From 715be629d51174233403237bfc563cf150087dc8 Mon Sep 17 00:00:00 2001
From: Simon Hausmann <simon.hausmann@digia.com>
Date: Tue, 25 Sep 2012 13:02:02 +0200
Subject: Imported WebKit commit ce614b0924ba46f78d4435e28ff93c8525fbb7cc
 (http://svn.webkit.org/repository/webkit/trunk@129485)

New snapshot that includes MingW build fixes
---
 Source/JavaScriptCore/ChangeLog                    |  260 ++
 .../JavaScriptCore/JavaScriptCore.def              |    1 +
 Source/JavaScriptCore/assembler/MIPSAssembler.h    |   12 +
 .../JavaScriptCore/assembler/MacroAssemblerMIPS.h  |   75 +
 Source/JavaScriptCore/bytecode/CodeBlock.cpp       |   52 +-
 Source/JavaScriptCore/bytecode/Instruction.h       |    2 +-
 .../bytecompiler/BytecodeGenerator.cpp             |    1 +
 Source/JavaScriptCore/dfg/DFGOperations.cpp        |    7 -
 Source/JavaScriptCore/dfg/DFGOperations.h          |    1 -
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp    |    5 +-
 .../JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp  |   34 +-
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp  |   26 +-
 Source/JavaScriptCore/interpreter/AbstractPC.cpp   |    6 -
 Source/JavaScriptCore/interpreter/AbstractPC.h     |   15 -
 Source/JavaScriptCore/interpreter/CallFrame.h      |    3 -
 Source/JavaScriptCore/interpreter/Interpreter.cpp  | 3940 +-------------------
 Source/JavaScriptCore/interpreter/Interpreter.h    |   36 +-
 .../jit/ExecutableAllocatorFixedVMPool.cpp         |    2 +-
 .../llint/LowLevelInterpreter32_64.asm             |    4 +-
 .../JavaScriptCore/llint/LowLevelInterpreter64.asm |    4 +-
 Source/JavaScriptCore/offlineasm/asm.rb            |    2 +-
 Source/JavaScriptCore/offlineasm/cloop.rb          |    8 +-
 Source/JavaScriptCore/offlineasm/instructions.rb   |    8 +
 Source/JavaScriptCore/offlineasm/offsets.rb        |    1 -
 Source/JavaScriptCore/offlineasm/parser.rb         |    6 +-
 Source/JavaScriptCore/runtime/Executable.cpp       |   24 +-
 Source/JavaScriptCore/runtime/Executable.h         |   13 +-
 Source/JavaScriptCore/runtime/JSActivation.h       |   24 +-
 Source/JavaScriptCore/runtime/JSGlobalData.cpp     |   18 +-
 Source/JavaScriptCore/runtime/JSGlobalData.h       |   22 +-
 Source/JavaScriptCore/runtime/JSGlobalObject.cpp   |    2 +-
 .../runtime/JSGlobalObjectFunctions.cpp            |    8 +-
 Source/JavaScriptCore/runtime/JSObject.cpp         |   18 +-
 Source/JavaScriptCore/runtime/JSObject.h           |   32 +-
 Source/JavaScriptCore/runtime/LiteralParser.cpp    |    3 +-
 .../JavaScriptCore/runtime/ObjectConstructor.cpp   |    2 +-
 .../JavaScriptCore/runtime/SparseArrayValueMap.cpp |    4 +-
 37 files changed, 569 insertions(+), 4112 deletions(-)

(limited to 'Source/JavaScriptCore')

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 5d81031ba..403a38c70 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,263 @@
+2012-09-24  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=97530
+        Regression, freeze applied to numeric properties of non-array objects
+
+        Reviewed by Filip Pizlo.
+
+        Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
+        For now, just fall back to the generic implementation if the object has numeric properties.
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorFreeze):
+            - fallback if the object has a non-zero indexed property vector length.
+
+2012-09-24  Gavin Barraclough  <barraclough@apple.com>
+
+        Bug in numeric accessors on global environment
+        https://bugs.webkit.org/show_bug.cgi?id=97526
+
+        Reviewed by Geoff Garen.
+
+        I've hit this assert in test262 in browser, but haven't yet worked out how to repro in a test case :-/
+        The sparsemap is failing to map back from the global object to the window shell.
+        A test case would need to resolve a numeric property name against the global environment.
+
+        (JSC::SparseArrayEntry::get):
+        (JSC::SparseArrayEntry::put):
+            - Add missing toThisObject calls.
+
+2012-09-24  Filip Pizlo  <fpizlo@apple.com>
+
+        SerializedScriptValue isn't aware of indexed storage, but should be
+        https://bugs.webkit.org/show_bug.cgi?id=97515
+        <rdar://problem/12361874>
+
+        Reviewed by Sam Weinig.
+
+        Export a method that WebCore now uses.
+
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+        * runtime/JSObject.h:
+        (JSObject):
+
+2012-09-24  Gavin Barraclough  <barraclough@apple.com>
+
+        Remove JSObject::unwrappedGlobalObject(), JSObject::unwrappedObject()
+        https://bugs.webkit.org/show_bug.cgi?id=97519
+
+        Reviewed by Geoff Garen.
+
+        unwrappedGlobalObject() was only needed because globalObject() doesn't always return a helpful result -
+        specifically for WebCore's window shell the structure's globalObject is set to null. We can fix this by
+        simply keeping the structure up to date as the window navigates, obviating the need for this function.
+
+        The only other use of unwrappedObject() came from globalFuncEval(), and this can be trivially removed
+        by flipping the way we perform this globalObject check (which we may also be able to remove!) - instead
+        of getting the globalObject from the provided this value & comparing to the expected globalObject, we
+        can get the this value from the expected globalObject, and compare to that provided.
+
+        * runtime/JSGlobalObject.cpp:
+            - Call globalObject() instead of unwrappedGlobalObject().
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncEval):
+            - Changed to compare this object values, instead of globalObjects -
+              this means we only need to be able to map globalObject -> this,
+              and not vice versa.
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::allowsAccessFrom):
+        (JSC::JSObject::createInheritorID):
+            - Call globalObject() instead of unwrappedGlobalObject().
+        * runtime/JSObject.h:
+        (JSObject):
+            - Removed unwrappedGlobalObject(), unwrappedObject().
+
+2012-09-24  Mark Lam  <mark.lam@apple.com>
+
+        Deleting the classic interpreter and cleaning up some build options.
+        https://bugs.webkit.org/show_bug.cgi?id=96969.
+
+        Reviewed by Geoffrey Garen.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        (JSC::CodeBlock::finalizeUnconditionally):
+        (JSC::CodeBlock::stronglyVisitStrongReferences):
+        (JSC):
+        * bytecode/Instruction.h:
+        (JSC::Instruction::Instruction):
+        * interpreter/AbstractPC.cpp:
+        (JSC::AbstractPC::AbstractPC):
+        * interpreter/AbstractPC.h:
+        (AbstractPC):
+        * interpreter/CallFrame.h:
+        (ExecState):
+        * interpreter/Interpreter.cpp:
+        (JSC):
+        (JSC::Interpreter::Interpreter):
+        (JSC::Interpreter::~Interpreter):
+        (JSC::Interpreter::initialize):
+        (JSC::Interpreter::isOpcode):
+        (JSC::Interpreter::unwindCallFrame):
+        (JSC::getLineNumberForCallFrame):
+        (JSC::getCallerInfo):
+        (JSC::getSourceURLFromCallFrame):
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeCall):
+        (JSC::Interpreter::executeConstruct):
+        (JSC::Interpreter::retrieveArgumentsFromVMCode):
+        (JSC::Interpreter::retrieveCallerFromVMCode):
+        (JSC::Interpreter::retrieveLastCaller):
+        * interpreter/Interpreter.h:
+        (JSC::Interpreter::getOpcodeID):
+        (Interpreter):
+        * jit/ExecutableAllocatorFixedVMPool.cpp:
+        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
+        * offlineasm/asm.rb:
+        * offlineasm/offsets.rb:
+        * runtime/Executable.cpp:
+        (JSC::EvalExecutable::compileInternal):
+        (JSC::ProgramExecutable::compileInternal):
+        (JSC::FunctionExecutable::compileForCallInternal):
+        (JSC::FunctionExecutable::compileForConstructInternal):
+        * runtime/Executable.h:
+        (JSC::NativeExecutable::create):
+        (NativeExecutable):
+        (JSC::NativeExecutable::finishCreation):
+        * runtime/JSGlobalData.cpp:
+        (JSC):
+        (JSC::JSGlobalData::JSGlobalData):
+        (JSC::JSGlobalData::getHostFunction):
+        * runtime/JSGlobalData.h:
+        (JSGlobalData):
+        (JSC::JSGlobalData::canUseJIT):
+        (JSC::JSGlobalData::canUseRegExpJIT):
+        * runtime/Options.cpp:
+        (JSC::Options::initialize):
+
+2012-09-24  Filip Pizlo  <fpizlo@apple.com>
+
+        Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes
+        https://bugs.webkit.org/show_bug.cgi?id=97508
+        <rdar://problem/12361132>
+
+        Reviewed by Sam Weinig.
+
+        We're reusing some vector for multiple iterations of a loop, but we were forgetting to clear its
+        contents from one iteration to the next. Hence if you did multiple iterations of finally unpopping
+        (like in a nested try/finally and a jump out of both of them) then you'd get a corrupted try
+        context stack afterwards.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitComplexJumpScopes):
+
+2012-09-24  Filip Pizlo  <fpizlo@apple.com>
+
+        ValueToInt32 bool case does bad things to registers
+        https://bugs.webkit.org/show_bug.cgi?id=97505
+        <rdar://problem/12356331>
+
+        Reviewed by Mark Hahnenberg.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+
+2012-09-24  Mark Lam  <mark.lam@apple.com>
+
+        Add cloopDo instruction for debugging the llint C++ backend.
+        https://bugs.webkit.org/show_bug.cgi?id=97502.
+
+        Reviewed by Geoffrey Garen.
+
+        * offlineasm/cloop.rb:
+        * offlineasm/instructions.rb:
+        * offlineasm/parser.rb:
+
+2012-09-24  Filip Pizlo  <fpizlo@apple.com>
+
+        JSArray::putByIndex asserts with readonly property on prototype
+        https://bugs.webkit.org/show_bug.cgi?id=97435
+        <rdar://problem/12357084>
+
+        Reviewed by Geoffrey Garen.
+
+        Boy, there were some problems:
+        
+        - putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
+          in SlowPut mode, since that's the whole point of PutDirect.
+        
+        - We should have a fast path for putByIndex().
+        
+        - The LiteralParser should not use push(), since that may throw if we're having a bad time.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::eval):
+        * runtime/JSObject.h:
+        (JSC::JSObject::putByIndexInline):
+        (JSObject):
+        (JSC::JSObject::putDirectIndex):
+        * runtime/LiteralParser.cpp:
+        (JSC::::parse):
+
+2012-09-24  Mark Lam  <mark.lam@apple.com>
+
+        Added a missing "if VALUE_PROFILER" around an access to ArrayProfile record.
+        https://bugs.webkit.org/show_bug.cgi?id=97496.
+
+        Reviewed by Filip Pizlo.
+
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
+2012-09-24  Geoffrey Garen  <ggaren@apple.com>
+
+        Inlined activation tear-off in the DFG
+        https://bugs.webkit.org/show_bug.cgi?id=97487
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h: Activation tear-off is always inlined now, so I
+        removed its out-of-line implementation.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Inlined the variable copy and update
+        of JSVariableObject::m_registers. This usually turns into < 10 instructions,
+        which is close to pure win as compared to the operation function call.
+
+        * runtime/JSActivation.h:
+        (JSActivation):
+        (JSC::JSActivation::registersOffset):
+        (JSC::JSActivation::tearOff):
+        (JSC::JSActivation::isTornOff):
+        (JSC):
+        (JSC::JSActivation::storageOffset):
+        (JSC::JSActivation::storage): Tiny bit of refactoring so the JIT can
+        share the pointer math helper functions we use internally.
+
+2012-09-24  Balazs Kilvady  <kilvadyb@homejinni.com>
+
+        MIPS: store8 functions added to MacroAssembler.
+
+        MIPS store8 functions
+        https://bugs.webkit.org/show_bug.cgi?id=97243
+
+        Reviewed by Oliver Hunt.
+
+        Add MIPS store8 functions.
+
+        * assembler/MIPSAssembler.h:
+        (JSC::MIPSAssembler::lhu): New function.
+        (MIPSAssembler):
+        (JSC::MIPSAssembler::sb): New function.
+        (JSC::MIPSAssembler::sh): New function.
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::store8): New function.
+        (MacroAssemblerMIPS):
+        (JSC::MacroAssemblerMIPS::store16): New function.
+
 2012-09-23  Geoffrey Garen  <ggaren@apple.com>
 
         PutScopedVar should not be marked as clobbering the world
diff --git a/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def b/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def
index f7c0457bf..eda306f3c 100755
--- a/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def
+++ b/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def
@@ -277,6 +277,7 @@ EXPORTS
     ?put@JSObject@JSC@@SAXPAVJSCell@2@PAVExecState@2@VPropertyName@2@VJSValue@2@AAVPutPropertySlot@2@@Z
     ?putByIndex@JSObject@JSC@@SAXPAVJSCell@2@PAVExecState@2@IVJSValue@2@_N@Z
     ?putDirectIndexBeyondVectorLength@JSObject@JSC@@AAE_NPAVExecState@2@IVJSValue@2@IW4PutDirectIndexMode@2@@Z
+    ?putDirectMayBeIndex@JSObject@JSC@@QAEXPAVExecState@2@VPropertyName@2@VJSValue@2@@Z
     ?putDirectVirtual@JSGlobalObject@JSC@@SAXPAVJSObject@2@PAVExecState@2@VPropertyName@2@VJSValue@2@I@Z
     ?putDirectVirtual@JSObject@JSC@@SAXPAV12@PAVExecState@2@VPropertyName@2@VJSValue@2@I@Z
     ?randomNumber@WTF@@YANXZ
diff --git a/Source/JavaScriptCore/assembler/MIPSAssembler.h b/Source/JavaScriptCore/assembler/MIPSAssembler.h
index 65307d950..d3f8af996 100644
--- a/Source/JavaScriptCore/assembler/MIPSAssembler.h
+++ b/Source/JavaScriptCore/assembler/MIPSAssembler.h
@@ -405,6 +405,18 @@ public:
         loadDelayNop();
     }
 
+    void sb(RegisterID rt, RegisterID rs, int offset)
+    {
+        emitInst(0xa0000000 | (rt << OP_SH_RT) | (rs << OP_SH_RS)
+                 | (offset & 0xffff));
+    }
+
+    void sh(RegisterID rt, RegisterID rs, int offset)
+    {
+        emitInst(0xa4000000 | (rt << OP_SH_RT) | (rs << OP_SH_RS)
+                 | (offset & 0xffff));
+    }
+
     void sw(RegisterID rt, RegisterID rs, int offset)
     {
         emitInst(0xac000000 | (rt << OP_SH_RT) | (rs << OP_SH_RS)
diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h b/Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h
index b3afae8df..22830a621 100644
--- a/Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h
+++ b/Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h
@@ -786,6 +786,81 @@ public:
         return dataLabel;
     }
 
+    void store8(RegisterID src, BaseIndex address)
+    {
+        if (address.offset >= -32768 && address.offset <= 32767
+            && !m_fixedWidth) {
+            /*
+                sll     addrTemp, address.index, address.scale
+                addu    addrTemp, addrTemp, address.base
+                sb      src, address.offset(addrTemp)
+            */
+            m_assembler.sll(addrTempRegister, address.index, address.scale);
+            m_assembler.addu(addrTempRegister, addrTempRegister, address.base);
+            m_assembler.sb(src, addrTempRegister, address.offset);
+        } else {
+            /*
+                sll     addrTemp, address.index, address.scale
+                addu    addrTemp, addrTemp, address.base
+                lui     immTemp, (address.offset + 0x8000) >> 16
+                addu    addrTemp, addrTemp, immTemp
+                sb      src, (address.offset & 0xffff)(at)
+            */
+            m_assembler.sll(addrTempRegister, address.index, address.scale);
+            m_assembler.addu(addrTempRegister, addrTempRegister, address.base);
+            m_assembler.lui(immTempRegister, (address.offset + 0x8000) >> 16);
+            m_assembler.addu(addrTempRegister, addrTempRegister,
+                             immTempRegister);
+            m_assembler.sb(src, addrTempRegister, address.offset);
+        }
+    }
+
+    void store8(TrustedImm32 imm, void* address)
+    {
+        /*
+            li  immTemp, imm
+            li  addrTemp, address
+            sb  src, 0(addrTemp)
+        */
+        if (!imm.m_value && !m_fixedWidth) {
+            move(TrustedImmPtr(address), addrTempRegister);
+            m_assembler.sb(MIPSRegisters::zero, addrTempRegister, 0);
+        } else {
+            move(imm, immTempRegister);
+            move(TrustedImmPtr(address), addrTempRegister);
+            m_assembler.sb(immTempRegister, addrTempRegister, 0);
+        }
+    }
+
+    void store16(RegisterID src, BaseIndex address)
+    {
+        if (address.offset >= -32768 && address.offset <= 32767
+            && !m_fixedWidth) {
+            /*
+                sll     addrTemp, address.index, address.scale
+                addu    addrTemp, addrTemp, address.base
+                sh      src, address.offset(addrTemp)
+            */
+            m_assembler.sll(addrTempRegister, address.index, address.scale);
+            m_assembler.addu(addrTempRegister, addrTempRegister, address.base);
+            m_assembler.sh(src, addrTempRegister, address.offset);
+        } else {
+            /*
+                sll     addrTemp, address.index, address.scale
+                addu    addrTemp, addrTemp, address.base
+                lui     immTemp, (address.offset + 0x8000) >> 16
+                addu    addrTemp, addrTemp, immTemp
+                sh      src, (address.offset & 0xffff)(at)
+            */
+            m_assembler.sll(addrTempRegister, address.index, address.scale);
+            m_assembler.addu(addrTempRegister, addrTempRegister, address.base);
+            m_assembler.lui(immTempRegister, (address.offset + 0x8000) >> 16);
+            m_assembler.addu(addrTempRegister, addrTempRegister,
+                             immTempRegister);
+            m_assembler.sh(src, addrTempRegister, address.offset);
+        }
+    }
+
     void store32(RegisterID src, ImplicitAddress address)
     {
         if (address.offset >= -32768 && address.offset <= 32767
diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
index 54dccb9ed..bd8bfec0d 100644
--- a/Source/JavaScriptCore/bytecode/CodeBlock.cpp
+++ b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -588,25 +588,6 @@ void CodeBlock::dump(ExecState* exec)
         } while (i < m_globalResolveInfos.size());
     }
 #endif
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!m_globalResolveInstructions.isEmpty() || !m_propertyAccessInstructions.isEmpty())
-        dataLog("\nStructures:\n");
-
-    if (!m_globalResolveInstructions.isEmpty()) {
-        size_t i = 0;
-        do {
-             printStructures(&instructions()[m_globalResolveInstructions[i]]);
-             ++i;
-        } while (i < m_globalResolveInstructions.size());
-    }
-    if (!m_propertyAccessInstructions.isEmpty()) {
-        size_t i = 0;
-        do {
-            printStructures(&instructions()[m_propertyAccessInstructions[i]]);
-             ++i;
-        } while (i < m_propertyAccessInstructions.size());
-    }
-#endif
 
     if (m_rareData && !m_rareData->m_exceptionHandlers.isEmpty()) {
         dataLog("\nException Handlers:\n");
@@ -2065,9 +2046,7 @@ void CodeBlock::finalizeUnconditionally()
 {
 #if ENABLE(LLINT)
     Interpreter* interpreter = m_globalData->interpreter;
-    // interpreter->classicEnabled() returns true if the old C++ interpreter is enabled. If that's enabled
-    // then we're not using LLInt.
-    if (!interpreter->classicEnabled() && !!numberOfInstructions()) {
+    if (!!numberOfInstructions()) {
         for (size_t size = m_propertyAccessInstructions.size(), i = 0; i < size; ++i) {
             Instruction* curInstruction = &instructions()[m_propertyAccessInstructions[i]];
             switch (interpreter->getOpcodeID(curInstruction[0].u.opcode)) {
@@ -2260,14 +2239,6 @@ void CodeBlock::stronglyVisitStrongReferences(SlotVisitor& visitor)
         visitor.append(&m_functionExprs[i]);
     for (size_t i = 0; i < m_functionDecls.size(); ++i)
         visitor.append(&m_functionDecls[i]);
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (m_globalData->interpreter->classicEnabled() && !!numberOfInstructions()) {
-        for (size_t size = m_propertyAccessInstructions.size(), i = 0; i < size; ++i)
-            visitStructures(visitor, &instructions()[m_propertyAccessInstructions[i]]);
-        for (size_t size = m_globalResolveInstructions.size(), i = 0; i < size; ++i)
-            visitStructures(visitor, &instructions()[m_globalResolveInstructions[i]]);
-    }
-#endif
 
     updateAllPredictions(Collection);
 }
@@ -2444,27 +2415,6 @@ void CodeBlock::expressionRangeForBytecodeOffset(unsigned bytecodeOffset, int& d
     return;
 }
 
-#if ENABLE(CLASSIC_INTERPRETER)
-bool CodeBlock::hasGlobalResolveInstructionAtBytecodeOffset(unsigned bytecodeOffset)
-{
-    if (m_globalResolveInstructions.isEmpty())
-        return false;
-
-    int low = 0;
-    int high = m_globalResolveInstructions.size();
-    while (low < high) {
-        int mid = low + (high - low) / 2;
-        if (m_globalResolveInstructions[mid] <= bytecodeOffset)
-            low = mid + 1;
-        else
-            high = mid;
-    }
-
-    if (!low || m_globalResolveInstructions[low - 1] != bytecodeOffset)
-        return false;
-    return true;
-}
-#endif
 #if ENABLE(JIT)
 bool CodeBlock::hasGlobalResolveInfoAtBytecodeOffset(unsigned bytecodeOffset)
 {
diff --git a/Source/JavaScriptCore/bytecode/Instruction.h b/Source/JavaScriptCore/bytecode/Instruction.h
index 6c1260abc..b276fd957 100644
--- a/Source/JavaScriptCore/bytecode/Instruction.h
+++ b/Source/JavaScriptCore/bytecode/Instruction.h
@@ -154,7 +154,7 @@ namespace JSC {
         
         Instruction(Opcode opcode)
         {
-#if !ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
+#if !ENABLE(COMPUTED_GOTO_OPCODES)
             // We have to initialize one of the pointer members to ensure that
             // the entire struct is initialized, when opcode is not a pointer.
             u.jsCell.clear();
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
index 13a2defff..9e993ec65 100644
--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -2483,6 +2483,7 @@ PassRefPtr<Label> BytecodeGenerator::emitComplexJumpScopes(Label* target, Contro
                     context.start = afterFinally;
                     m_tryContextStack.append(context);
                 }
+                poppedTryContexts.clear();
             }
             if (flipLabelScopes)
                 m_labelScopes = savedLabelScopes;
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index 3452b2f0d..eaa0f47f7 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1167,13 +1167,6 @@ JSCell* DFG_OPERATION operationCreateInlinedArguments(
     return result;
 }
 
-void DFG_OPERATION operationTearOffActivation(ExecState* exec, JSCell* activationCell)
-{
-    JSGlobalData& globalData = exec->globalData();
-    NativeCallFrameTracer tracer(&globalData, exec);
-    jsCast<JSActivation*>(activationCell)->tearOff(exec->globalData());
-}
-
 void DFG_OPERATION operationTearOffArguments(ExecState* exec, JSCell* argumentsCell, JSCell* activationCell)
 {
     ASSERT(exec->codeBlock()->usesArguments());
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.h b/Source/JavaScriptCore/dfg/DFGOperations.h
index f86f5cf1f..3b947ecbf 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.h
+++ b/Source/JavaScriptCore/dfg/DFGOperations.h
@@ -177,7 +177,6 @@ char* DFG_OPERATION operationLinkConstruct(ExecState*) WTF_INTERNAL;
 JSCell* DFG_OPERATION operationCreateActivation(ExecState*) WTF_INTERNAL;
 JSCell* DFG_OPERATION operationCreateArguments(ExecState*) WTF_INTERNAL;
 JSCell* DFG_OPERATION operationCreateInlinedArguments(ExecState*, InlineCallFrame*) WTF_INTERNAL;
-void DFG_OPERATION operationTearOffActivation(ExecState*, JSCell*) WTF_INTERNAL;
 void DFG_OPERATION operationTearOffArguments(ExecState*, JSCell*, JSCell*) WTF_INTERNAL;
 void DFG_OPERATION operationTearOffInlinedArguments(ExecState*, JSCell*, JSCell*, InlineCallFrame*) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationGetArgumentsLength(ExecState*, int32_t) WTF_INTERNAL;
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index e42752d8a..05b1e741e 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -1907,9 +1907,10 @@ void SpeculativeJIT::compileValueToInt32(Node& node)
         SpeculateBooleanOperand op1(this, node.child1());
         GPRTemporary result(this, op1);
         
