Experimental: allow the register allocator to work for for...in...

src/codegen-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 1470 matching lines @@
         ExternalReference::address_of_stack_guard_limit();
     __ cmp(esp, Operand::StaticVariable(stack_guard_limit));
     deferred->enter()->Branch(below, not_taken);
     deferred->exit()->Bind();
   }
 }
 
 
 void CodeGenerator::VisitStatements(ZoneList<Statement*>* statements) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   for (int i = 0; has_valid_frame() && i < statements->length(); i++) {
     Visit(statements->at(i));
   }
 }
 
 
 void CodeGenerator::VisitBlock(Block* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Block");
   CodeForStatementPosition(node);
   node->set_break_stack_height(break_stack_height_);
   node->break_target()->Initialize(this);
   VisitStatements(node->statements());
   if (node->break_target()->is_linked()) {
     node->break_target()->Bind();
   }
 }
 
 
 void CodeGenerator::DeclareGlobals(Handle<FixedArray> pairs) {
+  ASSERT(HasValidEntryRegisters());
   frame_->Push(pairs);
 
   // Duplicate the context register.
   Result context(esi, this);
   frame_->Push(&context);
 
   frame_->Push(Smi::FromInt(is_eval() ? 1 : 0));
   Result ignored = frame_->CallRuntime(Runtime::kDeclareGlobals, 3);
   // Return value is ignored.
 }
 
 
 void CodeGenerator::VisitDeclaration(Declaration* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Declaration");
   CodeForStatementPosition(node);
   Variable* var = node->proxy()->var();
   ASSERT(var != NULL);  // must have been resolved
   Slot* slot = var->slot();
 
   // If it was not possible to allocate the variable at compile time,
   // we need to "declare" it at runtime to make sure it actually
   // exists in the local context.
   if (slot != NULL && slot->type() == Slot::LOOKUP) {
@@ skipping 44 matching lines @@
       // it goes out of scope.
     }
     // Get rid of the assigned value (declarations are statements).
     frame_->Drop();
   }
 }
 
 
 void CodeGenerator::VisitExpressionStatement(ExpressionStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ ExpressionStatement");
   CodeForStatementPosition(node);
   Expression* expression = node->expression();
   expression->MarkAsStatement();
   Load(expression);
   // Remove the lingering expression result from the top of stack.
   frame_->Drop();
 }
 
 
 void CodeGenerator::VisitEmptyStatement(EmptyStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "// EmptyStatement");
   CodeForStatementPosition(node);
   // nothing to do
 }
 
 
 void CodeGenerator::VisitIfStatement(IfStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ IfStatement");
   // Generate different code depending on which parts of the if statement
   // are present or not.
   bool has_then_stm = node->HasThenStatement();
   bool has_else_stm = node->HasElseStatement();
 
   CodeForStatementPosition(node);
   JumpTarget exit(this);
   if (has_then_stm && has_else_stm) {
     JumpTarget then(this);
@@ skipping 83 matching lines @@
 
 
 void CodeGenerator::CleanStack(int num_bytes) {
   ASSERT(num_bytes % kPointerSize == 0);
   frame_->Drop(num_bytes / kPointerSize);
 }
 
 
 void CodeGenerator::VisitContinueStatement(ContinueStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ ContinueStatement");
   CodeForStatementPosition(node);
   CleanStack(break_stack_height_ - node->target()->break_stack_height());
   node->target()->continue_target()->Jump();
 }
 
 
 void CodeGenerator::VisitBreakStatement(BreakStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ BreakStatement");
   CodeForStatementPosition(node);
   CleanStack(break_stack_height_ - node->target()->break_stack_height());
   node->target()->break_target()->Jump();
 }
 
 
 void CodeGenerator::VisitReturnStatement(ReturnStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ ReturnStatement");
 
   if (function_return_is_shadowed_) {
     // If the function return is shadowed, we spill all information
     // and just jump to the label.
     VirtualFrame::SpilledScope spilled_scope(this);
     CodeForStatementPosition(node);
     LoadAndSpill(node->expression());
     frame_->EmitPop(eax);
     function_return_.Jump();
@@ skipping 48 matching lines @@
 
   // Check that the size of the code used for returning matches what is
   // expected by the debugger.
   ASSERT_EQ(Debug::kIa32JSReturnSequenceLength,
             __ SizeOfCodeGeneratedSince(&check_exit_codesize));
 }
 
 
 void CodeGenerator::VisitWithEnterStatement(WithEnterStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ WithEnterStatement");
   CodeForStatementPosition(node);
   Load(node->expression());
   Result context(this);
   if (node->is_catch_block()) {
     context = frame_->CallRuntime(Runtime::kPushCatchContext, 1);
   } else {
     context = frame_->CallRuntime(Runtime::kPushContext, 1);
   }
 
   // Update context local.
   frame_->SaveContextRegister();
 
   if (kDebug) {
     JumpTarget verified_true(this);
     // Verify that the result of the runtime call and the esi register are
     // the same in debug mode.
     __ cmp(context.reg(), Operand(esi));
     context.Unuse();
     verified_true.Branch(equal);
     frame_->SpillAll();
     __ int3();
     verified_true.Bind();
   }
 }
 
 
 void CodeGenerator::VisitWithExitStatement(WithExitStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ WithExitStatement");
   CodeForStatementPosition(node);
   // Pop context.
   __ mov(esi, ContextOperand(esi, Context::PREVIOUS_INDEX));
   // Update context local.
   frame_->SaveContextRegister();
 }
 
 
 int CodeGenerator::FastCaseSwitchMaxOverheadFactor() {
@@ skipping 116 matching lines @@
       __ WriteInternalReference(entry_pos, *case_targets[i]);
     }
   }
 
   delete start_frame;
 }
 
 
 void CodeGenerator::VisitSwitchStatement(SwitchStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ SwitchStatement");
   CodeForStatementPosition(node);
   node->set_break_stack_height(break_stack_height_);
   node->break_target()->Initialize(this);
 
   Load(node->tag());
   if (TryGenerateFastCaseSwitchStatement(node)) {
     return;
   }
 
@@ skipping 121 matching lines @@
     fall_through.Bind();
   }
   if (node->break_target()->is_linked()) {
     node->break_target()->Bind();
   }
 }
 
 
 void CodeGenerator::VisitLoopStatement(LoopStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ LoopStatement");
   CodeForStatementPosition(node);
   node->set_break_stack_height(break_stack_height_);
   node->break_target()->Initialize(this);
 
   // Simple condition analysis.  ALWAYS_TRUE and ALWAYS_FALSE represent a
   // known result for the test expression, with no side effects.
   enum { ALWAYS_TRUE, ALWAYS_FALSE, DONT_KNOW } info = DONT_KNOW;
   if (node->cond() == NULL) {
     ASSERT(node->type() == LoopStatement::FOR_LOOP);
@@ skipping 194 matching lines @@
       break;
     }
   }
 
   DecrementLoopNesting();
 }
 
 
 void CodeGenerator::VisitForInStatement(ForInStatement* node) {
   ASSERT(!in_spilled_code());
-  VirtualFrame::SpilledScope spilled_scope(this);
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ ForInStatement");
   CodeForStatementPosition(node);
 
   // We keep stuff on the stack while the body is executing.
   // Record it, so that a break/continue crossing this statement
   // can restore the stack.
   const int kForInStackSize = 5 * kPointerSize;
   break_stack_height_ += kForInStackSize;
   node->set_break_stack_height(break_stack_height_);
   node->break_target()->Initialize(this);
   node->continue_target()->Initialize(this);
 
+  // Stack layout in body (from the top of the frame downward).
+  // [iteration counter (smi)] <- element 0
+  // [length of array (smi)]   <- element 1
+  // [FixedArray]              <- element 2
+  // [Map or 0]                <- element 3
+  // [Object being iterated]   <- element 4
+
   JumpTarget primitive(this);
   JumpTarget jsobject(this);
   JumpTarget fixed_array(this);
-  JumpTarget entry(this, JumpTarget::BIDIRECTIONAL);
+  JumpTarget condition(this, JumpTarget::BIDIRECTIONAL);
   JumpTarget end_del_check(this);
   JumpTarget exit(this);
 
-  // Get the object to enumerate over (converted to JSObject).
-  LoadAndSpill(node->enumerable());
+  // Get the object to iterate over.
+  Load(node->enumerable());
 
   // Both SpiderMonkey and kjs ignore null and undefined in contrast
   // to the specification.  12.6.4 mandates a call to ToObject.
-  frame_->EmitPop(eax);
-
-  // eax: value to be iterated over
-  __ cmp(eax, Factory::undefined_value());
+  Result object = frame_->Pop();
+  object.ToRegister();
+  __ cmp(object.reg(), Factory::undefined_value());
   exit.Branch(equal);
-  __ cmp(eax, Factory::null_value());
+  __ cmp(object.reg(), Factory::null_value());
   exit.Branch(equal);
 
-  // Stack layout in body:
-  // [iteration counter (smi)] <- slot 0
-  // [length of array]         <- slot 1
-  // [FixedArray]              <- slot 2
-  // [Map or 0]                <- slot 3
-  // [Object]                  <- slot 4
-
   // Check if enumerable is already a JSObject
-  // eax: value to be iterated over
-  __ test(eax, Immediate(kSmiTagMask));
-  primitive.Branch(zero);
-  __ mov(ecx, FieldOperand(eax, HeapObject::kMapOffset));
-  __ movzx_b(ecx, FieldOperand(ecx, Map::kInstanceTypeOffset));
-  __ cmp(ecx, FIRST_JS_OBJECT_TYPE);
-  jsobject.Branch(above_equal);
-
-  primitive.Bind();
-  frame_->EmitPush(eax);
-  frame_->InvokeBuiltin(Builtins::TO_OBJECT, CALL_FUNCTION, 1);
-  // function call returns the value in eax, which is where we want it below
-
-  jsobject.Bind();
+  __ test(object.reg(), Immediate(kSmiTagMask));
+  primitive.Branch(zero, &object);
+
+  // Use a temporary register to check the instance type.
+  Result temp = allocator_->Allocate();
+  ASSERT(temp.is_valid());
+  __ mov(temp.reg(), FieldOperand(object.reg(), HeapObject::kMapOffset));
+  __ movzx_b(temp.reg(), FieldOperand(temp.reg(), Map::kInstanceTypeOffset));
+  __ cmp(temp.reg(), FIRST_JS_OBJECT_TYPE);
+  temp.Unuse();
+  jsobject.Branch(above_equal, &object);
+
+  primitive.Bind(&object);
+  // Live results:
+  // object: the object being iterated over
+  frame_->Push(&object);
+  object = frame_->InvokeBuiltin(Builtins::TO_OBJECT, CALL_FUNCTION, 1);
+
+  jsobject.Bind(&object);
+  // Live results:
+  // object: the object being iterated over
   // Get the set of properties (as a FixedArray or Map).
-  // eax: value to be iterated over
-  frame_->EmitPush(eax);  // push the object being iterated over (slot 4)
-
-  frame_->EmitPush(eax);  // push the Object (slot 4) for the runtime call
-  frame_->CallRuntime(Runtime::kGetPropertyNamesFast, 1);
-
-  // If we got a Map, we can do a fast modification check.
-  // Otherwise, we got a FixedArray, and we have to do a slow check.
-  // eax: map or fixed array (result from call to
-  // Runtime::kGetPropertyNamesFast)
-  __ mov(edx, Operand(eax));
-  __ mov(ecx, FieldOperand(edx, HeapObject::kMapOffset));
-  __ cmp(ecx, Factory::meta_map());
-  fixed_array.Branch(not_equal);
-
-  // Get enum cache
-  // eax: map (result from call to Runtime::kGetPropertyNamesFast)
-  __ mov(ecx, Operand(eax));
-  __ mov(ecx, FieldOperand(ecx, Map::kInstanceDescriptorsOffset));
+  frame_->Push(&object);  // Push the object being iterated over (slot 4).
+
+  frame_->Dup();  // Duplicate it for the runtime call.
+  Result properties = frame_->CallRuntime(Runtime::kGetPropertyNamesFast, 1);
+
+  // If we got a Map, we can do a fast modification check.  Otherwise,
+  // we got a FixedArray, and we have to do a slow check.  Use a fresh
+  // temporary register to check the map.
+  temp = allocator_->Allocate();
+  ASSERT(temp.is_valid());
+  __ mov(temp.reg(), FieldOperand(properties.reg(), HeapObject::kMapOffset));
+  __ cmp(temp.reg(), Factory::meta_map());
+  // Do not unuse the temp register, we will need one after the branch.
+  fixed_array.Branch(not_equal, &properties);
+
+  // Get enum cache.  Properties is a map (from the call to
+  // Runtime::kGetPropertyNamesFast) and temp is a live register
+  // reference (distinct from properties).
+  __ mov(temp.reg(),
+         FieldOperand(properties.reg(), Map::kInstanceDescriptorsOffset));
   // Get the bridge array held in the enumeration index field.
-  __ mov(ecx, FieldOperand(ecx, DescriptorArray::kEnumerationIndexOffset));
+  __ mov(temp.reg(),
+         FieldOperand(temp.reg(), DescriptorArray::kEnumerationIndexOffset));
   // Get the cache from the bridge array.
-  __ mov(edx, FieldOperand(ecx, DescriptorArray::kEnumCacheBridgeCacheOffset));
-
-  frame_->EmitPush(eax);  // <- slot 3
-  frame_->EmitPush(edx);  // <- slot 2
-  __ mov(eax, FieldOperand(edx, FixedArray::kLengthOffset));
-  __ shl(eax, kSmiTagSize);
-  frame_->EmitPush(eax);  // <- slot 1
-  frame_->EmitPush(Immediate(Smi::FromInt(0)));  // <- slot 0
-  entry.Jump();
-
-  fixed_array.Bind();
-  // eax: fixed array (result from call to Runtime::kGetPropertyNamesFast)
-  frame_->EmitPush(Immediate(Smi::FromInt(0)));  // <- slot 3
-  frame_->EmitPush(eax);  // <- slot 2
-
-  // Push the length of the array and the initial index onto the stack.
-  __ mov(eax, FieldOperand(eax, FixedArray::kLengthOffset));
-  __ shl(eax, kSmiTagSize);
-  frame_->EmitPush(eax);  // <- slot 1
-  frame_->EmitPush(Immediate(Smi::FromInt(0)));  // <- slot 0
-
-  // Condition.
-  entry.Bind();
-  __ mov(eax, frame_->ElementAt(0));  // load the current count
-  __ cmp(eax, frame_->ElementAt(1));  // compare to the array length
+  __ mov(temp.reg(),
+         FieldOperand(temp.reg(),
+                      DescriptorArray::kEnumCacheBridgeCacheOffset));
+
+  frame_->Push(&properties);  // <- slot 3
+  // Duplicate the enum cache so we can fetch the length from it.
+  Result cache = temp;
+  frame_->Push(&temp);  // <- slot 2
+
+  // Use a fresh temp register to fetch the length.
+  temp = allocator_->Allocate();
+  ASSERT(temp.is_valid());
+  __ mov(temp.reg(), FieldOperand(cache.reg(), FixedArray::kLengthOffset));
+  cache.Unuse();
+  __ shl(temp.reg(), kSmiTagSize);
+  frame_->Push(&temp);  // <- slot 1
+  frame_->Push(Smi::FromInt(0));  // <- slot 0
+  condition.Jump();
+
+  fixed_array.Bind(&properties);
+  // Live results:
+  // properties: the set of properties as a fixed array (from the call
+  // to Runtime::kGetPropertyNamesFast).
+  frame_->Push(Smi::FromInt(0));  // <- slot 3
+  // Use a fresh temporary register to fetch the length from the
+  // properties array.
+  temp = allocator_->Allocate();
+  ASSERT(temp.is_valid());
+  properties.ToRegister();
+  __ mov(temp.reg(),
+         FieldOperand(properties.reg(), FixedArray::kLengthOffset));
+  __ shl(temp.reg(), kSmiTagSize);
+
+  frame_->Push(&properties);  // <- slot 2
+  frame_->Push(&temp);  // <- slot 1
+  frame_->Push(Smi::FromInt(0));  // <- slot 0
+
+  condition.Bind();
+  // Live results: none.
+  // Compare the current count (frame element 0) to the array length
+  // (frame element 1).
+  frame_->Dup();
+  Result count = frame_->Pop();
+
+  frame_->PushElementAt(1);
+  Result length = frame_->Pop();
+
+  count.ToRegister();
+  if (length.is_register()) {
+    // Count and length can be the same register, which is OK here.
+    __ cmp(count.reg(), Operand(length.reg()));
+  } else {
+    ASSERT(length.is_constant());
+    __ cmp(count.reg(), length.handle());
+  }
+  length.Unuse();
   node->break_target()->Branch(above_equal);
 
   // Get the i'th entry of the array.
-  __ mov(edx, frame_->ElementAt(2));
-  __ mov(ebx, Operand(edx, eax, times_2,
-                      FixedArray::kHeaderSize - kHeapObjectTag));
-
-  // Get the expected map from the stack or a zero map in the
-  // permanent slow case eax: current iteration count ebx: i'th entry
-  // of the enum cache
-  __ mov(edx, frame_->ElementAt(3));
+  frame_->PushElementAt(2);
+  Result entry = frame_->Pop();
+  entry.ToRegister();
+  frame_->Spill(entry.reg());
+  // Entry and count can be the same register.  That's OK here because
+  // they will both be absent from the frame after spilling entry and
+  // count is not needed after being read (before entry is written).
+  __ mov(entry.reg(), Operand(entry.reg(),
+                              count.reg(),
+                              times_2,
+                              FixedArray::kHeaderSize - kHeapObjectTag));
+  count.Unuse();
+
   // Check if the expected map still matches that of the enumerable.
   // If not, we have to filter the key.
-  // eax: current iteration count
-  // ebx: i'th entry of the enum cache
-  // edx: expected map value
-  __ mov(ecx, frame_->ElementAt(4));
-  __ mov(ecx, FieldOperand(ecx, HeapObject::kMapOffset));
-  __ cmp(ecx, Operand(edx));
-  end_del_check.Branch(equal);
+
+  // Begin with the enumerable and fetch its map.
+  frame_->PushElementAt(4);
+  temp = frame_->Pop();
+  temp.ToRegister();
+  // We will write to temp.  If it is the same register as entry we
+  // will allocate a fresh register.  Otherwise we can just spill it
+  // from the frame.
+  if (temp.reg().is(entry.reg())) {

[William Hesse, 2009/02/18 10:33:28]

This cannot happen because entry.reg() is spilled above before creating temp. 
Assert that it can't happen.

+    Result fresh = allocator_->Allocate();
+    ASSERT(fresh.is_valid());
+    __ mov(fresh.reg(), temp.reg());
+    temp = fresh;
+  } else {
+    frame_->Spill(temp.reg());
+  }
+  __ mov(temp.reg(), FieldOperand(temp.reg(), HeapObject::kMapOffset));
+
+  // Get the expected map from the stack or a zero map in the
+  // permanent slow case.
+  frame_->PushElementAt(3);
+  Result expected_map = frame_->Pop();
+  if (expected_map.is_register()) {
+    __ cmp(temp.reg(), Operand(expected_map.reg()));
+  } else {
+    ASSERT(expected_map.is_constant());
+    __ cmp(temp.reg(), expected_map.handle());
+  }
+  expected_map.Unuse();
+  temp.Unuse();
+  end_del_check.Branch(equal, &entry);
 
   // Convert the entry to a string (or null if it isn't a property anymore).
-  frame_->EmitPush(frame_->ElementAt(4));  // push enumerable
-  frame_->EmitPush(ebx);  // push entry
-  frame_->InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION, 2);
-  __ mov(ebx, Operand(eax));
+  frame_->PushElementAt(4);  // Duplicate the enumerable.
+  frame_->Push(&entry);  // Push the entry.
+  entry = frame_->InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION, 2);
 
   // If the property has been removed while iterating, we just skip it.
-  __ cmp(ebx, Factory::null_value());
+  __ cmp(entry.reg(), Factory::null_value());
   node->continue_target()->Branch(equal);
 
-  end_del_check.Bind();
-  // Store the entry in the 'each' expression and take another spin in the
-  // loop.  edx: i'th entry of the enum cache (or string there of)
-  frame_->EmitPush(ebx);
+  end_del_check.Bind(&entry);
+  // Live results:
+  // entry: the i'th entry of the enum cache.
+  // Store the entry in the 'each' expression and take another spin in
+  // the loop.
+  //
+  // Push the entry before loading the reference, because loading a
+  // reference can visit code (requiring all non-reserved registers to
+  // be held by the frame).
+  frame_->Push(&entry);
+  bool entry_was_duplicated = false;
   { Reference each(this, node->each());
-    // Loading a reference may leave the frame in an unspilled state.
-    frame_->SpillAll();
     if (!each.is_illegal()) {
-      if (each.size() > 0) {
-        frame_->EmitPush(frame_->ElementAt(each.size()));
-      }
-      // If the reference was to a slot we rely on the convenient property
-      // that it doesn't matter whether a value (eg, ebx pushed above) is
-      // right on top of or right underneath a zero-sized reference.
+      // Duplicate the entry and store to the reference.
+      frame_->PushElementAt(each.size());
+      entry_was_duplicated = true;
       each.SetValue(NOT_CONST_INIT);
-      if (each.size() > 0) {
-        // It's safe to pop the value lying on top of the reference before
-        // unloading the reference itself (which preserves the top of stack,
-        // ie, now the topmost value of the non-zero sized reference), since
-        // we will discard the top of stack after unloading the reference
-        // anyway.
-        frame_->Drop();
-      }
     }
   }
-  // Unloading a reference may leave the frame in an unspilled state.
-  frame_->SpillAll();
-
-  // Discard the i'th entry pushed above or else the remainder of the
-  // reference, whichever is currently on top of the stack.
-  frame_->Drop();
+  // Discard the i'th entry (and its duplicate if it was duplicated).
+  frame_->Drop(entry_was_duplicated ? 2 : 1);
 
   // Body.
   CheckStack();  // TODO(1222600): ignore if body contains calls.
-  VisitAndSpill(node->body());
+  Visit(node->body());
 
   // Next.
   node->continue_target()->Bind();
-  frame_->EmitPop(eax);
-  __ add(Operand(eax), Immediate(Smi::FromInt(1)));
-  frame_->EmitPush(eax);
-  entry.Jump();
+  // Live results: none.
+  count = frame_->Pop();
+  count.ToRegister();
+  frame_->Spill(count.reg());
+  __ add(Operand(count.reg()), Immediate(Smi::FromInt(1)));
+  frame_->Push(&count);
+  condition.Jump();
 
   // Cleanup.
   node->break_target()->Bind();
+  // Live results: none.
   frame_->Drop(5);
 
   // Exit.
   exit.Bind();
 
   break_stack_height_ -= kForInStackSize;
 }
 
 
 void CodeGenerator::VisitTryCatch(TryCatch* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   VirtualFrame::SpilledScope spilled_scope(this);
   Comment cmnt(masm_, "[ TryCatch");
   CodeForStatementPosition(node);
 
   JumpTarget try_block(this);
   JumpTarget exit(this);
 
   try_block.Call();
   // --- Catch block ---
   frame_->EmitPush(eax);
@@ skipping 109 matching lines @@
       shadows[i]->other_target()->Jump();
     }
   }
 
   exit.Bind();
 }
 
 
 void CodeGenerator::VisitTryFinally(TryFinally* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   VirtualFrame::SpilledScope spilled_scope(this);
   Comment cmnt(masm_, "[ TryFinally");
   CodeForStatementPosition(node);
 
   // State: Used to keep track of reason for entering the finally
   // block. Should probably be extended to hold information for
   // break/continue from within the try block.
   enum { FALLING, THROWING, JUMPING };
 
   JumpTarget unlink(this);
@@ skipping 149 matching lines @@
     frame_->CallRuntime(Runtime::kReThrow, 1);
 
     // Done.
     exit.Bind();
   }
 }
 
 
 void CodeGenerator::VisitDebuggerStatement(DebuggerStatement* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ DebuggerStatement");
   CodeForStatementPosition(node);
   // Spill everything, even constants, to the frame.
   frame_->SpillAll();
   frame_->CallRuntime(Runtime::kDebugBreak, 0);
   // Ignore the return value.
 }
 
 
 void CodeGenerator::InstantiateBoilerplate(Handle<JSFunction> boilerplate) {
   ASSERT(boilerplate->IsBoilerplate());
 
   // Push the boilerplate on the stack.
   frame_->Push(boilerplate);
 
   // Create a new closure.
   frame_->Push(esi);
   Result result = frame_->CallRuntime(Runtime::kNewClosure, 2);
   frame_->Push(&result);
 }
 
 
 void CodeGenerator::VisitFunctionLiteral(FunctionLiteral* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ FunctionLiteral");
 
   // Build the function boilerplate and instantiate it.
   Handle<JSFunction> boilerplate = BuildBoilerplate(node);
   // Check for stack-overflow exception.
   if (HasStackOverflow()) return;
   InstantiateBoilerplate(boilerplate);
 }
 
 
 void CodeGenerator::VisitFunctionBoilerplateLiteral(
     FunctionBoilerplateLiteral* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ FunctionBoilerplateLiteral");
   InstantiateBoilerplate(node->boilerplate());
 }
 
 
 void CodeGenerator::VisitConditional(Conditional* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Conditional");
   JumpTarget then(this);
   JumpTarget else_(this);
   JumpTarget exit(this);
   ControlDestination dest(&then, &else_, true);
   LoadCondition(node->condition(), NOT_INSIDE_TYPEOF, &dest, true);
 
   if (dest.false_was_fall_through()) {
     // The else target was bound, so we compile the else part first.
     Load(node->else_expression(), typeof_state());
@@ skipping 161 matching lines @@
       // The results start, value, and temp are unused by going out of
       // scope.
     }
 
     exit.Bind();
   }
 }
 
 
 void CodeGenerator::VisitSlot(Slot* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Slot");
   LoadFromSlot(node, typeof_state());
 }
 
 
 void CodeGenerator::VisitVariableProxy(VariableProxy* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ VariableProxy");
   Variable* var = node->var();
   Expression* expr = var->rewrite();
   if (expr != NULL) {
     Visit(expr);
   } else {
     ASSERT(var->is_global());
     Reference ref(this, node);
     ref.GetValue(typeof_state());
   }
 }
 
 
 void CodeGenerator::VisitLiteral(Literal* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Literal");
   if (node->handle()->IsSmi() && !IsInlineSmi(node)) {
     // To prevent long attacker-controlled byte sequences in code, larger
     // Smis are loaded in two steps via a temporary register.
     Result temp = allocator_->Allocate();
     ASSERT(temp.is_valid());
     int bits = reinterpret_cast<int>(*node->handle());
     __ Set(temp.reg(), Immediate(bits & 0x0000FFFF));
     __ xor_(temp.reg(), bits & 0xFFFF0000);
     frame_->Push(&temp);
@@ skipping 32 matching lines @@
   frame->Push(node_->pattern());
   // RegExp flags (3).
   frame->Push(node_->flags());
   Result boilerplate =
       frame->CallRuntime(Runtime::kMaterializeRegExpLiteral, 4);
   exit()->Jump(&boilerplate);
 }
 
 
 void CodeGenerator::VisitRegExpLiteral(RegExpLiteral* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ RegExp Literal");
   DeferredRegExpLiteral* deferred = new DeferredRegExpLiteral(this, node);
 
   // Retrieve the literals array and check the allocated entry.  Begin
   // with a writable copy of the function of this activation in a
   // register.
   frame_->PushFunction();
   Result literals = frame_->Pop();
   literals.ToRegister();
   frame_->Spill(literals.reg());
@@ skipping 55 matching lines @@
   frame->Push(Smi::FromInt(node_->literal_index()));
   // Constant properties (2).
   frame->Push(node_->constant_properties());
   Result boilerplate =
       frame->CallRuntime(Runtime::kCreateObjectLiteralBoilerplate, 3);
   exit()->Jump(&boilerplate);
 }
 
 
 void CodeGenerator::VisitObjectLiteral(ObjectLiteral* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ ObjectLiteral");
   DeferredObjectLiteral* deferred = new DeferredObjectLiteral(this, node);
 
   // Retrieve the literals array and check the allocated entry.  Begin
   // with a writable copy of the function of this activation in a
   // register.
   frame_->PushFunction();
   Result literals = frame_->Pop();
   literals.ToRegister();
   frame_->Spill(literals.reg());
@@ skipping 81 matching lines @@
         // Ignore the result.
         break;
       }
       default: UNREACHABLE();
     }
   }
 }
 
 
 void CodeGenerator::VisitArrayLiteral(ArrayLiteral* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ ArrayLiteral");
 
   // Call the runtime to create the array literal.
   frame_->Push(node->literals());
   // Load the literals array of the current function.
   frame_->PushFunction();
   Result literals = frame_->Pop();
   literals.ToRegister();
   frame_->Spill(literals.reg());  // Make it writable.
   __ mov(literals.reg(),
@@ skipping 38 matching lines @@
       Result scratch = allocator_->Allocate();
       ASSERT(scratch.is_valid());
       __ RecordWrite(elements.reg(), offset, prop_value.reg(), scratch.reg());
     }
   }
 }
 
 
 void CodeGenerator::VisitCatchExtensionObject(CatchExtensionObject* node) {
   ASSERT(!in_spilled_code());
+  ASSERT(HasValidEntryRegisters());
   // Call runtime routine to allocate the catch extension object and
   // assign the exception value to the catch variable.
   Comment cmnt(masm_, "[ CatchExtensionObject");
   Load(node->key());
   Load(node->value());
   Result result =
       frame_->CallRuntime(Runtime::kCreateCatchExtensionObject, 2);
   frame_->Push(&result);
 }
 
 
 bool CodeGenerator::IsInlineSmi(Literal* literal) {
   if (literal == NULL || !literal->handle()->IsSmi()) return false;
   int int_value = Smi::cast(*literal->handle())->value();
   return is_intn(int_value, kMaxSmiInlinedBits);
 }
 
 
 void CodeGenerator::VisitAssignment(Assignment* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Assignment");
   CodeForStatementPosition(node);
 
   { Reference target(this, node->target());
     if (target.is_illegal()) {
       // Fool the virtual frame into thinking that we left the assignment's
       // value on the frame.
       frame_->Push(Smi::FromInt(0));
       return;
     }
@@ skipping 38 matching lines @@
         target.SetValue(CONST_INIT);
       } else {
         target.SetValue(NOT_CONST_INIT);
       }
     }
   }
 }
 
 
 void CodeGenerator::VisitThrow(Throw* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Throw");
   CodeForStatementPosition(node);
 
   Load(node->exception());
   Result result = frame_->CallRuntime(Runtime::kThrow, 1);
   frame_->Push(&result);
 }
 
 
 void CodeGenerator::VisitProperty(Property* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Property");
   Reference property(this, node);
   property.GetValue(typeof_state());
 }
 
 
 void CodeGenerator::VisitCall(Call* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ Call");
 
   ZoneList<Expression*>* args = node->arguments();
 
   CodeForStatementPosition(node);
 
   // Check if the function is a variable or a property.
   Expression* function = node->expression();
   Variable* var = function->AsVariableProxy()->AsVariable();
   Property* property = function->AsProperty();
@@ skipping 119 matching lines @@
     // Pass the global proxy as the receiver.
     LoadGlobalReceiver();
 
     // Call the function.
     CallWithArguments(args, node->position());
   }
 }
 
 
 void CodeGenerator::VisitCallNew(CallNew* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ CallNew");
   CodeForStatementPosition(node);
 
   // According to ECMA-262, section 11.2.2, page 44, the function
   // expression in new calls must be evaluated before the
   // arguments. This is different from ordinary calls, where the
   // actual function to call is resolved after the arguments have been
   // evaluated.
 
   // Compute function to call and use the global object as the
@@ skipping 32 matching lines @@
                                          &num_args,
                                          &function,
                                          arg_count + 1);
 
   // Replace the function on the stack with the result.
   frame_->SetElementAt(0, &result);
 }
 
 
 void CodeGenerator::VisitCallEval(CallEval* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ CallEval");
 
   // In a call to eval, we first call %ResolvePossiblyDirectEval to resolve
   // the function we need to call and the receiver of the call.
   // Then we call the resolved function using the given arguments.
 
   ZoneList<Expression*>* args = node->arguments();
   Expression* function = node->expression();
 
   CodeForStatementPosition(node);
@@ skipping 367 matching lines @@
   right.ToRegister();
   left.ToRegister();
   __ cmp(right.reg(), Operand(left.reg()));
   right.Unuse();
   left.Unuse();
   destination()->Split(equal);
 }
 
 
 void CodeGenerator::VisitCallRuntime(CallRuntime* node) {
+  ASSERT(HasValidEntryRegisters());
   if (CheckForInlineRuntimeCall(node)) {
     return;
   }
 
   ZoneList<Expression*>* args = node->arguments();
   Comment cmnt(masm_, "[ CallRuntime");
   Runtime::Function* function = node->function();
 
   if (function == NULL) {
     // Prepare stack for calling JS runtime function.
@@ skipping 25 matching lines @@
     frame_->SetElementAt(0, &answer);
   } else {
     // Call the C runtime function.
     Result answer = frame_->CallRuntime(function, arg_count);
     frame_->Push(&answer);
   }
 }
 
 
 void CodeGenerator::VisitUnaryOperation(UnaryOperation* node) {
+  ASSERT(HasValidEntryRegisters());
   // Note that because of NOT and an optimization in comparison of a typeof
   // expression to a literal string, this function can fail to leave a value
   // on top of the frame or in the cc register.
   Comment cmnt(masm_, "[ UnaryOperation");
 
   Token::Value op = node->op();
 
   if (op == Token::NOT) {
     // Swap the true and false targets but keep the same actual label
     // as the fall through.
@@ skipping 212 matching lines @@
     value = generator()->frame()->CallStub(&to_number_stub, &value, 0);
   }
 
   CounterOpStub stub(result_offset_, is_postfix_, is_increment_);
   value = generator()->frame()->CallStub(&stub, &value, 0);
   exit()->Jump(&value);
 }
 
 
 void CodeGenerator::VisitCountOperation(CountOperation* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ CountOperation");
 
   bool is_postfix = node->is_postfix();
   bool is_increment = node->op() == Token::INC;
 
   Variable* var = node->expression()->AsVariableProxy()->AsVariable();
   bool is_const = (var != NULL && var->mode() == Variable::CONST);
 
   // Postfix: Make room for the result.
   if (is_postfix) {
@@ skipping 76 matching lines @@
   }
 
   // Postfix: Discard the new value and use the old.
   if (is_postfix) {
     frame_->Drop();
   }
 }
 
 
 void CodeGenerator::VisitBinaryOperation(BinaryOperation* node) {
+  ASSERT(HasValidEntryRegisters());
   // Note that due to an optimization in comparison operations (typeof
   // compared to a string literal), we can evaluate a binary expression such
   // as AND or OR and not leave a value on the frame or in the cc register.
   Comment cmnt(masm_, "[ BinaryOperation");
   Token::Value op = node->op();
 
   // According to ECMA-262 section 11.11, page 58, the binary logical
   // operators must yield the result of one of the two expressions
   // before any ToBoolean() conversions. This means that the value
   // produced by a && or || operator is not necessarily a boolean.
@@ skipping 122 matching lines @@
     } else {
       Load(node->left());
       Load(node->right());
       GenericBinaryOperation(node->op(), node->type(), overwrite_mode);
     }
   }
 }
 
 
 void CodeGenerator::VisitThisFunction(ThisFunction* node) {
+  ASSERT(HasValidEntryRegisters());
   frame_->PushFunction();
 }
 
 
 class InstanceofStub: public CodeStub {
  public:
   InstanceofStub() { }
 
   void Generate(MacroAssembler* masm);
 
  private:
   Major MajorKey() { return Instanceof; }
   int MinorKey() { return 0; }
 };
 
 
 void CodeGenerator::VisitCompareOperation(CompareOperation* node) {
+  ASSERT(HasValidEntryRegisters());
   Comment cmnt(masm_, "[ CompareOperation");
 
   // Get the expressions from the node.
   Expression* left = node->left();
   Expression* right = node->right();
   Token::Value op = node->op();
 
   // To make null checks efficient, we check if either left or right is the
   // literal 'null'. If so, we optimize the code by inlining a null check
   // instead of calling the (very) general runtime routine for checking
@@ skipping 2008 matching lines @@
 
   // Slow-case: Go through the JavaScript implementation.
   __ bind(&slow);
   __ InvokeBuiltin(Builtins::INSTANCE_OF, JUMP_FUNCTION);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal