author | Simon Hausmann <simon.hausmann@nokia.com> | 2012-05-07 11:21:11 +0200 |
---|---|---|
committer | Simon Hausmann <simon.hausmann@nokia.com> | 2012-05-07 11:21:11 +0200 |
commit | 2cf6c8816a73e0132bd8fa3b509d62d7c51b6e47 (patch) | |
tree | 988e8c5b116dd0466244ae2fe5af8ee9be926d76 /Source/JavaScriptCore/llint | |
parent | dd91e772430dc294e3bf478c119ef8d43c0a3358 (diff) | |
download | qtwebkit-2cf6c8816a73e0132bd8fa3b509d62d7c51b6e47.tar.gz |
Imported WebKit commit 7e538425aa020340619e927792f3d895061fb54b (http://svn.webkit.org/repository/webkit/trunk@116286)
Diffstat (limited to 'Source/JavaScriptCore/llint')
-rw-r--r-- | Source/JavaScriptCore/llint/LLIntExceptions.cpp | 3 | ||||
-rw-r--r-- | Source/JavaScriptCore/llint/LLIntSlowPaths.cpp | 63 | ||||
-rw-r--r-- | Source/JavaScriptCore/llint/LLIntSlowPaths.h | 18 | ||||
-rw-r--r-- | Source/JavaScriptCore/llint/LowLevelInterpreter.asm | 34 | ||||
-rw-r--r-- | Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm | 89 | ||||
-rw-r--r-- | Source/JavaScriptCore/llint/LowLevelInterpreter64.asm | 85 |
6 files changed, 173 insertions, 119 deletions
diff --git a/Source/JavaScriptCore/llint/LLIntExceptions.cpp b/Source/JavaScriptCore/llint/LLIntExceptions.cpp index a7d1a965a..20b0db3d9 100644 --- a/Source/JavaScriptCore/llint/LLIntExceptions.cpp +++ b/Source/JavaScriptCore/llint/LLIntExceptions.cpp @@ -40,6 +40,7 @@ namespace JSC { namespace LLInt { void interpreterThrowInCaller(ExecState* exec, ReturnAddressPtr pc) { JSGlobalData* globalData = &exec->globalData(); + NativeCallFrameTracer tracer(globalData, exec); #if LLINT_SLOW_PATH_TRACING dataLog("Throwing exception %s.\n", globalData->exception.description()); #endif @@ -56,6 +57,7 @@ Instruction* returnToThrowForThrownException(ExecState* exec) Instruction* returnToThrow(ExecState* exec, Instruction* pc) { JSGlobalData* globalData = &exec->globalData(); + NativeCallFrameTracer tracer(globalData, exec); #if LLINT_SLOW_PATH_TRACING dataLog("Throwing exception %s (returnToThrow).\n", globalData->exception.description()); #endif @@ -67,6 +69,7 @@ Instruction* returnToThrow(ExecState* exec, Instruction* pc) void* callToThrow(ExecState* exec, Instruction* pc) { JSGlobalData* globalData = &exec->globalData(); + NativeCallFrameTracer tracer(globalData, exec); #if LLINT_SLOW_PATH_TRACING dataLog("Throwing exception %s (callToThrow).\n", globalData->exception.description()); #endif diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp index b6bb664bc..2b5161f7b 100644 --- a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp +++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp @@ -37,7 +37,6 @@ #include "JIT.h" #include "JITDriver.h" #include "JSActivation.h" -#include "JSByteArray.h" #include "JSGlobalObjectFunctions.h" #include "JSPropertyNameIterator.h" #include "JSStaticScopeObject.h" 
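Review bot: `NativeCallFrameTracer tracer(globalData, exec);` in interpreterThrowInCaller reads as an unused local, with nothing saying it is declared only for what its constructor does; the same line is added in returnToThrow and callToThrow in this file and twice in handleHostCall in LLIntSlowPaths.cpp. Judging by the `storep cfr, JSGlobalData::topCallFrame[...]` stores that the assembly hunks of this commit add, it presumably records the frame as the top call frame, so a short comment such as `// Publishes exec as the top call frame for any stack walk triggered below.` would stop it being removed as dead code. returnToThrowForThrownException appears only in the second hunk's header and gets no tracer; its body is outside the hunk, so whether it needs one cannot be judged from here.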
@@ -189,7 +188,7 @@ LLINT_SLOW_PATH_DECL(trace_prologue) static void traceFunctionPrologue(ExecState* exec, const char* comment, CodeSpecializationKind kind) { - JSFunction* callee = asFunction(exec->callee()); + JSFunction* callee = jsCast<JSFunction*>(exec->callee()); FunctionExecutable* executable = callee->jsExecutable(); CodeBlock* codeBlock = &executable->generatedBytecodeFor(kind); dataLog("%p / %p: in %s of function %p, executable %p; numVars = %u, numParameters = %u, numCalleeRegisters = %u, caller = %p.\n", 
@@ -316,22 +315,22 @@ LLINT_SLOW_PATH_DECL(entry_osr) LLINT_SLOW_PATH_DECL(entry_osr_function_for_call) { - return entryOSR(exec, pc, &asFunction(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForCall), "entry_osr_function_for_call", Prologue); + return entryOSR(exec, pc, &jsCast<JSFunction*>(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForCall), "entry_osr_function_for_call", Prologue); } LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct) { - return entryOSR(exec, pc, &asFunction(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForConstruct), "entry_osr_function_for_construct", Prologue); + return entryOSR(exec, pc, &jsCast<JSFunction*>(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForConstruct), "entry_osr_function_for_construct", Prologue); } LLINT_SLOW_PATH_DECL(entry_osr_function_for_call_arityCheck) { - return entryOSR(exec, pc, &asFunction(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForCall), "entry_osr_function_for_call_arityCheck", ArityCheck); + return entryOSR(exec, pc, &jsCast<JSFunction*>(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForCall), "entry_osr_function_for_call_arityCheck", ArityCheck); } LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct_arityCheck) { - return entryOSR(exec, pc, &asFunction(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForConstruct), "entry_osr_function_for_construct_arityCheck", ArityCheck); + return entryOSR(exec, pc, &jsCast<JSFunction*>(exec->callee())->jsExecutable()->generatedBytecodeFor(CodeForConstruct), "entry_osr_function_for_construct_arityCheck", ArityCheck); } LLINT_SLOW_PATH_DECL(loop_osr) @@ -452,7 +451,7 @@ LLINT_SLOW_PATH_DECL(slow_path_create_arguments) LLINT_SLOW_PATH_DECL(slow_path_create_this) { LLINT_BEGIN(); - JSFunction* constructor = asFunction(exec->callee()); + JSFunction* constructor = jsCast<JSFunction*>(exec->callee()); #if !ASSERT_DISABLED ConstructData constructData; 
@@ -702,31 +701,6 @@ LLINT_SLOW_PATH_DECL(slow_path_typeof) LLINT_RETURN(jsTypeStringForValue(exec, LLINT_OP_C(2).jsValue())); } -LLINT_SLOW_PATH_DECL(slow_path_is_undefined) -{ - LLINT_BEGIN(); - JSValue v = LLINT_OP_C(2).jsValue(); - LLINT_RETURN(jsBoolean(v.isCell() ? v.asCell()->structure()->typeInfo().masqueradesAsUndefined() : v.isUndefined())); -} - -LLINT_SLOW_PATH_DECL(slow_path_is_boolean) -{ - LLINT_BEGIN(); - LLINT_RETURN(jsBoolean(LLINT_OP_C(2).jsValue().isBoolean())); -} - -LLINT_SLOW_PATH_DECL(slow_path_is_number) -{ - LLINT_BEGIN(); - LLINT_RETURN(jsBoolean(LLINT_OP_C(2).jsValue().isNumber())); -} - -LLINT_SLOW_PATH_DECL(slow_path_is_string) -{ - LLINT_BEGIN(); - LLINT_RETURN(jsBoolean(isJSString(LLINT_OP_C(2).jsValue()))); -} - LLINT_SLOW_PATH_DECL(slow_path_is_object) { LLINT_BEGIN(); @@ -982,9 +956,6 @@ inline JSValue getByVal(ExecState* exec, JSValue baseValue, JSValue subscript) if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i)) return asString(baseValue)->getIndex(exec, i); - if (isJSByteArray(baseValue) && asByteArray(baseValue)->canAccessIndex(i)) - return asByteArray(baseValue)->getIndex(exec, i); - return baseValue.get(exec, i); } @@ -1015,7 +986,7 @@ LLINT_SLOW_PATH_DECL(slow_path_get_argument_by_val) LLINT_SLOW_PATH_DECL(slow_path_get_by_pname) { LLINT_BEGIN(); - LLINT_RETURN(getByVal(exec, LLINT_OP(2).jsValue(), LLINT_OP(3).jsValue())); + LLINT_RETURN(getByVal(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(3).jsValue())); } LLINT_SLOW_PATH_DECL(slow_path_put_by_val) 
@@ -1036,18 +1007,6 @@ LLINT_SLOW_PATH_DECL(slow_path_put_by_val) JSArray::putByIndex(jsArray, exec, i, value, exec->codeBlock()->isStrictMode()); LLINT_END(); } - if (isJSByteArray(baseValue) - && asByteArray(baseValue)->canAccessIndex(i)) { - JSByteArray* jsByteArray = asByteArray(baseValue); - if (value.isInt32()) { - jsByteArray->setIndex(i, value.asInt32()); - LLINT_END(); - } - if (value.isNumber()) { - jsByteArray->setIndex(i, value.asNumber()); - LLINT_END(); - } - } baseValue.putByIndex(exec, i, value, exec->codeBlock()->isStrictMode()); LLINT_END(); } @@ -1254,7 +1213,7 @@ static SlowPathReturnType handleHostCall(ExecState* execCallee, Instruction* pc, { ExecState* exec = execCallee->callerFrame(); JSGlobalData& globalData = exec->globalData(); - + execCallee->setScopeChain(exec->scopeChain()); execCallee->setCodeBlock(0); execCallee->clearReturnPC(); @@ -1266,6 +1225,8 @@ static SlowPathReturnType handleHostCall(ExecState* execCallee, Instruction* pc, ASSERT(callType != CallTypeJS); if (callType == CallTypeHost) { + NativeCallFrameTracer tracer(&globalData, execCallee); + execCallee->setCallee(asObject(callee)); globalData.hostCallReturnValue = JSValue::decode(callData.native.function(execCallee)); LLINT_CALL_RETURN(execCallee, pc, reinterpret_cast<void*>(getHostCallReturnValue)); @@ -1287,6 +1248,8 @@ static SlowPathReturnType handleHostCall(ExecState* execCallee, Instruction* pc, ASSERT(constructType != ConstructTypeJS); if (constructType == ConstructTypeHost) { + NativeCallFrameTracer tracer(&globalData, execCallee); + execCallee->setCallee(asObject(callee)); globalData.hostCallReturnValue = JSValue::decode(constructData.native.function(execCallee)); LLINT_CALL_RETURN(execCallee, pc, reinterpret_cast<void*>(getHostCallReturnValue)); 
@@ -1310,7 +1273,7 @@ inline SlowPathReturnType setUpCall(ExecState* execCallee, Instruction* pc, Code if (!calleeAsFunctionCell) return handleHostCall(execCallee, pc, calleeAsValue, kind); - JSFunction* callee = asFunction(calleeAsFunctionCell); + JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell); ScopeChainNode* scope = callee->scopeUnchecked(); JSGlobalData& globalData = *scope->globalData; execCallee->setScopeChain(scope); diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.h b/Source/JavaScriptCore/llint/LLIntSlowPaths.h index 334070a07..a91cf797e 100644 --- a/Source/JavaScriptCore/llint/LLIntSlowPaths.h +++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.h @@ -39,20 +39,20 @@ struct Instruction; namespace LLInt { #if USE(JSVALUE64) +// According to C++ rules, a type used for the return signature of function with C linkage (i.e. +// 'extern "C"') needs to be POD; hence putting any constructors into it could cause either compiler +// warnings, or worse, a change in the ABI used to return these types. struct SlowPathReturnType { void* a; void* b; - - SlowPathReturnType(void* a, void* b) - : a(a) - , b(b) - { - } }; inline SlowPathReturnType encodeResult(void* a, void* b) { - return SlowPathReturnType(a, b); + SlowPathReturnType result; + result.a = a; + result.b = b; + return result; } #else typedef int64_t SlowPathReturnType; @@ -132,10 +132,6 @@ LLINT_SLOW_PATH_DECL(slow_path_bitxor); LLINT_SLOW_PATH_DECL(slow_path_check_has_instance); LLINT_SLOW_PATH_DECL(slow_path_instanceof); LLINT_SLOW_PATH_DECL(slow_path_typeof); -LLINT_SLOW_PATH_DECL(slow_path_is_undefined); -LLINT_SLOW_PATH_DECL(slow_path_is_boolean); -LLINT_SLOW_PATH_DECL(slow_path_is_number); -LLINT_SLOW_PATH_DECL(slow_path_is_string); LLINT_SLOW_PATH_DECL(slow_path_is_object); LLINT_SLOW_PATH_DECL(slow_path_is_function); LLINT_SLOW_PATH_DECL(slow_path_in); 
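Review bot: The new comment on SlowPathReturnType says the struct must stay POD, but nothing in the hunk enforces that, so a later change that re-adds a constructor would bring back the ABI risk without any diagnostic. In encodeResult the lines `SlowPathReturnType result; result.a = a; result.b = b;` can be written as the aggregate initializer `SlowPathReturnType result = { a, b };`, which leaves no window where the fields are uninitialized and, under pre-C++11 rules, only compiles while the struct remains an aggregate. The comment's first clause would also read better as "the return type of a function with C linkage".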
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm index 9af91bef2..bbfa859f2 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm @@ -291,17 +291,21 @@ macro allocateBasicJSObject(sizeClassIndex, classInfoOffset, structure, result, MarkedSpace::Subspace::preciseAllocators + sizeClassIndex * sizeof MarkedAllocator + const offsetOfFirstFreeCell = + MarkedAllocator::m_freeList + + MarkedBlock::FreeList::head + # FIXME: we can get the global data in one load from the stack. loadp CodeBlock[cfr], scratch1 loadp CodeBlock::m_globalData[scratch1], scratch1 - # Get the object from the free list. - loadp offsetOfMySizeClass + MarkedAllocator::m_firstFreeCell[scratch1], result + # Get the object from the free list. + loadp offsetOfMySizeClass + offsetOfFirstFreeCell[scratch1], result btpz result, slowCase # Remove the object from the free list. loadp [result], scratch2 - storep scratch2, offsetOfMySizeClass + MarkedAllocator::m_firstFreeCell[scratch1] + storep scratch2, offsetOfMySizeClass + offsetOfFirstFreeCell[scratch1] # Initialize the object. loadp classInfoOffset[scratch1], scratch2 @@ -423,30 +427,6 @@ _llint_op_typeof: dispatch(3) -_llint_op_is_undefined: - traceExecution() - callSlowPath(_llint_slow_path_is_undefined) - dispatch(3) - - -_llint_op_is_boolean: - traceExecution() - callSlowPath(_llint_slow_path_is_boolean) - dispatch(3) - - -_llint_op_is_number: - traceExecution() - callSlowPath(_llint_slow_path_is_number) - dispatch(3) - - -_llint_op_is_string: - traceExecution() - callSlowPath(_llint_slow_path_is_string) - dispatch(3) - - _llint_op_is_object: traceExecution() callSlowPath(_llint_slow_path_is_object) diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm index 46c6226e5..42ab4c1e4 100644 
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm @@ -200,6 +200,19 @@ macro loadConstantOrVariable(index, tag, payload) .done: end +macro loadConstantOrVariableTag(index, tag) + bigteq index, FirstConstantRegisterIndex, .constant + loadi TagOffset[cfr, index, 8], tag + jmp .done +.constant: + loadp CodeBlock[cfr], tag + loadp CodeBlock::m_constantRegisters + VectorBufferOffset[tag], tag + # There is a bit of evil here: if the index contains a value >= FirstConstantRegisterIndex, + # then value << 3 will be equal to (value - FirstConstantRegisterIndex) << 3. + loadp TagOffset[tag, index, 8], tag +.done: +end + # Index and payload may be the same register. Index may be clobbered. macro loadConstantOrVariable2Reg(index, tag, payload) bigteq index, FirstConstantRegisterIndex, .constant 
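Review bot: loadConstantOrVariableTag carries no note on register constraints, and on its `.constant` path it overwrites `tag` with the CodeBlock and constant-buffer pointers before `index` is read in `loadp TagOffset[tag, index, 8], tag`, so the two arguments must be different registers. The macro directly below it is documented with `# Index and payload may be the same register. Index may be clobbered.`; the new macro needs the opposite warning, for example `# Index and tag must be different registers: tag doubles as scratch on the constant path.` The callers added in this commit pass `t1` and `t0`, so they are fine, but nothing stops a later caller from reusing one register.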
@@ -862,6 +875,62 @@ _llint_op_instanceof: dispatch(5) +_llint_op_is_undefined: + traceExecution() + loadi 8[PC], t1 + loadi 4[PC], t0 + loadConstantOrVariable(t1, t2, t3) + storei BooleanTag, TagOffset[cfr, t0, 8] + bieq t2, CellTag, .opIsUndefinedCell + cieq t2, UndefinedTag, t3 + storei t3, PayloadOffset[cfr, t0, 8] + dispatch(3) +.opIsUndefinedCell: + loadp JSCell::m_structure[t3], t1 + tbnz Structure::m_typeInfo + TypeInfo::m_flags[t1], MasqueradesAsUndefined, t1 + storei t1, PayloadOffset[cfr, t0, 8] + dispatch(3) + + +_llint_op_is_boolean: + traceExecution() + loadi 8[PC], t1 + loadi 4[PC], t2 + loadConstantOrVariableTag(t1, t0) + cieq t0, BooleanTag, t0 + storei BooleanTag, TagOffset[cfr, t2, 8] + storei t0, PayloadOffset[cfr, t2, 8] + dispatch(3) + + +_llint_op_is_number: + traceExecution() + loadi 8[PC], t1 + loadi 4[PC], t2 + loadConstantOrVariableTag(t1, t0) + storei BooleanTag, TagOffset[cfr, t2, 8] + addi 1, t0 + cib t0, LowestTag + 1, t1 + storei t1, PayloadOffset[cfr, t2, 8] + dispatch(3) + + +_llint_op_is_string: + traceExecution() + loadi 8[PC], t1 + loadi 4[PC], t2 + loadConstantOrVariable(t1, t0, t3) + storei BooleanTag, TagOffset[cfr, t2, 8] + bineq t0, CellTag, .opIsStringNotCell + loadp JSCell::m_structure[t3], t0 + cbeq Structure::m_typeInfo + TypeInfo::m_type[t0], StringType, t1 + storei t1, PayloadOffset[cfr, t2, 8] + dispatch(3) +.opIsStringNotCell: + storep 0, PayloadOffset[cfr, t2, 8] + dispatch(3) + + macro resolveGlobal(size, slow) # Operands are as follows: # 4[PC] Destination for the load. @@ -1571,21 +1640,6 @@ _llint_op_catch: dispatch(2) -_llint_op_jsr: - traceExecution() - loadi 4[PC], t0 - addi 3 * 4, PC, t1 - storei t1, [cfr, t0, 8] - dispatchBranch(8[PC]) - - -_llint_op_sret: - traceExecution() - loadi 4[PC], t0 - loadp [cfr, t0, 8], PC - dispatch(0) - - _llint_op_end: traceExecution() checkSwitchToJITForEpilogue() 
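Review bot: The number test in _llint_op_is_number, `addi 1, t0` followed by `cib t0, LowestTag + 1, t1`, is correct only because of how the tags are laid out, and nothing in the hunk says so. It presumably relies on the int32 tag being the highest tag value, so that adding 1 wraps it to zero and one unsigned compare accepts both int32 and double tags; a comment such as `# tag + 1 wraps Int32Tag to 0, so a single unsigned compare covers int32 and double.` would make that dependency visible to whoever next changes the tag encoding. The 64-bit _llint_op_is_boolean added in LowLevelInterpreter64.asm (`xorp ValueFalse, t0` then `tpz t0, ~1, t0`) has the same gap. Separately, `.opIsStringNotCell` stores the payload with `storep 0, ...` while every other payload store in these handlers uses `storei`.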
@@ -1619,6 +1673,8 @@ macro nativeCallTrampoline(executableOffsetToFunction) storei CellTag, ScopeChain + TagOffset[cfr] storei t1, ScopeChain + PayloadOffset[cfr] if X86 + loadp JITStackFrame::globalData + 4[sp], t0 # Additional offset for return address + storep cfr, JSGlobalData::topCallFrame[t0] peek 0, t1 storep t1, ReturnPC[cfr] move cfr, t2 # t2 = ecx @@ -1630,6 +1686,8 @@ macro nativeCallTrampoline(executableOffsetToFunction) addp 16 - 4, sp loadp JITStackFrame::globalData + 4[sp], t3 elsif ARMv7 + loadp JITStackFrame::globalData[sp], t1 + storep cfr, JSGlobalData::topCallFrame[t1] move t0, t2 preserveReturnAddressAfterCall(t3) storep t3, ReturnPC[cfr] @@ -1647,6 +1705,7 @@ macro nativeCallTrampoline(executableOffsetToFunction) ret .exception: preserveReturnAddressAfterCall(t1) # This is really only needed on X86 + loadi ArgumentCount + TagOffset[cfr], PC callSlowPath(_llint_throw_from_native_call) jmp _llint_throw_from_slow_path_trampoline end diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm index d8c931fa0..b28051f33 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm @@ -117,7 +117,8 @@ macro checkSwitchToJITForLoop() btpz t0, .recover jmp t0 .recover: - loadp ArgumentCount + TagOffset[cfr], PC + move t3, PB + loadi ArgumentCount + TagOffset[cfr], PC end) end @@ -594,6 +595,9 @@ _llint_op_div: macro (left, right, slow, index) # Assume t3 is scratchable. btiz left, slow + bineq left, -1, .notNeg2TwoThe31DivByNeg1 + bieq right, -2147483648, .slow + .notNeg2TwoThe31DivByNeg1: btinz right, .intOK bilt left, 0, slow .intOK: 
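Review bot: The added overflow guard in _llint_op_div branches to `.slow`, whereas the checks on either side of it in the same macro body, `btiz left, slow` and `bilt left, 0, slow`, branch to the `slow` parameter. As written, the -2147483648 / -1 case reaches the slow path only if the expansion site happens to define a label called `.slow`; `bieq right, -2147483648, slow` would use the label the caller actually passed and keep the three exits consistent. The macro body and the site that invokes it lie outside the hunk, so how `.slow` resolves today cannot be confirmed from here.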
@@ -728,6 +732,63 @@ _llint_op_instanceof: dispatch(5) +_llint_op_is_undefined: + traceExecution() + loadis 16[PB, PC, 8], t1 + loadis 8[PB, PC, 8], t2 + loadConstantOrVariable(t1, t0) + btpz t0, tagMask, .opIsUndefinedCell + cpeq t0, ValueUndefined, t3 + orp ValueFalse, t3 + storep t3, [cfr, t2, 8] + dispatch(3) +.opIsUndefinedCell: + loadp JSCell::m_structure[t0], t0 + tbnz Structure::m_typeInfo + TypeInfo::m_flags[t0], MasqueradesAsUndefined, t1 + orp ValueFalse, t1 + storep t1, [cfr, t2, 8] + dispatch(3) + + +_llint_op_is_boolean: + traceExecution() + loadis 16[PB, PC, 8], t1 + loadis 8[PB, PC, 8], t2 + loadConstantOrVariable(t1, t0) + xorp ValueFalse, t0 + tpz t0, ~1, t0 + orp ValueFalse, t0 + storep t0, [cfr, t2, 8] + dispatch(3) + + +_llint_op_is_number: + traceExecution() + loadis 16[PB, PC, 8], t1 + loadis 8[PB, PC, 8], t2 + loadConstantOrVariable(t1, t0) + tpnz t0, tagTypeNumber, t1 + orp ValueFalse, t1 + storep t1, [cfr, t2, 8] + dispatch(3) + + +_llint_op_is_string: + traceExecution() + loadis 16[PB, PC, 8], t1 + loadis 8[PB, PC, 8], t2 + loadConstantOrVariable(t1, t0) + btpnz t0, tagMask, .opIsStringNotCell + loadp JSCell::m_structure[t0], t0 + cbeq Structure::m_typeInfo + TypeInfo::m_type[t0], StringType, t1 + orp ValueFalse, t1 + storep t1, [cfr, t2, 8] + dispatch(3) +.opIsStringNotCell: + storep ValueFalse, [cfr, t2, 8] + dispatch(3) + + macro resolveGlobal(size, slow) # Operands are as follows: # 8[PB, PC, 8] Destination for the load. @@ -1425,21 +1486,6 @@ _llint_op_catch: dispatch(2) -_llint_op_jsr: - traceExecution() - loadis 8[PB, PC, 8], t0 - addi 3, PC, t1 - storei t1, [cfr, t0, 8] - dispatchInt(16[PB, PC, 8]) - - -_llint_op_sret: - traceExecution() - loadis 8[PB, PC, 8], t0 - loadi [cfr, t0, 8], PC - dispatch(0) - - _llint_op_end: traceExecution() checkSwitchToJITForEpilogue() 
@@ -1467,6 +1513,8 @@ _llint_throw_during_call_trampoline: macro nativeCallTrampoline(executableOffsetToFunction) storep 0, CodeBlock[cfr] + loadp JITStackFrame::globalData + 8[sp], t0 + storep cfr, JSGlobalData::topCallFrame[t0] loadp CallerFrame[cfr], t0 loadp ScopeChain[t0], t1 storep t1, ScopeChain[cfr] @@ -1484,6 +1532,11 @@ macro nativeCallTrampoline(executableOffsetToFunction) ret .exception: preserveReturnAddressAfterCall(t1) + loadi ArgumentCount + TagOffset[cfr], PC + loadp CodeBlock[cfr], PB + loadp CodeBlock::m_instructions[PB], PB + loadp JITStackFrame::globalData[sp], t0 + storep cfr, JSGlobalData::topCallFrame[t0] callSlowPath(_llint_throw_from_native_call) jmp _llint_throw_from_slow_path_trampoline end |
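Review bot: The 64-bit `.exception` path now reloads the global data and stores `cfr` into `JSGlobalData::topCallFrame` before calling `_llint_throw_from_native_call`, but the matching 32_64 hunk in this commit adds only the `loadi ArgumentCount + TagOffset[cfr], PC` line there. Either the store is redundant here, since the trampoline entry already performs it, or the 32_64 path is missing it; a comment on whichever is intended would settle that. The entry store also reads `JITStackFrame::globalData + 8[sp]` while the exception path reads `JITStackFrame::globalData[sp]`; the X86 branch in the 32_64 file marks its `+ 4` with `# Additional offset for return address`, and the same comment on the `+ 8` would explain the difference. The middle of the macro is outside both hunks.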