-        m_jit.and32(JITCompiler::TrustedImm32(1), op1.gpr());
+        m_jit.move(op1.gpr(), result.gpr());
+        m_jit.and32(JITCompiler::TrustedImm32(1), result.gpr());
         
-        integerResult(op1.gpr(), m_compileIndex);
+        integerResult(result.gpr(), m_compileIndex);
         return;
     }
     
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 8039ad2ab..70709b52f 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -30,7 +30,7 @@
 #if ENABLE(DFG_JIT)
 
 #include "DFGSlowPathGenerator.h"
-#include "JSVariableObject.h"
+#include "JSActivation.h"
 
 namespace JSC { namespace DFG {
 
@@ -4070,16 +4070,38 @@ void SpeculativeJIT::compile(Node& node)
         
     case TearOffActivation: {
         JSValueOperand activationValue(this, node.child1());
+        GPRTemporary scratch(this);
         
         GPRReg activationValueTagGPR = activationValue.tagGPR();
         GPRReg activationValuePayloadGPR = activationValue.payloadGPR();
+        GPRReg scratchGPR = scratch.gpr();
 
-        JITCompiler::Jump created = m_jit.branch32(JITCompiler::NotEqual, activationValueTagGPR, TrustedImm32(JSValue::EmptyValueTag));
-
-        addSlowPathGenerator(
-            slowPathCall(
-                created, this, operationTearOffActivation, NoResult, activationValuePayloadGPR));
+        JITCompiler::Jump notCreated = m_jit.branch32(JITCompiler::Equal, activationValueTagGPR, TrustedImm32(JSValue::EmptyValueTag));
+
+        SharedSymbolTable* symbolTable = m_jit.symbolTableFor(node.codeOrigin);
+        int registersOffset = JSActivation::registersOffset(symbolTable);
+
+        int captureEnd = symbolTable->captureEnd();
+        for (int i = symbolTable->captureStart(); i < captureEnd; ++i) {
+            m_jit.loadPtr(
+                JITCompiler::Address(
+                    GPRInfo::callFrameRegister, i * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)),
+                scratchGPR);
+            m_jit.storePtr(
+                scratchGPR, JITCompiler::Address(
+                    activationValuePayloadGPR, registersOffset + i * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
+            m_jit.loadPtr(
+                JITCompiler::Address(
+                    GPRInfo::callFrameRegister, i * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)),
+                scratchGPR);
+            m_jit.storePtr(
+                scratchGPR, JITCompiler::Address(
+                    activationValuePayloadGPR, registersOffset + i * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
+        }
+        m_jit.addPtr(TrustedImm32(registersOffset), activationValuePayloadGPR, scratchGPR);
+        m_jit.storePtr(scratchGPR, JITCompiler::Address(activationValuePayloadGPR, JSActivation::offsetOfRegisters()));
         
+        notCreated.link(&m_jit);
         noResult(m_compileIndex);
         break;
     }
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index 8488d261d..d7cec27c1 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -4041,14 +4041,28 @@ void SpeculativeJIT::compile(Node& node)
         ASSERT(!node.codeOrigin.inlineCallFrame);
 
         JSValueOperand activationValue(this, node.child1());
+        GPRTemporary scratch(this);
         GPRReg activationValueGPR = activationValue.gpr();
+        GPRReg scratchGPR = scratch.gpr();
 
-        JITCompiler::Jump created = m_jit.branchTestPtr(JITCompiler::NonZero, activationValueGPR);
-        
-        addSlowPathGenerator(
-            slowPathCall(
-                created, this, operationTearOffActivation, NoResult, activationValueGPR));
-        
+        JITCompiler::Jump notCreated = m_jit.branchTestPtr(JITCompiler::Zero, activationValueGPR);
+
+        SharedSymbolTable* symbolTable = m_jit.symbolTableFor(node.codeOrigin);
+        int registersOffset = JSActivation::registersOffset(symbolTable);
+
+        int captureEnd = symbolTable->captureEnd();
+        for (int i = symbolTable->captureStart(); i < captureEnd; ++i) {
+            m_jit.loadPtr(
+                JITCompiler::Address(
+                    GPRInfo::callFrameRegister, i * sizeof(Register)), scratchGPR);
+            m_jit.storePtr(
+                scratchGPR, JITCompiler::Address(
+                    activationValueGPR, registersOffset + i * sizeof(Register)));
+        }
+        m_jit.addPtr(TrustedImm32(registersOffset), activationValueGPR, scratchGPR);
+        m_jit.storePtr(scratchGPR, JITCompiler::Address(activationValueGPR, JSActivation::offsetOfRegisters()));
+
+        notCreated.link(&m_jit);
         noResult(m_compileIndex);
         break;
     }
diff --git a/Source/JavaScriptCore/interpreter/AbstractPC.cpp b/Source/JavaScriptCore/interpreter/AbstractPC.cpp
index f986e8872..12bc3a768 100644
--- a/Source/JavaScriptCore/interpreter/AbstractPC.cpp
+++ b/Source/JavaScriptCore/interpreter/AbstractPC.cpp
@@ -45,12 +45,6 @@ AbstractPC::AbstractPC(JSGlobalData& globalData, ExecState* exec)
         return;
     }
 #endif
-    
-#if ENABLE(CLASSIC_INTERPRETER)
-    UNUSED_PARAM(globalData);
-    m_pointer = exec->returnVPC();
-    m_mode = Interpreter;
-#endif
 }
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/interpreter/AbstractPC.h b/Source/JavaScriptCore/interpreter/AbstractPC.h
index 5ed74472e..09a6db8ea 100644
--- a/Source/JavaScriptCore/interpreter/AbstractPC.h
+++ b/Source/JavaScriptCore/interpreter/AbstractPC.h
@@ -60,21 +60,6 @@ public:
     }
 #endif
 
-#if ENABLE(CLASSIC_INTERPRETER)
-    AbstractPC(Instruction* vPC)
-        : m_pointer(vPC)
-        , m_mode(Interpreter)
-    {
-    }
-    
-    bool hasInterpreterReturnAddress() const { return m_mode == Interpreter; }
-    Instruction* interpreterReturnAddress() const
-    {
-        ASSERT(hasInterpreterReturnAddress());
-        return static_cast<Instruction*>(m_pointer);
-    }
-#endif
-    
     bool isSet() const { return m_mode != None; }
     bool operator!() const { return !isSet(); }
 
diff --git a/Source/JavaScriptCore/interpreter/CallFrame.h b/Source/JavaScriptCore/interpreter/CallFrame.h
index da1222ac9..4758e5bd0 100644
--- a/Source/JavaScriptCore/interpreter/CallFrame.h
+++ b/Source/JavaScriptCore/interpreter/CallFrame.h
@@ -148,9 +148,6 @@ namespace JSC  {
             return 0;
         }
 #endif
-#if ENABLE(CLASSIC_INTERPRETER)
-        Instruction* returnVPC() const { return this[RegisterFile::ReturnPC].vPC(); }
-#endif
 #if USE(JSVALUE32_64)
         Instruction* currentVPC() const
         {
diff --git a/Source/JavaScriptCore/interpreter/Interpreter.cpp b/Source/JavaScriptCore/interpreter/Interpreter.cpp
index 3b3409bd6..3107a5dab 100644
--- a/Source/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -72,7 +72,7 @@
 #include "JIT.h"
 #endif
 
-#define WTF_USE_GCC_COMPUTED_GOTO_WORKAROUND ((ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER) || ENABLE(LLINT)) && !defined(__llvm__))
+#define WTF_USE_GCC_COMPUTED_GOTO_WORKAROUND (ENABLE(LLINT) && !defined(__llvm__))
 
 using namespace std;
 
@@ -88,14 +88,6 @@ static int depth(CodeBlock* codeBlock, JSScope* sc)
     return sc->localDepth();
 }
 
-#if ENABLE(CLASSIC_INTERPRETER) 
-static NEVER_INLINE JSValue concatenateStrings(ExecState* exec, Register* strings, unsigned count)
-{
-    return jsString(exec, strings, count);
-}
-
-#endif // ENABLE(CLASSIC_INTERPRETER)
-
 ALWAYS_INLINE CallFrame* Interpreter::slideRegisterWindowForCall(CodeBlock* newCodeBlock, RegisterFile* registerFile, CallFrame* callFrame, size_t registerOffset, int argumentCountIncludingThis)
 {
     // This ensures enough space for the worst case scenario of zero arguments passed by the caller.
@@ -123,16 +115,6 @@ ALWAYS_INLINE CallFrame* Interpreter::slideRegisterWindowForCall(CodeBlock* newC
     return newCallFrame;
 }
 
-#if ENABLE(CLASSIC_INTERPRETER)
-static NEVER_INLINE bool isInvalidParamForIn(CallFrame* callFrame, JSValue value, JSValue& exceptionData)
-{
-    if (value.isObject())
-        return false;
-    exceptionData = createInvalidParamError(callFrame, "in" , value);
-    return true;
-}
-#endif
-
 JSValue eval(CallFrame* callFrame)
 {
     if (!callFrame->argumentCount())
@@ -166,6 +148,9 @@ JSValue eval(CallFrame* callFrame)
                     return parsedObject;                
             }
         }
+        
+        // If the literal parser bailed, it should not have thrown exceptions.
+        ASSERT(!callFrame->globalData().exception);
 
         JSValue exceptionValue;
         eval = callerCodeBlock->evalCodeCache().getSlow(callFrame, callerCodeBlock->ownerExecutable(), callerCodeBlock->isStrictMode(), programSource, callerScopeChain, exceptionValue);
@@ -265,59 +250,22 @@ Interpreter::Interpreter()
 #if !ASSERT_DISABLED
     , m_initialized(false)
 #endif
-    , m_classicEnabled(false)
 {
 }
 
 Interpreter::~Interpreter()
 {
-#if ENABLE(LLINT) && ENABLE(COMPUTED_GOTO_OPCODES)
-    if (m_classicEnabled)
-        delete[] m_opcodeTable;
-#endif
 }
 
 void Interpreter::initialize(bool canUseJIT)
 {
     UNUSED_PARAM(canUseJIT);
 
-    // If we have LLInt, then we shouldn't be building any kind of classic interpreter.
-#if ENABLE(LLINT) && ENABLE(CLASSIC_INTERPRETER)
-#error "Building both LLInt and the Classic Interpreter is not supported because it doesn't make sense."
-#endif
-
-#if ENABLE(COMPUTED_GOTO_OPCODES)
-#if ENABLE(LLINT)
+#if ENABLE(COMPUTED_GOTO_OPCODES) && ENABLE(LLINT)
     m_opcodeTable = LLInt::opcodeMap();
     for (int i = 0; i < numOpcodeIDs; ++i)
         m_opcodeIDTable.add(m_opcodeTable[i], static_cast<OpcodeID>(i));
-    m_classicEnabled = false;
-
-#elif ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-    if (canUseJIT) {
-        // If the JIT is present, don't use jump destinations for opcodes.
-        for (int i = 0; i < numOpcodeIDs; ++i) {
-            Opcode opcode = bitwise_cast<void*>(static_cast<uintptr_t>(i));
-            m_opcodeTable[i] = opcode;
-        }
-        m_classicEnabled = false;
-    } else {
-        privateExecute(InitializeAndReturn, 0, 0);
-        
-        for (int i = 0; i < numOpcodeIDs; ++i)
-            m_opcodeIDTable.add(m_opcodeTable[i], static_cast<OpcodeID>(i));
-        
-        m_classicEnabled = true;
-    }
-#endif // ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-
-#else // !ENABLE(COMPUTED_GOTO_OPCODES)
-#if ENABLE(CLASSIC_INTERPRETER)
-    m_classicEnabled = true;
-#else
-    m_classicEnabled = false;
 #endif
-#endif // !ENABLE(COMPUTED_GOTO_OPCODES)
 
 #if !ASSERT_DISABLED
     m_initialized = true;
@@ -431,12 +379,12 @@ bool Interpreter::isOpcode(Opcode opcode)
 {
 #if ENABLE(COMPUTED_GOTO_OPCODES)
 #if !ENABLE(LLINT)
-    if (!m_classicEnabled)
-        return static_cast<OpcodeID>(bitwise_cast<uintptr_t>(opcode)) <= op_end;
-#endif
+    return static_cast<OpcodeID>(bitwise_cast<uintptr_t>(opcode)) <= op_end;
+#else
     return opcode != HashTraits<Opcode>::emptyValue()
         && !HashTraits<Opcode>::isDeletedValue(opcode)
         && m_opcodeIDTable.contains(opcode);
+#endif
 #else
     return opcode >= 0 && opcode <= op_end;
 #endif
@@ -481,19 +429,8 @@ NEVER_INLINE bool Interpreter::unwindCallFrame(CallFrame*& callFrame, JSValue ex
     // Because of how the JIT records call site->bytecode offset
     // information the JIT reports the bytecodeOffset for the returnPC
     // to be at the beginning of the opcode that has caused the call.
-    // In the interpreter we have an actual return address, which is
-    // the beginning of next instruction to execute. To get an offset
-    // inside the call instruction that triggered the exception we
-    // have to subtract 1.
-#if ENABLE(JIT) && ENABLE(CLASSIC_INTERPRETER)
-    if (callerFrame->globalData().canUseJIT())
-        bytecodeOffset = codeBlock->bytecodeOffset(callerFrame, callFrame->returnPC());
-    else
-        bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnVPC()) - 1;
-#elif ENABLE(JIT) || ENABLE(LLINT)
+#if ENABLE(JIT) || ENABLE(LLINT)
     bytecodeOffset = codeBlock->bytecodeOffset(callerFrame, callFrame->returnPC());
-#else
-    bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnVPC()) - 1;
 #endif
 
     callFrame = callerFrame;
@@ -559,18 +496,12 @@ static int getLineNumberForCallFrame(JSGlobalData* globalData, CallFrame* callFr
     CodeBlock* codeBlock = callFrame->codeBlock();
     if (!codeBlock)
         return -1;
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!globalData->canUseJIT())
-        return codeBlock->lineNumberForBytecodeOffset(callFrame->bytecodeOffsetForNonDFGCode() - 1);
-#endif
 #if ENABLE(JIT) || ENABLE(LLINT)
 #if ENABLE(DFG_JIT)
     if (codeBlock->getJITType() == JITCode::DFGJIT)
         return codeBlock->lineNumberForBytecodeOffset(codeBlock->codeOrigin(callFrame->codeOriginIndexForDFG()).bytecodeIndex);
 #endif
     return codeBlock->lineNumberForBytecodeOffset(callFrame->bytecodeOffsetForNonDFGCode());
-#else
-    return -1;
 #endif
 }
 
@@ -601,13 +532,6 @@ static CallFrame* getCallerInfo(JSGlobalData* globalData, CallFrame* callFrame,
     if (callframeIsHost) {
         // Don't need to deal with inline callframes here as by definition we haven't
         // inlined a call with an intervening native call frame.
-#if ENABLE(CLASSIC_INTERPRETER)
-        if (!globalData->canUseJIT()) {
-            bytecodeOffset = callerFrame->bytecodeOffsetForNonDFGCode();
-            lineNumber = callerCodeBlock->lineNumberForBytecodeOffset(bytecodeOffset - 1);
-            return callerFrame;
-        }
-#endif
 #if ENABLE(JIT) || ENABLE(LLINT)
 #if ENABLE(DFG_JIT)
         if (callerCodeBlock && callerCodeBlock->getJITType() == JITCode::DFGJIT) {
@@ -618,13 +542,6 @@ static CallFrame* getCallerInfo(JSGlobalData* globalData, CallFrame* callFrame,
             bytecodeOffset = callerFrame->bytecodeOffsetForNonDFGCode();
 #endif
     } else {
-#if ENABLE(CLASSIC_INTERPRETER)
-        if (!globalData->canUseJIT()) {
-            bytecodeOffset = callerCodeBlock->bytecodeOffset(callFrame->returnVPC());
-            lineNumber = callerCodeBlock->lineNumberForBytecodeOffset(bytecodeOffset - 1);
-            return callerFrame;
-        }
-#endif
 #if ENABLE(JIT) || ENABLE(LLINT)
     #if ENABLE(DFG_JIT)
         if (callFrame->isInlineCallFrame()) {
@@ -662,16 +579,7 @@ static CallFrame* getCallerInfo(JSGlobalData* globalData, CallFrame* callFrame,
 static ALWAYS_INLINE const String getSourceURLFromCallFrame(CallFrame* callFrame)
 {
     ASSERT(!callFrame->hasHostCallFrameFlag());
-#if ENABLE(CLASSIC_INTERPRETER)
-#if ENABLE(JIT)
-    if (callFrame->globalData().canUseJIT())
-        return callFrame->codeBlock()->ownerExecutable()->sourceURL();
-#endif
-    return callFrame->codeBlock()->source()->url();
-
-#else
     return callFrame->codeBlock()->ownerExecutable()->sourceURL();
-#endif
 }
 
 static StackFrameCodeType getStackFrameCodeType(CallFrame* callFrame)
@@ -978,14 +886,9 @@ failedJSONP:
         m_reentryDepth++;  
 #if ENABLE(LLINT_C_LOOP)
         result = LLInt::CLoop::execute(newCallFrame, llint_program_prologue);
-#else // !ENABLE(LLINT_C_LOOP)
-#if ENABLE(JIT)
-        if (!classicEnabled())
-            result = program->generatedJITCode().execute(&m_registerFile, newCallFrame, scope->globalData());
-        else
+#elif ENABLE(JIT)
+        result = program->generatedJITCode().execute(&m_registerFile, newCallFrame, scope->globalData());
 #endif // ENABLE(JIT)
-            result = privateExecute(Normal, &m_registerFile, newCallFrame);
-#endif // !ENABLE(LLINT_C_LOOP)
 
         m_reentryDepth--;
     }
@@ -1054,14 +957,9 @@ JSValue Interpreter::executeCall(CallFrame* callFrame, JSObject* function, CallT
             m_reentryDepth++;  
 #if ENABLE(LLINT_C_LOOP)
             result = LLInt::CLoop::execute(newCallFrame, llint_function_for_call_prologue);
-#else // ENABLE(LLINT_C_LOOP)
-#if ENABLE(JIT)
-            if (!classicEnabled())
-                result = callData.js.functionExecutable->generatedJITCodeForCall().execute(&m_registerFile, newCallFrame, callDataScope->globalData());
-            else
+#elif ENABLE(JIT)
+            result = callData.js.functionExecutable->generatedJITCodeForCall().execute(&m_registerFile, newCallFrame, callDataScope->globalData());
 #endif // ENABLE(JIT)
-                result = privateExecute(Normal, &m_registerFile, newCallFrame);
-#endif // !ENABLE(LLINT_C_LOOP)
 
             m_reentryDepth--;
         }
@@ -1153,14 +1051,9 @@ JSObject* Interpreter::executeConstruct(CallFrame* callFrame, JSObject* construc
             m_reentryDepth++;  
 #if ENABLE(LLINT_C_LOOP)
             result = LLInt::CLoop::execute(newCallFrame, llint_function_for_construct_prologue);
-#else // !ENABLE(LLINT_C_LOOP)
-#if ENABLE(JIT)
-            if (!classicEnabled())
-                result = constructData.js.functionExecutable->generatedJITCodeForConstruct().execute(&m_registerFile, newCallFrame, constructDataScope->globalData());
-            else
+#elif ENABLE(JIT)
+            result = constructData.js.functionExecutable->generatedJITCodeForConstruct().execute(&m_registerFile, newCallFrame, constructDataScope->globalData());
 #endif // ENABLE(JIT)
-                result = privateExecute(Normal, &m_registerFile, newCallFrame);
-#endif // !ENABLE(LLINT_C_LOOP)
             m_reentryDepth--;
         }
 
@@ -1260,21 +1153,9 @@ JSValue Interpreter::execute(CallFrameClosure& closure)
         m_reentryDepth++;  
 #if ENABLE(LLINT_C_LOOP)
         result = LLInt::CLoop::execute(closure.newCallFrame, llint_function_for_call_prologue);
-#else // !ENABLE(LLINT_C_LOOP)
-#if ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-        if (closure.newCallFrame->globalData().canUseJIT())
-#endif
-            result = closure.functionExecutable->generatedJITCodeForCall().execute(&m_registerFile, closure.newCallFrame, closure.globalData);
-#if ENABLE(CLASSIC_INTERPRETER)
-        else
-#endif
+#elif ENABLE(JIT)
+        result = closure.functionExecutable->generatedJITCodeForCall().execute(&m_registerFile, closure.newCallFrame, closure.globalData);
 #endif // ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-            result = privateExecute(Normal, &m_registerFile, closure.newCallFrame);
-#endif
-#endif // !ENABLE(LLINT_C_LOOP)
-
         m_reentryDepth--;
     }
 
@@ -1365,20 +1246,9 @@ JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSValue
         
 #if ENABLE(LLINT_C_LOOP)
         result = LLInt::CLoop::execute(newCallFrame, llint_eval_prologue);
-#else // !ENABLE(LLINT_C_LOOP)
-#if ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-        if (callFrame->globalData().canUseJIT())
-#endif
-            result = eval->generatedJITCode().execute(&m_registerFile, newCallFrame, scope->globalData());
-#if ENABLE(CLASSIC_INTERPRETER)
-        else
-#endif
+#elif ENABLE(JIT)
+        result = eval->generatedJITCode().execute(&m_registerFile, newCallFrame, scope->globalData());
 #endif // ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-            result = privateExecute(Normal, &m_registerFile, newCallFrame);
-#endif
-#endif // !ENABLE(LLINT_C_LOOP)
         m_reentryDepth--;
     }
 
@@ -1417,3758 +1287,62 @@ NEVER_INLINE void Interpreter::debug(CallFrame* callFrame, DebugHookID debugHook
     }
 }
     
-#if ENABLE(CLASSIC_INTERPRETER)
-NEVER_INLINE JSScope* Interpreter::createNameScope(CallFrame* callFrame, const Instruction* vPC)
+JSValue Interpreter::retrieveArgumentsFromVMCode(CallFrame* callFrame, JSFunction* function) const
 {
-    CodeBlock* codeBlock = callFrame->codeBlock();
-    Identifier& property = codeBlock->identifier(vPC[1].u.operand);
-    JSValue value = callFrame->r(vPC[2].u.operand).jsValue();
-    unsigned attributes = vPC[3].u.operand;
-    JSNameScope* scope = JSNameScope::create(callFrame, property, value, attributes);
-    return scope;
+    CallFrame* functionCallFrame = findFunctionCallFrameFromVMCode(callFrame, function);
+    if (!functionCallFrame)
+        return jsNull();
+
+    Arguments* arguments = Arguments::create(functionCallFrame->globalData(), functionCallFrame);
+    arguments->tearOff(functionCallFrame);
+    return JSValue(arguments);
 }
 
-NEVER_INLINE void Interpreter::tryCachePutByID(CallFrame* callFrame, CodeBlock* codeBlock, Instruction* vPC, JSValue baseValue, const PutPropertySlot& slot)
+JSValue Interpreter::retrieveCallerFromVMCode(CallFrame* callFrame, JSFunction* function) const
 {
-    // Recursive invocation may already have specialized this instruction.
-    if (vPC[0].u.opcode != getOpcode(op_put_by_id))
-        return;
-
-    if (!baseValue.isCell())
-        return;
+    CallFrame* functionCallFrame = findFunctionCallFrameFromVMCode(callFrame, function);
 
-    // Uncacheable: give up.
-    if (!slot.isCacheable()) {
-        vPC[0] = getOpcode(op_put_by_id_generic);
-        return;
-    }
+    if (!functionCallFrame)
+        return jsNull();
     
-    JSCell* baseCell = baseValue.asCell();
-    Structure* structure = baseCell->structure();
-
-    if (structure->isUncacheableDictionary() || structure->typeInfo().prohibitsPropertyCaching()) {
-        vPC[0] = getOpcode(op_put_by_id_generic);
-        return;
-    }
-
-    // Cache miss: record Structure to compare against next time.
-    Structure* lastStructure = vPC[4].u.structure.get();
-    if (structure != lastStructure) {
-        // First miss: record Structure to compare against next time.
-        if (!lastStructure) {
-            vPC[4].u.structure.set(callFrame->globalData(), codeBlock->ownerExecutable(), structure);
-            return;
-        }
-
-        // Second miss: give up.
-        vPC[0] = getOpcode(op_put_by_id_generic);
-        return;
-    }
-
-    // Cache hit: Specialize instruction and ref Structures.
-
-    // If baseCell != slot.base(), then baseCell must be a proxy for another object.
-    if (baseCell != slot.base()) {
-        vPC[0] = getOpcode(op_put_by_id_generic);
-        return;
-    }
-
-    // Structure transition, cache transition info
-    if (slot.type() == PutPropertySlot::NewProperty) {
-        if (structure->isDictionary()) {
-            vPC[0] = getOpcode(op_put_by_id_generic);
-            return;
-        }
+    int lineNumber;
+    unsigned bytecodeOffset;
+    CallFrame* callerFrame = getCallerInfo(&callFrame->globalData(), functionCallFrame, lineNumber, bytecodeOffset);
+    if (!callerFrame)
+        return jsNull();
+    JSValue caller = callerFrame->callee();
+    if (!caller)
+        return jsNull();
 
-        // put_by_id_transition checks the prototype chain for setters.
-        normalizePrototypeChain(callFrame, baseCell);
-        JSCell* owner = codeBlock->ownerExecutable();
-        JSGlobalData& globalData = callFrame->globalData();
-        // Get the prototype here because the call to prototypeChain could cause a 
-        // GC allocation, which we don't want to happen while we're in the middle of 
-        // initializing the union.
-        StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-        vPC[0] = getOpcode(op_put_by_id_transition);
-        vPC[4].u.structure.set(globalData, owner, structure->previousID());
-        vPC[5].u.structure.set(globalData, owner, structure);
-        vPC[6].u.structureChain.set(callFrame->globalData(), codeBlock->ownerExecutable(), prototypeChain);
-        ASSERT(vPC[6].u.structureChain);
-        vPC[7] = slot.cachedOffset();
-        return;
+    // Skip over function bindings.
+    ASSERT(caller.isObject());
+    while (asObject(caller)->inherits(&JSBoundFunction::s_info)) {
+        callerFrame = getCallerInfo(&callFrame->globalData(), callerFrame, lineNumber, bytecodeOffset);
+        if (!callerFrame)
+            return jsNull();
+        caller = callerFrame->callee();
+        if (!caller)
+            return jsNull();
     }
 
-    vPC[0] = getOpcode(op_put_by_id_replace);
-    vPC[5] = slot.cachedOffset();
-}
-
-NEVER_INLINE void Interpreter::uncachePutByID(CodeBlock*, Instruction* vPC)
-{
-    vPC[0] = getOpcode(op_put_by_id);
-    vPC[4] = 0;
+    return caller;
 }
 
-NEVER_INLINE void Interpreter::tryCacheGetByID(CallFrame* callFrame, CodeBlock* codeBlock, Instruction* vPC, JSValue baseValue, const Identifier& propertyName, const PropertySlot& slot)
+void Interpreter::retrieveLastCaller(CallFrame* callFrame, int& lineNumber, intptr_t& sourceID, String& sourceURL, JSValue& function) const
 {
-    // Recursive invocation may already have specialized this instruction.
-    if (vPC[0].u.opcode != getOpcode(op_get_by_id))
-        return;
-
-    // FIXME: Cache property access for immediates.
-    if (!baseValue.isCell()) {
-        vPC[0] = getOpcode(op_get_by_id_generic);
-        return;
-    }
-
-    if (isJSArray(baseValue) && propertyName == callFrame->propertyNames().length) {
-        vPC[0] = getOpcode(op_get_array_length);
-        return;
-    }
-
-    if (isJSString(baseValue) && propertyName == callFrame->propertyNames().length) {
-        vPC[0] = getOpcode(op_get_string_length);
-        return;
-    }
-
-    // Uncacheable: give up.
-    if (!slot.isCacheable()) {
-        vPC[0] = getOpcode(op_get_by_id_generic);
-        return;
-    }
-
-    Structure* structure = baseValue.asCell()->structure();
-
-    if (structure->isUncacheableDictionary() || structure->typeInfo().prohibitsPropertyCaching()) {
-        vPC[0] = getOpcode(op_get_by_id_generic);
-        return;
-    }
-
-    // Cache miss
-    Structure* lastStructure = vPC[4].u.structure.get();
-    if (structure != lastStructure) {
-        // First miss: record Structure to compare against next time.
-        if (!lastStructure) {
-            vPC[4].u.structure.set(callFrame->globalData(), codeBlock->ownerExecutable(), structure);
-            return;
-        }
-
-        // Second miss: give up.
-        vPC[0] = getOpcode(op_get_by_id_generic);
-        return;
-    }
-
-    // Cache hit: Specialize instruction and ref Structures.
-
-    if (slot.slotBase() == baseValue) {
-        switch (slot.cachedPropertyType()) {
-        case PropertySlot::Getter:
-            vPC[0] = getOpcode(op_get_by_id_getter_self);
-            vPC[5] = slot.cachedOffset();
-            break;
-        case PropertySlot::Custom:
-            vPC[0] = getOpcode(op_get_by_id_custom_self);
-            vPC[5] = slot.customGetter();
-            break;
-        default:
-            vPC[0] = getOpcode(op_get_by_id_self);
-            vPC[5] = slot.cachedOffset();
-            break;
-        }
-        return;
-    }
-
-    if (structure->isDictionary()) {
-        vPC[0] = getOpcode(op_get_by_id_generic);
-        return;
-    }
-
-    if (slot.slotBase() == structure->prototypeForLookup(callFrame)) {
-        ASSERT(slot.slotBase().isObject());
-
-        JSObject* baseObject = asObject(slot.slotBase());
-        PropertyOffset offset = slot.cachedOffset();
-
-        // Since we're accessing a prototype in a loop, it's a good bet that it
-        // should not be treated as a dictionary.
-        if (baseObject->structure()->isDictionary()) {
-            baseObject->flattenDictionaryObject(callFrame->globalData());
-            offset = baseObject->structure()->get(callFrame->globalData(), propertyName);
-        }
+    function = JSValue();
+    lineNumber = -1;
+    sourceURL = String();
 
-        ASSERT(!baseObject->structure()->isUncacheableDictionary());
-        
-        switch (slot.cachedPropertyType()) {
-        case PropertySlot::Getter:
-            vPC[0] = getOpcode(op_get_by_id_getter_proto);
-            vPC[6] = offset;
-            break;
-        case PropertySlot::Custom:
-            vPC[0] = getOpcode(op_get_by_id_custom_proto);
-            vPC[6] = slot.customGetter();
-            break;
-        default:
-            vPC[0] = getOpcode(op_get_by_id_proto);
-            vPC[6] = offset;
-            break;
-        }
-        vPC[5].u.structure.set(callFrame->globalData(), codeBlock->ownerExecutable(), baseObject->structure());
+    CallFrame* callerFrame = callFrame->callerFrame();
+    if (callerFrame->hasHostCallFrameFlag())
         return;
-    }
 
-    PropertyOffset offset = slot.cachedOffset();
-    size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase(), propertyName, offset);
-    if (!count) {
-        vPC[0] = getOpcode(op_get_by_id_generic);
-        return;
-    }
-
-    
-    StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-    switch (slot.cachedPropertyType()) {
-    case PropertySlot::Getter:
-        vPC[0] = getOpcode(op_get_by_id_getter_chain);
-        vPC[7] = offset;
-        break;
-    case PropertySlot::Custom:
-        vPC[0] = getOpcode(op_get_by_id_custom_chain);
-        vPC[7] = slot.customGetter();
-        break;
-    default:
-        vPC[0] = getOpcode(op_get_by_id_chain);
-        vPC[7] = offset;
-        break;
-    }
-    vPC[4].u.structure.set(callFrame->globalData(), codeBlock->ownerExecutable(), structure);
-    vPC[5].u.structureChain.set(callFrame->globalData(), codeBlock->ownerExecutable(), prototypeChain);
-    vPC[6] = count;
-}
-
-NEVER_INLINE void Interpreter::uncacheGetByID(CodeBlock*, Instruction* vPC)
-{
-    vPC[0] = getOpcode(op_get_by_id);
-    vPC[4] = 0;
-}
-
-#endif // ENABLE(CLASSIC_INTERPRETER)
-
-#if !ENABLE(LLINT_C_LOOP)
-
-JSValue Interpreter::privateExecute(ExecutionFlag flag, RegisterFile* registerFile, CallFrame* callFrame)
-{
-    // One-time initialization of our address tables. We have to put this code
-    // here because our labels are only in scope inside this function.
-    if (UNLIKELY(flag == InitializeAndReturn)) {
-        #if ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-            #define LIST_OPCODE_LABEL(id, length) &&id,
-                static Opcode labels[] = { FOR_EACH_OPCODE_ID(LIST_OPCODE_LABEL) };
-                for (size_t i = 0; i < WTF_ARRAY_LENGTH(labels); ++i)
-                    m_opcodeTable[i] = labels[i];
-            #undef LIST_OPCODE_LABEL
-        #endif // ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-        return JSValue();
-    }
-    
-    ASSERT(m_initialized);
-    ASSERT(m_classicEnabled);
-    
-#if ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-    // Mixing Interpreter + JIT is not supported.
-    if (callFrame->globalData().canUseJIT())
-#endif
-        ASSERT_NOT_REACHED();
-#endif
-
-#if !ENABLE(CLASSIC_INTERPRETER)
-    UNUSED_PARAM(registerFile);
-    UNUSED_PARAM(callFrame);
-    return JSValue();
-#else
-
-    ASSERT(callFrame->globalData().topCallFrame == callFrame);
-
-    JSGlobalData* globalData = &callFrame->globalData();
-    JSValue exceptionValue;
-    HandlerInfo* handler = 0;
-    CallFrame** topCallFrameSlot = &globalData->topCallFrame;
-
-    CodeBlock* codeBlock = callFrame->codeBlock();
-    Instruction* vPC = codeBlock->instructions().begin();
-    unsigned tickCount = globalData->timeoutChecker.ticksUntilNextCheck();
-    JSValue functionReturnValue;
-
-#define CHECK_FOR_EXCEPTION() \
-    do { \
-        if (UNLIKELY(globalData->exception != JSValue())) { \
-            exceptionValue = globalData->exception; \
-            goto vm_throw; \
-        } \
-    } while (0)
-
-#if ENABLE(OPCODE_STATS)
-    OpcodeStats::resetLastInstruction();
-#endif
-
-#define CHECK_FOR_TIMEOUT() \
-    if (!--tickCount) { \
-        if (globalData->terminator.shouldTerminate() || globalData->timeoutChecker.didTimeOut(callFrame)) { \
-            exceptionValue = jsNull(); \
-            goto vm_throw; \
-        } \
-        tickCount = globalData->timeoutChecker.ticksUntilNextCheck(); \
-    }
-    
-#if ENABLE(OPCODE_SAMPLING)
-    #define SAMPLE(codeBlock, vPC) m_sampler->sample(codeBlock, vPC)
-#else
-    #define SAMPLE(codeBlock, vPC)
-#endif
-
-#define UPDATE_BYTECODE_OFFSET() \
-    do {\
-        callFrame->setBytecodeOffsetForNonDFGCode(vPC - codeBlock->instructions().data() + 1);\
-    } while (0)
-
-#if ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-    #define NEXT_INSTRUCTION() SAMPLE(codeBlock, vPC); goto *vPC->u.opcode
-#if ENABLE(OPCODE_STATS)
-    #define DEFINE_OPCODE(opcode) \
-        opcode:\
-            OpcodeStats::recordInstruction(opcode);\
-            UPDATE_BYTECODE_OFFSET();
-#else
-    #define DEFINE_OPCODE(opcode) opcode: UPDATE_BYTECODE_OFFSET();
-#endif // !ENABLE(OPCODE_STATS)
-    NEXT_INSTRUCTION();
-#else // !ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-    #define NEXT_INSTRUCTION() SAMPLE(codeBlock, vPC); goto interpreterLoopStart
-#if ENABLE(OPCODE_STATS)
-    #define DEFINE_OPCODE(opcode) \
-        case opcode:\
-            OpcodeStats::recordInstruction(opcode);\
-            UPDATE_BYTECODE_OFFSET();
-#else
-    #define DEFINE_OPCODE(opcode) case opcode: UPDATE_BYTECODE_OFFSET();
-#endif
-    while (1) { // iterator loop begins
-    interpreterLoopStart:;
-    switch (vPC->u.opcode)
-#endif // !ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-    {
-    DEFINE_OPCODE(op_new_object) {
-        /* new_object dst(r)
-
-           Constructs a new empty Object instance using the original
-           constructor, and puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        callFrame->uncheckedR(dst) = JSValue(constructEmptyObject(callFrame));
-
-        vPC += OPCODE_LENGTH(op_new_object);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_new_array) {
-        /* new_array dst(r) firstArg(r) argCount(n)
-
-           Constructs a new Array instance using the original
-           constructor, and puts the result in register dst.
-           The array will contain argCount elements with values
-           taken from registers starting at register firstArg.
-        */
-        int dst = vPC[1].u.operand;
-        int firstArg = vPC[2].u.operand;
-        int argCount = vPC[3].u.operand;
-        callFrame->uncheckedR(dst) = JSValue(constructArray(callFrame, reinterpret_cast<JSValue*>(&callFrame->registers()[firstArg]), argCount));
-
-        vPC += OPCODE_LENGTH(op_new_array);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_new_array_buffer) {
-        /* new_array_buffer dst(r) index(n) argCount(n)
-         
-         Constructs a new Array instance using the original
-         constructor, and puts the result in register dst.
-         The array be initialized with the values from constantBuffer[index]
-         */
-        int dst = vPC[1].u.operand;
-        int firstArg = vPC[2].u.operand;
-        int argCount = vPC[3].u.operand;
-        callFrame->uncheckedR(dst) = JSValue(constructArray(callFrame, codeBlock->constantBuffer(firstArg), argCount));
-        
-        vPC += OPCODE_LENGTH(op_new_array);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_new_regexp) {
-        /* new_regexp dst(r) regExp(re)
-
-           Constructs a new RegExp instance using the original
-           constructor from regexp regExp, and puts the result in
-           register dst.
-        */
-        int dst = vPC[1].u.operand;
-        RegExp* regExp = codeBlock->regexp(vPC[2].u.operand);
-        if (!regExp->isValid()) {
-            exceptionValue = createSyntaxError(callFrame, "Invalid flags supplied to RegExp constructor.");
-            goto vm_throw;
-        }
-        callFrame->uncheckedR(dst) = JSValue(RegExpObject::create(*globalData, callFrame->lexicalGlobalObject(), callFrame->scope()->globalObject()->regExpStructure(), regExp));
-
-        vPC += OPCODE_LENGTH(op_new_regexp);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_mov) {
-        /* mov dst(r) src(r)
-
-           Copies register src to register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        
-        callFrame->uncheckedR(dst) = callFrame->r(src);
-
-        vPC += OPCODE_LENGTH(op_mov);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_eq) {
-        /* eq dst(r) src1(r) src2(r)
-
-           Checks whether register src1 and register src2 are equal,
-           as with the ECMAScript '==' operator, and puts the result
-           as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32())
-            callFrame->uncheckedR(dst) = jsBoolean(src1.asInt32() == src2.asInt32());
-        else {
-            JSValue result = jsBoolean(JSValue::equalSlowCase(callFrame, src1, src2));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_eq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_eq_null) {
-        /* eq_null dst(r) src(r)
-
-           Checks whether register src is null, as with the ECMAScript '!='
-           operator, and puts the result as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src = callFrame->r(vPC[2].u.operand).jsValue();
-
-        if (src.isUndefinedOrNull()) {
-            callFrame->uncheckedR(dst) = jsBoolean(true);
-            vPC += OPCODE_LENGTH(op_eq_null);
-            NEXT_INSTRUCTION();
-        }
-        
-        callFrame->uncheckedR(dst) = jsBoolean(src.isCell() && src.asCell()->structure()->masqueradesAsUndefined(callFrame->lexicalGlobalObject()));
-        vPC += OPCODE_LENGTH(op_eq_null);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_neq) {
-        /* neq dst(r) src1(r) src2(r)
-
-           Checks whether register src1 and register src2 are not
-           equal, as with the ECMAScript '!=' operator, and puts the
-           result as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32())
-            callFrame->uncheckedR(dst) = jsBoolean(src1.asInt32() != src2.asInt32());
-        else {
-            JSValue result = jsBoolean(!JSValue::equalSlowCase(callFrame, src1, src2));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_neq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_neq_null) {
-        /* neq_null dst(r) src(r)
-
-           Checks whether register src is not null, as with the ECMAScript '!='
-           operator, and puts the result as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src = callFrame->r(vPC[2].u.operand).jsValue();
-
-        if (src.isUndefinedOrNull()) {
-            callFrame->uncheckedR(dst) = jsBoolean(false);
-            vPC += OPCODE_LENGTH(op_neq_null);
-            NEXT_INSTRUCTION();
-        }
-        
-        callFrame->uncheckedR(dst) = jsBoolean(!src.isCell() || !src.asCell()->structure()->masqueradesAsUndefined(callFrame->lexicalGlobalObject()));
-        vPC += OPCODE_LENGTH(op_neq_null);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_stricteq) {
-        /* stricteq dst(r) src1(r) src2(r)
-
-           Checks whether register src1 and register src2 are strictly
-           equal, as with the ECMAScript '===' operator, and puts the
-           result as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        bool result = JSValue::strictEqual(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = jsBoolean(result);
-
-        vPC += OPCODE_LENGTH(op_stricteq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_nstricteq) {
-        /* nstricteq dst(r) src1(r) src2(r)
-
-           Checks whether register src1 and register src2 are not
-           strictly equal, as with the ECMAScript '!==' operator, and
-           puts the result as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        bool result = !JSValue::strictEqual(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = jsBoolean(result);
-
-        vPC += OPCODE_LENGTH(op_nstricteq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_less) {
-        /* less dst(r) src1(r) src2(r)
-
-           Checks whether register src1 is less than register src2, as
-           with the ECMAScript '<' operator, and puts the result as
-           a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        JSValue result = jsBoolean(jsLess<true>(callFrame, src1, src2));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_less);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_lesseq) {
-        /* lesseq dst(r) src1(r) src2(r)
-
-           Checks whether register src1 is less than or equal to
-           register src2, as with the ECMAScript '<=' operator, and
-           puts the result as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        JSValue result = jsBoolean(jsLessEq<true>(callFrame, src1, src2));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_lesseq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_greater) {
-        /* greater dst(r) src1(r) src2(r)
-
-           Checks whether register src1 is greater than register src2, as
-           with the ECMAScript '>' operator, and puts the result as
-           a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        JSValue result = jsBoolean(jsLess<false>(callFrame, src2, src1));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_greater);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_greatereq) {
-        /* greatereq dst(r) src1(r) src2(r)
-
-           Checks whether register src1 is greater than or equal to
-           register src2, as with the ECMAScript '>=' operator, and
-           puts the result as a boolean in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        JSValue result = jsBoolean(jsLessEq<false>(callFrame, src2, src1));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_greatereq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_pre_inc) {
-        /* pre_inc srcDst(r)
-
-           Converts register srcDst to number, adds one, and puts the result
-           back in register srcDst.
-        */
-        int srcDst = vPC[1].u.operand;
-        JSValue v = callFrame->r(srcDst).jsValue();
-        if (v.isInt32() && v.asInt32() < INT_MAX)
-            callFrame->uncheckedR(srcDst) = jsNumber(v.asInt32() + 1);
-        else {
-            JSValue result = jsNumber(v.toNumber(callFrame) + 1);
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(srcDst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_pre_inc);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_pre_dec) {
-        /* pre_dec srcDst(r)
-
-           Converts register srcDst to number, subtracts one, and puts the result
-           back in register srcDst.
-        */
-        int srcDst = vPC[1].u.operand;
-        JSValue v = callFrame->r(srcDst).jsValue();
-        if (v.isInt32() && v.asInt32() > INT_MIN)
-            callFrame->uncheckedR(srcDst) = jsNumber(v.asInt32() - 1);
-        else {
-            JSValue result = jsNumber(v.toNumber(callFrame) - 1);
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(srcDst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_pre_dec);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_post_inc) {
-        /* post_inc dst(r) srcDst(r)
-
-           Converts register srcDst to number. The number itself is
-           written to register dst, and the number plus one is written
-           back to register srcDst.
-        */
-        int dst = vPC[1].u.operand;
-        int srcDst = vPC[2].u.operand;
-        JSValue v = callFrame->r(srcDst).jsValue();
-        if (v.isInt32() && v.asInt32() < INT_MAX) {
-            callFrame->uncheckedR(srcDst) = jsNumber(v.asInt32() + 1);
-            callFrame->uncheckedR(dst) = v;
-        } else {
-            double number = callFrame->r(srcDst).jsValue().toNumber(callFrame);
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(srcDst) = jsNumber(number + 1);
-            callFrame->uncheckedR(dst) = jsNumber(number);
-        }
-
-        vPC += OPCODE_LENGTH(op_post_inc);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_post_dec) {
-        /* post_dec dst(r) srcDst(r)
-
-           Converts register srcDst to number. The number itself is
-           written to register dst, and the number minus one is written
-           back to register srcDst.
-        */
-        int dst = vPC[1].u.operand;
-        int srcDst = vPC[2].u.operand;
-        JSValue v = callFrame->r(srcDst).jsValue();
-        if (v.isInt32() && v.asInt32() > INT_MIN) {
-            callFrame->uncheckedR(srcDst) = jsNumber(v.asInt32() - 1);
-            callFrame->uncheckedR(dst) = v;
-        } else {
-            double number = callFrame->r(srcDst).jsValue().toNumber(callFrame);
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(srcDst) = jsNumber(number - 1);
-            callFrame->uncheckedR(dst) = jsNumber(number);
-        }
-
-        vPC += OPCODE_LENGTH(op_post_dec);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_to_jsnumber) {
-        /* to_jsnumber dst(r) src(r)
-
-           Converts register src to number, and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-
-        JSValue srcVal = callFrame->r(src).jsValue();
-
-        if (LIKELY(srcVal.isNumber()))
-            callFrame->uncheckedR(dst) = callFrame->r(src);
-        else {
-            double number = srcVal.toNumber(callFrame);
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = jsNumber(number);
-        }
-
-        vPC += OPCODE_LENGTH(op_to_jsnumber);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_negate) {
-        /* negate dst(r) src(r)
-
-           Converts register src to number, negates it, and puts the
-           result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src = callFrame->r(vPC[2].u.operand).jsValue();
-        if (src.isInt32() && (src.asInt32() & 0x7fffffff)) // non-zero and no overflow
-            callFrame->uncheckedR(dst) = jsNumber(-src.asInt32());
-        else {
-            JSValue result = jsNumber(-src.toNumber(callFrame));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_negate);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_add) {
-        /* add dst(r) src1(r) src2(r)
-
-           Adds register src1 and register src2, and puts the result
-           in register dst. (JS add may be string concatenation or
-           numeric add, depending on the types of the operands.)
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32() && !((src1.asInt32() | src2.asInt32()) & 0xc0000000)) // no overflow
-            callFrame->uncheckedR(dst) = jsNumber(src1.asInt32() + src2.asInt32());
-        else {
-            JSValue result = jsAdd(callFrame, src1, src2);
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-        vPC += OPCODE_LENGTH(op_add);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_mul) {
-        /* mul dst(r) src1(r) src2(r)
-
-           Multiplies register src1 and register src2 (converted to
-           numbers), and puts the product in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32() && !(src1.asInt32() | src2.asInt32()) >> 15) // no overflow
-                callFrame->uncheckedR(dst) = jsNumber(src1.asInt32() * src2.asInt32());
-        else {
-            JSValue result = jsNumber(src1.toNumber(callFrame) * src2.toNumber(callFrame));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_mul);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_div) {
-        /* div dst(r) dividend(r) divisor(r)
-
-           Divides register dividend (converted to number) by the
-           register divisor (converted to number), and puts the
-           quotient in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue dividend = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue divisor = callFrame->r(vPC[3].u.operand).jsValue();
-
-        JSValue result = jsNumber(dividend.toNumber(callFrame) / divisor.toNumber(callFrame));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_div);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_mod) {
-        /* mod dst(r) dividend(r) divisor(r)
-
-           Divides register dividend (converted to number) by
-           register divisor (converted to number), and puts the
-           remainder in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue dividend = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue divisor = callFrame->r(vPC[3].u.operand).jsValue();
-
-        if (dividend.isInt32() && divisor.isInt32() && divisor.asInt32() != 0 && divisor.asInt32() != -1) {
-            JSValue result = jsNumber(dividend.asInt32() % divisor.asInt32());
-            ASSERT(result);
-            callFrame->uncheckedR(dst) = result;
-            vPC += OPCODE_LENGTH(op_mod);
-            NEXT_INSTRUCTION();
-        }
-
-        // Conversion to double must happen outside the call to fmod since the
-        // order of argument evaluation is not guaranteed.
-        double d1 = dividend.toNumber(callFrame);
-        double d2 = divisor.toNumber(callFrame);
-        JSValue result = jsNumber(fmod(d1, d2));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-        vPC += OPCODE_LENGTH(op_mod);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_sub) {
-        /* sub dst(r) src1(r) src2(r)
-
-           Subtracts register src2 (converted to number) from register
-           src1 (converted to number), and puts the difference in
-           register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32() && !((src1.asInt32() | src2.asInt32()) & 0xc0000000)) // no overflow
-            callFrame->uncheckedR(dst) = jsNumber(src1.asInt32() - src2.asInt32());
-        else {
-            JSValue result = jsNumber(src1.toNumber(callFrame) - src2.toNumber(callFrame));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-        vPC += OPCODE_LENGTH(op_sub);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_lshift) {
-        /* lshift dst(r) val(r) shift(r)
-
-           Performs left shift of register val (converted to int32) by
-           register shift (converted to uint32), and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue val = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue shift = callFrame->r(vPC[3].u.operand).jsValue();
-
-        if (val.isInt32() && shift.isInt32())
-            callFrame->uncheckedR(dst) = jsNumber(val.asInt32() << (shift.asInt32() & 0x1f));
-        else {
-            JSValue result = jsNumber((val.toInt32(callFrame)) << (shift.toUInt32(callFrame) & 0x1f));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_lshift);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_rshift) {
-        /* rshift dst(r) val(r) shift(r)
-
-           Performs arithmetic right shift of register val (converted
-           to int32) by register shift (converted to
-           uint32), and puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue val = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue shift = callFrame->r(vPC[3].u.operand).jsValue();
-
-        if (val.isInt32() && shift.isInt32())
-            callFrame->uncheckedR(dst) = jsNumber(val.asInt32() >> (shift.asInt32() & 0x1f));
-        else {
-            JSValue result = jsNumber((val.toInt32(callFrame)) >> (shift.toUInt32(callFrame) & 0x1f));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_rshift);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_urshift) {
-        /* rshift dst(r) val(r) shift(r)
-
-           Performs logical right shift of register val (converted
-           to uint32) by register shift (converted to
-           uint32), and puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue val = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue shift = callFrame->r(vPC[3].u.operand).jsValue();
-        if (val.isUInt32() && shift.isInt32())
-            callFrame->uncheckedR(dst) = jsNumber(val.asInt32() >> (shift.asInt32() & 0x1f));
-        else {
-            JSValue result = jsNumber((val.toUInt32(callFrame)) >> (shift.toUInt32(callFrame) & 0x1f));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_urshift);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_bitand) {
-        /* bitand dst(r) src1(r) src2(r)
-
-           Computes bitwise AND of register src1 (converted to int32)
-           and register src2 (converted to int32), and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32())
-            callFrame->uncheckedR(dst) = jsNumber(src1.asInt32() & src2.asInt32());
-        else {
-            JSValue result = jsNumber(src1.toInt32(callFrame) & src2.toInt32(callFrame));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_bitand);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_bitxor) {
-        /* bitxor dst(r) src1(r) src2(r)
-
-           Computes bitwise XOR of register src1 (converted to int32)
-           and register src2 (converted to int32), and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32())
-            callFrame->uncheckedR(dst) = jsNumber(src1.asInt32() ^ src2.asInt32());
-        else {
-            JSValue result = jsNumber(src1.toInt32(callFrame) ^ src2.toInt32(callFrame));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_bitxor);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_bitor) {
-        /* bitor dst(r) src1(r) src2(r)
-
-           Computes bitwise OR of register src1 (converted to int32)
-           and register src2 (converted to int32), and puts the
-           result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
-        if (src1.isInt32() && src2.isInt32())
-            callFrame->uncheckedR(dst) = jsNumber(src1.asInt32() | src2.asInt32());
-        else {
-            JSValue result = jsNumber(src1.toInt32(callFrame) | src2.toInt32(callFrame));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        }
-
-        vPC += OPCODE_LENGTH(op_bitor);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_not) {
-        /* not dst(r) src(r)
-
-           Computes logical NOT of register src (converted to
-           boolean), and puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        JSValue result = jsBoolean(!callFrame->r(src).jsValue().toBoolean(callFrame));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_not);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_check_has_instance) {
-        /* check_has_instance constructor(r)
-
-           Check 'constructor' is an object with the internal property
-           [HasInstance] (i.e. is a function ... *shakes head sadly at
-           JSC API*). Raises an exception if register constructor is not
-           an valid parameter for instanceof.
-        */
-        int dst = vPC[1].u.operand;
-        int value = vPC[2].u.operand;
-        int base = vPC[3].u.operand;
-        int target = vPC[4].u.operand;
-
-        JSValue baseVal = callFrame->r(base).jsValue();
-
-        if (baseVal.isObject()) {
-            TypeInfo info = asObject(baseVal)->structure()->typeInfo();
-            if (info.implementsDefaultHasInstance()) {
-                vPC += OPCODE_LENGTH(op_check_has_instance);
-                NEXT_INSTRUCTION();
-            }
-            if (info.implementsHasInstance()) {
-                JSValue baseVal = callFrame->r(base).jsValue();
-                bool result = asObject(baseVal)->methodTable()->customHasInstance(asObject(baseVal), callFrame, callFrame->r(value).jsValue());
-                CHECK_FOR_EXCEPTION();
-                callFrame->uncheckedR(dst) = jsBoolean(result);
-
-                vPC += target;
-                NEXT_INSTRUCTION();
-            }
-        }
-
-        exceptionValue = createInvalidParamError(callFrame, "instanceof" , baseVal);
-        goto vm_throw;
-    }
-    DEFINE_OPCODE(op_instanceof) {
-        /* instanceof dst(r) value(r) constructor(r) constructorProto(r)
-
-           Tests whether register value is an instance of register
-           constructor, and puts the boolean result in register
-           dst. Register constructorProto must contain the "prototype"
-           property (not the actual prototype) of the object in
-           register constructor. This lookup is separated so that
-           polymorphic inline caching can apply.
-
-           Raises an exception if register constructor is not an
-           object.
-        */
-        int dst = vPC[1].u.operand;
-        int value = vPC[2].u.operand;
-        int baseProto = vPC[3].u.operand;
-
-        bool result = JSObject::defaultHasInstance(callFrame, callFrame->r(value).jsValue(), callFrame->r(baseProto).jsValue());
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = jsBoolean(result);
-
-        vPC += OPCODE_LENGTH(op_instanceof);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_typeof) {
-        /* typeof dst(r) src(r)
-
-           Determines the type string for src according to ECMAScript
-           rules, and puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        callFrame->uncheckedR(dst) = JSValue(jsTypeStringForValue(callFrame, callFrame->r(src).jsValue()));
-
-        vPC += OPCODE_LENGTH(op_typeof);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_is_undefined) {
-        /* is_undefined dst(r) src(r)
-
-           Determines whether the type string for src according to
-           the ECMAScript rules is "undefined", and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        JSValue v = callFrame->r(src).jsValue();
-        callFrame->uncheckedR(dst) = jsBoolean(v.isCell() ? v.asCell()->structure()->masqueradesAsUndefined(callFrame->lexicalGlobalObject()) : v.isUndefined());
-
-        vPC += OPCODE_LENGTH(op_is_undefined);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_is_boolean) {
-        /* is_boolean dst(r) src(r)
-
-           Determines whether the type string for src according to
-           the ECMAScript rules is "boolean", and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        callFrame->uncheckedR(dst) = jsBoolean(callFrame->r(src).jsValue().isBoolean());
-
-        vPC += OPCODE_LENGTH(op_is_boolean);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_is_number) {
-        /* is_number dst(r) src(r)
-
-           Determines whether the type string for src according to
-           the ECMAScript rules is "number", and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        callFrame->uncheckedR(dst) = jsBoolean(callFrame->r(src).jsValue().isNumber());
-
-        vPC += OPCODE_LENGTH(op_is_number);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_is_string) {
-        /* is_string dst(r) src(r)
-
-           Determines whether the type string for src according to
-           the ECMAScript rules is "string", and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        callFrame->uncheckedR(dst) = jsBoolean(callFrame->r(src).jsValue().isString());
-
-        vPC += OPCODE_LENGTH(op_is_string);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_is_object) {
-        /* is_object dst(r) src(r)
-
-           Determines whether the type string for src according to
-           the ECMAScript rules is "object", and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        callFrame->uncheckedR(dst) = jsBoolean(jsIsObjectType(callFrame, callFrame->r(src).jsValue()));
-
-        vPC += OPCODE_LENGTH(op_is_object);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_is_function) {
-        /* is_function dst(r) src(r)
-
-           Determines whether the type string for src according to
-           the ECMAScript rules is "function", and puts the result
-           in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        callFrame->uncheckedR(dst) = jsBoolean(jsIsFunctionType(callFrame->r(src).jsValue()));
-
-        vPC += OPCODE_LENGTH(op_is_function);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_in) {
-        /* in dst(r) property(r) base(r)
-
-           Tests whether register base has a property named register
-           property, and puts the boolean result in register dst.
-
-           Raises an exception if register constructor is not an
-           object.
-        */
-        int dst = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        int base = vPC[3].u.operand;
-
-        JSValue baseVal = callFrame->r(base).jsValue();
-        if (isInvalidParamForIn(callFrame, baseVal, exceptionValue))
-            goto vm_throw;
-
-        JSObject* baseObj = asObject(baseVal);
-
-        JSValue propName = callFrame->r(property).jsValue();
-
-        uint32_t i;
-        if (propName.getUInt32(i))
-            callFrame->uncheckedR(dst) = jsBoolean(baseObj->hasProperty(callFrame, i));
-        else if (isName(propName))
-            callFrame->uncheckedR(dst) = jsBoolean(baseObj->hasProperty(callFrame, jsCast<NameInstance*>(propName.asCell())->privateName()));
-        else {
-            Identifier property(callFrame, propName.toString(callFrame)->value(callFrame));
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = jsBoolean(baseObj->hasProperty(callFrame, property));
-        }
-
-        vPC += OPCODE_LENGTH(op_in);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_resolve) {
-        /* resolve dst(r) property(id)
-
-           Looks up the property named by identifier property in the
-           scope chain, and writes the resulting value to register
-           dst. If the property is not found, raises an exception.
-        */
-        int dst = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        Identifier& ident = callFrame->codeBlock()->identifier(property);
-
-        JSValue result = JSScope::resolve(callFrame, ident);
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_resolve);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_resolve_skip) {
-        /* resolve_skip dst(r) property(id) skip(n)
-
-         Looks up the property named by identifier property in the
-         scope chain skipping the top 'skip' levels, and writes the resulting
-         value to register dst. If the property is not found, raises an exception.
-         */
-        int dst = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        int skip = vPC[3].u.operand;
-        Identifier& ident = callFrame->codeBlock()->identifier(property);
-
-        JSValue result = JSScope::resolveSkip(callFrame, ident, skip);
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_resolve_skip);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_resolve_global) {
-        /* resolve_skip dst(r) globalObject(c) property(id) structure(sID) offset(n)
-         
-           Performs a dynamic property lookup for the given property, on the provided
-           global object.  If structure matches the Structure of the global then perform
-           a fast lookup using the case offset, otherwise fall back to a full resolve and
-           cache the new structure and offset
-         */
-        int dst = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        Identifier& ident = callFrame->codeBlock()->identifier(property);
-
-        JSValue result = JSScope::resolveGlobal(
-            callFrame,
-            ident,
-            callFrame->lexicalGlobalObject(),
-            &vPC[3].u.structure,
-            &vPC[4].u.operand
-        );
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_resolve_global);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_resolve_global_dynamic) {
-        /* resolve_skip dst(r) globalObject(c) property(id) structure(sID) offset(n), depth(n)
-         
-         Performs a dynamic property lookup for the given property, on the provided
-         global object.  If structure matches the Structure of the global then perform
-         a fast lookup using the case offset, otherwise fall back to a full resolve and
-         cache the new structure and offset.
-         
-         This walks through n levels of the scope chain to verify that none of those levels
-         in the scope chain include dynamically added properties.
-         */
-        int dst = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        int skip = vPC[5].u.operand;
-        Identifier& ident = callFrame->codeBlock()->identifier(property);
-
-        JSValue result = JSScope::resolveGlobalDynamic(callFrame, ident, skip, &vPC[3].u.structure, &vPC[4].u.operand);
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_resolve_global_dynamic);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_global_var) {
-        /* get_global_var dst(r) globalObject(c) registerPointer(n)
-
-           Gets the global var at global slot index and places it in register dst.
-         */
-        int dst = vPC[1].u.operand;
-        WriteBarrier<Unknown>* registerPointer = vPC[2].u.registerPointer;
-
-        callFrame->uncheckedR(dst) = registerPointer->get();
-        vPC += OPCODE_LENGTH(op_get_global_var);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_global_var_watchable) {
-        /* get_global_var_watchable dst(r) globalObject(c) registerPointer(n)
-
-           Gets the global var at global slot index and places it in register dst.
-         */
-        int dst = vPC[1].u.operand;
-        WriteBarrier<Unknown>* registerPointer = vPC[2].u.registerPointer;
-
-        callFrame->uncheckedR(dst) = registerPointer->get();
-        vPC += OPCODE_LENGTH(op_get_global_var_watchable);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_init_global_const)
-    DEFINE_OPCODE(op_put_global_var) {
-        /* put_global_var globalObject(c) registerPointer(n) value(r)
-         
-           Puts value into global slot index.
-         */
-        JSGlobalObject* scope = codeBlock->globalObject();
-        ASSERT(scope->isGlobalObject());
-        WriteBarrier<Unknown>* registerPointer = vPC[1].u.registerPointer;
-        int value = vPC[2].u.operand;
-        
-        registerPointer->set(*globalData, scope, callFrame->r(value).jsValue());
-        vPC += OPCODE_LENGTH(op_put_global_var);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_init_global_const_check)
-    DEFINE_OPCODE(op_put_global_var_check) {
-        /* put_global_var_check globalObject(c) registerPointer(n) value(r)
-         
-           Puts value into global slot index. In JIT configurations this will
-           perform a watchpoint check. If we're running with the old interpreter,
-           this is not necessary; the interpreter never uses these watchpoints.
-         */
-        JSGlobalObject* scope = codeBlock->globalObject();
-        ASSERT(scope->isGlobalObject());
-        WriteBarrier<Unknown>* registerPointer = vPC[1].u.registerPointer;
-        int value = vPC[2].u.operand;
-        
-        registerPointer->set(*globalData, scope, callFrame->r(value).jsValue());
-        vPC += OPCODE_LENGTH(op_put_global_var_check);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_scoped_var) {
-        /* get_scoped_var dst(r) index(n) skip(n)
-
-         Loads the contents of the index-th local from the scope skip nodes from
-         the top of the scope chain, and places it in register dst.
-         */
-        int dst = vPC[1].u.operand;
-        int index = vPC[2].u.operand;
-        int skip = vPC[3].u.operand;
-
-        JSScope* scope = callFrame->scope();
-        ScopeChainIterator iter = scope->begin();
-        ScopeChainIterator end = scope->end();
-        ASSERT_UNUSED(end, iter != end);
-        ASSERT(codeBlock == callFrame->codeBlock());
-        bool checkTopLevel = codeBlock->codeType() == FunctionCode && codeBlock->needsFullScopeChain();
-        ASSERT(skip || !checkTopLevel);
-        if (checkTopLevel && skip--) {
-            if (callFrame->r(codeBlock->activationRegister()).jsValue())
-                ++iter;
-        }
-        while (skip--) {
-            ++iter;
-            ASSERT_UNUSED(end, iter != end);
-        }
-        ASSERT(iter->isVariableObject());
-        JSVariableObject* variableObject = jsCast<JSVariableObject*>(iter.get());
-        callFrame->uncheckedR(dst) = variableObject->registerAt(index).get();
-        ASSERT(callFrame->r(dst).jsValue());
-        vPC += OPCODE_LENGTH(op_get_scoped_var);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_put_scoped_var) {
-        /* put_scoped_var index(n) skip(n) value(r)
-
-         */
-        int index = vPC[1].u.operand;
-        int skip = vPC[2].u.operand;
-        int value = vPC[3].u.operand;
-
-        JSScope* scope = callFrame->scope();
-        ScopeChainIterator iter = scope->begin();
-        ScopeChainIterator end = scope->end();
-        ASSERT(codeBlock == callFrame->codeBlock());
-        ASSERT_UNUSED(end, iter != end);
-        bool checkTopLevel = codeBlock->codeType() == FunctionCode && codeBlock->needsFullScopeChain();
-        ASSERT(skip || !checkTopLevel);
-        if (checkTopLevel && skip--) {
-            if (callFrame->r(codeBlock->activationRegister()).jsValue())
-                ++iter;
-        }
-        while (skip--) {
-            ++iter;
-            ASSERT_UNUSED(end, iter != end);
-        }
-
-        ASSERT(iter->isVariableObject());
-        JSVariableObject* variableObject = jsCast<JSVariableObject*>(iter.get());
-        ASSERT(callFrame->r(value).jsValue());
-        variableObject->registerAt(index).set(*globalData, variableObject, callFrame->r(value).jsValue());
-        vPC += OPCODE_LENGTH(op_put_scoped_var);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_resolve_base) {
-        /* resolve_base dst(r) property(id) isStrict(bool)
-
-           Searches the scope chain for an object containing
-           identifier property, and if one is found, writes it to
-           register dst. If none is found and isStrict is false, the
-           outermost scope (which will be the global object) is
-           stored in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        bool isStrict = vPC[3].u.operand;
-        Identifier& ident = callFrame->codeBlock()->identifier(property);
-
-        JSValue result = JSScope::resolveBase(callFrame, ident, isStrict);
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-
-        vPC += OPCODE_LENGTH(op_resolve_base);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_ensure_property_exists) {
-        /* ensure_property_exists base(r) property(id)
-
-           Throws an exception if property does not exist on base
-         */
-        int base = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        Identifier& ident = codeBlock->identifier(property);
-        
-        JSValue baseVal = callFrame->r(base).jsValue();
-        JSObject* baseObject = asObject(baseVal);
-        PropertySlot slot(baseVal);
-        if (!baseObject->getPropertySlot(callFrame, ident, slot)) {
-            exceptionValue = createErrorForInvalidGlobalAssignment(callFrame, ident.string());
-            goto vm_throw;
-        }
-
-        vPC += OPCODE_LENGTH(op_ensure_property_exists);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_resolve_with_base) {
-        /* resolve_with_base baseDst(r) propDst(r) property(id)
-
-           Searches the scope chain for an object containing
-           identifier property, and if one is found, writes it to
-           register srcDst, and the retrieved property value to register
-           propDst. If the property is not found, raises an exception.
-
-           This is more efficient than doing resolve_base followed by
-           resolve, or resolve_base followed by get_by_id, as it
-           avoids duplicate hash lookups.
-        */
-        int baseDst = vPC[1].u.operand;
-        int propDst = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-        Identifier& ident = codeBlock->identifier(property);
-
-        JSValue prop = JSScope::resolveWithBase(callFrame, ident, &callFrame->uncheckedR(baseDst));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(propDst) = prop;
-
-        vPC += OPCODE_LENGTH(op_resolve_with_base);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_resolve_with_this) {
-        /* resolve_with_this thisDst(r) propDst(r) property(id)
-
-           Searches the scope chain for an object containing
-           identifier property, and if one is found, writes the
-           retrieved property value to register propDst, and the
-           this object to pass in a call to thisDst.
-
-           If the property is not found, raises an exception.
-        */
-        int thisDst = vPC[1].u.operand;
-        int propDst = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-        Identifier& ident = codeBlock->identifier(property);
-
-        JSValue prop = JSScope::resolveWithThis(callFrame, ident, &callFrame->uncheckedR(thisDst));
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(propDst) = prop;
-
-        vPC += OPCODE_LENGTH(op_resolve_with_this);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_by_id_out_of_line)
-    DEFINE_OPCODE(op_get_by_id) {
-        /* get_by_id dst(r) base(r) property(id) structure(sID) nop(n) nop(n) nop(n)
-
-           Generic property access: Gets the property named by identifier
-           property from the value base, and puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-
-        Identifier& ident = codeBlock->identifier(property);
-        JSValue baseValue = callFrame->r(base).jsValue();
-        PropertySlot slot(baseValue);
-        JSValue result = baseValue.get(callFrame, ident, slot);
-        CHECK_FOR_EXCEPTION();
-
-        tryCacheGetByID(callFrame, codeBlock, vPC, baseValue, ident, slot);
-
-        callFrame->uncheckedR(dst) = result;
-        vPC += OPCODE_LENGTH(op_get_by_id);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_by_id_self) {
-        /* op_get_by_id_self dst(r) base(r) property(id) structure(sID) offset(n) nop(n) nop(n)
-
-           Cached property access: Attempts to get a cached property from the
-           value base. If the cache misses, op_get_by_id_self reverts to
-           op_get_by_id.
-        */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-
-            if (LIKELY(baseCell->structure() == structure)) {
-                ASSERT(baseCell->isObject());
-                JSObject* baseObject = asObject(baseCell);
-                int dst = vPC[1].u.operand;
-                int offset = vPC[5].u.operand;
-
-                ASSERT(baseObject->get(callFrame, codeBlock->identifier(vPC[3].u.operand)) == baseObject->getDirectOffset(offset));
-                callFrame->uncheckedR(dst) = JSValue(baseObject->getDirectOffset(offset));
-
-                vPC += OPCODE_LENGTH(op_get_by_id_self);
-                NEXT_INSTRUCTION();
-            }
-        }
-
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_by_id_proto) {
-        /* op_get_by_id_proto dst(r) base(r) property(id) structure(sID) prototypeStructure(sID) offset(n) nop(n)
-
-           Cached property access: Attempts to get a cached property from the
-           value base's prototype. If the cache misses, op_get_by_id_proto
-           reverts to op_get_by_id.
-        */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-
-            if (LIKELY(baseCell->structure() == structure)) {
-                ASSERT(structure->prototypeForLookup(callFrame).isObject());
-                JSObject* protoObject = asObject(structure->prototypeForLookup(callFrame));
-                Structure* prototypeStructure = vPC[5].u.structure.get();
-
-                if (LIKELY(protoObject->structure() == prototypeStructure)) {
-                    int dst = vPC[1].u.operand;
-                    int offset = vPC[6].u.operand;
-
-                    ASSERT(protoObject->get(callFrame, codeBlock->identifier(vPC[3].u.operand)) == protoObject->getDirectOffset(offset));
-                    ASSERT(baseValue.get(callFrame, codeBlock->identifier(vPC[3].u.operand)) == protoObject->getDirectOffset(offset));
-                    callFrame->uncheckedR(dst) = JSValue(protoObject->getDirectOffset(offset));
-
-                    vPC += OPCODE_LENGTH(op_get_by_id_proto);
-                    NEXT_INSTRUCTION();
-                }
-            }
-        }
-
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    goto *(&&skip_id_getter_proto);
-#endif
-    DEFINE_OPCODE(op_get_by_id_getter_proto) {
-        /* op_get_by_id_getter_proto dst(r) base(r) property(id) structure(sID) prototypeStructure(sID) offset(n) nop(n)
-         
-         Cached property access: Attempts to get a cached getter property from the
-         value base's prototype. If the cache misses, op_get_by_id_getter_proto
-         reverts to op_get_by_id.
-         */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-            
-            if (LIKELY(baseCell->structure() == structure)) {
-                ASSERT(structure->prototypeForLookup(callFrame).isObject());
-                JSObject* protoObject = asObject(structure->prototypeForLookup(callFrame));
-                Structure* prototypeStructure = vPC[5].u.structure.get();
-                
-                if (LIKELY(protoObject->structure() == prototypeStructure)) {
-                    int dst = vPC[1].u.operand;
-                    int offset = vPC[6].u.operand;
-                    if (GetterSetter* getterSetter = asGetterSetter(protoObject->getDirectOffset(offset).asCell())) {
-                        JSObject* getter = getterSetter->getter();
-                        CallData callData;
-                        CallType callType = getter->methodTable()->getCallData(getter, callData);
-                        JSValue result = call(callFrame, getter, callType, callData, asObject(baseCell), ArgList());
-                        CHECK_FOR_EXCEPTION();
-                        callFrame->uncheckedR(dst) = result;
-                    } else
-                        callFrame->uncheckedR(dst) = jsUndefined();
-                    vPC += OPCODE_LENGTH(op_get_by_id_getter_proto);
-                    NEXT_INSTRUCTION();
-                }
-            }
-        }
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_id_getter_proto:
-#endif
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    goto *(&&skip_id_custom_proto);
-#endif
-    DEFINE_OPCODE(op_get_by_id_custom_proto) {
-        /* op_get_by_id_custom_proto dst(r) base(r) property(id) structure(sID) prototypeStructure(sID) offset(n) nop(n)
-         
-         Cached property access: Attempts to use a cached named property getter
-         from the value base's prototype. If the cache misses, op_get_by_id_custom_proto
-         reverts to op_get_by_id.
-         */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-            
-            if (LIKELY(baseCell->structure() == structure)) {
-                ASSERT(structure->prototypeForLookup(callFrame).isObject());
-                JSObject* protoObject = asObject(structure->prototypeForLookup(callFrame));
-                Structure* prototypeStructure = vPC[5].u.structure.get();
-                
-                if (LIKELY(protoObject->structure() == prototypeStructure)) {
-                    int dst = vPC[1].u.operand;
-                    int property = vPC[3].u.operand;
-                    Identifier& ident = codeBlock->identifier(property);
-                    
-                    PropertySlot::GetValueFunc getter = vPC[6].u.getterFunc;
-                    JSValue result = getter(callFrame, protoObject, ident);
-                    CHECK_FOR_EXCEPTION();
-                    callFrame->uncheckedR(dst) = result;
-                    vPC += OPCODE_LENGTH(op_get_by_id_custom_proto);
-                    NEXT_INSTRUCTION();
-                }
-            }
-        }
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_id_custom_proto:
-#endif
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    goto *(&&skip_get_by_id_chain);
-#endif
-    DEFINE_OPCODE(op_get_by_id_chain) {
-        /* op_get_by_id_chain dst(r) base(r) property(id) structure(sID) structureChain(chain) count(n) offset(n)
-
-           Cached property access: Attempts to get a cached property from the
-           value base's prototype chain. If the cache misses, op_get_by_id_chain
-           reverts to op_get_by_id.
-        */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-
-            if (LIKELY(baseCell->structure() == structure)) {
-                WriteBarrier<Structure>* it = vPC[5].u.structureChain->head();
-                size_t count = vPC[6].u.operand;
-                WriteBarrier<Structure>* end = it + count;
-
-                while (true) {
-                    JSObject* baseObject = asObject(baseCell->structure()->prototypeForLookup(callFrame));
-
-                    if (UNLIKELY(baseObject->structure() != (*it).get()))
-                        break;
-
-                    if (++it == end) {
-                        int dst = vPC[1].u.operand;
-                        int offset = vPC[7].u.operand;
-
-                        ASSERT(baseObject->get(callFrame, codeBlock->identifier(vPC[3].u.operand)) == baseObject->getDirectOffset(offset));
-                        ASSERT(baseValue.get(callFrame, codeBlock->identifier(vPC[3].u.operand)) == baseObject->getDirectOffset(offset));
-                        callFrame->uncheckedR(dst) = JSValue(baseObject->getDirectOffset(offset));
-
-                        vPC += OPCODE_LENGTH(op_get_by_id_chain);
-                        NEXT_INSTRUCTION();
-                    }
-
-                    // Update baseCell, so that next time around the loop we'll pick up the prototype's prototype.
-                    baseCell = baseObject;
-                }
-            }
-        }
-
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_get_by_id_chain:
-    goto *(&&skip_id_getter_self);
-#endif
-    DEFINE_OPCODE(op_get_by_id_getter_self) {
-        /* op_get_by_id_self dst(r) base(r) property(id) structure(sID) offset(n) nop(n) nop(n)
-         
-         Cached property access: Attempts to get a cached property from the
-         value base. If the cache misses, op_get_by_id_getter_self reverts to
-         op_get_by_id.
-         */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-            
-            if (LIKELY(baseCell->structure() == structure)) {
-                ASSERT(baseCell->isObject());
-                JSObject* baseObject = asObject(baseCell);
-                int dst = vPC[1].u.operand;
-                int offset = vPC[5].u.operand;
-
-                if (GetterSetter* getterSetter = asGetterSetter(baseObject->getDirectOffset(offset).asCell())) {
-                    JSObject* getter = getterSetter->getter();
-                    CallData callData;
-                    CallType callType = getter->methodTable()->getCallData(getter, callData);
-                    JSValue result = call(callFrame, getter, callType, callData, baseObject, ArgList());
-                    CHECK_FOR_EXCEPTION();
-                    callFrame->uncheckedR(dst) = result;
-                } else
-                    callFrame->uncheckedR(dst) = jsUndefined();
-
-                vPC += OPCODE_LENGTH(op_get_by_id_getter_self);
-                NEXT_INSTRUCTION();
-            }
-        }
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_id_getter_self:
-#endif
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    goto *(&&skip_id_custom_self);
-#endif
-    DEFINE_OPCODE(op_get_by_id_custom_self) {
-        /* op_get_by_id_custom_self dst(r) base(r) property(id) structure(sID) offset(n) nop(n) nop(n)
-         
-         Cached property access: Attempts to use a cached named property getter
-         from the value base. If the cache misses, op_get_by_id_custom_self reverts to
-         op_get_by_id.
-         */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-            
-            if (LIKELY(baseCell->structure() == structure)) {
-                ASSERT(baseCell->isObject());
-                int dst = vPC[1].u.operand;
-                int property = vPC[3].u.operand;
-                Identifier& ident = codeBlock->identifier(property);
-
-                PropertySlot::GetValueFunc getter = vPC[5].u.getterFunc;
-                JSValue result = getter(callFrame, baseValue, ident);
-                CHECK_FOR_EXCEPTION();
-                callFrame->uncheckedR(dst) = result;
-                vPC += OPCODE_LENGTH(op_get_by_id_custom_self);
-                NEXT_INSTRUCTION();
-            }
-        }
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-skip_id_custom_self:
-#endif
-    DEFINE_OPCODE(op_get_by_id_generic) {
-        /* op_get_by_id_generic dst(r) base(r) property(id) nop(sID) nop(n) nop(n) nop(n)
-
-           Generic property access: Gets the property named by identifier
-           property from the value base, and puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-
-        Identifier& ident = codeBlock->identifier(property);
-        JSValue baseValue = callFrame->r(base).jsValue();
-        PropertySlot slot(baseValue);
-        JSValue result = baseValue.get(callFrame, ident, slot);
-        CHECK_FOR_EXCEPTION();
-
-        callFrame->uncheckedR(dst) = result;
-        vPC += OPCODE_LENGTH(op_get_by_id_generic);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    goto *(&&skip_id_getter_chain);
-#endif
-    DEFINE_OPCODE(op_get_by_id_getter_chain) {
-        /* op_get_by_id_getter_chain dst(r) base(r) property(id) structure(sID) structureChain(chain) count(n) offset(n)
-         
-         Cached property access: Attempts to get a cached property from the
-         value base's prototype chain. If the cache misses, op_get_by_id_getter_chain
-         reverts to op_get_by_id.
-         */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-            
-            if (LIKELY(baseCell->structure() == structure)) {
-                WriteBarrier<Structure>* it = vPC[5].u.structureChain->head();
-                size_t count = vPC[6].u.operand;
-                WriteBarrier<Structure>* end = it + count;
-                
-                while (true) {
-                    JSObject* baseObject = asObject(baseCell->structure()->prototypeForLookup(callFrame));
-                    
-                    if (UNLIKELY(baseObject->structure() != (*it).get()))
-                        break;
-                    
-                    if (++it == end) {
-                        int dst = vPC[1].u.operand;
-                        int offset = vPC[7].u.operand;
-                        if (GetterSetter* getterSetter = asGetterSetter(baseObject->getDirectOffset(offset).asCell())) {
-                            JSObject* getter = getterSetter->getter();
-                            CallData callData;
-                            CallType callType = getter->methodTable()->getCallData(getter, callData);
-                            JSValue result = call(callFrame, getter, callType, callData, baseValue, ArgList());
-                            CHECK_FOR_EXCEPTION();
-                            callFrame->uncheckedR(dst) = result;
-                        } else
-                            callFrame->uncheckedR(dst) = jsUndefined();
-                        vPC += OPCODE_LENGTH(op_get_by_id_getter_chain);
-                        NEXT_INSTRUCTION();
-                    }
-                    
-                    // Update baseCell, so that next time around the loop we'll pick up the prototype's prototype.
-                    baseCell = baseObject;
-                }
-            }
-        }
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_id_getter_chain:
-#endif
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    goto *(&&skip_id_custom_chain);
-#endif
-    DEFINE_OPCODE(op_get_by_id_custom_chain) {
-        /* op_get_by_id_custom_chain dst(r) base(r) property(id) structure(sID) structureChain(chain) count(n) offset(n)
-         
-         Cached property access: Attempts to use a cached named property getter on the
-         value base's prototype chain. If the cache misses, op_get_by_id_custom_chain
-         reverts to op_get_by_id.
-         */
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-            
-            if (LIKELY(baseCell->structure() == structure)) {
-                WriteBarrier<Structure>* it = vPC[5].u.structureChain->head();
-                size_t count = vPC[6].u.operand;
-                WriteBarrier<Structure>* end = it + count;
-                
-                while (true) {
-                    JSObject* baseObject = asObject(baseCell->structure()->prototypeForLookup(callFrame));
-                    
-                    if (UNLIKELY(baseObject->structure() != (*it).get()))
-                        break;
-                    
-                    if (++it == end) {
-                        int dst = vPC[1].u.operand;
-                        int property = vPC[3].u.operand;
-                        Identifier& ident = codeBlock->identifier(property);
-                        
-                        PropertySlot::GetValueFunc getter = vPC[7].u.getterFunc;
-                        JSValue result = getter(callFrame, baseObject, ident);
-                        CHECK_FOR_EXCEPTION();
-                        callFrame->uncheckedR(dst) = result;
-                        vPC += OPCODE_LENGTH(op_get_by_id_custom_chain);
-                        NEXT_INSTRUCTION();
-                    }
-                    
-                    // Update baseCell, so that next time around the loop we'll pick up the prototype's prototype.
-                    baseCell = baseObject;
-                }
-            }
-        }
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_id_custom_chain:
-    goto *(&&skip_get_array_length);
-#endif
-    DEFINE_OPCODE(op_get_array_length) {
-        /* op_get_array_length dst(r) base(r) property(id) nop(sID) nop(n) nop(n) nop(n)
-
-           Cached property access: Gets the length of the array in register base,
-           and puts the result in register dst. If register base does not hold
-           an array, op_get_array_length reverts to op_get_by_id.
-        */
-
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        if (LIKELY(isJSArray(baseValue))) {
-            int dst = vPC[1].u.operand;
-            callFrame->uncheckedR(dst) = jsNumber(asArray(baseValue)->length());
-            vPC += OPCODE_LENGTH(op_get_array_length);
-            NEXT_INSTRUCTION();
-        }
-
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_get_array_length:
-    goto *(&&skip_get_string_length);
-#endif
-    DEFINE_OPCODE(op_get_string_length) {
-        /* op_get_string_length dst(r) base(r) property(id) nop(sID) nop(n) nop(n) nop(n)
-
-           Cached property access: Gets the length of the string in register base,
-           and puts the result in register dst. If register base does not hold
-           a string, op_get_string_length reverts to op_get_by_id.
-        */
-
-        int base = vPC[2].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        if (LIKELY(isJSString(baseValue))) {
-            int dst = vPC[1].u.operand;
-            callFrame->uncheckedR(dst) = jsNumber(asString(baseValue)->length());
-            vPC += OPCODE_LENGTH(op_get_string_length);
-            NEXT_INSTRUCTION();
-        }
-
-        uncacheGetByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-    skip_get_string_length:
-    goto *(&&skip_put_by_id);
-#endif
-    DEFINE_OPCODE(op_put_by_id_out_of_line)
-    DEFINE_OPCODE(op_put_by_id) {
-        /* put_by_id base(r) property(id) value(r) nop(n) nop(n) nop(n) nop(n) direct(b)
-
-           Generic property access: Sets the property named by identifier
-           property, belonging to register base, to register value.
-
-           Unlike many opcodes, this one does not write any output to
-           the register file.
-
-           The "direct" flag should only be set this put_by_id is to initialize
-           an object literal.
-        */
-
-        int base = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        int value = vPC[3].u.operand;
-        int direct = vPC[8].u.operand;
-
-        JSValue baseValue = callFrame->r(base).jsValue();
-        Identifier& ident = codeBlock->identifier(property);
-        PutPropertySlot slot(codeBlock->isStrictMode());
-        if (direct) {
-            ASSERT(baseValue.isObject());
-            asObject(baseValue)->putDirect(*globalData, ident, callFrame->r(value).jsValue(), slot);
-        } else
-            baseValue.put(callFrame, ident, callFrame->r(value).jsValue(), slot);
-        CHECK_FOR_EXCEPTION();
-
-        tryCachePutByID(callFrame, codeBlock, vPC, baseValue, slot);
-
-        vPC += OPCODE_LENGTH(op_put_by_id);
-        NEXT_INSTRUCTION();
-    }
-#if USE(GCC_COMPUTED_GOTO_WORKAROUND)
-      skip_put_by_id:
-#endif
-    DEFINE_OPCODE(op_put_by_id_transition_direct)
-    DEFINE_OPCODE(op_put_by_id_transition_normal)
-    DEFINE_OPCODE(op_put_by_id_transition_direct_out_of_line)
-    DEFINE_OPCODE(op_put_by_id_transition_normal_out_of_line)
-    DEFINE_OPCODE(op_put_by_id_transition) {
-        /* op_put_by_id_transition base(r) property(id) value(r) oldStructure(sID) newStructure(sID) structureChain(chain) offset(n) direct(b)
-         
-           Cached property access: Attempts to set a new property with a cached transition
-           property named by identifier property, belonging to register base,
-           to register value. If the cache misses, op_put_by_id_transition
-           reverts to op_put_by_id_generic.
-         
-           Unlike many opcodes, this one does not write any output to
-           the register file.
-         */
-        int base = vPC[1].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-        
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* oldStructure = vPC[4].u.structure.get();
-            Structure* newStructure = vPC[5].u.structure.get();
-            
-            if (LIKELY(baseCell->structure() == oldStructure)) {
-                ASSERT(baseCell->isObject());
-                JSObject* baseObject = asObject(baseCell);
-                int direct = vPC[8].u.operand;
-                
-                if (!direct) {
-                    WriteBarrier<Structure>* it = vPC[6].u.structureChain->head();
-
-                    JSValue proto = baseObject->structure()->prototypeForLookup(callFrame);
-                    while (!proto.isNull()) {
-                        if (UNLIKELY(asObject(proto)->structure() != (*it).get())) {
-                            uncachePutByID(codeBlock, vPC);
-                            NEXT_INSTRUCTION();
-                        }
-                        ++it;
-                        proto = asObject(proto)->structure()->prototypeForLookup(callFrame);
-                    }
-                }
-                baseObject->setStructureAndReallocateStorageIfNecessary(*globalData, newStructure);
-
-                int value = vPC[3].u.operand;
-                int offset = vPC[7].u.operand;
-                ASSERT(baseObject->offsetForLocation(baseObject->getDirectLocation(*globalData, codeBlock->identifier(vPC[2].u.operand))) == offset);
-                baseObject->putDirectOffset(callFrame->globalData(), offset, callFrame->r(value).jsValue());
-
-                vPC += OPCODE_LENGTH(op_put_by_id_transition);
-                NEXT_INSTRUCTION();
-            }
-        }
-        
-        uncachePutByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_put_by_id_replace) {
-        /* op_put_by_id_replace base(r) property(id) value(r) structure(sID) offset(n) nop(n) nop(n) direct(b)
-
-           Cached property access: Attempts to set a pre-existing, cached
-           property named by identifier property, belonging to register base,
-           to register value. If the cache misses, op_put_by_id_replace
-           reverts to op_put_by_id.
-
-           Unlike many opcodes, this one does not write any output to
-           the register file.
-        */
-        int base = vPC[1].u.operand;
-        JSValue baseValue = callFrame->r(base).jsValue();
-
-        if (LIKELY(baseValue.isCell())) {
-            JSCell* baseCell = baseValue.asCell();
-            Structure* structure = vPC[4].u.structure.get();
-
-            if (LIKELY(baseCell->structure() == structure)) {
-                ASSERT(baseCell->isObject());
-                JSObject* baseObject = asObject(baseCell);
-                int value = vPC[3].u.operand;
-                int offset = vPC[5].u.operand;
-                
-                ASSERT(baseObject->offsetForLocation(baseObject->getDirectLocation(*globalData, codeBlock->identifier(vPC[2].u.operand))) == offset);
-                baseObject->putDirectOffset(callFrame->globalData(), offset, callFrame->r(value).jsValue());
-
-                vPC += OPCODE_LENGTH(op_put_by_id_replace);
-                NEXT_INSTRUCTION();
-            }
-        }
-
-        uncachePutByID(codeBlock, vPC);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_put_by_id_generic) {
-        /* op_put_by_id_generic base(r) property(id) value(r) nop(n) nop(n) nop(n) nop(n) direct(b)
-
-           Generic property access: Sets the property named by identifier
-           property, belonging to register base, to register value.
-
-           Unlike many opcodes, this one does not write any output to
-           the register file.
-        */
-        int base = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        int value = vPC[3].u.operand;
-        int direct = vPC[8].u.operand;
-
-        JSValue baseValue = callFrame->r(base).jsValue();
-        Identifier& ident = codeBlock->identifier(property);
-        PutPropertySlot slot(codeBlock->isStrictMode());
-        if (direct) {
-            ASSERT(baseValue.isObject());
-            asObject(baseValue)->putDirect(*globalData, ident, callFrame->r(value).jsValue(), slot);
-        } else
-            baseValue.put(callFrame, ident, callFrame->r(value).jsValue(), slot);
-        CHECK_FOR_EXCEPTION();
-
-        vPC += OPCODE_LENGTH(op_put_by_id_generic);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_del_by_id) {
-        /* del_by_id dst(r) base(r) property(id)
-
-           Converts register base to Object, deletes the property
-           named by identifier property from the object, and writes a
-           boolean indicating success (if true) or failure (if false)
-           to register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-
-        JSObject* baseObj = callFrame->r(base).jsValue().toObject(callFrame);
-        Identifier& ident = codeBlock->identifier(property);
-        bool result = baseObj->methodTable()->deleteProperty(baseObj, callFrame, ident);
-        if (!result && codeBlock->isStrictMode()) {
-            exceptionValue = createTypeError(callFrame, "Unable to delete property.");
-            goto vm_throw;
-        }
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = jsBoolean(result);
-        vPC += OPCODE_LENGTH(op_del_by_id);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_by_pname) {
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-        int expected = vPC[4].u.operand;
-        int iter = vPC[5].u.operand;
-        int i = vPC[6].u.operand;
-
-        JSValue baseValue = callFrame->r(base).jsValue();
-        JSPropertyNameIterator* it = callFrame->r(iter).propertyNameIterator();
-        JSValue subscript = callFrame->r(property).jsValue();
-        JSValue expectedSubscript = callFrame->r(expected).jsValue();
-        int index = callFrame->r(i).i() - 1;
-        JSValue result;
-        PropertyOffset offset = 0;
-        if (subscript == expectedSubscript && baseValue.isCell() && (baseValue.asCell()->structure() == it->cachedStructure()) && it->getOffset(index, offset)) {
-            callFrame->uncheckedR(dst) = JSValue(asObject(baseValue)->getDirectOffset(offset));
-            vPC += OPCODE_LENGTH(op_get_by_pname);
-            NEXT_INSTRUCTION();
-        }
-        {
-            Identifier propertyName(callFrame, subscript.toString(callFrame)->value(callFrame));
-            result = baseValue.get(callFrame, propertyName);
-        }
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-        vPC += OPCODE_LENGTH(op_get_by_pname);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_arguments_length) {
-        int dst = vPC[1].u.operand;
-        int argumentsRegister = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-        JSValue arguments = callFrame->r(argumentsRegister).jsValue();
-        if (arguments) {
-            Identifier& ident = codeBlock->identifier(property);
-            PropertySlot slot(arguments);
-            JSValue result = arguments.get(callFrame, ident, slot);
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(dst) = result;
-        } else
-            callFrame->uncheckedR(dst) = jsNumber(callFrame->argumentCount());
-
-        vPC += OPCODE_LENGTH(op_get_arguments_length);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_argument_by_val) {
-        int dst = vPC[1].u.operand;
-        int argumentsRegister = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-        JSValue arguments = callFrame->r(argumentsRegister).jsValue();
-        JSValue subscript = callFrame->r(property).jsValue();
-        if (!arguments && subscript.isUInt32() && subscript.asUInt32() < callFrame->argumentCount()) {
-            callFrame->uncheckedR(dst) = callFrame->argument(subscript.asUInt32());
-            vPC += OPCODE_LENGTH(op_get_argument_by_val);
-            NEXT_INSTRUCTION();
-        }
-        if (!arguments) {
-            Arguments* arguments = Arguments::create(*globalData, callFrame);
-            callFrame->uncheckedR(argumentsRegister) = JSValue(arguments);
-            callFrame->uncheckedR(unmodifiedArgumentsRegister(argumentsRegister)) = JSValue(arguments);
-        }
-        // fallthrough
-    }
-    DEFINE_OPCODE(op_get_by_val) {
-        /* get_by_val dst(r) base(r) property(r)
-
-           Converts register base to Object, gets the property named
-           by register property from the object, and puts the result
-           in register dst. property is nominally converted to string
-           but numbers are treated more efficiently.
-        */
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-        
-        JSValue baseValue = callFrame->r(base).jsValue();
-        JSValue subscript = callFrame->r(property).jsValue();
-
-        JSValue result;
-
-        if (LIKELY(subscript.isUInt32())) {
-            uint32_t i = subscript.asUInt32();
-            if (isJSArray(baseValue)) {
-                JSArray* jsArray = asArray(baseValue);
-                if (jsArray->canGetIndexQuickly(i))
-                    result = jsArray->getIndexQuickly(i);
-                else
-                    result = jsArray->JSArray::get(callFrame, i);
-            } else if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
-                result = asString(baseValue)->getIndex(callFrame, i);
-            else
-                result = baseValue.get(callFrame, i);
-        } else if (isName(subscript))
-            result = baseValue.get(callFrame, jsCast<NameInstance*>(subscript.asCell())->privateName());
-        else {
-            Identifier property(callFrame, subscript.toString(callFrame)->value(callFrame));
-            result = baseValue.get(callFrame, property);
-        }
-
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = result;
-        vPC += OPCODE_LENGTH(op_get_by_val);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_put_by_val) {
-        /* put_by_val base(r) property(r) value(r)
-
-           Sets register value on register base as the property named
-           by register property. Base is converted to object
-           first. register property is nominally converted to string
-           but numbers are treated more efficiently.
-
-           Unlike many opcodes, this one does not write any output to
-           the register file.
-        */
-        int base = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        int value = vPC[3].u.operand;
-
-        JSValue baseValue = callFrame->r(base).jsValue();
-        JSValue subscript = callFrame->r(property).jsValue();
-
-        if (LIKELY(subscript.isUInt32())) {
-            uint32_t i = subscript.asUInt32();
-            if (isJSArray(baseValue)) {
-                JSArray* jsArray = asArray(baseValue);
-                if (jsArray->canSetIndexQuickly(i))
-                    jsArray->setIndexQuickly(*globalData, i, callFrame->r(value).jsValue());
-                else
-                    jsArray->JSArray::putByIndex(jsArray, callFrame, i, callFrame->r(value).jsValue(), codeBlock->isStrictMode());
-            } else
-                baseValue.putByIndex(callFrame, i, callFrame->r(value).jsValue(), codeBlock->isStrictMode());
-        } else if (isName(subscript)) {
-            PutPropertySlot slot(codeBlock->isStrictMode());
-            baseValue.put(callFrame, jsCast<NameInstance*>(subscript.asCell())->privateName(), callFrame->r(value).jsValue(), slot);
-        } else {
-            Identifier property(callFrame, subscript.toString(callFrame)->value(callFrame));
-            if (!globalData->exception) { // Don't put to an object if toString threw an exception.
-                PutPropertySlot slot(codeBlock->isStrictMode());
-                baseValue.put(callFrame, property, callFrame->r(value).jsValue(), slot);
-            }
-        }
-
-        CHECK_FOR_EXCEPTION();
-        vPC += OPCODE_LENGTH(op_put_by_val);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_del_by_val) {
-        /* del_by_val dst(r) base(r) property(r)
-
-           Converts register base to Object, deletes the property
-           named by register property from the object, and writes a
-           boolean indicating success (if true) or failure (if false)
-           to register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int property = vPC[3].u.operand;
-
-        JSObject* baseObj = callFrame->r(base).jsValue().toObject(callFrame); // may throw
-
-        JSValue subscript = callFrame->r(property).jsValue();
-        bool result;
-        uint32_t i;
-        if (subscript.getUInt32(i))
-            result = baseObj->methodTable()->deletePropertyByIndex(baseObj, callFrame, i);
-        else if (isName(subscript))
-            result = baseObj->methodTable()->deleteProperty(baseObj, callFrame, jsCast<NameInstance*>(subscript.asCell())->privateName());
-        else {
-            CHECK_FOR_EXCEPTION();
-            Identifier property(callFrame, subscript.toString(callFrame)->value(callFrame));
-            CHECK_FOR_EXCEPTION();
-            result = baseObj->methodTable()->deleteProperty(baseObj, callFrame, property);
-        }
-        if (!result && codeBlock->isStrictMode()) {
-            exceptionValue = createTypeError(callFrame, "Unable to delete property.");
-            goto vm_throw;
-        }
-        CHECK_FOR_EXCEPTION();
-        callFrame->uncheckedR(dst) = jsBoolean(result);
-        vPC += OPCODE_LENGTH(op_del_by_val);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_put_by_index) {
-        /* put_by_index base(r) property(n) value(r)
-
-           Sets register value on register base as the property named
-           by the immediate number property. Base is converted to
-           object first.
-
-           Unlike many opcodes, this one does not write any output to
-           the register file.
-
-           This opcode is mainly used to initialize array literals.
-        */
-        int base = vPC[1].u.operand;
-        unsigned property = vPC[2].u.operand;
-        int value = vPC[3].u.operand;
-
-        JSValue arrayValue = callFrame->r(base).jsValue();
-        ASSERT(isJSArray(arrayValue));
-        asArray(arrayValue)->putDirectIndex(callFrame, property, callFrame->r(value).jsValue());
-
-        vPC += OPCODE_LENGTH(op_put_by_index);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop) {
-        /* loop target(offset)
-         
-           Jumps unconditionally to offset target from the current
-           instruction.
-
-           Additionally this loop instruction may terminate JS execution is
-           the JS timeout is reached.
-         */
-#if ENABLE(OPCODE_STATS)
-        OpcodeStats::resetLastInstruction();
-#endif
-        int target = vPC[1].u.operand;
-        CHECK_FOR_TIMEOUT();
-        vPC += target;
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jmp) {
-        /* jmp target(offset)
-
-           Jumps unconditionally to offset target from the current
-           instruction.
-        */
-#if ENABLE(OPCODE_STATS)
-        OpcodeStats::resetLastInstruction();
-#endif
-        int target = vPC[1].u.operand;
-
-        vPC += target;
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop_hint) {
-        // This is a no-op unless we intend on doing OSR from the interpreter.
-        vPC += OPCODE_LENGTH(op_loop_hint);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop_if_true) {
-        /* loop_if_true cond(r) target(offset)
-         
-           Jumps to offset target from the current instruction, if and
-           only if register cond converts to boolean as true.
-
-           Additionally this loop instruction may terminate JS execution is
-           the JS timeout is reached.
-         */
-        int cond = vPC[1].u.operand;
-        int target = vPC[2].u.operand;
-        if (callFrame->r(cond).jsValue().toBoolean(callFrame)) {
-            vPC += target;
-            CHECK_FOR_TIMEOUT();
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_loop_if_true);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop_if_false) {
-        /* loop_if_true cond(r) target(offset)
-         
-           Jumps to offset target from the current instruction, if and
-           only if register cond converts to boolean as false.
-
-           Additionally this loop instruction may terminate JS execution is
-           the JS timeout is reached.
-         */
-        int cond = vPC[1].u.operand;
-        int target = vPC[2].u.operand;
-        if (!callFrame->r(cond).jsValue().toBoolean(callFrame)) {
-            vPC += target;
-            CHECK_FOR_TIMEOUT();
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_loop_if_true);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jtrue) {
-        /* jtrue cond(r) target(offset)
-
-           Jumps to offset target from the current instruction, if and
-           only if register cond converts to boolean as true.
-        */
-        int cond = vPC[1].u.operand;
-        int target = vPC[2].u.operand;
-        if (callFrame->r(cond).jsValue().toBoolean(callFrame)) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jtrue);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jfalse) {
-        /* jfalse cond(r) target(offset)
-
-           Jumps to offset target from the current instruction, if and
-           only if register cond converts to boolean as false.
-        */
-        int cond = vPC[1].u.operand;
-        int target = vPC[2].u.operand;
-        if (!callFrame->r(cond).jsValue().toBoolean(callFrame)) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jfalse);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jeq_null) {
-        /* jeq_null src(r) target(offset)
-
-           Jumps to offset target from the current instruction, if and
-           only if register src is null.
-        */
-        int src = vPC[1].u.operand;
-        int target = vPC[2].u.operand;
-        JSValue srcValue = callFrame->r(src).jsValue();
-
-        if (srcValue.isUndefinedOrNull() || (srcValue.isCell() && srcValue.asCell()->structure()->masqueradesAsUndefined(callFrame->lexicalGlobalObject()))) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jeq_null);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jneq_null) {
-        /* jneq_null src(r) target(offset)
-
-           Jumps to offset target from the current instruction, if and
-           only if register src is not null.
-        */
-        int src = vPC[1].u.operand;
-        int target = vPC[2].u.operand;
-        JSValue srcValue = callFrame->r(src).jsValue();
-
-        if (!srcValue.isUndefinedOrNull() && (!srcValue.isCell() || !(srcValue.asCell()->structure()->masqueradesAsUndefined(callFrame->lexicalGlobalObject())))) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jneq_null);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jneq_ptr) {
-        /* jneq_ptr src(r) ptr(jsCell) target(offset)
-         
-           Jumps to offset target from the current instruction, if the value r is equal
-           to ptr, using pointer equality.
-         */
-        int src = vPC[1].u.operand;
-        int target = vPC[3].u.operand;
-        JSValue srcValue = callFrame->r(src).jsValue();
-        if (srcValue != vPC[2].u.jsCell.get()) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jneq_ptr);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop_if_less) {
-        /* loop_if_less src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is less than register src2, as
-           with the ECMAScript '<' operator, and then jumps to offset
-           target from the current instruction, if and only if the 
-           result of the comparison is true.
-
-           Additionally this loop instruction may terminate JS execution is
-           the JS timeout is reached.
-         */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-        
-        bool result = jsLess<true>(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            CHECK_FOR_TIMEOUT();
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_loop_if_less);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop_if_lesseq) {
-        /* loop_if_lesseq src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is less than or equal to register
-           src2, as with the ECMAScript '<=' operator, and then jumps to
-           offset target from the current instruction, if and only if the 
-           result of the comparison is true.
-
-           Additionally this loop instruction may terminate JS execution is
-           the JS timeout is reached.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-        
-        bool result = jsLessEq<true>(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            CHECK_FOR_TIMEOUT();
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_loop_if_lesseq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop_if_greater) {
-        /* loop_if_greater src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is greater than register src2, as
-           with the ECMAScript '>' operator, and then jumps to offset
-           target from the current instruction, if and only if the 
-           result of the comparison is true.
-
-           Additionally this loop instruction may terminate JS execution is
-           the JS timeout is reached.
-         */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-        
-        bool result = jsLess<false>(callFrame, src2, src1);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            CHECK_FOR_TIMEOUT();
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_loop_if_greater);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_loop_if_greatereq) {
-        /* loop_if_greatereq src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is greater than or equal to register
-           src2, as with the ECMAScript '>=' operator, and then jumps to
-           offset target from the current instruction, if and only if the 
-           result of the comparison is true.
-
-           Additionally this loop instruction may terminate JS execution is
-           the JS timeout is reached.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-        
-        bool result = jsLessEq<false>(callFrame, src2, src1);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            CHECK_FOR_TIMEOUT();
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_loop_if_greatereq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jless) {
-        /* jless src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is less than register src2, as
-           with the ECMAScript '<' operator, and then jumps to offset
-           target from the current instruction, if and only if the 
-           result of the comparison is true.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-
-        bool result = jsLess<true>(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jless);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jlesseq) {
-        /* jlesseq src1(r) src2(r) target(offset)
-         
-         Checks whether register src1 is less than or equal to
-         register src2, as with the ECMAScript '<=' operator,
-         and then jumps to offset target from the current instruction,
-         if and only if the result of the comparison is true.
-         */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-        
-        bool result = jsLessEq<true>(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_jlesseq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jgreater) {
-        /* jgreater src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is greater than register src2, as
-           with the ECMAScript '>' operator, and then jumps to offset
-           target from the current instruction, if and only if the 
-           result of the comparison is true.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-
-        bool result = jsLess<false>(callFrame, src2, src1);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jgreater);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jgreatereq) {
-        /* jgreatereq src1(r) src2(r) target(offset)
-         
-         Checks whether register src1 is greater than or equal to
-         register src2, as with the ECMAScript '>=' operator,
-         and then jumps to offset target from the current instruction,
-         if and only if the result of the comparison is true.
-         */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-        
-        bool result = jsLessEq<false>(callFrame, src2, src1);
-        CHECK_FOR_EXCEPTION();
-        
-        if (result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-        
-        vPC += OPCODE_LENGTH(op_jgreatereq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jnless) {
-        /* jnless src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is less than register src2, as
-           with the ECMAScript '<' operator, and then jumps to offset
-           target from the current instruction, if and only if the 
-           result of the comparison is false.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-
-        bool result = jsLess<true>(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        
-        if (!result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jnless);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jnlesseq) {
-        /* jnlesseq src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is less than or equal to
-           register src2, as with the ECMAScript '<=' operator,
-           and then jumps to offset target from the current instruction,
-           if and only if theresult of the comparison is false.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-
-        bool result = jsLessEq<true>(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        
-        if (!result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jnlesseq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jngreater) {
-        /* jngreater src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is greater than register src2, as
-           with the ECMAScript '>' operator, and then jumps to offset
-           target from the current instruction, if and only if the 
-           result of the comparison is false.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-
-        bool result = jsLess<false>(callFrame, src2, src1);
-        CHECK_FOR_EXCEPTION();
-        
-        if (!result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jngreater);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jngreatereq) {
-        /* jngreatereq src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is greater than or equal to
-           register src2, as with the ECMAScript '>=' operator,
-           and then jumps to offset target from the current instruction,
-           if and only if theresult of the comparison is false.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-
-        bool result = jsLessEq<false>(callFrame, src2, src1);
-        CHECK_FOR_EXCEPTION();
-        
-        if (!result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jngreatereq);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_switch_imm) {
-        /* switch_imm tableIndex(n) defaultOffset(offset) scrutinee(r)
-
-           Performs a range checked switch on the scrutinee value, using
-           the tableIndex-th immediate switch jump table.  If the scrutinee value
-           is an immediate number in the range covered by the referenced jump
-           table, and the value at jumpTable[scrutinee value] is non-zero, then
-           that value is used as the jump offset, otherwise defaultOffset is used.
-         */
-        int tableIndex = vPC[1].u.operand;
-        int defaultOffset = vPC[2].u.operand;
-        JSValue scrutinee = callFrame->r(vPC[3].u.operand).jsValue();
-        if (scrutinee.isInt32())
-            vPC += codeBlock->immediateSwitchJumpTable(tableIndex).offsetForValue(scrutinee.asInt32(), defaultOffset);
-        else if (scrutinee.isDouble() && scrutinee.asDouble() == static_cast<int32_t>(scrutinee.asDouble()))
-            vPC += codeBlock->immediateSwitchJumpTable(tableIndex).offsetForValue(static_cast<int32_t>(scrutinee.asDouble()), defaultOffset);
-        else
-            vPC += defaultOffset;
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_switch_char) {
-        /* switch_char tableIndex(n) defaultOffset(offset) scrutinee(r)
-
-           Performs a range checked switch on the scrutinee value, using
-           the tableIndex-th character switch jump table.  If the scrutinee value
-           is a single character string in the range covered by the referenced jump
-           table, and the value at jumpTable[scrutinee value] is non-zero, then
-           that value is used as the jump offset, otherwise defaultOffset is used.
-         */
-        int tableIndex = vPC[1].u.operand;
-        int defaultOffset = vPC[2].u.operand;
-        JSValue scrutinee = callFrame->r(vPC[3].u.operand).jsValue();
-        if (!scrutinee.isString())
-            vPC += defaultOffset;
-        else {
-            StringImpl* value = asString(scrutinee)->value(callFrame).impl();
-            if (value->length() != 1)
-                vPC += defaultOffset;
-            else
-                vPC += codeBlock->characterSwitchJumpTable(tableIndex).offsetForValue((*value)[0], defaultOffset);
-        }
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_switch_string) {
-        /* switch_string tableIndex(n) defaultOffset(offset) scrutinee(r)
-
-           Performs a sparse hashmap based switch on the value in the scrutinee
-           register, using the tableIndex-th string switch jump table.  If the 
-           scrutinee value is a string that exists as a key in the referenced 
-           jump table, then the value associated with the string is used as the 
-           jump offset, otherwise defaultOffset is used.
-         */
-        int tableIndex = vPC[1].u.operand;
-        int defaultOffset = vPC[2].u.operand;
-        JSValue scrutinee = callFrame->r(vPC[3].u.operand).jsValue();
-        if (!scrutinee.isString())
-            vPC += defaultOffset;
-        else 
-            vPC += codeBlock->stringSwitchJumpTable(tableIndex).offsetForValue(asString(scrutinee)->value(callFrame).impl(), defaultOffset);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_new_func) {
-        /* new_func dst(r) func(f)
-
-           Constructs a new Function instance from function func and
-           the current scope chain using the original Function
-           constructor, using the rules for function declarations, and
-           puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int func = vPC[2].u.operand;
-        int shouldCheck = vPC[3].u.operand;
-        ASSERT(codeBlock->codeType() != FunctionCode || !codeBlock->needsFullScopeChain() || callFrame->r(codeBlock->activationRegister()).jsValue());
-        if (!shouldCheck || !callFrame->r(dst).jsValue())
-            callFrame->uncheckedR(dst) = JSValue(JSFunction::create(callFrame, codeBlock->functionDecl(func), callFrame->scope()));
-
-        vPC += OPCODE_LENGTH(op_new_func);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_new_func_exp) {
-        /* new_func_exp dst(r) func(f)
-
-           Constructs a new Function instance from function func and
-           the current scope chain using the original Function
-           constructor, using the rules for function expressions, and
-           puts the result in register dst.
-        */
-        int dst = vPC[1].u.operand;
-        int funcIndex = vPC[2].u.operand;
-        
-        ASSERT(codeBlock->codeType() != FunctionCode || !codeBlock->needsFullScopeChain() || callFrame->r(codeBlock->activationRegister()).jsValue());
-        FunctionExecutable* function = codeBlock->functionExpr(funcIndex);
-        JSFunction* func = JSFunction::create(callFrame, function, callFrame->scope());
-
-        callFrame->uncheckedR(dst) = JSValue(func);
-
-        vPC += OPCODE_LENGTH(op_new_func_exp);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_call_eval) {
-        /* call_eval func(r) argCount(n) registerOffset(n)
-
-           Call a function named "eval" with no explicit "this" value
-           (which may therefore be the eval operator). If register
-           thisVal is the global object, and register func contains
-           that global object's original global eval function, then
-           perform the eval operator in local scope (interpreting
-           the argument registers as for the "call"
-           opcode). Otherwise, act exactly as the "call" opcode would.
-         */
-
-        int func = vPC[1].u.operand;
-        int argCount = vPC[2].u.operand;
-        int registerOffset = vPC[3].u.operand;
-        
-        ASSERT(codeBlock->codeType() != FunctionCode || !codeBlock->needsFullScopeChain() || callFrame->r(codeBlock->activationRegister()).jsValue());
-        JSValue funcVal = callFrame->r(func).jsValue();
-
-        if (isHostFunction(funcVal, globalFuncEval)) {
-            CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + registerOffset);
-            newCallFrame->init(0, vPC + OPCODE_LENGTH(op_call_eval), callFrame->scope(), callFrame, argCount, jsCast<JSFunction*>(funcVal));
-
-            JSValue result = eval(newCallFrame);
-            if ((exceptionValue = globalData->exception))
-                goto vm_throw;
-            functionReturnValue = result;
-
-            vPC += OPCODE_LENGTH(op_call_eval);
-            NEXT_INSTRUCTION();
-        }
-
-        // We didn't find the blessed version of eval, so process this
-        // instruction as a normal function call.
-        // fall through to op_call
-    }
-    DEFINE_OPCODE(op_call) {
-        /* call func(r) argCount(n) registerOffset(n)
-
-           Perform a function call.
-           
-           registerOffset is the distance the callFrame pointer should move
-           before the VM initializes the new call frame's header.
-           
-           dst is where op_ret should store its result.
-         */
-
-        int func = vPC[1].u.operand;
-        int argCount = vPC[2].u.operand;
-        int registerOffset = vPC[3].u.operand;
-
-        JSValue v = callFrame->r(func).jsValue();
-
-        CallData callData;
-        CallType callType = getCallData(v, callData);
-
-        if (callType == CallTypeJS) {
-            JSScope* callDataScope = callData.js.scope;
-
-            JSObject* error = callData.js.functionExecutable->compileForCall(callFrame, callDataScope);
-            if (UNLIKELY(!!error)) {
-                exceptionValue = error;
-                goto vm_throw;
-            }
-
-            CallFrame* previousCallFrame = callFrame;
-            CodeBlock* newCodeBlock = &callData.js.functionExecutable->generatedBytecodeForCall();
-            callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
-            if (UNLIKELY(!callFrame)) {
-                callFrame = previousCallFrame;
-                exceptionValue = createStackOverflowError(callFrame);
-                goto vm_throw;
-            }
-
-            callFrame->init(newCodeBlock, vPC + OPCODE_LENGTH(op_call), callDataScope, previousCallFrame, argCount, jsCast<JSFunction*>(v));
-            codeBlock = newCodeBlock;
-            ASSERT(codeBlock == callFrame->codeBlock());
-            *topCallFrameSlot = callFrame;
-            vPC = newCodeBlock->instructions().begin();
-
-#if ENABLE(OPCODE_STATS)
-            OpcodeStats::resetLastInstruction();
-#endif
-
-            NEXT_INSTRUCTION();
-        }
-
-        if (callType == CallTypeHost) {
-            JSScope* scope = callFrame->scope();
-            CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + registerOffset);
-            newCallFrame->init(0, vPC + OPCODE_LENGTH(op_call), scope, callFrame, argCount, asObject(v));
-            JSValue returnValue;
-            {
-                *topCallFrameSlot = newCallFrame;
-                SamplingTool::HostCallRecord callRecord(m_sampler.get());
-                returnValue = JSValue::decode(callData.native.function(newCallFrame));
-                *topCallFrameSlot = callFrame;
-            }
-            CHECK_FOR_EXCEPTION();
-
-            functionReturnValue = returnValue;
-
-            vPC += OPCODE_LENGTH(op_call);
-            NEXT_INSTRUCTION();
-        }
-
-        ASSERT(callType == CallTypeNone);
-
-        exceptionValue = createNotAFunctionError(callFrame, v);
-        goto vm_throw;
-    }
-    DEFINE_OPCODE(op_call_varargs) {
-        /* call_varargs callee(r) thisValue(r) arguments(r) firstFreeRegister(n)
-         
-         Perform a function call with a dynamic set of arguments.
-         
-         registerOffset is the distance the callFrame pointer should move
-         before the VM initializes the new call frame's header, excluding
-         space for arguments.
-         
-         dst is where op_ret should store its result.
-         */
-        
-        JSValue v = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue thisValue = callFrame->r(vPC[2].u.operand).jsValue();
-        JSValue arguments = callFrame->r(vPC[3].u.operand).jsValue();
-        int firstFreeRegister = vPC[4].u.operand;
-
-        CallFrame* newCallFrame = loadVarargs(callFrame, registerFile, thisValue, arguments, firstFreeRegister);
-        if ((exceptionValue = globalData->exception))
-            goto vm_throw;
-        int argCount = newCallFrame->argumentCountIncludingThis();
-
-        CallData callData;
-        CallType callType = getCallData(v, callData);
-        
-        if (callType == CallTypeJS) {
-            JSScope* callDataScope = callData.js.scope;
-
-            JSObject* error = callData.js.functionExecutable->compileForCall(callFrame, callDataScope);
-            if (UNLIKELY(!!error)) {
-                exceptionValue = error;
-                goto vm_throw;
-            }
-
-            CodeBlock* newCodeBlock = &callData.js.functionExecutable->generatedBytecodeForCall();
-            newCallFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, newCallFrame, 0, argCount);
-            if (UNLIKELY(!newCallFrame)) {
-                exceptionValue = createStackOverflowError(callFrame);
-                goto vm_throw;
-            }
-
-            newCallFrame->init(newCodeBlock, vPC + OPCODE_LENGTH(op_call_varargs), callDataScope, callFrame, argCount, jsCast<JSFunction*>(v));
-            codeBlock = newCodeBlock;
-            callFrame = newCallFrame;
-            ASSERT(codeBlock == callFrame->codeBlock());
-            *topCallFrameSlot = callFrame;
-            vPC = newCodeBlock->instructions().begin();
-
-#if ENABLE(OPCODE_STATS)
-            OpcodeStats::resetLastInstruction();
-#endif
-            
-            NEXT_INSTRUCTION();
-        }
-        
-        if (callType == CallTypeHost) {
-            JSScope* scope = callFrame->scope();
-            newCallFrame->init(0, vPC + OPCODE_LENGTH(op_call_varargs), scope, callFrame, argCount, asObject(v));
-            
-            JSValue returnValue;
-            {
-                *topCallFrameSlot = newCallFrame;
-                SamplingTool::HostCallRecord callRecord(m_sampler.get());
-                returnValue = JSValue::decode(callData.native.function(newCallFrame));
-                *topCallFrameSlot = callFrame;
-            }
-            CHECK_FOR_EXCEPTION();
-            
-            functionReturnValue = returnValue;
-            
-            vPC += OPCODE_LENGTH(op_call_varargs);
-            NEXT_INSTRUCTION();
-        }
-        
-        ASSERT(callType == CallTypeNone);
-        
-        exceptionValue = createNotAFunctionError(callFrame, v);
-        goto vm_throw;
-    }
-    DEFINE_OPCODE(op_tear_off_activation) {
-        /* tear_off_activation activation(r)
-
-           Copy locals and named parameters from the register file to the heap.
-           Point the bindings in 'activation' to this new backing store.
-
-           This opcode appears before op_ret in functions that require full scope chains.
-        */
-
-        int activation = vPC[1].u.operand;
-        ASSERT(codeBlock->needsFullScopeChain());
-        JSValue activationValue = callFrame->r(activation).jsValue();
-        if (activationValue)
-            asActivation(activationValue)->tearOff(*globalData);
-
-        vPC += OPCODE_LENGTH(op_tear_off_activation);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_tear_off_arguments) {
-        /* tear_off_arguments arguments(r) activation(r)
-
-           Copy named parameters from the register file to the heap. Point the
-           bindings in 'arguments' to this new backing store. (If 'activation'
-           was also copied to the heap, 'arguments' will point to its storage.)
-
-           This opcode appears before op_ret in functions that don't require full
-           scope chains, but do use 'arguments'.
-        */
-
-        int arguments = vPC[1].u.operand;
-        int activation = vPC[2].u.operand;
-        ASSERT(codeBlock->usesArguments());
-        if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()) {
-            if (JSValue activationValue = callFrame->r(activation).jsValue())
-                asArguments(argumentsValue)->didTearOffActivation(callFrame, asActivation(activationValue));
-            else
-                asArguments(argumentsValue)->tearOff(callFrame);
-        }
-
-        vPC += OPCODE_LENGTH(op_tear_off_arguments);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_ret) {
-        /* ret result(r)
-           
-           Return register result as the return value of the current
-           function call, writing it into functionReturnValue.
-           In addition, unwind one call frame and restore the scope
-           chain, code block instruction pointer and register base
-           to those of the calling function.
-        */
-
-        int result = vPC[1].u.operand;
-
-        JSValue returnValue = callFrame->r(result).jsValue();
-
-        vPC = callFrame->returnVPC();
-        callFrame = callFrame->callerFrame();
-
-        if (callFrame->hasHostCallFrameFlag())
-            return returnValue;
-
-        *topCallFrameSlot = callFrame;
-        functionReturnValue = returnValue;
-        codeBlock = callFrame->codeBlock();
-        ASSERT(codeBlock == callFrame->codeBlock());
-
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_call_put_result) {
-        /* op_call_put_result result(r)
-           
-           Move call result from functionReturnValue to caller's
-           expected return value register.
-        */
-
-        callFrame->uncheckedR(vPC[1].u.operand) = functionReturnValue;
-
-        vPC += OPCODE_LENGTH(op_call_put_result);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_ret_object_or_this) {
-        /* ret result(r)
-           
-           Return register result as the return value of the current
-           function call, writing it into the caller's expected return
-           value register. In addition, unwind one call frame and
-           restore the scope chain, code block instruction pointer and
-           register base to those of the calling function.
-        */
-
-        int result = vPC[1].u.operand;
-
-        JSValue returnValue = callFrame->r(result).jsValue();
-
-        if (UNLIKELY(!returnValue.isObject()))
-            returnValue = callFrame->r(vPC[2].u.operand).jsValue();
-
-        vPC = callFrame->returnVPC();
-        callFrame = callFrame->callerFrame();
-
-        if (callFrame->hasHostCallFrameFlag())
-            return returnValue;
-
-        *topCallFrameSlot = callFrame;
-        functionReturnValue = returnValue;
-        codeBlock = callFrame->codeBlock();
-        ASSERT(codeBlock == callFrame->codeBlock());
-
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_enter) {
-        /* enter
-
-           Initializes local variables to undefined. If the code block requires
-           an activation, enter_with_activation is used instead.
-
-           This opcode appears only at the beginning of a code block.
-        */
-
-        size_t i = 0;
-        for (size_t count = codeBlock->m_numVars; i < count; ++i)
-            callFrame->uncheckedR(i) = jsUndefined();
-
-        vPC += OPCODE_LENGTH(op_enter);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_create_activation) {
-        /* create_activation dst(r)
-
-           If the activation object for this callframe has not yet been created,
-           this creates it and writes it back to dst.
-        */
-
-        int activationReg = vPC[1].u.operand;
-        if (!callFrame->r(activationReg).jsValue()) {
-            JSActivation* activation = JSActivation::create(*globalData, callFrame, static_cast<FunctionExecutable*>(codeBlock->ownerExecutable()));
-            callFrame->r(activationReg) = JSValue(activation);
-            callFrame->setScope(activation);
-        }
-        vPC += OPCODE_LENGTH(op_create_activation);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_create_this) {
-        /* op_create_this this(r) proto(r)
-
-           Allocate an object as 'this', fr use in construction.
-
-           This opcode should only be used at the beginning of a code
-           block.
-        */
-
-        int thisRegister = vPC[1].u.operand;
-
-        JSFunction* constructor = jsCast<JSFunction*>(callFrame->callee());
-#if !ASSERT_DISABLED
-        ConstructData constructData;
-        ASSERT(constructor->methodTable()->getConstructData(constructor, constructData) == ConstructTypeJS);
-#endif
-
-        Structure* structure = constructor->cachedInheritorID(callFrame);
-        callFrame->uncheckedR(thisRegister) = constructEmptyObject(callFrame, structure);
-
-        vPC += OPCODE_LENGTH(op_create_this);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_convert_this) {
-        /* convert_this this(r)
-
-           Takes the value in the 'this' register, converts it to a
-           value that is suitable for use as the 'this' value, and
-           stores it in the 'this' register. This opcode is emitted
-           to avoid doing the conversion in the caller unnecessarily.
-
-           This opcode should only be used at the beginning of a code
-           block.
-        */
-
-        int thisRegister = vPC[1].u.operand;
-        JSValue thisVal = callFrame->r(thisRegister).jsValue();
-        if (thisVal.isPrimitive())
-            callFrame->uncheckedR(thisRegister) = JSValue(thisVal.toThisObject(callFrame));
-
-        vPC += OPCODE_LENGTH(op_convert_this);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_init_lazy_reg) {
-        /* init_lazy_reg dst(r)
-
-           Initialises dst(r) to JSValue().
-
-           This opcode appears only at the beginning of a code block.
-         */
-        int dst = vPC[1].u.operand;
-
-        callFrame->uncheckedR(dst) = JSValue();
-        vPC += OPCODE_LENGTH(op_init_lazy_reg);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_create_arguments) {
-        /* create_arguments dst(r)
-
-           Creates the 'arguments' object and places it in both the
-           'arguments' call frame slot and the local 'arguments'
-           register, if it has not already been initialised.
-         */
-        
-        int dst = vPC[1].u.operand;
-
-        if (!callFrame->r(dst).jsValue()) {
-            Arguments* arguments = Arguments::create(*globalData, callFrame);
-            callFrame->uncheckedR(dst) = JSValue(arguments);
-            callFrame->uncheckedR(unmodifiedArgumentsRegister(dst)) = JSValue(arguments);
-        }
-        vPC += OPCODE_LENGTH(op_create_arguments);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_construct) {
-        /* construct func(r) argCount(n) registerOffset(n) proto(r) thisRegister(r)
-
-           Invoke register "func" as a constructor. For JS
-           functions, the calling convention is exactly as for the
-           "call" opcode, except that the "this" value is a newly
-           created Object. For native constructors, no "this"
-           value is passed. In either case, the argCount and registerOffset
-           registers are interpreted as for the "call" opcode.
-
-           Register proto must contain the prototype property of
-           register func. This is to enable polymorphic inline
-           caching of this lookup.
-        */
-
-        int func = vPC[1].u.operand;
-        int argCount = vPC[2].u.operand;
-        int registerOffset = vPC[3].u.operand;
-
-        JSValue v = callFrame->r(func).jsValue();
-
-        ConstructData constructData;
-        ConstructType constructType = getConstructData(v, constructData);
-
-        if (constructType == ConstructTypeJS) {
-            JSScope* callDataScope = constructData.js.scope;
-
-            JSObject* error = constructData.js.functionExecutable->compileForConstruct(callFrame, callDataScope);
-            if (UNLIKELY(!!error)) {
-                exceptionValue = error;
-                goto vm_throw;
-            }
-
-            CallFrame* previousCallFrame = callFrame;
-            CodeBlock* newCodeBlock = &constructData.js.functionExecutable->generatedBytecodeForConstruct();
-            callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
-            if (UNLIKELY(!callFrame)) {
-                callFrame = previousCallFrame;
-                exceptionValue = createStackOverflowError(callFrame);
-                goto vm_throw;
-            }
-
-            callFrame->init(newCodeBlock, vPC + OPCODE_LENGTH(op_construct), callDataScope, previousCallFrame, argCount, jsCast<JSFunction*>(v));
-            codeBlock = newCodeBlock;
-            *topCallFrameSlot = callFrame;
-            vPC = newCodeBlock->instructions().begin();
-#if ENABLE(OPCODE_STATS)
-            OpcodeStats::resetLastInstruction();
-#endif
-
-            NEXT_INSTRUCTION();
-        }
-
-        if (constructType == ConstructTypeHost) {
-            JSScope* scope = callFrame->scope();
-            CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + registerOffset);
-            newCallFrame->init(0, vPC + OPCODE_LENGTH(op_construct), scope, callFrame, argCount, asObject(v));
-
-            JSValue returnValue;
-            {
-                *topCallFrameSlot = newCallFrame;
-                SamplingTool::HostCallRecord callRecord(m_sampler.get());
-                returnValue = JSValue::decode(constructData.native.function(newCallFrame));
-                *topCallFrameSlot = callFrame;
-            }
-            CHECK_FOR_EXCEPTION();
-            functionReturnValue = returnValue;
-
-            vPC += OPCODE_LENGTH(op_construct);
-            NEXT_INSTRUCTION();
-        }
-
-        ASSERT(constructType == ConstructTypeNone);
-
-        exceptionValue = createNotAConstructorError(callFrame, v);
-        goto vm_throw;
-    }
-    DEFINE_OPCODE(op_strcat) {
-        /* strcat dst(r) src(r) count(n)
-
-           Construct a new String instance using the original
-           constructor, and puts the result in register dst.
-           The string will be the result of concatenating count
-           strings with values taken from registers starting at
-           register src.
-        */
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-        int count = vPC[3].u.operand;
-
-        callFrame->uncheckedR(dst) = concatenateStrings(callFrame, &callFrame->registers()[src], count);
-        CHECK_FOR_EXCEPTION();
-        vPC += OPCODE_LENGTH(op_strcat);
-
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_to_primitive) {
-        int dst = vPC[1].u.operand;
-        int src = vPC[2].u.operand;
-
-        callFrame->uncheckedR(dst) = callFrame->r(src).jsValue().toPrimitive(callFrame);
-        vPC += OPCODE_LENGTH(op_to_primitive);
-
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_push_with_scope) {
-        /* push_with_scope scope(r)
-
-           Converts register scope to object, and pushes it onto the top
-           of the scope chain.
-        */
-        int scope = vPC[1].u.operand;
-        JSValue v = callFrame->r(scope).jsValue();
-        JSObject* o = v.toObject(callFrame);
-        CHECK_FOR_EXCEPTION();
-
-        callFrame->setScope(JSWithScope::create(callFrame, o));
-
-        vPC += OPCODE_LENGTH(op_push_with_scope);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_pop_scope) {
-        /* pop_scope
-
-           Removes the top item from the current scope chain.
-        */
-        callFrame->setScope(callFrame->scope()->next());
-
-        vPC += OPCODE_LENGTH(op_pop_scope);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_get_pnames) {
-        /* get_pnames dst(r) base(r) i(n) size(n) breakTarget(offset)
-
-           Creates a property name list for register base and puts it
-           in register dst, initializing i and size for iteration. If
-           base is undefined or null, jumps to breakTarget.
-        */
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int i = vPC[3].u.operand;
-        int size = vPC[4].u.operand;
-        int breakTarget = vPC[5].u.operand;
-
-        JSValue v = callFrame->r(base).jsValue();
-        if (v.isUndefinedOrNull()) {
-            vPC += breakTarget;
-            NEXT_INSTRUCTION();
-        }
-
-        JSObject* o = v.toObject(callFrame);
-        Structure* structure = o->structure();
-        JSPropertyNameIterator* jsPropertyNameIterator = structure->enumerationCache();
-        if (!jsPropertyNameIterator || jsPropertyNameIterator->cachedPrototypeChain() != structure->prototypeChain(callFrame))
-            jsPropertyNameIterator = JSPropertyNameIterator::create(callFrame, o);
-
-        callFrame->uncheckedR(dst) = jsPropertyNameIterator;
-        callFrame->uncheckedR(base) = JSValue(o);
-        callFrame->uncheckedR(i) = Register::withInt(0);
-        callFrame->uncheckedR(size) = Register::withInt(jsPropertyNameIterator->size());
-        vPC += OPCODE_LENGTH(op_get_pnames);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_next_pname) {
-        /* next_pname dst(r) base(r) i(n) size(n) iter(r) target(offset)
-
-           Copies the next name from the property name list in
-           register iter to dst, then jumps to offset target. If there are no
-           names left, invalidates the iterator and continues to the next
-           instruction.
-        */
-        int dst = vPC[1].u.operand;
-        int base = vPC[2].u.operand;
-        int i = vPC[3].u.operand;
-        int size = vPC[4].u.operand;
-        int iter = vPC[5].u.operand;
-        int target = vPC[6].u.operand;
-
-        JSPropertyNameIterator* it = callFrame->r(iter).propertyNameIterator();
-        while (callFrame->r(i).i() != callFrame->r(size).i()) {
-            JSValue key = it->get(callFrame, asObject(callFrame->r(base).jsValue()), callFrame->r(i).i());
-            CHECK_FOR_EXCEPTION();
-            callFrame->uncheckedR(i) = Register::withInt(callFrame->r(i).i() + 1);
-            if (key) {
-                CHECK_FOR_TIMEOUT();
-                callFrame->uncheckedR(dst) = key;
-                vPC += target;
-                NEXT_INSTRUCTION();
-            }
-        }
-
-        vPC += OPCODE_LENGTH(op_next_pname);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jmp_scopes) {
-        /* jmp_scopes count(n) target(offset)
-
-           Removes the a number of items from the current scope chain
-           specified by immediate number count, then jumps to offset
-           target.
-        */
-        int count = vPC[1].u.operand;
-        int target = vPC[2].u.operand;
-
-        JSScope* tmp = callFrame->scope();
-        while (count--)
-            tmp = tmp->next();
-        callFrame->setScope(tmp);
-
-        vPC += target;
-        NEXT_INSTRUCTION();
-    }
-#if ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-    // Appease GCC
-    goto *(&&skip_new_scope);
-#endif
-    DEFINE_OPCODE(op_push_name_scope) {
-        /* new_scope property(id) value(r) attributes(unsigned)
-         
-           Constructs a name scope of the form { property<attributes>: value },
-           and pushes it onto the scope chain.
-         */
-        callFrame->setScope(createNameScope(callFrame, vPC));
-
-        vPC += OPCODE_LENGTH(op_push_name_scope);
-        NEXT_INSTRUCTION();
-    }
-#if ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-    skip_new_scope:
-#endif
-    DEFINE_OPCODE(op_catch) {
-        /* catch ex(r)
-
-           Retrieves the VM's current exception and puts it in register
-           ex. This is only valid after an exception has been raised,
-           and usually forms the beginning of an exception handler.
-        */
-        ASSERT(exceptionValue);
-        ASSERT(!globalData->exception);
-        int ex = vPC[1].u.operand;
-        callFrame->uncheckedR(ex) = exceptionValue;
-        exceptionValue = JSValue();
-
-        vPC += OPCODE_LENGTH(op_catch);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_throw) {
-        /* throw ex(r)
-
-           Throws register ex as an exception. This involves three
-           steps: first, it is set as the current exception in the
-           VM's internal state, then the stack is unwound until an
-           exception handler or a native code boundary is found, and
-           then control resumes at the exception handler if any or
-           else the script returns control to the nearest native caller.
-        */
-
-        int ex = vPC[1].u.operand;
-        exceptionValue = callFrame->r(ex).jsValue();
-
-        handler = throwException(callFrame, exceptionValue, vPC - codeBlock->instructions().begin());
-        if (!handler)
-            return throwError(callFrame, exceptionValue);
-
-        codeBlock = callFrame->codeBlock();
-        vPC = codeBlock->instructions().begin() + handler->target;
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_throw_reference_error) {
-        /* op_throw_reference_error message(k)
-
-           Constructs a new reference Error instance using the
-           original constructor, using constant message as the
-           message string. The result is thrown.
-        */
-        String message = callFrame->r(vPC[1].u.operand).jsValue().toString(callFrame)->value(callFrame);
-        exceptionValue = JSValue(createReferenceError(callFrame, message));
-        goto vm_throw;
-    }
-    DEFINE_OPCODE(op_end) {
-        /* end result(r)
-           
-           Return register result as the value of a global or eval
-           program. Return control to the calling native code.
-        */
-
-        int result = vPC[1].u.operand;
-        return callFrame->r(result).jsValue();
-    }
-    DEFINE_OPCODE(op_put_getter_setter) {
-        /* put_getter_setter base(r) property(id) getter(r) setter(r)
-
-           Puts accessor descriptor to register base as the named
-           identifier property. Base and function may be objects
-           or undefined, this op should only be used for accessors
-           defined in object literal form.
-
-           Unlike many opcodes, this one does not write any output to
-           the register file.
-        */
-        int base = vPC[1].u.operand;
-        int property = vPC[2].u.operand;
-        int getterReg = vPC[3].u.operand;
-        int setterReg = vPC[4].u.operand;
-
-        ASSERT(callFrame->r(base).jsValue().isObject());
-        JSObject* baseObj = asObject(callFrame->r(base).jsValue());
-        Identifier& ident = codeBlock->identifier(property);
-
-        GetterSetter* accessor = GetterSetter::create(callFrame);
-
-        JSValue getter = callFrame->r(getterReg).jsValue();
-        JSValue setter = callFrame->r(setterReg).jsValue();
-        ASSERT(getter.isObject() || getter.isUndefined());
-        ASSERT(setter.isObject() || setter.isUndefined());
-        ASSERT(getter.isObject() || setter.isObject());
-
-        if (!getter.isUndefined())
-            accessor->setGetter(callFrame->globalData(), asObject(getter));
-        if (!setter.isUndefined())
-            accessor->setSetter(callFrame->globalData(), asObject(setter));
-        baseObj->putDirectAccessor(callFrame, ident, accessor, Accessor);
-
-        vPC += OPCODE_LENGTH(op_put_getter_setter);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_method_check) {
-        vPC++;
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_debug) {
-        /* debug debugHookID(n) firstLine(n) lastLine(n) column(n)
-
-         Notifies the debugger of the current state of execution. This opcode
-         is only generated while the debugger is attached.
-        */
-        int debugHookID = vPC[1].u.operand;
-        int firstLine = vPC[2].u.operand;
-        int lastLine = vPC[3].u.operand;
-        int column = vPC[4].u.operand;
-
-
-        debug(callFrame, static_cast<DebugHookID>(debugHookID), firstLine, lastLine, column);
-
-        vPC += OPCODE_LENGTH(op_debug);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_profile_will_call) {
-        /* op_profile_will_call function(r)
-
-         Notifies the profiler of the beginning of a function call. This opcode
-         is only generated if developer tools are enabled.
-        */
-        int function = vPC[1].u.operand;
-
-        if (Profiler* profiler = globalData->enabledProfiler())
-            profiler->willExecute(callFrame, callFrame->r(function).jsValue());
-
-        vPC += OPCODE_LENGTH(op_profile_will_call);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_profile_did_call) {
-        /* op_profile_did_call function(r)
-
-         Notifies the profiler of the end of a function call. This opcode
-         is only generated if developer tools are enabled.
-        */
-        int function = vPC[1].u.operand;
-
-        if (Profiler* profiler = globalData->enabledProfiler())
-            profiler->didExecute(callFrame, callFrame->r(function).jsValue());
-
-        vPC += OPCODE_LENGTH(op_profile_did_call);
-        NEXT_INSTRUCTION();
-    }
-    vm_throw: {
-        globalData->exception = JSValue();
-        if (!tickCount) {
-            // The exceptionValue is a lie! (GCC produces bad code for reasons I 
-            // cannot fathom if we don't assign to the exceptionValue before branching)
-            exceptionValue = createInterruptedExecutionException(globalData);
-        }
-        JSGlobalObject* globalObject = callFrame->lexicalGlobalObject();
-        handler = throwException(callFrame, exceptionValue, vPC - codeBlock->instructions().begin());
-        if (!handler) {
-            // Can't use the callframe at this point as the scopechain, etc have
-            // been released.
-            return throwError(globalObject->globalExec(), exceptionValue);
-        }
-
-        codeBlock = callFrame->codeBlock();
-        vPC = codeBlock->instructions().begin() + handler->target;
-        NEXT_INSTRUCTION();
-    }
-    }
-#if !ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-    } // iterator loop ends
-#endif
-    #undef NEXT_INSTRUCTION
-    #undef DEFINE_OPCODE
-    #undef CHECK_FOR_EXCEPTION
-    #undef CHECK_FOR_TIMEOUT
-#endif // ENABLE(CLASSIC_INTERPRETER)
-}
-
-#endif // !ENABLE(LLINT_C_LOOP)
-
-
-JSValue Interpreter::retrieveArgumentsFromVMCode(CallFrame* callFrame, JSFunction* function) const
-{
-    CallFrame* functionCallFrame = findFunctionCallFrameFromVMCode(callFrame, function);
-    if (!functionCallFrame)
-        return jsNull();
-
-    Arguments* arguments = Arguments::create(functionCallFrame->globalData(), functionCallFrame);
-    arguments->tearOff(functionCallFrame);
-    return JSValue(arguments);
-}
-
-JSValue Interpreter::retrieveCallerFromVMCode(CallFrame* callFrame, JSFunction* function) const
-{
-    CallFrame* functionCallFrame = findFunctionCallFrameFromVMCode(callFrame, function);
-
-    if (!functionCallFrame)
-        return jsNull();
-    
-    int lineNumber;
-    unsigned bytecodeOffset;
-    CallFrame* callerFrame = getCallerInfo(&callFrame->globalData(), functionCallFrame, lineNumber, bytecodeOffset);
-    if (!callerFrame)
-        return jsNull();
-    JSValue caller = callerFrame->callee();
-    if (!caller)
-        return jsNull();
-
-    // Skip over function bindings.
-    ASSERT(caller.isObject());
-    while (asObject(caller)->inherits(&JSBoundFunction::s_info)) {
-        callerFrame = getCallerInfo(&callFrame->globalData(), callerFrame, lineNumber, bytecodeOffset);
-        if (!callerFrame)
-            return jsNull();
-        caller = callerFrame->callee();
-        if (!caller)
-            return jsNull();
-    }
-
-    return caller;
-}
-
-void Interpreter::retrieveLastCaller(CallFrame* callFrame, int& lineNumber, intptr_t& sourceID, String& sourceURL, JSValue& function) const
-{
-    function = JSValue();
-    lineNumber = -1;
-    sourceURL = String();
-
-    CallFrame* callerFrame = callFrame->callerFrame();
-    if (callerFrame->hasHostCallFrameFlag())
-        return;
-
-    CodeBlock* callerCodeBlock = callerFrame->codeBlock();
-    if (!callerCodeBlock)
+    CodeBlock* callerCodeBlock = callerFrame->codeBlock();
+    if (!callerCodeBlock)
         return;
     unsigned bytecodeOffset = 0;
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!callerFrame->globalData().canUseJIT())
-        bytecodeOffset = callerCodeBlock->bytecodeOffset(callFrame->returnVPC());
-#if ENABLE(JIT)
-    else
-        bytecodeOffset = callerCodeBlock->bytecodeOffset(callerFrame, callFrame->returnPC());
-#endif
-#else
     bytecodeOffset = callerCodeBlock->bytecodeOffset(callerFrame, callFrame->returnPC());
-#endif
     lineNumber = callerCodeBlock->lineNumberForBytecodeOffset(bytecodeOffset - 1);
     sourceID = callerCodeBlock->ownerExecutable()->sourceID();
     sourceURL = callerCodeBlock->ownerExecutable()->sourceURL();
diff --git a/Source/JavaScriptCore/interpreter/Interpreter.h b/Source/JavaScriptCore/interpreter/Interpreter.h
index 464056bc1..f27ae8206 100644
--- a/Source/JavaScriptCore/interpreter/Interpreter.h
+++ b/Source/JavaScriptCore/interpreter/Interpreter.h
@@ -204,27 +204,14 @@ namespace JSC {
         OpcodeID getOpcodeID(Opcode opcode)
         {
             ASSERT(m_initialized);
-#if ENABLE(COMPUTED_GOTO_OPCODES)
-#if ENABLE(LLINT)
-            ASSERT(isOpcode(opcode));
-            return m_opcodeIDTable.get(opcode);
-#elif ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
+#if ENABLE(COMPUTED_GOTO_OPCODES) && ENABLE(LLINT)
             ASSERT(isOpcode(opcode));
-            if (!m_classicEnabled)
-                return static_cast<OpcodeID>(bitwise_cast<uintptr_t>(opcode));
-
             return m_opcodeIDTable.get(opcode);
-#endif // ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-#else // !ENABLE(COMPUTED_GOTO_OPCODES)
+#else
             return opcode;
-#endif // !ENABLE(COMPUTED_GOTO_OPCODES)
+#endif
         }
         
-        bool classicEnabled()
-        {
-            return m_classicEnabled;
-        }
-
         bool isOpcode(Opcode);
 
         JSValue execute(ProgramExecutable*, CallFrame*, JSObject* thisObj);
@@ -260,15 +247,6 @@ namespace JSC {
         void endRepeatCall(CallFrameClosure&);
         JSValue execute(CallFrameClosure&);
 
-#if ENABLE(CLASSIC_INTERPRETER)
-        NEVER_INLINE JSScope* createNameScope(CallFrame*, const Instruction* vPC);
-
-        void tryCacheGetByID(CallFrame*, CodeBlock*, Instruction*, JSValue baseValue, const Identifier& propertyName, const PropertySlot&);
-        void uncacheGetByID(CodeBlock*, Instruction* vPC);
-        void tryCachePutByID(CallFrame*, CodeBlock*, Instruction*, JSValue baseValue, const PutPropertySlot&);
-        void uncachePutByID(CodeBlock*, Instruction* vPC);        
-#endif // ENABLE(CLASSIC_INTERPRETER)
-
         NEVER_INLINE bool unwindCallFrame(CallFrame*&, JSValue, unsigned& bytecodeOffset, CodeBlock*&);
 
         static ALWAYS_INLINE CallFrame* slideRegisterWindowForCall(CodeBlock*, RegisterFile*, CallFrame*, size_t registerOffset, int argc);
@@ -291,20 +269,14 @@ namespace JSC {
 
         RegisterFile m_registerFile;
         
-#if ENABLE(COMPUTED_GOTO_OPCODES)
-#if ENABLE(LLINT)
+#if ENABLE(COMPUTED_GOTO_OPCODES) && ENABLE(LLINT)
         Opcode* m_opcodeTable; // Maps OpcodeID => Opcode for compiling
         HashMap<Opcode, OpcodeID> m_opcodeIDTable; // Maps Opcode => OpcodeID for decompiling
-#elif ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER)
-        Opcode m_opcodeTable[numOpcodeIDs]; // Maps OpcodeID => Opcode for compiling
-        HashMap<Opcode, OpcodeID> m_opcodeIDTable; // Maps Opcode => OpcodeID for decompiling
 #endif
-#endif // ENABLE(COMPUTED_GOTO_OPCODES)
 
 #if !ASSERT_DISABLED
         bool m_initialized;
 #endif
-        bool m_classicEnabled;
     };
 
     // This value must not be an object that would require this conversion (WebCore's global object).
diff --git a/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp b/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
index 7a53b8e2e..2123f5a67 100644
--- a/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
+++ b/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
@@ -54,7 +54,7 @@ public:
         : MetaAllocator(jitAllocationGranule) // round up all allocations to 32 bytes
     {
         m_reservation = PageReservation::reserveWithGuardPages(fixedExecutableMemoryPoolSize, OSAllocator::JSJITCodePages, EXECUTABLE_POOL_WRITABLE, true);
-#if !(ENABLE(CLASSIC_INTERPRETER) || ENABLE(LLINT))
+#if !ENABLE(LLINT)
         if (!m_reservation)
             CRASH();
 #endif
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
index 53da6424b..83abf380c 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
@@ -1398,7 +1398,9 @@ _llint_op_put_by_val:
     dispatch(5)
 
 .opPutByValEmpty:
-    storeb 1, ArrayProfile::m_mayStoreToHole[t3]
+    if VALUE_PROFILER
+        storeb 1, ArrayProfile::m_mayStoreToHole[t3]
+    end
     addi 1, ArrayStorage::m_numValuesInVector[t0]
     bib t2, -sizeof IndexingHeader + IndexingHeader::m_publicLength[t0], .opPutByValStoreResult
     addi 1, t2, t1
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
index f4ff5c464..4d614f51f 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -1241,7 +1241,9 @@ _llint_op_put_by_val:
     dispatch(5)
 
 .opPutByValEmpty:
-    storeb 1, ArrayProfile::m_mayStoreToHole[t3]
+    if VALUE_PROFILER
+        storeb 1, ArrayProfile::m_mayStoreToHole[t3]
+    end
     addi 1, ArrayStorage::m_numValuesInVector[t0]
     bib t2, -sizeof IndexingHeader + IndexingHeader::m_publicLength[t0], .opPutByValStoreResult
     addi 1, t2, t1
diff --git a/Source/JavaScriptCore/offlineasm/asm.rb b/Source/JavaScriptCore/offlineasm/asm.rb
index 14d616442..4d44c5e91 100644
--- a/Source/JavaScriptCore/offlineasm/asm.rb
+++ b/Source/JavaScriptCore/offlineasm/asm.rb
@@ -225,7 +225,7 @@ $stderr.puts "offlineasm: Parsing #{asmFile} and #{offsetsFile} and creating ass
 begin
     configurationList = offsetsAndConfigurationIndex(offsetsFile)
 rescue MissingMagicValuesException
-    $stderr.puts "offlineasm: No magic values found. Skipping assembly file generation assuming the classic interpreter is enabled."
+    $stderr.puts "offlineasm: No magic values found. Skipping assembly file generation."
     exit 0
 end
 
diff --git a/Source/JavaScriptCore/offlineasm/cloop.rb b/Source/JavaScriptCore/offlineasm/cloop.rb
index 9975e0767..b3e319c4d 100644
--- a/Source/JavaScriptCore/offlineasm/cloop.rb
+++ b/Source/JavaScriptCore/offlineasm/cloop.rb
@@ -507,7 +507,7 @@ end
 class Instruction
     def lowerC_LOOP
         $asm.codeOrigin codeOriginString if $enableCodeOriginComments
-        $asm.annotation annotation if $enableInstrAnnotations
+        $asm.annotation annotation if $enableInstrAnnotations && (opcode != "cloopDo")
 
         case opcode
         when "addi"
@@ -981,6 +981,12 @@ class Instruction
         when "cloopCallSlowPath"
             cloopEmitCallSlowPath(operands)
 
+        # For debugging only. This is used to insert instrumentation into the
+        # generated LLIntAssembly.h during llint development only. Do not use
+        # for production code.
+        when "cloopDo"
+            $asm.putc "#{annotation}"
+
         else
             lowerDefault
         end
diff --git a/Source/JavaScriptCore/offlineasm/instructions.rb b/Source/JavaScriptCore/offlineasm/instructions.rb
index d046bee6f..ddb1bb90f 100644
--- a/Source/JavaScriptCore/offlineasm/instructions.rb
+++ b/Source/JavaScriptCore/offlineasm/instructions.rb
@@ -227,6 +227,14 @@ CXX_INSTRUCTIONS =
      "cloopCallJSFunction",  # operands: callee
      "cloopCallNative",      # operands: callee
      "cloopCallSlowPath",    # operands: callTarget, currentFrame, currentPC
+
+     # For debugging only:
+     # Takes no operands but simply emits whatever follows in // comments as
+     # a line of C++ code in the generated LLIntAssembly.h file. This can be
+     # used to insert instrumentation into the interpreter loop to inspect
+     # variables of interest. Do not leave these instructions in production
+     # code.
+     "cloopDo",              # no operands
     ]
 
 INSTRUCTIONS = MACRO_INSTRUCTIONS + X86_INSTRUCTIONS + ARMv7_INSTRUCTIONS + CXX_INSTRUCTIONS
diff --git a/Source/JavaScriptCore/offlineasm/offsets.rb b/Source/JavaScriptCore/offlineasm/offsets.rb
index 627183dc8..d9266d9a3 100644
--- a/Source/JavaScriptCore/offlineasm/offsets.rb
+++ b/Source/JavaScriptCore/offlineasm/offsets.rb
@@ -38,7 +38,6 @@ OFFSET_MAGIC_NUMBERS = [ to32Bit(0xec577ac7), to32Bit(0x0ff5e755) ]
 # MissingMagicValuesException
 #
 # Thrown when magic values are missing from the binary.
-# This is usually an indication that the classic interpreter is enabled.
 #
 
 class MissingMagicValuesException < Exception
diff --git a/Source/JavaScriptCore/offlineasm/parser.rb b/Source/JavaScriptCore/offlineasm/parser.rb
index 70b03cf70..76eea522f 100644
--- a/Source/JavaScriptCore/offlineasm/parser.rb
+++ b/Source/JavaScriptCore/offlineasm/parser.rb
@@ -103,7 +103,11 @@ def lex(str, fileName)
             annotationType = whitespaceFound ? :local : :global
         when /\A\n/
             # We've found a '\n'.  Emit the last comment recorded if appropriate:
-            if $enableInstrAnnotations and annotation
+            # We need to parse annotations regardless of whether the backend does
+            # anything with them or not. This is because the C++ backend may make
+            # use of this for its cloopDo debugging utility even if
+            # enableInstrAnnotations is not enabled.
+            if annotation
                 result << Annotation.new(CodeOrigin.new(fileName, lineNumber),
                                          annotationType, annotation)
                 annotation = nil
diff --git a/Source/JavaScriptCore/runtime/Executable.cpp b/Source/JavaScriptCore/runtime/Executable.cpp
index d7327d564..0a453eea0 100644
--- a/Source/JavaScriptCore/runtime/Executable.cpp
+++ b/Source/JavaScriptCore/runtime/Executable.cpp
@@ -231,11 +231,6 @@ JSObject* EvalExecutable::compileInternal(ExecState* exec, JSScope* scope, JITCo
 #endif
 
 #if ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!m_jitCodeForCall)
-        Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_evalCodeBlock));
-    else
-#endif
     Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_evalCodeBlock) + m_jitCodeForCall.size());
 #else
     Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_evalCodeBlock));
@@ -356,12 +351,7 @@ JSObject* ProgramExecutable::compileInternal(ExecState* exec, JSScope* scope, JI
 #endif
 
 #if ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!m_jitCodeForCall)
-        Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_programCodeBlock));
-    else
-#endif
-        Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_programCodeBlock) + m_jitCodeForCall.size());
+    Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_programCodeBlock) + m_jitCodeForCall.size());
 #else
     Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_programCodeBlock));
 #endif
@@ -534,12 +524,7 @@ JSObject* FunctionExecutable::compileForCallInternal(ExecState* exec, JSScope* s
 #endif
 
 #if ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!m_jitCodeForCall)
-        Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_codeBlockForCall));
-    else
-#endif
-        Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_codeBlockForCall) + m_jitCodeForCall.size());
+    Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_codeBlockForCall) + m_jitCodeForCall.size());
 #else
     Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_codeBlockForCall));
 #endif
@@ -576,11 +561,6 @@ JSObject* FunctionExecutable::compileForConstructInternal(ExecState* exec, JSSco
 #endif
 
 #if ENABLE(JIT)
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!m_jitCodeForConstruct)
-        Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_codeBlockForConstruct));
-    else
-#endif
     Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_codeBlockForConstruct) + m_jitCodeForConstruct.size());
 #else
     Heap::heap(this)->reportExtraMemoryCost(sizeof(*m_codeBlockForConstruct));
diff --git a/Source/JavaScriptCore/runtime/Executable.h b/Source/JavaScriptCore/runtime/Executable.h
index 808c78fba..6eeda3a82 100644
--- a/Source/JavaScriptCore/runtime/Executable.h
+++ b/Source/JavaScriptCore/runtime/Executable.h
@@ -266,7 +266,6 @@ namespace JSC {
 #if ENABLE(JIT)
         static NativeExecutable* create(JSGlobalData& globalData, MacroAssemblerCodeRef callThunk, NativeFunction function, MacroAssemblerCodeRef constructThunk, NativeFunction constructor, Intrinsic intrinsic)
         {
-            ASSERT(!globalData.interpreter->classicEnabled());
             NativeExecutable* executable;
             if (!callThunk) {
                 executable = new (NotNull, allocateCell<NativeExecutable>(globalData.heap)) NativeExecutable(globalData, function, constructor);
@@ -279,7 +278,7 @@ namespace JSC {
         }
 #endif
 
-#if ENABLE(CLASSIC_INTERPRETER) || ENABLE(LLINT_C_LOOP)
+#if ENABLE(LLINT_C_LOOP)
         static NativeExecutable* create(JSGlobalData& globalData, NativeFunction function, NativeFunction constructor)
         {
             ASSERT(!globalData.canUseJIT());
@@ -306,7 +305,6 @@ namespace JSC {
 #if ENABLE(JIT)
         void finishCreation(JSGlobalData& globalData, JITCode callThunk, JITCode constructThunk, Intrinsic intrinsic)
         {
-            ASSERT(!globalData.interpreter->classicEnabled());
             Base::finishCreation(globalData);
             m_jitCodeForCall = callThunk;
             m_jitCodeForConstruct = constructThunk;
@@ -316,15 +314,6 @@ namespace JSC {
         }
 #endif
 
-#if ENABLE(CLASSIC_INTERPRETER)
-        void finishCreation(JSGlobalData& globalData)
-        {
-            ASSERT(!globalData.canUseJIT());
-            Base::finishCreation(globalData);
-            m_intrinsic = NoIntrinsic;
-        }
-#endif
-
     private:
         NativeExecutable(JSGlobalData& globalData, NativeFunction function, NativeFunction constructor)
             : ExecutableBase(globalData, globalData.nativeExecutableStructure.get(), NUM_PARAMETERS_IS_HOST)
diff --git a/Source/JavaScriptCore/runtime/JSActivation.h b/Source/JavaScriptCore/runtime/JSActivation.h
index 442941335..fa2291813 100644
--- a/Source/JavaScriptCore/runtime/JSActivation.h
+++ b/Source/JavaScriptCore/runtime/JSActivation.h
@@ -84,6 +84,8 @@ namespace JSC {
         bool isValidIndex(int) const;
         bool isValid(const SymbolTableEntry&) const;
         bool isTornOff();
+        int registersOffset();
+        static int registersOffset(SharedSymbolTable*);
 
     protected:
         static const unsigned StructureFlags = OverridesGetOwnPropertySlot | OverridesVisitChildren | OverridesGetPropertyNames | Base::StructureFlags;
@@ -99,8 +101,8 @@ namespace JSC {
         NEVER_INLINE PropertySlot::GetValueFunc getArgumentsGetter();
 
         static size_t allocationSize(SharedSymbolTable*);
+        static size_t storageOffset();
 
-        int registerOffset();
         WriteBarrier<Unknown>* storage(); // captureCount() number of registers.
     };
 
@@ -141,17 +143,17 @@ namespace JSC {
         return false;
     }
 
-    inline int JSActivation::registerOffset()
+    inline int JSActivation::registersOffset(SharedSymbolTable* symbolTable)
     {
-        return -symbolTable()->captureStart();
+        return storageOffset() - (symbolTable->captureStart() * sizeof(WriteBarrier<Unknown>));
     }
 
     inline void JSActivation::tearOff(JSGlobalData& globalData)
     {
         ASSERT(!isTornOff());
 
-        int registerOffset = this->registerOffset();
-        WriteBarrierBase<Unknown>* dst = storage() + registerOffset;
+        WriteBarrierBase<Unknown>* dst = reinterpret_cast<WriteBarrierBase<Unknown>*>(
+            reinterpret_cast<char*>(this) + registersOffset(symbolTable()));
         WriteBarrierBase<Unknown>* src = m_registers;
 
         int captureEnd = symbolTable()->captureEnd();
@@ -164,15 +166,19 @@ namespace JSC {
 
     inline bool JSActivation::isTornOff()
     {
-        return m_registers == storage() + registerOffset();
+        return m_registers == reinterpret_cast<WriteBarrierBase<Unknown>*>(
+            reinterpret_cast<char*>(this) + registersOffset(symbolTable()));
+    }
+
+    inline size_t JSActivation::storageOffset()
+    {
+        return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(JSActivation));
     }
 
     inline WriteBarrier<Unknown>* JSActivation::storage()
     {
         return reinterpret_cast<WriteBarrier<Unknown>*>(
-            reinterpret_cast<char*>(this) +
-                WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(JSActivation))
-        );
+            reinterpret_cast<char*>(this) + storageOffset());
     }
 
     inline size_t JSActivation::allocationSize(SharedSymbolTable* symbolTable)
diff --git a/Source/JavaScriptCore/runtime/JSGlobalData.cpp b/Source/JavaScriptCore/runtime/JSGlobalData.cpp
index 26f2b8616..e30a7913d 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalData.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalData.cpp
@@ -97,7 +97,11 @@ extern const HashTable regExpPrototypeTable;
 extern const HashTable stringTable;
 extern const HashTable stringConstructorTable;
 
-#if ENABLE(ASSEMBLER) && (ENABLE(CLASSIC_INTERPRETER) || ENABLE(LLINT))
+// Note: Platform.h will enforce that ENABLE(ASSEMBLER) is true if either
+// ENABLE(JIT) or ENABLE(YARR_JIT) or both are enabled. The code below
+// just checks for ENABLE(JIT) or ENABLE(YARR_JIT) with this premise in mind.
+
+#if ENABLE(ASSEMBLER)
 static bool enableAssembler(ExecutableAllocator& executableAllocator)
 {
     if (!executableAllocator.isValid() || (!Options::useJIT() && !Options::useRegExpJIT()))
@@ -124,7 +128,7 @@ static bool enableAssembler(ExecutableAllocator& executableAllocator)
     return true;
 #endif
 }
-#endif
+#endif // ENABLE(!ASSEMBLER)
 
 JSGlobalData::JSGlobalData(GlobalDataType globalDataType, ThreadStackType threadStackType, HeapType heapType)
     :
@@ -180,9 +184,13 @@ JSGlobalData::JSGlobalData(GlobalDataType globalDataType, ThreadStackType thread
     , m_timeoutCount(512)
 #endif
     , m_newStringsSinceLastHashConst(0)
-#if ENABLE(ASSEMBLER) && (ENABLE(CLASSIC_INTERPRETER) || ENABLE(LLINT))
+#if ENABLE(ASSEMBLER)
     , m_canUseAssembler(enableAssembler(executableAllocator))
+#endif
+#if ENABLE(JIT)
     , m_canUseJIT(m_canUseAssembler && Options::useJIT())
+#endif
+#if ENABLE(YARR_JIT)
     , m_canUseRegExpJIT(m_canUseAssembler && Options::useRegExpJIT())
 #endif
 #if ENABLE(GC_VALIDATION)
@@ -370,10 +378,6 @@ static ThunkGenerator thunkGeneratorForIntrinsic(Intrinsic intrinsic)
 
 NativeExecutable* JSGlobalData::getHostFunction(NativeFunction function, NativeFunction constructor)
 {
-#if ENABLE(CLASSIC_INTERPRETER)
-    if (!canUseJIT())
-        return NativeExecutable::create(*this, function, constructor);
-#endif
     return jitStubs->hostFunctionStub(this, function, constructor);
 }
 NativeExecutable* JSGlobalData::getHostFunction(NativeFunction function, Intrinsic intrinsic)
diff --git a/Source/JavaScriptCore/runtime/JSGlobalData.h b/Source/JavaScriptCore/runtime/JSGlobalData.h
index 68e0e25d1..603f9f82a 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalData.h
+++ b/Source/JavaScriptCore/runtime/JSGlobalData.h
@@ -280,20 +280,18 @@ namespace JSC {
             return m_enabledProfiler;
         }
 
-#if !ENABLE(JIT)
-        bool canUseJIT() { return false; } // interpreter only
-#elif !ENABLE(CLASSIC_INTERPRETER) && !ENABLE(LLINT)
+#if ENABLE(JIT) && ENABLE(LLINT)
+        bool canUseJIT() { return m_canUseJIT; }
+#elif ENABLE(JIT)
         bool canUseJIT() { return true; } // jit only
 #else
-        bool canUseJIT() { return m_canUseJIT; }
+        bool canUseJIT() { return false; } // interpreter only
 #endif
 
-#if !ENABLE(YARR_JIT)
-        bool canUseRegExpJIT() { return false; } // interpreter only
-#elif !ENABLE(CLASSIC_INTERPRETER) && !ENABLE(LLINT)
-        bool canUseRegExpJIT() { return true; } // jit only
-#else
+#if ENABLE(YARR_JIT)
         bool canUseRegExpJIT() { return m_canUseRegExpJIT; }
+#else
+        bool canUseRegExpJIT() { return false; } // interpreter only
 #endif
 
         PrivateName m_inheritorIDKey;
@@ -440,9 +438,13 @@ namespace JSC {
         JSGlobalData(GlobalDataType, ThreadStackType, HeapType);
         static JSGlobalData*& sharedInstanceInternal();
         void createNativeThunk();
-#if ENABLE(ASSEMBLER) && (ENABLE(CLASSIC_INTERPRETER) || ENABLE(LLINT))
+#if ENABLE(ASSEMBLER)
         bool m_canUseAssembler;
+#endif
+#if ENABLE(JIT)
         bool m_canUseJIT;
+#endif
+#if ENABLE(YARR_JIT)
         bool m_canUseRegExpJIT;
 #endif
 #if ENABLE(GC_VALIDATION)
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
index 3d643a266..b0a0e8122 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
@@ -373,7 +373,7 @@ void ObjectsWithBrokenIndexingFinder::operator()(JSCell* cell)
     // a different global object that have prototypes from our global object.
     bool foundGlobalObject = false;
     for (JSObject* current = object; ;) {
-        if (current->unwrappedGlobalObject() == m_globalObject) {
+        if (current->globalObject() == m_globalObject) {
             foundGlobalObject = true;
             break;
         }
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
index e9a3e2836..c85965060 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
@@ -498,8 +498,8 @@ static double parseFloat(const String& s)
 EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec)
 {
     JSObject* thisObject = exec->hostThisValue().toThisObject(exec);
-    JSObject* unwrappedObject = thisObject->unwrappedObject();
-    if (!unwrappedObject->isGlobalObject() || jsCast<JSGlobalObject*>(unwrappedObject)->evalFunction() != exec->callee())
+    JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
+    if (thisObject != exec->callee()->globalObject()->globalThis())
         return throwVMError(exec, createEvalError(exec, ASCIILiteral("The \"this\" value passed to eval must be the global object from which eval originated")));
 
     JSValue x = exec->argument(0);
@@ -519,11 +519,11 @@ EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec)
     }
 
     EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false);
-    JSObject* error = eval->compile(exec, jsCast<JSGlobalObject*>(unwrappedObject));
+    JSObject* error = eval->compile(exec, calleeGlobalObject);
     if (error)
         return throwVMError(exec, error);
 
-    return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, jsCast<JSGlobalObject*>(unwrappedObject)));
+    return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, calleeGlobalObject));
 }
 
 EncodedJSValue JSC_HOST_CALL globalFuncParseInt(ExecState* exec)
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index acff8a6ae..7bf12b67e 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -601,7 +601,7 @@ Structure* JSObject::inheritorID(JSGlobalData& globalData)
 
 bool JSObject::allowsAccessFrom(ExecState* exec)
 {
-    JSGlobalObject* globalObject = unwrappedGlobalObject();
+    JSGlobalObject* globalObject = this->globalObject();
     return globalObject->globalObjectMethodTable()->allowsAccessFrom(globalObject, exec);
 }
 
@@ -924,13 +924,6 @@ JSObject* JSObject::toThisObject(JSCell* cell, ExecState*)
     return jsCast<JSObject*>(cell);
 }
 
-JSObject* JSObject::unwrappedObject()
-{
-    if (isGlobalThis())
-        return jsCast<JSGlobalThis*>(this)->unwrappedObject();
-    return this;
-}
-
 void JSObject::seal(JSGlobalData& globalData)
 {
     if (isSealed(globalData))
@@ -954,13 +947,6 @@ void JSObject::preventExtensions(JSGlobalData& globalData)
         setStructure(globalData, Structure::preventExtensionsTransition(globalData, structure()));
 }
 
-JSGlobalObject* JSObject::unwrappedGlobalObject()
-{
-    if (isGlobalThis())
-        return jsCast<JSGlobalThis*>(this)->unwrappedObject();
-    return structure()->globalObject();
-}
-
 // This presently will flatten to an uncachable dictionary; this is suitable
 // for use in delete, we may want to do something different elsewhere.
 void JSObject::reifyStaticFunctionsForDelete(ExecState* exec)
@@ -1052,7 +1038,7 @@ void JSObject::notifyUsedAsPrototype(JSGlobalData& globalData)
 
 Structure* JSObject::createInheritorID(JSGlobalData& globalData)
 {
-    Structure* inheritorID = createEmptyObjectStructure(globalData, unwrappedGlobalObject(), this);
+    Structure* inheritorID = createEmptyObjectStructure(globalData, globalObject(), this);
     ASSERT(inheritorID->isEmpty());
 
     PutPropertySlot slot;
diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h
index bb59eb32b..16efeba5e 100644
--- a/Source/JavaScriptCore/runtime/JSObject.h
+++ b/Source/JavaScriptCore/runtime/JSObject.h
@@ -172,6 +172,15 @@ namespace JSC {
         JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
         JS_EXPORT_PRIVATE static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
         
+        void putByIndexInline(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
+        {
+            if (canSetIndexQuickly(propertyName)) {
+                setIndexQuickly(exec->globalData(), propertyName, value);
+                return;
+            }
+            methodTable()->putByIndex(this, exec, propertyName, value, shouldThrow);
+        }
+        
         // This is similar to the putDirect* methods:
         //  - the prototype chain is not consulted
         //  - accessors are not called.
@@ -179,7 +188,7 @@ namespace JSC {
         // This method creates a property with attributes writable, enumerable and configurable all set to true.
         bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
         {
-            if (!attributes && canSetIndexQuickly(propertyName)) {
+            if (!attributes && canSetIndexQuicklyForPutDirect(propertyName)) {
                 setIndexQuickly(exec->globalData(), propertyName, value);
                 return true;
             }
@@ -191,7 +200,7 @@ namespace JSC {
         }
 
         // A non-throwing version of putDirect and putDirectIndex.
-        void putDirectMayBeIndex(ExecState*, PropertyName, JSValue);
+        JS_EXPORT_PRIVATE void putDirectMayBeIndex(ExecState*, PropertyName, JSValue);
         
         bool canGetIndexQuickly(unsigned i)
         {
@@ -235,6 +244,19 @@ namespace JSC {
             }
         }
         
+        bool canSetIndexQuicklyForPutDirect(unsigned i)
+        {
+            switch (structure()->indexingType()) {
+            case ALL_BLANK_INDEXING_TYPES:
+                return false;
+            case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+                return i < m_butterfly->arrayStorage()->vectorLength();
+            default:
+                ASSERT_NOT_REACHED();
+                return false;
+            }
+        }
+        
         void setIndexQuickly(JSGlobalData& globalData, unsigned i, JSValue v)
         {
             switch (structure()->indexingType()) {
@@ -321,7 +343,6 @@ namespace JSC {
         // NOTE: JSObject and its subclasses must be able to gracefully handle ExecState* = 0,
         // because this call may come from inside the compiler.
         JS_EXPORT_PRIVATE static JSObject* toThisObject(JSCell*, ExecState*);
-        JSObject* unwrappedObject();
 
         bool getPropertySpecificValue(ExecState*, PropertyName, JSCell*& specificFunction) const;
 
@@ -460,11 +481,6 @@ namespace JSC {
             return structure()->globalObject();
         }
         
-        // Does everything possible to return the global object. If it encounters an object
-        // that does not have a global object, it returns 0 instead (for example
-        // JSNotAnObject).
-        JSGlobalObject* unwrappedGlobalObject();
-        
         void switchToSlowPutArrayStorage(JSGlobalData&);
         
         // The receiver is the prototype in this case. The following:
diff --git a/Source/JavaScriptCore/runtime/LiteralParser.cpp b/Source/JavaScriptCore/runtime/LiteralParser.cpp
index 732d818bd..cd854417b 100644
--- a/Source/JavaScriptCore/runtime/LiteralParser.cpp
+++ b/Source/JavaScriptCore/runtime/LiteralParser.cpp
@@ -570,7 +570,8 @@ JSValue LiteralParser<CharType>::parse(ParserState initialState)
                 goto startParseExpression;
             }
             case DoParseArrayEndExpression: {
-                 asArray(objectStack.last())->push(m_exec, lastValue);
+                JSArray* array = asArray(objectStack.last());
+                array->putDirectIndex(m_exec, array->length(), lastValue);
                 
                 if (m_lexer.currentToken().type == TokComma)
                     goto doParseArrayStartExpression;
diff --git a/Source/JavaScriptCore/runtime/ObjectConstructor.cpp b/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
index 5ac2d8788..8614b9c45 100644
--- a/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
@@ -404,7 +404,7 @@ EncodedJSValue JSC_HOST_CALL objectConstructorFreeze(ExecState* exec)
         return throwVMError(exec, createTypeError(exec, ASCIILiteral("Object.freeze can only be called on Objects.")));
     JSObject* object = asObject(obj);
 
-    if (isJSFinalObject(object)) {
+    if (isJSFinalObject(object) && !hasIndexedProperties(object->structure()->indexingType())) {
         object->freeze(exec->globalData());
         return JSValue::encode(obj);
     }
diff --git a/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp b/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
index 3f709b0a7..b9ba25735 100644
--- a/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
+++ b/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
@@ -159,7 +159,7 @@ JSValue SparseArrayEntry::get(ExecState* exec, JSObject* array) const
 
     CallData callData;
     CallType callType = getter->methodTable()->getCallData(getter, callData);
-    return call(exec, getter, callType, callData, array, exec->emptyList());
+    return call(exec, getter, callType, callData, array->methodTable()->toThisObject(array, exec), exec->emptyList());
 }
 
 void SparseArrayEntry::put(ExecState* exec, JSValue thisValue, SparseArrayValueMap* map, JSValue value, bool shouldThrow)
@@ -189,6 +189,8 @@ void SparseArrayEntry::put(ExecState* exec, JSValue thisValue, SparseArrayValueM
     CallType callType = setter->methodTable()->getCallData(setter, callData);
     MarkedArgumentBuffer args;
     args.append(value);
+    if (thisValue.isObject())
+        thisValue = asObject(thisValue)->methodTable()->toThisObject(asObject(thisValue), exec);
     call(exec, setter, callType, callData, thisValue, args);
 }
 
-- 
cgit v1.2.1