[builtins] Fix crash on stack overflow in CheckSpreadAndPushToStack.

src/builtins/x87/builtins-x87.cc

Index: src/builtins/x87/builtins-x87.cc
diff --git a/src/builtins/x87/builtins-x87.cc b/src/builtins/x87/builtins-x87.cc
index f3f09226ef62d010d462c2ca2c4499c666826507..b8ca5304f72c996bc4455147fe7eecaf28bb1af2 100644
--- a/src/builtins/x87/builtins-x87.cc
+++ b/src/builtins/x87/builtins-x87.cc
@@ -2804,7 +2804,6 @@ static void CheckSpreadAndPushToStack(MacroAssembler* masm) {
     __ lea(esp, Operand(esp, 2 * kFloatSize));
   }
 
-  Register return_address = edi;
   {
     // Calculate the new nargs including the result of the spread.
     __ mov(spread_len, FieldOperand(spread, FixedArray::kLengthOffset));
@@ -2813,10 +2812,6 @@ static void CheckSpreadAndPushToStack(MacroAssembler* masm) {
     __ bind(&push_args);
     // argc += spread_len - 1. Subtract 1 for the spread itself.
     __ lea(argc, Operand(argc, spread_len, times_1, -1));
-
-    // Pop the return address and spread argument.
-    __ PopReturnAddressTo(return_address);
-    __ Pop(scratch);
   }
 
   // Check for stack overflow.
@@ -2839,6 +2834,11 @@ static void CheckSpreadAndPushToStack(MacroAssembler* masm) {
 
   // Put the evaluated spread onto the stack as additional arguments.
   {
+    Register return_address = edi;
+    // Pop the return address and spread argument.
+    __ PopReturnAddressTo(return_address);
+    __ Pop(scratch);
+
     Register scratch2 = esi;
     // Save esi to stX0, edx/edi in stX1/stX2 now.
     __ push(esi);