionally false.
+    frame_->Push(Factory::false_value());
+  } else {
+    // We have a valid value on top of the frame, but we still may
+    // have dangling jumps to the true and false target from nested
+    // subexpressions (eg, the left subexpressions of the
+    // short-circuited boolean operators).
+    ASSERT(has_valid_frame());
+    if (true_target.is_linked() || false_target.is_linked()) {
+      JumpTarget loaded(this);
       loaded.Jump();  // Don't lose the current TOS.
+      if (true_target.is_linked()) {
+        true_target.Bind();
+        frame_->Push(Factory::true_value());
+        if (false_target.is_linked()) {
+          loaded.Jump();
+        }
+      }
+      if (false_target.is_linked()) {
+        false_target.Bind();
+        frame_->Push(Factory::false_value());
+      }
+      loaded.Bind();
     }
-    bool both = true_target.is_linked() && false_target.is_linked();
-    // Load "true" if necessary.
-    if (true_target.is_linked()) {
-      true_target.Bind();
-      VirtualFrame::SpilledScope spilled_scope(this);
-      frame_->EmitPush(Immediate(Factory::true_value()));
-    }
-    // If both "true" and "false" need to be reincarnated jump across the
-    // code for "false".
-    if (both) {
-      loaded.Jump();
-    }
-    // Load "false" if necessary.
-    if (false_target.is_linked()) {
-      false_target.Bind();
-      VirtualFrame::SpilledScope spilled_scope(this);
-      frame_->EmitPush(Immediate(Factory::false_value()));
-    }
-    // A value is loaded on all paths reaching this point.
-    loaded.Bind();
   }
   ASSERT(has_valid_frame());
   ASSERT(frame_->height() == original_height + 1);
 }
 
 
 void CodeGenerator::LoadGlobal() {
   if (in_spilled_code()) {
     frame_->EmitPush(GlobalObject());
   } else {
@@ skipping 96 matching lines @@
 }
 
 
 void CodeGenerator::UnloadReference(Reference* ref) {
   // Pop a reference from the stack while preserving TOS.
   Comment cmnt(masm_, "[ UnloadReference");
   frame_->Nip(ref->size());
 }
 
 
+void CodeGenerator::Branch(Condition cc,
+                           JumpTarget* true_target,
+                           JumpTarget* false_target,
+                           JumpTarget* fall_through) {
+  ASSERT(!fall_through->is_bound());
+  if (fall_through == false_target) {
+    true_target->Branch(cc);
+    false_target->Bind();
+  } else {
+    ASSERT(fall_through == true_target);
+    false_target->Branch(NegateCondition(cc));
+    true_target->Bind();
+  }
+}
+
+
 class ToBooleanStub: public CodeStub {
  public:
   ToBooleanStub() { }
 
   void Generate(MacroAssembler* masm);
 
  private:
   Major MajorKey() { return ToBoolean; }
   int MinorKey() { return 0; }
 };
 
 
 // ECMA-262, section 9.2, page 30: ToBoolean(). Pop the top of stack and
 // convert it to a boolean in the condition code register or jump to
 // 'false_target'/'true_target' as appropriate.
 void CodeGenerator::ToBoolean(JumpTarget* true_target,
-                              JumpTarget* false_target) {
+                              JumpTarget* false_target,
+                              JumpTarget* fall_through) {
   Comment cmnt(masm_, "[ ToBoolean");
 
   // The value to convert should be popped from the stack.
   Result value = frame_->Pop();
   value.ToRegister();
   // Fast case checks.
 
   // 'false' => false.
   __ cmp(value.reg(), Factory::false_value());
   false_target->Branch(equal);
@@ skipping 13 matching lines @@
   __ test(value.reg(), Immediate(kSmiTagMask));
   true_target->Branch(zero);
 
   // Call the stub for all other cases.
   frame_->Push(&value);  // Undo the Pop() from above.
   ToBooleanStub stub;
   Result temp = frame_->CallStub(&stub, 1);
   // Convert the result to a condition code.
   __ test(temp.reg(), Operand(temp.reg()));
   temp.Unuse();
-  true_target->Branch(not_equal);
-  false_target->Jump();
+  Branch(not_equal, true_target, false_target, fall_through);
 }
 
 
 class FloatingPointHelper : public AllStatic {
  public:
   // Code pattern for loading floating point values. Input values must
   // be either smi or heap number objects (fp values). Requirements:
   // operand_1 on TOS+1 , operand_2 on TOS+2; Returns operands as
   // floating point numbers on FPU stack.
   static void LoadFloatOperands(MacroAssembler* masm, Register scratch);
@@ skipping 608 matching lines @@
            static_cast<int>(cc_),
            strict_ ? "true" : "false");
   }
 #endif
 };
 
 
 void CodeGenerator::Comparison(Condition cc,
                                bool strict,
                                JumpTarget* true_target,
-                               JumpTarget* false_target) {
+                               JumpTarget* false_target,
+                               JumpTarget* fall_through) {
   // Strict only makes sense for equality comparisons.
   ASSERT(!strict || cc == equal);
 
   Result left_side(this);
   Result right_side(this);
   // Implement '>' and '<=' by reversal to obtain ECMA-262 conversion order.
   if (cc == greater || cc == less_equal) {
     cc = ReverseCondition(cc);
     left_side = frame_->Pop();
     right_side = frame_->Pop();
@@ skipping 40 matching lines @@
   answer.Unuse();
   true_target->Branch(cc);
   false_target->Jump();
 
   is_smi.Bind(&left_side, &right_side);
   left_side.ToRegister();
   right_side.ToRegister();
   __ cmp(left_side.reg(), Operand(right_side.reg()));
   right_side.Unuse();
   left_side.Unuse();
-  true_target->Branch(cc);
-  false_target->Jump();
+  Branch(cc, true_target, false_target, fall_through);
 }
 
 
 void CodeGenerator::SmiComparison(Condition cc,
                                   Handle<Object> smi_value,
                                   bool strict) {
   // Strict only makes sense for equality comparisons.
   ASSERT(!strict || cc == equal);
   ASSERT(is_intn(Smi::cast(*smi_value)->value(), kMaxSmiInlinedBits));
 
@@ skipping 15 matching lines @@
   __ cmp(result.reg(), 0);
   result.Unuse();
   true_target()->Branch(cc);
   false_target()->Jump();
 
   is_smi.Bind(&comparee);
   comparee.ToRegister();
   // Test smi equality and comparison by signed int comparison.
   __ cmp(Operand(comparee.reg()), Immediate(smi_value));
   comparee.Unuse();
-  true_target()->Branch(cc);
-  false_target()->Jump();
+  Branch(cc);
 }
 
 
 class CallFunctionStub: public CodeStub {
  public:
   explicit CallFunctionStub(int argc) : argc_(argc) { }
 
   void Generate(MacroAssembler* masm);
 
  private:
@@ skipping 185 matching lines @@
   // Generate different code depending on which parts of the if statement
   // are present or not.
   bool has_then_stm = node->HasThenStatement();
   bool has_else_stm = node->HasElseStatement();
 
   CodeForStatementPosition(node);
   JumpTarget exit(this);
   if (has_then_stm && has_else_stm) {
     JumpTarget then(this);
     JumpTarget else_(this);
-    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &then, &else_, true);
-    if (then.is_linked()) {
-      then.Bind();
+    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF,
+                  &then, &else_, &then, true);
+    if (then.is_bound()) {
       Visit(node->then_statement());
-      if (has_valid_frame() && else_.is_linked()) {
-        // We have fallen through from the then block and we need to compile
-        // the else block.  Emit an unconditional jump around it.
-        exit.Jump();
+      if (else_.is_linked()) {
+        if (has_valid_frame()) {
+          exit.Jump();
+        }
+        else_.Bind();
       }
     }
-    if (else_.is_linked()) {
-      else_.Bind();
+    if (else_.is_bound()) {
       Visit(node->else_statement());
     }
 
   } else if (has_then_stm) {
     ASSERT(!has_else_stm);
     JumpTarget then(this);
-    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &then, &exit, true);
-    if (then.is_linked()) {
-      then.Bind();
+    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF,
+                  &then, &exit, &then, true);
+    if (then.is_bound()) {
       Visit(node->then_statement());
     }
 
   } else if (has_else_stm) {
     ASSERT(!has_then_stm);
     JumpTarget else_(this);
-    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &exit, &else_, true);
-    if (else_.is_linked()) {
-      else_.Bind();
+    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF,
+                  &exit, &else_, &else_, true);
+    if (else_.is_bound()) {
       Visit(node->else_statement());
     }
 
   } else {
     ASSERT(!has_then_stm && !has_else_stm);
     // We only care about the condition's side effects (not its value
     // or control flow effect).  LoadCondition is called without
     // forcing control flow.
-    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &exit, &exit, false);
-    if (has_valid_frame()) {
-      // Control flow can fall off the end of the condition with a
-      // value on the frame.
+    LoadCondition(node->condition(), NOT_INSIDE_TYPEOF,
+                  &exit, &exit, &exit, false);
+    if (!exit.is_bound()) {
       frame_->Drop();
     }
   }
 
   exit.Bind();
 }
 
 
 void CodeGenerator::CleanStack(int num_bytes) {
   ASSERT(num_bytes % kPointerSize == 0);
@@ skipping 282 matching lines @@
     // Label and compile the test.
     if (next_test.is_linked()) {
       // Recycle the same label for each test.
       next_test.Bind();
       next_test.Unuse();
     }
     // Duplicate the switch value.
     frame_->Dup();
     Load(clause->label());
     JumpTarget enter_body(this);
-    Comparison(equal, true, &enter_body, &next_test);
+    Comparison(equal, true, &enter_body, &next_test, &enter_body);
 
     // Before entering the body from the test remove the switch value from
     // the frame.
-    enter_body.Bind();
     frame_->Drop();
 
     // Label the body so that fall through is enabled.
     if (i > 0 && cases->at(i - 1)->is_default()) {
       // The previous case was the default.  This will be the target of a
       // possible backward edge.
       default_exit.Bind();
     } else if (fall_through.is_linked()) {
       // Recycle the same label for each fall through except for the default
       // case.
@@ skipping 92 matching lines @@
       } else if (info == ALWAYS_FALSE) {
         // If we had a continue in the body we have to bind its jump target.
         node->continue_target()->Bind();
       } else {
         ASSERT(info == DONT_KNOW);
         // We have to compile the test expression if it can be reached by
         // control flow falling out of the body or via continue.
         node->continue_target()->Bind();
         if (has_valid_frame()) {
           LoadCondition(node->cond(), NOT_INSIDE_TYPEOF,
-                        &body, node->break_target(), true);
+                        &body, node->break_target(), node->break_target(),
+                        true);
         }
       }
       break;
     }
 
     case LoopStatement::WHILE_LOOP: {
       IncrementLoopNesting();
 
       // If the test is never true and has no side effects there is no need
       // to compile the test or body.
       if (info == ALWAYS_FALSE) break;
 
       // Label the top of the loop with the continue target for the backward
       // CFG edge.
       node->continue_target()->Initialize(this, JumpTarget::BIDIRECTIONAL);
       node->continue_target()->Bind();
 
       // If the test is always true and has no side effects there is no need
       // to compile it.  We only compile the test when we do not know its
       // outcome or it may have side effects.
       if (info == DONT_KNOW) {
         JumpTarget body(this);
         LoadCondition(node->cond(), NOT_INSIDE_TYPEOF,
-                      &body, node->break_target(), true);
-        body.Bind();
+                      &body, node->break_target(), &body, true);
       }
 
-      if (has_valid_frame()) {
+      if (!node->break_target()->is_bound()) {
         CheckStack();  // TODO(1222600): ignore if body contains calls.
         Visit(node->body());
 
         // If control flow can fall out of the body, jump back to the top.
         if (has_valid_frame()) {
           node->continue_target()->Jump();
         }
       }
       break;
     }
@@ skipping 18 matching lines @@
         node->continue_target()->Initialize(this);
         loop.Bind();
       }
 
       // If the test is always true and has no side effects there is no need
       // to compile it.  We only compile the test when we do not know its
       // outcome or it has side effects.
       if (info == DONT_KNOW) {
         JumpTarget body(this);
         LoadCondition(node->cond(), NOT_INSIDE_TYPEOF,
-                      &body, node->break_target(), true);
-        body.Bind();
+                      &body, node->break_target(), &body, true);
       }
 
-      if (has_valid_frame()) {
+      if (!node->break_target()->is_bound()) {
         CheckStack();  // TODO(1222600): ignore if body contains calls.
         Visit(node->body());
 
         if (node->next() == NULL) {
           // If there is no update statement and control flow can fall out
           // of the loop, jump to the continue label.
           if (has_valid_frame()) {
             node->continue_target()->Jump();
           }
         } else {
@@ skipping 10 matching lines @@
             Visit(node->next());
             loop.Jump();
           }
         }
       }
       break;
     }
   }
 
   DecrementLoopNesting();
-  node->break_target()->Bind();
+  // The break target may have been bound in the condition of a do
+  // loop, or in the conditions of the other loops if they are
+  // unconditionally false.  Avoid rebinding it.
+  if (node->break_target()->is_linked()) {
+    node->break_target()->Bind();
+  }
 }
 
 
 void CodeGenerator::VisitForInStatement(ForInStatement* node) {
   ASSERT(!in_spilled_code());
   VirtualFrame::SpilledScope spilled_scope(this);
   Comment cmnt(masm_, "[ ForInStatement");
   CodeForStatementPosition(node);
 
   // We keep stuff on the stack while the body is executing.
@@ skipping 518 matching lines @@
   Comment cmnt(masm_, "[ FunctionBoilerplateLiteral");
   InstantiateBoilerplate(node->boilerplate());
 }
 
 
 void CodeGenerator::VisitConditional(Conditional* node) {
   Comment cmnt(masm_, "[ Conditional");
   JumpTarget then(this);
   JumpTarget else_(this);
   JumpTarget exit(this);
-  LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &then, &else_, true);
-  if (then.is_linked()) {
-    then.Bind();
+  LoadCondition(node->condition(), NOT_INSIDE_TYPEOF,
+                &then, &else_, &then, true);
+  if (then.is_bound()) {
     Load(node->then_expression(), typeof_state());
     if (else_.is_linked()) {
       exit.Jump();
+      else_.Bind();
     }
   }
-
-  if (else_.is_linked()) {
-    else_.Bind();
+  if (else_.is_bound()) {
     Load(node->else_expression(), typeof_state());
   }
-
   exit.Bind();
 }
 
 
 void CodeGenerator::LoadFromSlot(Slot* slot, TypeofState typeof_state) {
   if (slot->type() == Slot::LOOKUP) {
     ASSERT(slot->var()->mode() == Variable::DYNAMIC);
 
     // For now, just do a runtime call.
     frame_->Push(esi);
@@ skipping 134 matching lines @@
   Comment cmnt(masm_, "[ Slot");
   LoadFromSlot(node, typeof_state());
 }
 
 
 void CodeGenerator::VisitVariableProxy(VariableProxy* node) {
   Comment cmnt(masm_, "[ VariableProxy");
   Variable* var = node->var();
   Expression* expr = var->rewrite();
   if (expr != NULL) {
-    // We have to be wary of calling Visit directly on expressions.  Because
-    // of special casing comparisons of the form typeof<expr> === "string",
-    // we can return from a call from Visit (to a comparison or a unary
-    // operation) without a virtual frame; which will probably crash if we
-    // try to emit frame code before reestablishing a frame.  Here we're
-    // safe as long as variable proxies can't rewrite into typeof
-    // comparisons or unary logical not expressions.
     Visit(expr);
-    ASSERT(has_valid_frame());
   } else {
     ASSERT(var->is_global());
     Reference ref(this, node);
     ref.GetValue(typeof_state());
   }
 }
 
 
 void CodeGenerator::VisitLiteral(Literal* node) {
   Comment cmnt(masm_, "[ Literal");
@@ skipping 599 matching lines @@
 
 
 void CodeGenerator::GenerateIsSmi(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
   Result value = frame_->Pop();
   value.ToRegister();
   ASSERT(value.is_valid());
   __ test(value.reg(), Immediate(kSmiTagMask));
   value.Unuse();
-  true_target()->Branch(zero);
-  false_target()->Jump();
+  Branch(zero);
 }
 
 
 void CodeGenerator::GenerateLog(ZoneList<Expression*>* args) {
   // Conditionally generate a log call.
   // Args:
   //   0 (literal string): The type of logging (corresponds to the flags).
   //     This is used to determine whether or not to generate the log call.
   //   1 (string): Format string.  Access the string at argument index 2
   //     with '%2s' (see Logger::LogRuntime for all the formats).
@@ skipping 12 matching lines @@
 
 
 void CodeGenerator::GenerateIsNonNegativeSmi(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
   Result value = frame_->Pop();
   value.ToRegister();
   ASSERT(value.is_valid());
   __ test(value.reg(), Immediate(kSmiTagMask | 0x80000000));
   value.Unuse();
-  true_target()->Branch(zero);
-  false_target()->Jump();
+  Branch(zero);
 }
 
 
 // This generates code that performs a charCodeAt() call or returns
 // undefined in order to trigger the slow case, Runtime_StringCharCodeAt.
 // It can handle flat and sliced strings, 8 and 16 bit characters and
 // cons strings where the answer is found in the left hand branch of the
 // cons.  The slow case will flatten the string, which will ensure that
 // the answer is in the left hand side the next time around.
 void CodeGenerator::GenerateFastCharCodeAt(ZoneList<Expression*>* args) {
@@ skipping 140 matching lines @@
   false_target()->Branch(equal);
   // It is a heap object - get map.
   Result temp = allocator()->Allocate();
   ASSERT(temp.is_valid());
   __ mov(temp.reg(), FieldOperand(value.reg(), HeapObject::kMapOffset));
   __ movzx_b(temp.reg(), FieldOperand(temp.reg(), Map::kInstanceTypeOffset));
   // Check if the object is a JS array or not.
   __ cmp(temp.reg(), JS_ARRAY_TYPE);
   value.Unuse();
   temp.Unuse();
-  true_target()->Branch(equal);
-  false_target()->Jump();
+  Branch(equal);
 }
 
 
 void CodeGenerator::GenerateArgumentsLength(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 0);
   Result initial_value = allocator()->Allocate(eax);
   ASSERT(initial_value.is_valid());
   __ Set(initial_value.reg(),
          Immediate(Smi::FromInt(scope_->num_parameters())));
   // ArgumentsAccessStub takes the parameter count as an input argument
@@ skipping 84 matching lines @@
   // Load the two objects into registers and perform the comparison.
   Load(args->at(0));
   Load(args->at(1));
   Result right = frame_->Pop();
   Result left = frame_->Pop();
   right.ToRegister();
   left.ToRegister();
   __ cmp(right.reg(), Operand(left.reg()));
   right.Unuse();
   left.Unuse();
-  true_target()->Branch(equal);
-  false_target()->Jump();
+  Branch(equal);
 }
 
 
 void CodeGenerator::VisitCallRuntime(CallRuntime* node) {
   if (CheckForInlineRuntimeCall(node)) {
     return;
   }
 
   ZoneList<Expression*>* args = node->arguments();
   Comment cmnt(masm_, "[ CallRuntime");
@@ skipping 38 matching lines @@
 void CodeGenerator::VisitUnaryOperation(UnaryOperation* node) {
   // Note that because of NOT and an optimization in comparison of a typeof
   // expression to a literal string, this function can fail to leave a value
   // on top of the frame or in the cc register.
   Comment cmnt(masm_, "[ UnaryOperation");
 
   Token::Value op = node->op();
 
   if (op == Token::NOT) {
     LoadCondition(node->expression(), NOT_INSIDE_TYPEOF,
-                  false_target(), true_target(), true);
+                  false_target(), true_target(), fall_through(), true);
 
   } else if (op == Token::DELETE) {
     Property* property = node->expression()->AsProperty();
     if (property != NULL) {
       Load(property->obj());
       Load(property->key());
       Result answer = frame_->InvokeBuiltin(Builtins::DELETE, CALL_FUNCTION, 2);
       frame_->Push(&answer);
       return;
     }
@@ skipping 314 matching lines @@
 
   // NOTE: If the left hand side produces a materialized value (not in
   // the CC register), we force the right hand side to do the
   // same. This is necessary because we may have to branch to the exit
   // after evaluating the left hand side (due to the shortcut
   // semantics), but the compiler must (statically) know if the result
   // of compiling the binary operation is materialized or not.
 
   if (op == Token::AND) {
     JumpTarget is_true(this);
+    bool backward = false_target()->is_bound();
     LoadCondition(node->left(), NOT_INSIDE_TYPEOF,
-                  &is_true, false_target(), false);
-    if (!has_valid_frame()) {
-      if (is_true.is_linked()) {
-        // Evaluate right side expression.
-        is_true.Bind();
-        LoadCondition(node->right(), NOT_INSIDE_TYPEOF,
-                      true_target(), false_target(), false);
-      }
-    } else {
+                  &is_true, false_target(), &is_true, false);
+    if (is_true.is_bound()) {
+      LoadCondition(node->right(), NOT_INSIDE_TYPEOF,
+                    true_target(), false_target(), fall_through(),
+                    false);
+    } else if (!backward && false_target()->is_bound()) {
+      // If the false target became bound due to the left operand,
+      // then that operand was unconditionally false.
+      return;
+    } else if (has_valid_frame()) {
       // We have a materialized value on the frame.
       JumpTarget pop_and_continue(this);
       JumpTarget exit(this);
 
       // Avoid popping the result if it converts to 'false' using the
       // standard ToBoolean() conversion as described in ECMA-262, section
       // 9.2, page 30.
       //
       // Duplicate the TOS value. The duplicate will be popped by ToBoolean.
       frame_->Dup();
-      ToBoolean(&pop_and_continue, &exit);
+      ToBoolean(&pop_and_continue, &exit, &pop_and_continue);
 
       // Pop the result of evaluating the first part.
-      pop_and_continue.Bind();
       frame_->Drop();
 
       // Evaluate right side expression.
       is_true.Bind();
       Load(node->right());
 
       // Exit (always with a materialized value).
       exit.Bind();
     }
 
   } else if (op == Token::OR) {
     JumpTarget is_false(this);
+    bool backward = true_target()->is_bound();
     LoadCondition(node->left(), NOT_INSIDE_TYPEOF,
-                  true_target(), &is_false, false);
-    if (!has_valid_frame()) {
-      if (is_false.is_linked()) {
-        // Evaluate right side expression.
-        is_false.Bind();
-        LoadCondition(node->right(), NOT_INSIDE_TYPEOF,
-                      true_target(), false_target(), false);
-      }
+                  true_target(), &is_false, &is_false, false);
+    if (is_false.is_bound()) {
+      LoadCondition(node->right(), NOT_INSIDE_TYPEOF,
+                    true_target(), false_target(), fall_through(),
+                    false);
+    } else if (!backward && true_target()->is_bound()) {
+      // If the true target became bound due to the left operand, then
+      // that operand was unconditionally true.
+      return;
     } else {
       // We have a materialized value on the frame.
       JumpTarget pop_and_continue(this);
       JumpTarget exit(this);
 
       // Avoid popping the result if it converts to 'true' using the
       // standard ToBoolean() conversion as described in ECMA-262,
       // section 9.2, page 30.
       // Duplicate the TOS value. The duplicate will be popped by ToBoolean.
       frame_->Dup();
-      ToBoolean(&exit, &pop_and_continue);
+      ToBoolean(&exit, &pop_and_continue, &pop_and_continue);
 
       // Pop the result of evaluating the first part.
-      pop_and_continue.Bind();
       frame_->Drop();
 
       // Evaluate right side expression.
       is_false.Bind();
       Load(node->right());
 
       // Exit (always with a materialized value).
       exit.Bind();
     }
 
@@ skipping 87 matching lines @@
         // Use a scratch register in preference to spilling operand.reg().
         Result temp = allocator()->Allocate();
         ASSERT(temp.is_valid());
         __ mov(temp.reg(),
                FieldOperand(operand.reg(), HeapObject::kMapOffset));
         __ movzx_b(temp.reg(),
                    FieldOperand(temp.reg(), Map::kBitFieldOffset));
         __ test(temp.reg(), Immediate(1 << Map::kIsUndetectable));
         cc = not_zero;
       }
+
       operand.Unuse();
-      true_target()->Branch(cc);
-      false_target()->Jump();
+      Branch(cc);
       return;
     }
   }
 
   // To make typeof testing for natives implemented in JavaScript really
   // efficient, we generate special code for expressions of the form:
   // 'typeof <expression> == <string>'.
   UnaryOperation* operation = left->AsUnaryOperation();
   if ((op == Token::EQ || op == Token::EQ_STRICT) &&
       (operation != NULL && operation->op() == Token::TYPEOF) &&
       (right->AsLiteral() != NULL &&
        right->AsLiteral()->handle()->IsString())) {
     Handle<String> check(String::cast(*right->AsLiteral()->handle()));
 
     // Load the operand and move it to a register.
     LoadTypeofExpression(operation->expression());
     Result answer = frame_->Pop();
     answer.ToRegister();
 
     if (check->Equals(Heap::number_symbol())) {
       __ test(answer.reg(), Immediate(kSmiTagMask));
       true_target()->Branch(zero);
       frame_->Spill(answer.reg());
       __ mov(answer.reg(), FieldOperand(answer.reg(), HeapObject::kMapOffset));
       __ cmp(answer.reg(), Factory::heap_number_map());
       answer.Unuse();
-      true_target()->Branch(equal);
-      false_target()->Jump();
+      Branch(equal);
 
     } else if (check->Equals(Heap::string_symbol())) {
       __ test(answer.reg(), Immediate(kSmiTagMask));
       false_target()->Branch(zero);
 
       // It can be an undetectable string object.
       Result temp = allocator()->Allocate();
       ASSERT(temp.is_valid());
       __ mov(temp.reg(), FieldOperand(answer.reg(), HeapObject::kMapOffset));
       __ movzx_b(temp.reg(), FieldOperand(temp.reg(), Map::kBitFieldOffset));
       __ test(temp.reg(), Immediate(1 << Map::kIsUndetectable));
       false_target()->Branch(not_zero);
       __ mov(temp.reg(), FieldOperand(answer.reg(), HeapObject::kMapOffset));
       __ movzx_b(temp.reg(),
                  FieldOperand(temp.reg(), Map::kInstanceTypeOffset));
       __ cmp(temp.reg(), FIRST_NONSTRING_TYPE);
       temp.Unuse();
       answer.Unuse();
-      true_target()->Branch(less);
-      false_target()->Jump();
+      Branch(less);
 
     } else if (check->Equals(Heap::boolean_symbol())) {
       __ cmp(answer.reg(), Factory::true_value());
       true_target()->Branch(equal);
       __ cmp(answer.reg(), Factory::false_value());
       answer.Unuse();
-      true_target()->Branch(equal);
-      false_target()->Jump();
+      Branch(equal);
 
     } else if (check->Equals(Heap::undefined_symbol())) {
       __ cmp(answer.reg(), Factory::undefined_value());
       true_target()->Branch(equal);
 
       __ test(answer.reg(), Immediate(kSmiTagMask));
       false_target()->Branch(zero);
 
       // It can be an undetectable object.
       frame_->Spill(answer.reg());
       __ mov(answer.reg(), FieldOperand(answer.reg(), HeapObject::kMapOffset));
       __ movzx_b(answer.reg(),
                  FieldOperand(answer.reg(), Map::kBitFieldOffset));
       __ test(answer.reg(), Immediate(1 << Map::kIsUndetectable));
       answer.Unuse();
-      true_target()->Branch(not_zero);
-      false_target()->Jump();
+      Branch(not_zero);
 
     } else if (check->Equals(Heap::function_symbol())) {
       __ test(answer.reg(), Immediate(kSmiTagMask));
       false_target()->Branch(zero);
       frame_->Spill(answer.reg());
       __ mov(answer.reg(), FieldOperand(answer.reg(), HeapObject::kMapOffset));
       __ movzx_b(answer.reg(),
                  FieldOperand(answer.reg(), Map::kInstanceTypeOffset));
       __ cmp(answer.reg(), JS_FUNCTION_TYPE);
       answer.Unuse();
-      true_target()->Branch(equal);
-      false_target()->Jump();
+      Branch(equal);
 
     } else if (check->Equals(Heap::object_symbol())) {
       __ test(answer.reg(), Immediate(kSmiTagMask));
       false_target()->Branch(zero);
       __ cmp(answer.reg(), Factory::null_value());
       true_target()->Branch(equal);
 
       // It can be an undetectable object.
       Result map = allocator()->Allocate();
       ASSERT(map.is_valid());
       __ mov(map.reg(), FieldOperand(answer.reg(), HeapObject::kMapOffset));
       __ movzx_b(map.reg(), FieldOperand(map.reg(), Map::kBitFieldOffset));
       __ test(map.reg(), Immediate(1 << Map::kIsUndetectable));
       false_target()->Branch(not_zero);
       __ mov(map.reg(), FieldOperand(answer.reg(), HeapObject::kMapOffset));
       __ movzx_b(map.reg(), FieldOperand(map.reg(), Map::kInstanceTypeOffset));
       __ cmp(map.reg(), FIRST_JS_OBJECT_TYPE);
       false_target()->Branch(less);
       __ cmp(map.reg(), LAST_JS_OBJECT_TYPE);
       answer.Unuse();
       map.Unuse();
-      true_target()->Branch(less_equal);
-      false_target()->Jump();
+      Branch(less_equal);
     } else {
       // Uncommon case: typeof testing against a string literal that is
       // never returned from the typeof operator.
       answer.Unuse();
-      false_target()->Jump();
+      if (false_target()->is_bound()) {
+        false_target()->Jump();
+      } else {
+        false_target()->Bind();
+      }
     }
     return;
   }
 
   Condition cc = no_condition;
   bool strict = false;
   switch (op) {
     case Token::EQ_STRICT:
       strict = true;
       // Fall through
@@ skipping 20 matching lines @@
       return;
     }
     case Token::INSTANCEOF: {
       Load(left);
       Load(right);
       InstanceofStub stub;
       Result answer = frame_->CallStub(&stub, 2);
       answer.ToRegister();
       __ test(answer.reg(), Operand(answer.reg()));
       answer.Unuse();
-      true_target()->Branch(zero);
-      false_target()->Jump();
+      Branch(zero);
       return;
     }
     default:
       UNREACHABLE();
   }
 
   // Optimize for the case where (at least) one of the expressions
   // is a literal small integer.
   if (IsInlineSmi(left->AsLiteral())) {
     Load(right);
     SmiComparison(ReverseCondition(cc), left->AsLiteral()->handle(), strict);
   } else if (IsInlineSmi(right->AsLiteral())) {
     Load(left);
     SmiComparison(cc, right->AsLiteral()->handle(), strict);
   } else {
     Load(left);
     Load(right);
-    Comparison(cc, strict, true_target(), false_target());
+    Comparison(cc, strict, true_target(), false_target(), fall_through());
   }
 }
 
 
 #ifdef DEBUG
 bool CodeGenerator::HasValidEntryRegisters() {
   return (allocator()->count(eax) == frame()->register_count(eax))
       && (allocator()->count(ebx) == frame()->register_count(ebx))
       && (allocator()->count(ecx) == frame()->register_count(ecx))
       && (allocator()->count(edx) == frame()->register_count(edx))
@@ skipping 1794 matching lines @@
 
   // Slow-case: Go through the JavaScript implementation.
   __ bind(&slow);
   __ InvokeBuiltin(Builtins::INSTANCE_OF, JUMP_FUNCTION);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal