therubyracer 0.9.0beta2 → 0.9.0beta3

data/ext/v8/upstream/v8/src/ic-inl.h

@@ -0,0 +1,130 @@
+// Copyright 2006-2008 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#ifndef V8_IC_INL_H_
+#define V8_IC_INL_H_
+
+#include "ic.h"
+#include "debug.h"
+#include "macro-assembler.h"
+
+namespace v8 {
+namespace internal {
+
+
+Address IC::address() {
+  // Get the address of the call.
+  Address result = pc() - Assembler::kCallTargetAddressOffset;
+
+#ifdef ENABLE_DEBUGGER_SUPPORT
+  Debug* debug = Isolate::Current()->debug();
+  // First check if any break points are active if not just return the address
+  // of the call.
+  if (!debug->has_break_points()) return result;
+
+  // At least one break point is active perform additional test to ensure that
+  // break point locations are updated correctly.
+  if (debug->IsDebugBreak(Assembler::target_address_at(result))) {
+    // If the call site is a call to debug break then return the address in
+    // the original code instead of the address in the running code. This will
+    // cause the original code to be updated and keeps the breakpoint active in
+    // the running code.
+    return OriginalCodeAddress();
+  } else {
+    // No break point here just return the address of the call.
+    return result;
+  }
+#else
+  return result;
+#endif
+}
+
+
+Code* IC::GetTargetAtAddress(Address address) {
+  // Get the target address of the IC.
+  Address target = Assembler::target_address_at(address);
+  // Convert target address to the code object. Code::GetCodeFromTargetAddress
+  // is safe for use during GC where the map might be marked.
+  Code* result = Code::GetCodeFromTargetAddress(target);
+  ASSERT(result->is_inline_cache_stub());
+  return result;
+}
+
+
+void IC::SetTargetAtAddress(Address address, Code* target) {
+  ASSERT(target->is_inline_cache_stub() || target->is_compare_ic_stub());
+#ifdef DEBUG
+  // STORE_IC and KEYED_STORE_IC use Code::extra_ic_state() to mark
+  // ICs as strict mode. The strict-ness of the IC must be preserved.
+  Code* old_target = GetTargetAtAddress(address);
+  if (old_target->kind() == Code::STORE_IC ||
+      old_target->kind() == Code::KEYED_STORE_IC) {
+    ASSERT(old_target->extra_ic_state() == target->extra_ic_state());
+  }
+#endif
+  Assembler::set_target_address_at(address, target->instruction_start());
+}
+
+
+InlineCacheHolderFlag IC::GetCodeCacheForObject(Object* object,
+                                                JSObject* holder) {
+  if (object->IsJSObject()) {
+    return GetCodeCacheForObject(JSObject::cast(object), holder);
+  }
+  // If the object is a value, we use the prototype map for the cache.
+  ASSERT(object->IsString() || object->IsNumber() || object->IsBoolean());
+  return PROTOTYPE_MAP;
+}
+
+
+InlineCacheHolderFlag IC::GetCodeCacheForObject(JSObject* object,
+                                                JSObject* holder) {
+  // Fast-properties and global objects store stubs in their own maps.
+  // Slow properties objects use prototype's map (unless the property is its own
+  // when holder == object). It works because slow properties objects having
+  // the same prototype (or a prototype with the same map) and not having
+  // the property are interchangeable for such a stub.
+  if (holder != object &&
+      !object->HasFastProperties() &&
+      !object->IsJSGlobalProxy() &&
+      !object->IsJSGlobalObject()) {
+    return PROTOTYPE_MAP;
+  }
+  return OWN_MAP;
+}
+
+
+JSObject* IC::GetCodeCacheHolder(Object* object, InlineCacheHolderFlag holder) {
+  Object* map_owner = (holder == OWN_MAP ? object : object->GetPrototype());
+  ASSERT(map_owner->IsJSObject());
+  return JSObject::cast(map_owner);
+}
+
+
+} }  // namespace v8::internal
+
+#endif  // V8_IC_INL_H_

data/ext/v8/upstream/v8/src/ic.cc

@@ -0,0 +1,2389 @@
+// Copyright 2006-2009 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "v8.h"
+
+#include "accessors.h"
+#include "api.h"
+#include "arguments.h"
+#include "codegen.h"
+#include "execution.h"
+#include "ic-inl.h"
+#include "runtime.h"
+#include "stub-cache.h"
+
+namespace v8 {
+namespace internal {
+
+#ifdef DEBUG
+static char TransitionMarkFromState(IC::State state) {
+  switch (state) {
+    case UNINITIALIZED: return '0';
+    case PREMONOMORPHIC: return 'P';
+    case MONOMORPHIC: return '1';
+    case MONOMORPHIC_PROTOTYPE_FAILURE: return '^';
+    case MEGAMORPHIC: return 'N';
+
+    // We never see the debugger states here, because the state is
+    // computed from the original code - not the patched code. Let
+    // these cases fall through to the unreachable code below.
+    case DEBUG_BREAK: break;
+    case DEBUG_PREPARE_STEP_IN: break;
+  }
+  UNREACHABLE();
+  return 0;
+}
+
+void IC::TraceIC(const char* type,
+                 Handle<Object> name,
+                 State old_state,
+                 Code* new_target,
+                 const char* extra_info) {
+  if (FLAG_trace_ic) {
+    State new_state = StateFrom(new_target,
+                                HEAP->undefined_value(),
+                                HEAP->undefined_value());
+    PrintF("[%s (%c->%c)%s", type,
+           TransitionMarkFromState(old_state),
+           TransitionMarkFromState(new_state),
+           extra_info);
+    name->Print();
+    PrintF("]\n");
+  }
+}
+#endif
+
+
+IC::IC(FrameDepth depth, Isolate* isolate) : isolate_(isolate) {
+  ASSERT(isolate == Isolate::Current());
+  // To improve the performance of the (much used) IC code, we unfold
+  // a few levels of the stack frame iteration code. This yields a
+  // ~35% speedup when running DeltaBlue with the '--nouse-ic' flag.
+  const Address entry =
+      Isolate::c_entry_fp(isolate->thread_local_top());
+  Address* pc_address =
+      reinterpret_cast<Address*>(entry + ExitFrameConstants::kCallerPCOffset);
+  Address fp = Memory::Address_at(entry + ExitFrameConstants::kCallerFPOffset);
+  // If there's another JavaScript frame on the stack, we need to look
+  // one frame further down the stack to find the frame pointer and
+  // the return address stack slot.
+  if (depth == EXTRA_CALL_FRAME) {
+    const int kCallerPCOffset = StandardFrameConstants::kCallerPCOffset;
+    pc_address = reinterpret_cast<Address*>(fp + kCallerPCOffset);
+    fp = Memory::Address_at(fp + StandardFrameConstants::kCallerFPOffset);
+  }
+#ifdef DEBUG
+  StackFrameIterator it;
+  for (int i = 0; i < depth + 1; i++) it.Advance();
+  StackFrame* frame = it.frame();
+  ASSERT(fp == frame->fp() && pc_address == frame->pc_address());
+#endif
+  fp_ = fp;
+  pc_address_ = pc_address;
+}
+
+
+#ifdef ENABLE_DEBUGGER_SUPPORT
+Address IC::OriginalCodeAddress() {
+  HandleScope scope;
+  // Compute the JavaScript frame for the frame pointer of this IC
+  // structure. We need this to be able to find the function
+  // corresponding to the frame.
+  StackFrameIterator it;
+  while (it.frame()->fp() != this->fp()) it.Advance();
+  JavaScriptFrame* frame = JavaScriptFrame::cast(it.frame());
+  // Find the function on the stack and both the active code for the
+  // function and the original code.
+  JSFunction* function = JSFunction::cast(frame->function());
+  Handle<SharedFunctionInfo> shared(function->shared());
+  Code* code = shared->code();
+  ASSERT(Debug::HasDebugInfo(shared));
+  Code* original_code = Debug::GetDebugInfo(shared)->original_code();
+  ASSERT(original_code->IsCode());
+  // Get the address of the call site in the active code. This is the
+  // place where the call to DebugBreakXXX is and where the IC
+  // normally would be.
+  Address addr = pc() - Assembler::kCallTargetAddressOffset;
+  // Return the address in the original code. This is the place where
+  // the call which has been overwritten by the DebugBreakXXX resides
+  // and the place where the inline cache system should look.
+  intptr_t delta =
+      original_code->instruction_start() - code->instruction_start();
+  return addr + delta;
+}
+#endif
+
+
+static bool HasNormalObjectsInPrototypeChain(Isolate* isolate,
+                                             LookupResult* lookup,
+                                             Object* receiver) {
+  Object* end = lookup->IsProperty()
+      ? lookup->holder() : isolate->heap()->null_value();
+  for (Object* current = receiver;
+       current != end;
+       current = current->GetPrototype()) {
+    if (current->IsJSObject() &&
+        !JSObject::cast(current)->HasFastProperties() &&
+        !current->IsJSGlobalProxy() &&
+        !current->IsJSGlobalObject()) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+
+static bool TryRemoveInvalidPrototypeDependentStub(Code* target,
+                                                   Object* receiver,
+                                                   Object* name) {
+  InlineCacheHolderFlag cache_holder =
+      Code::ExtractCacheHolderFromFlags(target->flags());
+
+  if (cache_holder == OWN_MAP && !receiver->IsJSObject()) {
+    // The stub was generated for JSObject but called for non-JSObject.
+    // IC::GetCodeCacheHolder is not applicable.
+    return false;
+  } else if (cache_holder == PROTOTYPE_MAP &&
+             receiver->GetPrototype()->IsNull()) {
+    // IC::GetCodeCacheHolder is not applicable.
+    return false;
+  }
+  Map* map = IC::GetCodeCacheHolder(receiver, cache_holder)->map();
+
+  // Decide whether the inline cache failed because of changes to the
+  // receiver itself or changes to one of its prototypes.
+  //
+  // If there are changes to the receiver itself, the map of the
+  // receiver will have changed and the current target will not be in
+  // the receiver map's code cache.  Therefore, if the current target
+  // is in the receiver map's code cache, the inline cache failed due
+  // to prototype check failure.
+  int index = map->IndexInCodeCache(name, target);
+  if (index >= 0) {
+    map->RemoveFromCodeCache(String::cast(name), target, index);
+    return true;
+  }
+
+  return false;
+}
+
+
+IC::State IC::StateFrom(Code* target, Object* receiver, Object* name) {
+  IC::State state = target->ic_state();
+
+  if (state != MONOMORPHIC || !name->IsString()) return state;
+  if (receiver->IsUndefined() || receiver->IsNull()) return state;
+
+  // For keyed load/store/call, the most likely cause of cache failure is
+  // that the key has changed.  We do not distinguish between
+  // prototype and non-prototype failures for keyed access.
+  Code::Kind kind = target->kind();
+  if (kind == Code::KEYED_LOAD_IC ||
+      kind == Code::KEYED_STORE_IC ||
+      kind == Code::KEYED_CALL_IC) {
+    return MONOMORPHIC;
+  }
+
+  // Remove the target from the code cache if it became invalid
+  // because of changes in the prototype chain to avoid hitting it
+  // again.
+  // Call stubs handle this later to allow extra IC state
+  // transitions.
+  if (kind != Code::CALL_IC &&
+      TryRemoveInvalidPrototypeDependentStub(target, receiver, name)) {
+    return MONOMORPHIC_PROTOTYPE_FAILURE;
+  }
+
+  // The builtins object is special.  It only changes when JavaScript
+  // builtins are loaded lazily.  It is important to keep inline
+  // caches for the builtins object monomorphic.  Therefore, if we get
+  // an inline cache miss for the builtins object after lazily loading
+  // JavaScript builtins, we return uninitialized as the state to
+  // force the inline cache back to monomorphic state.
+  if (receiver->IsJSBuiltinsObject()) {
+    return UNINITIALIZED;
+  }
+
+  return MONOMORPHIC;
+}
+
+
+RelocInfo::Mode IC::ComputeMode() {
+  Address addr = address();
+  Code* code = Code::cast(isolate()->heap()->FindCodeObject(addr));
+  for (RelocIterator it(code, RelocInfo::kCodeTargetMask);
+       !it.done(); it.next()) {
+    RelocInfo* info = it.rinfo();
+    if (info->pc() == addr) return info->rmode();
+  }
+  UNREACHABLE();
+  return RelocInfo::NONE;
+}
+
+
+Failure* IC::TypeError(const char* type,
+                       Handle<Object> object,
+                       Handle<Object> key) {
+  HandleScope scope(isolate());
+  Handle<Object> args[2] = { key, object };
+  Handle<Object> error = isolate()->factory()->NewTypeError(
+      type, HandleVector(args, 2));
+  return isolate()->Throw(*error);
+}
+
+
+Failure* IC::ReferenceError(const char* type, Handle<String> name) {
+  HandleScope scope(isolate());
+  Handle<Object> error = isolate()->factory()->NewReferenceError(
+      type, HandleVector(&name, 1));
+  return isolate()->Throw(*error);
+}
+
+
+void IC::Clear(Address address) {
+  Code* target = GetTargetAtAddress(address);
+
+  // Don't clear debug break inline cache as it will remove the break point.
+  if (target->ic_state() == DEBUG_BREAK) return;
+
+  switch (target->kind()) {
+    case Code::LOAD_IC: return LoadIC::Clear(address, target);
+    case Code::KEYED_LOAD_IC:
+    case Code::KEYED_EXTERNAL_ARRAY_LOAD_IC:
+      return KeyedLoadIC::Clear(address, target);
+    case Code::STORE_IC: return StoreIC::Clear(address, target);
+    case Code::KEYED_STORE_IC:
+    case Code::KEYED_EXTERNAL_ARRAY_STORE_IC:
+      return KeyedStoreIC::Clear(address, target);
+    case Code::CALL_IC: return CallIC::Clear(address, target);
+    case Code::KEYED_CALL_IC:  return KeyedCallIC::Clear(address, target);
+    case Code::BINARY_OP_IC:
+    case Code::TYPE_RECORDING_BINARY_OP_IC:
+    case Code::COMPARE_IC:
+      // Clearing these is tricky and does not
+      // make any performance difference.
+      return;
+    default: UNREACHABLE();
+  }
+}
+
+
+void CallICBase::Clear(Address address, Code* target) {
+  State state = target->ic_state();
+  if (state == UNINITIALIZED) return;
+  Code* code =
+      Isolate::Current()->stub_cache()->FindCallInitialize(
+          target->arguments_count(),
+          target->ic_in_loop(),
+          target->kind());
+  SetTargetAtAddress(address, code);
+}
+
+
+void KeyedLoadIC::ClearInlinedVersion(Address address) {
+  // Insert null as the map to check for to make sure the map check fails
+  // sending control flow to the IC instead of the inlined version.
+  PatchInlinedLoad(address, HEAP->null_value());
+}
+
+
+void KeyedLoadIC::Clear(Address address, Code* target) {
+  if (target->ic_state() == UNINITIALIZED) return;
+  // Make sure to also clear the map used in inline fast cases.  If we
+  // do not clear these maps, cached code can keep objects alive
+  // through the embedded maps.
+  ClearInlinedVersion(address);
+  SetTargetAtAddress(address, initialize_stub());
+}
+
+
+void LoadIC::ClearInlinedVersion(Address address) {
+  // Reset the map check of the inlined inobject property load (if
+  // present) to guarantee failure by holding an invalid map (the null
+  // value).  The offset can be patched to anything.
+  Heap* heap = HEAP;
+  PatchInlinedLoad(address, heap->null_value(), 0);
+  PatchInlinedContextualLoad(address,
+                             heap->null_value(),
+                             heap->null_value(),
+                             true);
+}
+
+
+void LoadIC::Clear(Address address, Code* target) {
+  if (target->ic_state() == UNINITIALIZED) return;
+  ClearInlinedVersion(address);
+  SetTargetAtAddress(address, initialize_stub());
+}
+
+
+void StoreIC::ClearInlinedVersion(Address address) {
+  // Reset the map check of the inlined inobject property store (if
+  // present) to guarantee failure by holding an invalid map (the null
+  // value).  The offset can be patched to anything.
+  PatchInlinedStore(address, HEAP->null_value(), 0);
+}
+
+
+void StoreIC::Clear(Address address, Code* target) {
+  if (target->ic_state() == UNINITIALIZED) return;
+  ClearInlinedVersion(address);
+  SetTargetAtAddress(address,
+      (target->extra_ic_state() == kStrictMode)
+        ? initialize_stub_strict()
+        : initialize_stub());
+}
+
+
+void KeyedStoreIC::ClearInlinedVersion(Address address) {
+  // Insert null as the elements map to check for.  This will make
+  // sure that the elements fast-case map check fails so that control
+  // flows to the IC instead of the inlined version.
+  PatchInlinedStore(address, HEAP->null_value());
+}
+
+
+void KeyedStoreIC::RestoreInlinedVersion(Address address) {
+  // Restore the fast-case elements map check so that the inlined
+  // version can be used again.
+  PatchInlinedStore(address, HEAP->fixed_array_map());
+}
+
+
+void KeyedStoreIC::Clear(Address address, Code* target) {
+  if (target->ic_state() == UNINITIALIZED) return;
+  SetTargetAtAddress(address,
+      (target->extra_ic_state() == kStrictMode)
+        ? initialize_stub_strict()
+        : initialize_stub());
+}
+
+
+static bool HasInterceptorGetter(JSObject* object) {
+  return !object->GetNamedInterceptor()->getter()->IsUndefined();
+}
+
+
+static void LookupForRead(Object* object,
+                          String* name,
+                          LookupResult* lookup) {
+  AssertNoAllocation no_gc;  // pointers must stay valid
+
+  // Skip all the objects with named interceptors, but
+  // without actual getter.
+  while (true) {
+    object->Lookup(name, lookup);
+    // Besides normal conditions (property not found or it's not
+    // an interceptor), bail out if lookup is not cacheable: we won't
+    // be able to IC it anyway and regular lookup should work fine.
+    if (!lookup->IsFound()
+        || (lookup->type() != INTERCEPTOR)
+        || !lookup->IsCacheable()) {
+      return;
+    }
+
+    JSObject* holder = lookup->holder();
+    if (HasInterceptorGetter(holder)) {
+      return;
+    }
+
+    holder->LocalLookupRealNamedProperty(name, lookup);
+    if (lookup->IsProperty()) {
+      ASSERT(lookup->type() != INTERCEPTOR);
+      return;
+    }
+
+    Object* proto = holder->GetPrototype();
+    if (proto->IsNull()) {
+      lookup->NotFound();
+      return;
+    }
+
+    object = proto;
+  }
+}
+
+
+Object* CallICBase::TryCallAsFunction(Object* object) {
+  HandleScope scope(isolate());
+  Handle<Object> target(object, isolate());
+  Handle<Object> delegate = Execution::GetFunctionDelegate(target);
+
+  if (delegate->IsJSFunction()) {
+    // Patch the receiver and use the delegate as the function to
+    // invoke. This is used for invoking objects as if they were
+    // functions.
+    const int argc = this->target()->arguments_count();
+    StackFrameLocator locator;
+    JavaScriptFrame* frame = locator.FindJavaScriptFrame(0);
+    int index = frame->ComputeExpressionsCount() - (argc + 1);
+    frame->SetExpression(index, *target);
+  }
+
+  return *delegate;
+}
+
+
+void CallICBase::ReceiverToObjectIfRequired(Handle<Object> callee,
+                                            Handle<Object> object) {
+  if (callee->IsJSFunction()) {
+    Handle<JSFunction> function = Handle<JSFunction>::cast(callee);
+    if (function->shared()->strict_mode() || function->IsBuiltin()) {
+      // Do not wrap receiver for strict mode functions or for builtins.
+      return;
+    }
+  }
+
+  // And only wrap string, number or boolean.
+  if (object->IsString() || object->IsNumber() || object->IsBoolean()) {
+    // Change the receiver to the result of calling ToObject on it.
+    const int argc = this->target()->arguments_count();
+    StackFrameLocator locator;
+    JavaScriptFrame* frame = locator.FindJavaScriptFrame(0);
+    int index = frame->ComputeExpressionsCount() - (argc + 1);
+    frame->SetExpression(index, *isolate()->factory()->ToObject(object));
+  }
+}
+
+
+MaybeObject* CallICBase::LoadFunction(State state,
+                                      Code::ExtraICState extra_ic_state,
+                                      Handle<Object> object,
+                                      Handle<String> name) {
+  // If the object is undefined or null it's illegal to try to get any
+  // of its properties; throw a TypeError in that case.
+  if (object->IsUndefined() || object->IsNull()) {
+    return TypeError("non_object_property_call", object, name);
+  }
+
+  // Check if the name is trivially convertible to an index and get
+  // the element if so.
+  uint32_t index;
+  if (name->AsArrayIndex(&index)) {
+    Object* result;
+    { MaybeObject* maybe_result = object->GetElement(index);
+      if (!maybe_result->ToObject(&result)) return maybe_result;
+    }
+
+    if (result->IsJSFunction()) return result;
+
+    // Try to find a suitable function delegate for the object at hand.
+    result = TryCallAsFunction(result);
+    if (result->IsJSFunction()) return result;
+
+    // Otherwise, it will fail in the lookup step.
+  }
+
+  // Lookup the property in the object.
+  LookupResult lookup;
+  LookupForRead(*object, *name, &lookup);
+
+  if (!lookup.IsProperty()) {
+    // If the object does not have the requested property, check which
+    // exception we need to throw.
+    if (IsContextual(object)) {
+      return ReferenceError("not_defined", name);
+    }
+    return TypeError("undefined_method", object, name);
+  }
+
+  // Lookup is valid: Update inline cache and stub cache.
+  if (FLAG_use_ic) {
+    UpdateCaches(&lookup, state, extra_ic_state, object, name);
+  }
+
+  // Get the property.
+  PropertyAttributes attr;
+  Object* result;
+  { MaybeObject* maybe_result =
+        object->GetProperty(*object, &lookup, *name, &attr);
+    if (!maybe_result->ToObject(&result)) return maybe_result;
+  }
+
+  if (lookup.type() == INTERCEPTOR) {
+    // If the object does not have the requested property, check which
+    // exception we need to throw.
+    if (attr == ABSENT) {
+      if (IsContextual(object)) {
+        return ReferenceError("not_defined", name);
+      }
+      return TypeError("undefined_method", object, name);
+    }
+  }
+
+  ASSERT(!result->IsTheHole());
+
+  HandleScope scope(isolate());
+  // Wrap result in a handle because ReceiverToObjectIfRequired may allocate
+  // new object and cause GC.
+  Handle<Object> result_handle(result);
+  // Make receiver an object if the callee requires it. Strict mode or builtin
+  // functions do not wrap the receiver, non-strict functions and objects
+  // called as functions do.
+  ReceiverToObjectIfRequired(result_handle, object);
+
+  if (result_handle->IsJSFunction()) {
+#ifdef ENABLE_DEBUGGER_SUPPORT
+    // Handle stepping into a function if step into is active.
+    Debug* debug = isolate()->debug();
+    if (debug->StepInActive()) {
+      // Protect the result in a handle as the debugger can allocate and might
+      // cause GC.
+      Handle<JSFunction> function(JSFunction::cast(*result_handle), isolate());
+      debug->HandleStepIn(function, object, fp(), false);
+      return *function;
+    }
+#endif
+
+    return *result_handle;
+  }
+
+  // Try to find a suitable function delegate for the object at hand.
+  result_handle = Handle<Object>(TryCallAsFunction(*result_handle));
+  if (result_handle->IsJSFunction()) return *result_handle;
+
+  return TypeError("property_not_function", object, name);
+}
+
+
+bool CallICBase::TryUpdateExtraICState(LookupResult* lookup,
+                                       Handle<Object> object,
+                                       Code::ExtraICState* extra_ic_state) {
+  ASSERT(kind_ == Code::CALL_IC);
+  if (lookup->type() != CONSTANT_FUNCTION) return false;
+  JSFunction* function = lookup->GetConstantFunction();
+  if (!function->shared()->HasBuiltinFunctionId()) return false;
+
+  // Fetch the arguments passed to the called function.
+  const int argc = target()->arguments_count();
+  Address entry = isolate()->c_entry_fp(isolate()->thread_local_top());
+  Address fp = Memory::Address_at(entry + ExitFrameConstants::kCallerFPOffset);
+  Arguments args(argc + 1,
+                 &Memory::Object_at(fp +
+                                    StandardFrameConstants::kCallerSPOffset +
+                                    argc * kPointerSize));
+  switch (function->shared()->builtin_function_id()) {
+    case kStringCharCodeAt:
+    case kStringCharAt:
+      if (object->IsString()) {
+        String* string = String::cast(*object);
+        // Check there's the right string value or wrapper in the receiver slot.
+        ASSERT(string == args[0] || string == JSValue::cast(args[0])->value());
+        // If we're in the default (fastest) state and the index is
+        // out of bounds, update the state to record this fact.
+        if (*extra_ic_state == DEFAULT_STRING_STUB &&
+            argc >= 1 && args[1]->IsNumber()) {
+          double index;
+          if (args[1]->IsSmi()) {
+            index = Smi::cast(args[1])->value();
+          } else {
+            ASSERT(args[1]->IsHeapNumber());
+            index = DoubleToInteger(HeapNumber::cast(args[1])->value());
+          }
+          if (index < 0 || index >= string->length()) {
+            *extra_ic_state = STRING_INDEX_OUT_OF_BOUNDS;
+            return true;
+          }
+        }
+      }
+      break;
+    default:
+      return false;
+  }
+  return false;
+}
+
+
+MaybeObject* CallICBase::ComputeMonomorphicStub(
+    LookupResult* lookup,
+    State state,
+    Code::ExtraICState extra_ic_state,
+    Handle<Object> object,
+    Handle<String> name) {
+  int argc = target()->arguments_count();
+  InLoopFlag in_loop = target()->ic_in_loop();
+  MaybeObject* maybe_code = NULL;
+  switch (lookup->type()) {
+    case FIELD: {
+      int index = lookup->GetFieldIndex();
+      maybe_code = isolate()->stub_cache()->ComputeCallField(argc,
+                                                             in_loop,
+                                                             kind_,
+                                                             *name,
+                                                             *object,
+                                                             lookup->holder(),
+                                                             index);
+      break;
+    }
+    case CONSTANT_FUNCTION: {
+      // Get the constant function and compute the code stub for this
+      // call; used for rewriting to monomorphic state and making sure
+      // that the code stub is in the stub cache.
+      JSFunction* function = lookup->GetConstantFunction();
+      maybe_code =
+          isolate()->stub_cache()->ComputeCallConstant(argc,
+                                                       in_loop,
+                                                       kind_,
+                                                       extra_ic_state,
+                                                       *name,
+                                                       *object,
+                                                       lookup->holder(),
+                                                       function);
+      break;
+    }
+    case NORMAL: {
+      if (!object->IsJSObject()) return NULL;
+      Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+
+      if (lookup->holder()->IsGlobalObject()) {
+        GlobalObject* global = GlobalObject::cast(lookup->holder());
+        JSGlobalPropertyCell* cell =
+            JSGlobalPropertyCell::cast(global->GetPropertyCell(lookup));
+        if (!cell->value()->IsJSFunction()) return NULL;
+        JSFunction* function = JSFunction::cast(cell->value());
+        maybe_code = isolate()->stub_cache()->ComputeCallGlobal(argc,
+                                                                in_loop,
+                                                                kind_,
+                                                                *name,
+                                                                *receiver,
+                                                                global,
+                                                                cell,
+                                                                function);
+      } else {
+        // There is only one shared stub for calling normalized
+        // properties. It does not traverse the prototype chain, so the
+        // property must be found in the receiver for the stub to be
+        // applicable.
+        if (lookup->holder() != *receiver) return NULL;
+        maybe_code = isolate()->stub_cache()->ComputeCallNormal(argc,
+                                                                in_loop,
+                                                                kind_,
+                                                                *name,
+                                                                *receiver);
+      }
+      break;
+    }
+    case INTERCEPTOR: {
+      ASSERT(HasInterceptorGetter(lookup->holder()));
+      maybe_code = isolate()->stub_cache()->ComputeCallInterceptor(
+          argc,
+          kind_,
+          *name,
+          *object,
+          lookup->holder());
+      break;
+    }
+    default:
+      maybe_code = NULL;
+      break;
+  }
+  return maybe_code;
+}
+
+
+void CallICBase::UpdateCaches(LookupResult* lookup,
+                              State state,
+                              Code::ExtraICState extra_ic_state,
+                              Handle<Object> object,
+                              Handle<String> name) {
+  // Bail out if we didn't find a result.
+  if (!lookup->IsProperty() || !lookup->IsCacheable()) return;
+
+  if (lookup->holder() != *object &&
+      HasNormalObjectsInPrototypeChain(
+          isolate(), lookup, object->GetPrototype())) {
+    // Suppress optimization for prototype chains with slow properties objects
+    // in the middle.
+    return;
+  }
+
+  // Compute the number of arguments.
+  int argc = target()->arguments_count();
+  InLoopFlag in_loop = target()->ic_in_loop();
+  MaybeObject* maybe_code = NULL;
+  bool had_proto_failure = false;
+  if (state == UNINITIALIZED) {
+    // This is the first time we execute this inline cache.
+    // Set the target to the pre monomorphic stub to delay
+    // setting the monomorphic state.
+    maybe_code = isolate()->stub_cache()->ComputeCallPreMonomorphic(argc,
+                                                                    in_loop,
+                                                                    kind_);
+  } else if (state == MONOMORPHIC) {
+    if (kind_ == Code::CALL_IC &&
+        TryUpdateExtraICState(lookup, object, &extra_ic_state)) {
+      maybe_code = ComputeMonomorphicStub(lookup,
+                                          state,
+                                          extra_ic_state,
+                                          object,
+                                          name);
+    } else if (kind_ == Code::CALL_IC &&
+               TryRemoveInvalidPrototypeDependentStub(target(),
+                                                      *object,
+                                                      *name)) {
+      had_proto_failure = true;
+      maybe_code = ComputeMonomorphicStub(lookup,
+                                          state,
+                                          extra_ic_state,
+                                          object,
+                                          name);
+    } else {
+      maybe_code = isolate()->stub_cache()->ComputeCallMegamorphic(argc,
+                                                                   in_loop,
+                                                                   kind_);
+    }
+  } else {
+    maybe_code = ComputeMonomorphicStub(lookup,
+                                        state,
+                                        extra_ic_state,
+                                        object,
+                                        name);
+  }
+
+  // If we're unable to compute the stub (not enough memory left), we
+  // simply avoid updating the caches.
+  Object* code;
+  if (maybe_code == NULL || !maybe_code->ToObject(&code)) return;
+
+  // Patch the call site depending on the state of the cache.
+  if (state == UNINITIALIZED ||
+      state == PREMONOMORPHIC ||
+      state == MONOMORPHIC ||
+      state == MONOMORPHIC_PROTOTYPE_FAILURE) {
+    set_target(Code::cast(code));
+  } else if (state == MEGAMORPHIC) {
+    // Cache code holding map should be consistent with
+    // GenerateMonomorphicCacheProbe. It is not the map which holds the stub.
+    Map* map = JSObject::cast(object->IsJSObject() ? *object :
+                              object->GetPrototype())->map();
+
+    // Update the stub cache.
+    isolate()->stub_cache()->Set(*name, map, Code::cast(code));
+  }
+
+  USE(had_proto_failure);
+#ifdef DEBUG
+  if (had_proto_failure) state = MONOMORPHIC_PROTOTYPE_FAILURE;
+  TraceIC(kind_ == Code::CALL_IC ? "CallIC" : "KeyedCallIC",
+      name, state, target(), in_loop ? " (in-loop)" : "");
+#endif
+}
+
+
+MaybeObject* KeyedCallIC::LoadFunction(State state,
+                                       Handle<Object> object,
+                                       Handle<Object> key) {
+  if (key->IsSymbol()) {
+    return CallICBase::LoadFunction(state,
+                                    Code::kNoExtraICState,
+                                    object,
+                                    Handle<String>::cast(key));
+  }
+
+  if (object->IsUndefined() || object->IsNull()) {
+    return TypeError("non_object_property_call", object, key);
+  }
+
+  if (FLAG_use_ic && state != MEGAMORPHIC && !object->IsAccessCheckNeeded()) {
+    int argc = target()->arguments_count();
+    InLoopFlag in_loop = target()->ic_in_loop();
+    MaybeObject* maybe_code = isolate()->stub_cache()->ComputeCallMegamorphic(
+        argc, in_loop, Code::KEYED_CALL_IC);
+    Object* code;
+    if (maybe_code->ToObject(&code)) {
+      set_target(Code::cast(code));
+#ifdef DEBUG
+      TraceIC(
+          "KeyedCallIC", key, state, target(), in_loop ? " (in-loop)" : "");
+#endif
+    }
+  }
+
+  HandleScope scope(isolate());
+  Handle<Object> result = GetProperty(object, key);
+  RETURN_IF_EMPTY_HANDLE(isolate(), result);
+
+  // Make receiver an object if the callee requires it. Strict mode or builtin
+  // functions do not wrap the receiver, non-strict functions and objects
+  // called as functions do.
+  ReceiverToObjectIfRequired(result, object);
+
+  if (result->IsJSFunction()) return *result;
+  result = Handle<Object>(TryCallAsFunction(*result));
+  if (result->IsJSFunction()) return *result;
+
+  return TypeError("property_not_function", object, key);
+}
+
+
+#ifdef DEBUG
+#define TRACE_IC_NAMED(msg, name) \
+  if (FLAG_trace_ic) PrintF(msg, *(name)->ToCString())
+#else
+#define TRACE_IC_NAMED(msg, name)
+#endif
+
+
+MaybeObject* LoadIC::Load(State state,
+                          Handle<Object> object,
+                          Handle<String> name) {
+  // If the object is undefined or null it's illegal to try to get any
+  // of its properties; throw a TypeError in that case.
+  if (object->IsUndefined() || object->IsNull()) {
+    return TypeError("non_object_property_load", object, name);
+  }
+
+  if (FLAG_use_ic) {
+    Code* non_monomorphic_stub =
+        (state == UNINITIALIZED) ? pre_monomorphic_stub() : megamorphic_stub();
+
+    // Use specialized code for getting the length of strings and
+    // string wrapper objects.  The length property of string wrapper
+    // objects is read-only and therefore always returns the length of
+    // the underlying string value.  See ECMA-262 15.5.5.1.
+    if ((object->IsString() || object->IsStringWrapper()) &&
+        name->Equals(isolate()->heap()->length_symbol())) {
+      HandleScope scope(isolate());
+#ifdef DEBUG
+      if (FLAG_trace_ic) PrintF("[LoadIC : +#length /string]\n");
+#endif
+      if (state == PREMONOMORPHIC) {
+        if (object->IsString()) {
+          Map* map = HeapObject::cast(*object)->map();
+          const int offset = String::kLengthOffset;
+          PatchInlinedLoad(address(), map, offset);
+          set_target(isolate()->builtins()->builtin(
+              Builtins::kLoadIC_StringLength));
+        } else {
+          set_target(isolate()->builtins()->builtin(
+              Builtins::kLoadIC_StringWrapperLength));
+        }
+      } else if (state == MONOMORPHIC && object->IsStringWrapper()) {
+        set_target(isolate()->builtins()->builtin(
+            Builtins::kLoadIC_StringWrapperLength));
+      } else {
+        set_target(non_monomorphic_stub);
+      }
+      // Get the string if we have a string wrapper object.
+      if (object->IsJSValue()) {
+        object = Handle<Object>(Handle<JSValue>::cast(object)->value(),
+                                isolate());
+      }
+      return Smi::FromInt(String::cast(*object)->length());
+    }
+
+    // Use specialized code for getting the length of arrays.
+    if (object->IsJSArray() &&
+        name->Equals(isolate()->heap()->length_symbol())) {
+#ifdef DEBUG
+      if (FLAG_trace_ic) PrintF("[LoadIC : +#length /array]\n");
+#endif
+      if (state == PREMONOMORPHIC) {
+        Map* map = HeapObject::cast(*object)->map();
+        const int offset = JSArray::kLengthOffset;
+        PatchInlinedLoad(address(), map, offset);
+        set_target(isolate()->builtins()->builtin(
+            Builtins::kLoadIC_ArrayLength));
+      } else {
+        set_target(non_monomorphic_stub);
+      }
+      return JSArray::cast(*object)->length();
+    }
+
+    // Use specialized code for getting prototype of functions.
+    if (object->IsJSFunction() &&
+        name->Equals(isolate()->heap()->prototype_symbol()) &&
+        JSFunction::cast(*object)->should_have_prototype()) {
+#ifdef DEBUG
+      if (FLAG_trace_ic) PrintF("[LoadIC : +#prototype /function]\n");
+#endif
+      if (state == PREMONOMORPHIC) {
+        set_target(isolate()->builtins()->builtin(
+            Builtins::kLoadIC_FunctionPrototype));
+      } else {
+        set_target(non_monomorphic_stub);
+      }
+      return Accessors::FunctionGetPrototype(*object, 0);
+    }
+  }
+
+  // Check if the name is trivially convertible to an index and get
+  // the element if so.
+  uint32_t index;
+  if (name->AsArrayIndex(&index)) return object->GetElement(index);
+
+  // Named lookup in the object.
+  LookupResult lookup;
+  LookupForRead(*object, *name, &lookup);
+
+  // If we did not find a property, check if we need to throw an exception.
+  if (!lookup.IsProperty()) {
+    if (FLAG_strict || IsContextual(object)) {
+      return ReferenceError("not_defined", name);
+    }
+    LOG(isolate(), SuspectReadEvent(*name, *object));
+  }
+
+  bool can_be_inlined_precheck =
+      FLAG_use_ic &&
+      lookup.IsProperty() &&
+      lookup.IsCacheable() &&
+      lookup.holder() == *object &&
+      !object->IsAccessCheckNeeded();
+
+  bool can_be_inlined =
+      can_be_inlined_precheck &&
+      state == PREMONOMORPHIC &&
+      lookup.type() == FIELD;
+
+  bool can_be_inlined_contextual =
+      can_be_inlined_precheck &&
+      state == UNINITIALIZED &&
+      lookup.holder()->IsGlobalObject() &&
+      lookup.type() == NORMAL;
+
+  if (can_be_inlined) {
+    Map* map = lookup.holder()->map();
+    // Property's index in the properties array.  If negative we have
+    // an inobject property.
+    int index = lookup.GetFieldIndex() - map->inobject_properties();
+    if (index < 0) {
+      // Index is an offset from the end of the object.
+      int offset = map->instance_size() + (index * kPointerSize);
+      if (PatchInlinedLoad(address(), map, offset)) {
+        set_target(megamorphic_stub());
+        TRACE_IC_NAMED("[LoadIC : inline patch %s]\n", name);
+        return lookup.holder()->FastPropertyAt(lookup.GetFieldIndex());
+      } else {
+        TRACE_IC_NAMED("[LoadIC : no inline patch %s (patching failed)]\n",
+                       name);
+      }
+    } else {
+      TRACE_IC_NAMED("[LoadIC : no inline patch %s (not inobject)]\n", name);
+    }
+  } else if (can_be_inlined_contextual) {
+    Map* map = lookup.holder()->map();
+    JSGlobalPropertyCell* cell = JSGlobalPropertyCell::cast(
+        lookup.holder()->property_dictionary()->ValueAt(
+            lookup.GetDictionaryEntry()));
+    if (PatchInlinedContextualLoad(address(),
+                                   map,
+                                   cell,
+                                   lookup.IsDontDelete())) {
+      set_target(megamorphic_stub());
+      TRACE_IC_NAMED("[LoadIC : inline contextual patch %s]\n", name);
+      ASSERT(cell->value() != isolate()->heap()->the_hole_value());
+      return cell->value();
+    }
+  } else {
+    if (FLAG_use_ic && state == PREMONOMORPHIC) {
+      TRACE_IC_NAMED("[LoadIC : no inline patch %s (not inlinable)]\n", name);
+    }
+  }
+
+  // Update inline cache and stub cache.
+  if (FLAG_use_ic) {
+    UpdateCaches(&lookup, state, object, name);
+  }
+
+  PropertyAttributes attr;
+  if (lookup.IsProperty() && lookup.type() == INTERCEPTOR) {
+    // Get the property.
+    Object* result;
+    { MaybeObject* maybe_result =
+          object->GetProperty(*object, &lookup, *name, &attr);
+      if (!maybe_result->ToObject(&result)) return maybe_result;
+    }
+    // If the property is not present, check if we need to throw an
+    // exception.
+    if (attr == ABSENT && IsContextual(object)) {
+      return ReferenceError("not_defined", name);
+    }
+    return result;
+  }
+
+  // Get the property.
+  return object->GetProperty(*object, &lookup, *name, &attr);
+}
+
+
+void LoadIC::UpdateCaches(LookupResult* lookup,
+                          State state,
+                          Handle<Object> object,
+                          Handle<String> name) {
+  // Bail out if the result is not cacheable.
+  if (!lookup->IsCacheable()) return;
+
+  // Loading properties from values is not common, so don't try to
+  // deal with non-JS objects here.
+  if (!object->IsJSObject()) return;
+  Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+
+  if (HasNormalObjectsInPrototypeChain(isolate(), lookup, *object)) return;
+
+  // Compute the code stub for this load.
+  MaybeObject* maybe_code = NULL;
+  Object* code;
+  if (state == UNINITIALIZED) {
+    // This is the first time we execute this inline cache.
+    // Set the target to the pre monomorphic stub to delay
+    // setting the monomorphic state.
+    maybe_code = pre_monomorphic_stub();
+  } else if (!lookup->IsProperty()) {
+    // Nonexistent property. The result is undefined.
+    maybe_code = isolate()->stub_cache()->ComputeLoadNonexistent(*name,
+                                                                 *receiver);
+  } else {
+    // Compute monomorphic stub.
+    switch (lookup->type()) {
+      case FIELD: {
+        maybe_code = isolate()->stub_cache()->ComputeLoadField(
+            *name,
+            *receiver,
+            lookup->holder(),
+            lookup->GetFieldIndex());
+        break;
+      }
+      case CONSTANT_FUNCTION: {
+        Object* constant = lookup->GetConstantFunction();
+        maybe_code = isolate()->stub_cache()->ComputeLoadConstant(
+            *name, *receiver, lookup->holder(), constant);
+        break;
+      }
+      case NORMAL: {
+        if (lookup->holder()->IsGlobalObject()) {
+          GlobalObject* global = GlobalObject::cast(lookup->holder());
+          JSGlobalPropertyCell* cell =
+              JSGlobalPropertyCell::cast(global->GetPropertyCell(lookup));
+          maybe_code = isolate()->stub_cache()->ComputeLoadGlobal(*name,
+                                                    *receiver,
+                                                    global,
+                                                    cell,
+                                                    lookup->IsDontDelete());
+        } else {
+          // There is only one shared stub for loading normalized
+          // properties. It does not traverse the prototype chain, so the
+          // property must be found in the receiver for the stub to be
+          // applicable.
+          if (lookup->holder() != *receiver) return;
+          maybe_code = isolate()->stub_cache()->ComputeLoadNormal();
+        }
+        break;
+      }
+      case CALLBACKS: {
+        if (!lookup->GetCallbackObject()->IsAccessorInfo()) return;
+        AccessorInfo* callback =
+            AccessorInfo::cast(lookup->GetCallbackObject());
+        if (v8::ToCData<Address>(callback->getter()) == 0) return;
+        maybe_code = isolate()->stub_cache()->ComputeLoadCallback(
+            *name, *receiver, lookup->holder(), callback);
+        break;
+      }
+      case INTERCEPTOR: {
+        ASSERT(HasInterceptorGetter(lookup->holder()));
+        maybe_code = isolate()->stub_cache()->ComputeLoadInterceptor(
+            *name, *receiver, lookup->holder());
+        break;
+      }
+      default:
+        return;
+    }
+  }
+
+  // If we're unable to compute the stub (not enough memory left), we
+  // simply avoid updating the caches.
+  if (maybe_code == NULL || !maybe_code->ToObject(&code)) return;
+
+  // Patch the call site depending on the state of the cache.
+  if (state == UNINITIALIZED || state == PREMONOMORPHIC ||
+      state == MONOMORPHIC_PROTOTYPE_FAILURE) {
+    set_target(Code::cast(code));
+  } else if (state == MONOMORPHIC) {
+    set_target(megamorphic_stub());
+  } else if (state == MEGAMORPHIC) {
+    // Cache code holding map should be consistent with
+    // GenerateMonomorphicCacheProbe.
+    Map* map = JSObject::cast(object->IsJSObject() ? *object :
+                              object->GetPrototype())->map();
+
+    isolate()->stub_cache()->Set(*name, map, Code::cast(code));
+  }
+
+#ifdef DEBUG
+  TraceIC("LoadIC", name, state, target());
+#endif
+}
+
+
+MaybeObject* KeyedLoadIC::Load(State state,
+                               Handle<Object> object,
+                               Handle<Object> key) {
+  // Check for values that can be converted into a symbol.
+  // TODO(1295): Remove this code.
+  HandleScope scope(isolate());
+  if (key->IsHeapNumber() &&
+      isnan(HeapNumber::cast(*key)->value())) {
+    key = isolate()->factory()->nan_symbol();
+  } else if (key->IsUndefined()) {
+    key = isolate()->factory()->undefined_symbol();
+  }
+
+  if (key->IsSymbol()) {
+    Handle<String> name = Handle<String>::cast(key);
+
+    // If the object is undefined or null it's illegal to try to get any
+    // of its properties; throw a TypeError in that case.
+    if (object->IsUndefined() || object->IsNull()) {
+      return TypeError("non_object_property_load", object, name);
+    }
+
+    if (FLAG_use_ic) {
+      // TODO(1073): don't ignore the current stub state.
+
+      // Use specialized code for getting the length of strings.
+      if (object->IsString() &&
+          name->Equals(isolate()->heap()->length_symbol())) {
+        Handle<String> string = Handle<String>::cast(object);
+        Object* code = NULL;
+        { MaybeObject* maybe_code =
+              isolate()->stub_cache()->ComputeKeyedLoadStringLength(*name,
+                                                                    *string);
+          if (!maybe_code->ToObject(&code)) return maybe_code;
+        }
+        set_target(Code::cast(code));
+#ifdef DEBUG
+        TraceIC("KeyedLoadIC", name, state, target());
+#endif  // DEBUG
+        return Smi::FromInt(string->length());
+      }
+
+      // Use specialized code for getting the length of arrays.
+      if (object->IsJSArray() &&
+          name->Equals(isolate()->heap()->length_symbol())) {
+        Handle<JSArray> array = Handle<JSArray>::cast(object);
+        Object* code;
+        { MaybeObject* maybe_code =
+              isolate()->stub_cache()->ComputeKeyedLoadArrayLength(*name,
+                                                                   *array);
+          if (!maybe_code->ToObject(&code)) return maybe_code;
+        }
+        set_target(Code::cast(code));
+#ifdef DEBUG
+        TraceIC("KeyedLoadIC", name, state, target());
+#endif  // DEBUG
+        return JSArray::cast(*object)->length();
+      }
+
+      // Use specialized code for getting prototype of functions.
+      if (object->IsJSFunction() &&
+          name->Equals(isolate()->heap()->prototype_symbol()) &&
+        JSFunction::cast(*object)->should_have_prototype()) {
+        Handle<JSFunction> function = Handle<JSFunction>::cast(object);
+        Object* code;
+        { MaybeObject* maybe_code =
+              isolate()->stub_cache()->ComputeKeyedLoadFunctionPrototype(
+                  *name, *function);
+          if (!maybe_code->ToObject(&code)) return maybe_code;
+        }
+        set_target(Code::cast(code));
+#ifdef DEBUG
+        TraceIC("KeyedLoadIC", name, state, target());
+#endif  // DEBUG
+        return Accessors::FunctionGetPrototype(*object, 0);
+      }
+    }
+
+    // Check if the name is trivially convertible to an index and get
+    // the element or char if so.
+    uint32_t index = 0;
+    if (name->AsArrayIndex(&index)) {
+      HandleScope scope(isolate());
+      // Rewrite to the generic keyed load stub.
+      if (FLAG_use_ic) set_target(generic_stub());
+      return Runtime::GetElementOrCharAt(isolate(), object, index);
+    }
+
+    // Named lookup.
+    LookupResult lookup;
+    LookupForRead(*object, *name, &lookup);
+
+    // If we did not find a property, check if we need to throw an exception.
+    if (!lookup.IsProperty()) {
+      if (FLAG_strict || IsContextual(object)) {
+        return ReferenceError("not_defined", name);
+      }
+    }
+
+    if (FLAG_use_ic) {
+      UpdateCaches(&lookup, state, object, name);
+    }
+
+    PropertyAttributes attr;
+    if (lookup.IsProperty() && lookup.type() == INTERCEPTOR) {
+      // Get the property.
+      Object* result;
+      { MaybeObject* maybe_result =
+            object->GetProperty(*object, &lookup, *name, &attr);
+        if (!maybe_result->ToObject(&result)) return maybe_result;
+      }
+      // If the property is not present, check if we need to throw an
+      // exception.
+      if (attr == ABSENT && IsContextual(object)) {
+        return ReferenceError("not_defined", name);
+      }
+      return result;
+    }
+
+    return object->GetProperty(*object, &lookup, *name, &attr);
+  }
+
+  // Do not use ICs for objects that require access checks (including
+  // the global object).
+  bool use_ic = FLAG_use_ic && !object->IsAccessCheckNeeded();
+
+  if (use_ic) {
+    Code* stub = generic_stub();
+    if (state == UNINITIALIZED) {
+      if (object->IsString() && key->IsNumber()) {
+        stub = string_stub();
+      } else if (object->IsJSObject()) {
+        Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+        if (receiver->HasExternalArrayElements()) {
+          MaybeObject* probe =
+              isolate()->stub_cache()->ComputeKeyedLoadOrStoreExternalArray(
+                  *receiver, false, kNonStrictMode);
+          stub = probe->IsFailure() ?
+              NULL : Code::cast(probe->ToObjectUnchecked());
+        } else if (receiver->HasIndexedInterceptor()) {
+          stub = indexed_interceptor_stub();
+        } else if (key->IsSmi() &&
+                   receiver->map()->has_fast_elements()) {
+          MaybeObject* probe =
+              isolate()->stub_cache()->ComputeKeyedLoadSpecialized(*receiver);
+          stub = probe->IsFailure() ?
+              NULL : Code::cast(probe->ToObjectUnchecked());
+        }
+      }
+    }
+    if (stub != NULL) set_target(stub);
+
+#ifdef DEBUG
+    TraceIC("KeyedLoadIC", key, state, target());
+#endif  // DEBUG
+
+    // For JSObjects with fast elements that are not value wrappers
+    // and that do not have indexed interceptors, we initialize the
+    // inlined fast case (if present) by patching the inlined map
+    // check.
+    if (object->IsJSObject() &&
+        !object->IsJSValue() &&
+        !JSObject::cast(*object)->HasIndexedInterceptor() &&
+        JSObject::cast(*object)->HasFastElements()) {
+      Map* map = JSObject::cast(*object)->map();
+      PatchInlinedLoad(address(), map);
+    }
+  }
+
+  // Get the property.
+  return Runtime::GetObjectProperty(isolate(), object, key);
+}
+
+
+void KeyedLoadIC::UpdateCaches(LookupResult* lookup, State state,
+                               Handle<Object> object, Handle<String> name) {
+  // Bail out if we didn't find a result.
+  if (!lookup->IsProperty() || !lookup->IsCacheable()) return;
+
+  if (!object->IsJSObject()) return;
+  Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+
+  if (HasNormalObjectsInPrototypeChain(isolate(), lookup, *object)) return;
+
+  // Compute the code stub for this load.
+  MaybeObject* maybe_code = NULL;
+  Object* code;
+
+  if (state == UNINITIALIZED) {
+    // This is the first time we execute this inline cache.
+    // Set the target to the pre monomorphic stub to delay
+    // setting the monomorphic state.
+    maybe_code = pre_monomorphic_stub();
+  } else {
+    // Compute a monomorphic stub.
+    switch (lookup->type()) {
+      case FIELD: {
+        maybe_code = isolate()->stub_cache()->ComputeKeyedLoadField(
+            *name, *receiver, lookup->holder(), lookup->GetFieldIndex());
+        break;
+      }
+      case CONSTANT_FUNCTION: {
+        Object* constant = lookup->GetConstantFunction();
+        maybe_code = isolate()->stub_cache()->ComputeKeyedLoadConstant(
+            *name, *receiver, lookup->holder(), constant);
+        break;
+      }
+      case CALLBACKS: {
+        if (!lookup->GetCallbackObject()->IsAccessorInfo()) return;
+        AccessorInfo* callback =
+            AccessorInfo::cast(lookup->GetCallbackObject());
+        if (v8::ToCData<Address>(callback->getter()) == 0) return;
+        maybe_code = isolate()->stub_cache()->ComputeKeyedLoadCallback(
+            *name, *receiver, lookup->holder(), callback);
+        break;
+      }
+      case INTERCEPTOR: {
+        ASSERT(HasInterceptorGetter(lookup->holder()));
+        maybe_code = isolate()->stub_cache()->ComputeKeyedLoadInterceptor(
+            *name, *receiver, lookup->holder());
+        break;
+      }
+      default: {
+        // Always rewrite to the generic case so that we do not
+        // repeatedly try to rewrite.
+        maybe_code = generic_stub();
+        break;
+      }
+    }
+  }
+
+  // If we're unable to compute the stub (not enough memory left), we
+  // simply avoid updating the caches.
+  if (maybe_code == NULL || !maybe_code->ToObject(&code)) return;
+
+  // Patch the call site depending on the state of the cache.  Make
+  // sure to always rewrite from monomorphic to megamorphic.
+  ASSERT(state != MONOMORPHIC_PROTOTYPE_FAILURE);
+  if (state == UNINITIALIZED || state == PREMONOMORPHIC) {
+    set_target(Code::cast(code));
+  } else if (state == MONOMORPHIC) {
+    set_target(megamorphic_stub());
+  }
+
+#ifdef DEBUG
+  TraceIC("KeyedLoadIC", name, state, target());
+#endif
+}
+
+
+static bool StoreICableLookup(LookupResult* lookup) {
+  // Bail out if we didn't find a result.
+  if (!lookup->IsPropertyOrTransition() || !lookup->IsCacheable()) return false;
+
+  // If the property is read-only, we leave the IC in its current
+  // state.
+  if (lookup->IsReadOnly()) return false;
+
+  return true;
+}
+
+
+static bool LookupForWrite(JSObject* object,
+                           String* name,
+                           LookupResult* lookup) {
+  object->LocalLookup(name, lookup);
+  if (!StoreICableLookup(lookup)) {
+    return false;
+  }
+
+  if (lookup->type() == INTERCEPTOR) {
+    if (object->GetNamedInterceptor()->setter()->IsUndefined()) {
+      object->LocalLookupRealNamedProperty(name, lookup);
+      return StoreICableLookup(lookup);
+    }
+  }
+
+  return true;
+}
+
+
+MaybeObject* StoreIC::Store(State state,
+                            StrictModeFlag strict_mode,
+                            Handle<Object> object,
+                            Handle<String> name,
+                            Handle<Object> value) {
+  // If the object is undefined or null it's illegal to try to set any
+  // properties on it; throw a TypeError in that case.
+  if (object->IsUndefined() || object->IsNull()) {
+    return TypeError("non_object_property_store", object, name);
+  }
+
+  if (!object->IsJSObject()) {
+    // The length property of string values is read-only. Throw in strict mode.
+    if (strict_mode == kStrictMode && object->IsString() &&
+        name->Equals(isolate()->heap()->length_symbol())) {
+      return TypeError("strict_read_only_property", object, name);
+    }
+    // Ignore stores where the receiver is not a JSObject.
+    return *value;
+  }
+
+  Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+
+  // Check if the given name is an array index.
+  uint32_t index;
+  if (name->AsArrayIndex(&index)) {
+    HandleScope scope(isolate());
+    Handle<Object> result = SetElement(receiver, index, value, strict_mode);
+    if (result.is_null()) return Failure::Exception();
+    return *value;
+  }
+
+  // Use specialized code for setting the length of arrays.
+  if (receiver->IsJSArray()
+      && name->Equals(isolate()->heap()->length_symbol())
+      && receiver->AllowsSetElementsLength()) {
+#ifdef DEBUG
+    if (FLAG_trace_ic) PrintF("[StoreIC : +#length /array]\n");
+#endif
+    Builtins::Name target = (strict_mode == kStrictMode)
+        ? Builtins::kStoreIC_ArrayLength_Strict
+        : Builtins::kStoreIC_ArrayLength;
+    set_target(isolate()->builtins()->builtin(target));
+    return receiver->SetProperty(*name, *value, NONE, strict_mode);
+  }
+
+  // Lookup the property locally in the receiver.
+  if (FLAG_use_ic && !receiver->IsJSGlobalProxy()) {
+    LookupResult lookup;
+
+    if (LookupForWrite(*receiver, *name, &lookup)) {
+      bool can_be_inlined =
+          state == UNINITIALIZED &&
+          lookup.IsProperty() &&
+          lookup.holder() == *receiver &&
+          lookup.type() == FIELD &&
+          !receiver->IsAccessCheckNeeded();
+
+      if (can_be_inlined) {
+        Map* map = lookup.holder()->map();
+        // Property's index in the properties array.  If negative we have
+        // an inobject property.
+        int index = lookup.GetFieldIndex() - map->inobject_properties();
+        if (index < 0) {
+          // Index is an offset from the end of the object.
+          int offset = map->instance_size() + (index * kPointerSize);
+          if (PatchInlinedStore(address(), map, offset)) {
+            set_target((strict_mode == kStrictMode)
+                         ? megamorphic_stub_strict()
+                         : megamorphic_stub());
+#ifdef DEBUG
+            if (FLAG_trace_ic) {
+              PrintF("[StoreIC : inline patch %s]\n", *name->ToCString());
+            }
+#endif
+            return receiver->SetProperty(*name, *value, NONE, strict_mode);
+#ifdef DEBUG
+
+          } else {
+            if (FLAG_trace_ic) {
+              PrintF("[StoreIC : no inline patch %s (patching failed)]\n",
+                     *name->ToCString());
+            }
+          }
+        } else {
+          if (FLAG_trace_ic) {
+            PrintF("[StoreIC : no inline patch %s (not inobject)]\n",
+                   *name->ToCString());
+          }
+        }
+      } else {
+        if (state == PREMONOMORPHIC) {
+          if (FLAG_trace_ic) {
+            PrintF("[StoreIC : no inline patch %s (not inlinable)]\n",
+                   *name->ToCString());
+#endif
+          }
+        }
+      }
+
+      // If no inlined store ic was patched, generate a stub for this
+      // store.
+      UpdateCaches(&lookup, state, strict_mode, receiver, name, value);
+    } else {
+      // Strict mode doesn't allow setting non-existent global property
+      // or an assignment to a read only property.
+      if (strict_mode == kStrictMode) {
+        if (lookup.IsFound() && lookup.IsReadOnly()) {
+          return TypeError("strict_read_only_property", object, name);
+        } else if (IsContextual(object)) {
+          return ReferenceError("not_defined", name);
+        }
+      }
+    }
+  }
+
+  if (receiver->IsJSGlobalProxy()) {
+    // Generate a generic stub that goes to the runtime when we see a global
+    // proxy as receiver.
+    Code* stub = (strict_mode == kStrictMode)
+        ? global_proxy_stub_strict()
+        : global_proxy_stub();
+    if (target() != stub) {
+      set_target(stub);
+#ifdef DEBUG
+      TraceIC("StoreIC", name, state, target());
+#endif
+    }
+  }
+
+  // Set the property.
+  return receiver->SetProperty(*name, *value, NONE, strict_mode);
+}
+
+
+void StoreIC::UpdateCaches(LookupResult* lookup,
+                           State state,
+                           StrictModeFlag strict_mode,
+                           Handle<JSObject> receiver,
+                           Handle<String> name,
+                           Handle<Object> value) {
+  // Skip JSGlobalProxy.
+  ASSERT(!receiver->IsJSGlobalProxy());
+
+  ASSERT(StoreICableLookup(lookup));
+
+  // If the property has a non-field type allowing map transitions
+  // where there is extra room in the object, we leave the IC in its
+  // current state.
+  PropertyType type = lookup->type();
+
+  // Compute the code stub for this store; used for rewriting to
+  // monomorphic state and making sure that the code stub is in the
+  // stub cache.
+  MaybeObject* maybe_code = NULL;
+  Object* code = NULL;
+  switch (type) {
+    case FIELD: {
+      maybe_code = isolate()->stub_cache()->ComputeStoreField(
+          *name, *receiver, lookup->GetFieldIndex(), NULL, strict_mode);
+      break;
+    }
+    case MAP_TRANSITION: {
+      if (lookup->GetAttributes() != NONE) return;
+      HandleScope scope(isolate());
+      ASSERT(type == MAP_TRANSITION);
+      Handle<Map> transition(lookup->GetTransitionMap());
+      int index = transition->PropertyIndexFor(*name);
+      maybe_code = isolate()->stub_cache()->ComputeStoreField(
+          *name, *receiver, index, *transition, strict_mode);
+      break;
+    }
+    case NORMAL: {
+      if (receiver->IsGlobalObject()) {
+        // The stub generated for the global object picks the value directly
+        // from the property cell. So the property must be directly on the
+        // global object.
+        Handle<GlobalObject> global = Handle<GlobalObject>::cast(receiver);
+        JSGlobalPropertyCell* cell =
+            JSGlobalPropertyCell::cast(global->GetPropertyCell(lookup));
+        maybe_code = isolate()->stub_cache()->ComputeStoreGlobal(
+            *name, *global, cell, strict_mode);
+      } else {
+        if (lookup->holder() != *receiver) return;
+        maybe_code = isolate()->stub_cache()->ComputeStoreNormal(strict_mode);
+      }
+      break;
+    }
+    case CALLBACKS: {
+      if (!lookup->GetCallbackObject()->IsAccessorInfo()) return;
+      AccessorInfo* callback = AccessorInfo::cast(lookup->GetCallbackObject());
+      if (v8::ToCData<Address>(callback->setter()) == 0) return;
+      maybe_code = isolate()->stub_cache()->ComputeStoreCallback(
+          *name, *receiver, callback, strict_mode);
+      break;
+    }
+    case INTERCEPTOR: {
+      ASSERT(!receiver->GetNamedInterceptor()->setter()->IsUndefined());
+      maybe_code = isolate()->stub_cache()->ComputeStoreInterceptor(
+          *name, *receiver, strict_mode);
+      break;
+    }
+    default:
+      return;
+  }
+
+  // If we're unable to compute the stub (not enough memory left), we
+  // simply avoid updating the caches.
+  if (maybe_code == NULL || !maybe_code->ToObject(&code)) return;
+
+  // Patch the call site depending on the state of the cache.
+  if (state == UNINITIALIZED || state == MONOMORPHIC_PROTOTYPE_FAILURE) {
+    set_target(Code::cast(code));
+  } else if (state == MONOMORPHIC) {
+    // Only move to megamorphic if the target changes.
+    if (target() != Code::cast(code)) {
+      set_target((strict_mode == kStrictMode)
+                   ? megamorphic_stub_strict()
+                   : megamorphic_stub());
+    }
+  } else if (state == MEGAMORPHIC) {
+    // Update the stub cache.
+    isolate()->stub_cache()->Set(*name,
+                                 receiver->map(),
+                                 Code::cast(code));
+  }
+
+#ifdef DEBUG
+  TraceIC("StoreIC", name, state, target());
+#endif
+}
+
+
+MaybeObject* KeyedStoreIC::Store(State state,
+                                 StrictModeFlag strict_mode,
+                                 Handle<Object> object,
+                                 Handle<Object> key,
+                                 Handle<Object> value) {
+  if (key->IsSymbol()) {
+    Handle<String> name = Handle<String>::cast(key);
+
+    // If the object is undefined or null it's illegal to try to set any
+    // properties on it; throw a TypeError in that case.
+    if (object->IsUndefined() || object->IsNull()) {
+      return TypeError("non_object_property_store", object, name);
+    }
+
+    // Ignore stores where the receiver is not a JSObject.
+    if (!object->IsJSObject()) return *value;
+    Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+
+    // Check if the given name is an array index.
+    uint32_t index;
+    if (name->AsArrayIndex(&index)) {
+      HandleScope scope(isolate());
+      Handle<Object> result = SetElement(receiver, index, value, strict_mode);
+      if (result.is_null()) return Failure::Exception();
+      return *value;
+    }
+
+    // Lookup the property locally in the receiver.
+    LookupResult lookup;
+    receiver->LocalLookup(*name, &lookup);
+
+    // Update inline cache and stub cache.
+    if (FLAG_use_ic) {
+      UpdateCaches(&lookup, state, strict_mode, receiver, name, value);
+    }
+
+    // Set the property.
+    return receiver->SetProperty(*name, *value, NONE, strict_mode);
+  }
+
+  // Do not use ICs for objects that require access checks (including
+  // the global object).
+  bool use_ic = FLAG_use_ic && !object->IsAccessCheckNeeded();
+  ASSERT(!(use_ic && object->IsJSGlobalProxy()));
+
+  if (use_ic) {
+    Code* stub =
+        (strict_mode == kStrictMode) ? generic_stub_strict() : generic_stub();
+    if (state == UNINITIALIZED) {
+      if (object->IsJSObject()) {
+        Handle<JSObject> receiver = Handle<JSObject>::cast(object);
+        if (receiver->HasExternalArrayElements()) {
+          MaybeObject* probe =
+              isolate()->stub_cache()->ComputeKeyedLoadOrStoreExternalArray(
+                  *receiver, true, strict_mode);
+          stub = probe->IsFailure() ?
+              NULL : Code::cast(probe->ToObjectUnchecked());
+        } else if (key->IsSmi() && receiver->map()->has_fast_elements()) {
+          MaybeObject* probe =
+              isolate()->stub_cache()->ComputeKeyedStoreSpecialized(
+                  *receiver, strict_mode);
+          stub = probe->IsFailure() ?
+              NULL : Code::cast(probe->ToObjectUnchecked());
+        }
+      }
+    }
+    if (stub != NULL) set_target(stub);
+  }
+
+  // Set the property.
+  return Runtime::SetObjectProperty(
+      isolate(), object , key, value, NONE, strict_mode);
+}
+
+
+void KeyedStoreIC::UpdateCaches(LookupResult* lookup,
+                                State state,
+                                StrictModeFlag strict_mode,
+                                Handle<JSObject> receiver,
+                                Handle<String> name,
+                                Handle<Object> value) {
+  // Skip JSGlobalProxy.
+  if (receiver->IsJSGlobalProxy()) return;
+
+  // Bail out if we didn't find a result.
+  if (!lookup->IsPropertyOrTransition() || !lookup->IsCacheable()) return;
+
+  // If the property is read-only, we leave the IC in its current
+  // state.
+  if (lookup->IsReadOnly()) return;
+
+  // If the property has a non-field type allowing map transitions
+  // where there is extra room in the object, we leave the IC in its
+  // current state.
+  PropertyType type = lookup->type();
+
+  // Compute the code stub for this store; used for rewriting to
+  // monomorphic state and making sure that the code stub is in the
+  // stub cache.
+  MaybeObject* maybe_code = NULL;
+  Object* code = NULL;
+
+  switch (type) {
+    case FIELD: {
+      maybe_code = isolate()->stub_cache()->ComputeKeyedStoreField(
+          *name, *receiver, lookup->GetFieldIndex(), NULL, strict_mode);
+      break;
+    }
+    case MAP_TRANSITION: {
+      if (lookup->GetAttributes() == NONE) {
+        HandleScope scope(isolate());
+        ASSERT(type == MAP_TRANSITION);
+        Handle<Map> transition(lookup->GetTransitionMap());
+        int index = transition->PropertyIndexFor(*name);
+        maybe_code = isolate()->stub_cache()->ComputeKeyedStoreField(
+            *name, *receiver, index, *transition, strict_mode);
+        break;
+      }
+      // fall through.
+    }
+    default: {
+      // Always rewrite to the generic case so that we do not
+      // repeatedly try to rewrite.
+      maybe_code = (strict_mode == kStrictMode)
+          ? generic_stub_strict()
+          : generic_stub();
+      break;
+    }
+  }
+
+  // If we're unable to compute the stub (not enough memory left), we
+  // simply avoid updating the caches.
+  if (maybe_code == NULL || !maybe_code->ToObject(&code)) return;
+
+  // Patch the call site depending on the state of the cache.  Make
+  // sure to always rewrite from monomorphic to megamorphic.
+  ASSERT(state != MONOMORPHIC_PROTOTYPE_FAILURE);
+  if (state == UNINITIALIZED || state == PREMONOMORPHIC) {
+    set_target(Code::cast(code));
+  } else if (state == MONOMORPHIC) {
+    set_target((strict_mode == kStrictMode)
+                 ? megamorphic_stub_strict()
+                 : megamorphic_stub());
+  }
+
+#ifdef DEBUG
+  TraceIC("KeyedStoreIC", name, state, target());
+#endif
+}
+
+
+// ----------------------------------------------------------------------------
+// Static IC stub generators.
+//
+
+static JSFunction* CompileFunction(Isolate* isolate,
+                                   JSFunction* function,
+                                   InLoopFlag in_loop) {
+  // Compile now with optimization.
+  HandleScope scope(isolate);
+  Handle<JSFunction> function_handle(function, isolate);
+  if (in_loop == IN_LOOP) {
+    CompileLazyInLoop(function_handle, CLEAR_EXCEPTION);
+  } else {
+    CompileLazy(function_handle, CLEAR_EXCEPTION);
+  }
+  return *function_handle;
+}
+
+
+// Used from ic-<arch>.cc.
+RUNTIME_FUNCTION(MaybeObject*, CallIC_Miss) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 2);
+  CallIC ic(isolate);
+  IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
+  Code::ExtraICState extra_ic_state = ic.target()->extra_ic_state();
+  MaybeObject* maybe_result = ic.LoadFunction(state,
+                                              extra_ic_state,
+                                              args.at<Object>(0),
+                                              args.at<String>(1));
+  Object* result;
+  if (!maybe_result->ToObject(&result)) return maybe_result;
+
+  // The first time the inline cache is updated may be the first time the
+  // function it references gets called.  If the function was lazily compiled
+  // then the first call will trigger a compilation.  We check for this case
+  // and we do the compilation immediately, instead of waiting for the stub
+  // currently attached to the JSFunction object to trigger compilation.  We
+  // do this in the case where we know that the inline cache is inside a loop,
+  // because then we know that we want to optimize the function.
+  if (!result->IsJSFunction() || JSFunction::cast(result)->is_compiled()) {
+    return result;
+  }
+  return CompileFunction(isolate,
+                         JSFunction::cast(result),
+                         ic.target()->ic_in_loop());
+}
+
+
+// Used from ic-<arch>.cc.
+RUNTIME_FUNCTION(MaybeObject*, KeyedCallIC_Miss) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 2);
+  KeyedCallIC ic(isolate);
+  IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
+  Object* result;
+  { MaybeObject* maybe_result =
+      ic.LoadFunction(state, args.at<Object>(0), args.at<Object>(1));
+    if (!maybe_result->ToObject(&result)) return maybe_result;
+  }
+
+  if (!result->IsJSFunction() || JSFunction::cast(result)->is_compiled()) {
+    return result;
+  }
+  return CompileFunction(isolate,
+                         JSFunction::cast(result),
+                         ic.target()->ic_in_loop());
+}
+
+
+// Used from ic-<arch>.cc.
+RUNTIME_FUNCTION(MaybeObject*, LoadIC_Miss) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 2);
+  LoadIC ic(isolate);
+  IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
+  return ic.Load(state, args.at<Object>(0), args.at<String>(1));
+}
+
+
+// Used from ic-<arch>.cc
+RUNTIME_FUNCTION(MaybeObject*, KeyedLoadIC_Miss) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 2);
+  KeyedLoadIC ic(isolate);
+  IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
+  return ic.Load(state, args.at<Object>(0), args.at<Object>(1));
+}
+
+
+// Used from ic-<arch>.cc.
+RUNTIME_FUNCTION(MaybeObject*, StoreIC_Miss) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 3);
+  StoreIC ic(isolate);
+  IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
+  Code::ExtraICState extra_ic_state = ic.target()->extra_ic_state();
+  return ic.Store(state,
+                  static_cast<StrictModeFlag>(extra_ic_state & kStrictMode),
+                  args.at<Object>(0),
+                  args.at<String>(1),
+                  args.at<Object>(2));
+}
+
+
+RUNTIME_FUNCTION(MaybeObject*, StoreIC_ArrayLength) {
+  NoHandleAllocation nha;
+
+  ASSERT(args.length() == 2);
+  JSObject* receiver = JSObject::cast(args[0]);
+  Object* len = args[1];
+
+  // The generated code should filter out non-Smis before we get here.
+  ASSERT(len->IsSmi());
+
+  Object* result;
+  { MaybeObject* maybe_result = receiver->SetElementsLength(len);
+    if (!maybe_result->ToObject(&result)) return maybe_result;
+  }
+  return len;
+}
+
+
+// Extend storage is called in a store inline cache when
+// it is necessary to extend the properties array of a
+// JSObject.
+RUNTIME_FUNCTION(MaybeObject*, SharedStoreIC_ExtendStorage) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 3);
+
+  // Convert the parameters
+  JSObject* object = JSObject::cast(args[0]);
+  Map* transition = Map::cast(args[1]);
+  Object* value = args[2];
+
+  // Check the object has run out out property space.
+  ASSERT(object->HasFastProperties());
+  ASSERT(object->map()->unused_property_fields() == 0);
+
+  // Expand the properties array.
+  FixedArray* old_storage = object->properties();
+  int new_unused = transition->unused_property_fields();
+  int new_size = old_storage->length() + new_unused + 1;
+  Object* result;
+  { MaybeObject* maybe_result = old_storage->CopySize(new_size);
+    if (!maybe_result->ToObject(&result)) return maybe_result;
+  }
+  FixedArray* new_storage = FixedArray::cast(result);
+  new_storage->set(old_storage->length(), value);
+
+  // Set the new property value and do the map transition.
+  object->set_properties(new_storage);
+  object->set_map(transition);
+
+  // Return the stored value.
+  return value;
+}
+
+
+// Used from ic-<arch>.cc.
+RUNTIME_FUNCTION(MaybeObject*, KeyedStoreIC_Miss) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 3);
+  KeyedStoreIC ic(isolate);
+  IC::State state = IC::StateFrom(ic.target(), args[0], args[1]);
+  Code::ExtraICState extra_ic_state = ic.target()->extra_ic_state();
+  return ic.Store(state,
+                  static_cast<StrictModeFlag>(extra_ic_state & kStrictMode),
+                  args.at<Object>(0),
+                  args.at<Object>(1),
+                  args.at<Object>(2));
+}
+
+
+void BinaryOpIC::patch(Code* code) {
+  set_target(code);
+}
+
+
+const char* BinaryOpIC::GetName(TypeInfo type_info) {
+  switch (type_info) {
+    case UNINIT_OR_SMI: return "UninitOrSmi";
+    case DEFAULT: return "Default";
+    case GENERIC: return "Generic";
+    case HEAP_NUMBERS: return "HeapNumbers";
+    case STRINGS: return "Strings";
+    default: return "Invalid";
+  }
+}
+
+
+BinaryOpIC::State BinaryOpIC::ToState(TypeInfo type_info) {
+  switch (type_info) {
+    case UNINIT_OR_SMI:
+      return UNINITIALIZED;
+    case DEFAULT:
+    case HEAP_NUMBERS:
+    case STRINGS:
+      return MONOMORPHIC;
+    case GENERIC:
+      return MEGAMORPHIC;
+  }
+  UNREACHABLE();
+  return UNINITIALIZED;
+}
+
+
+BinaryOpIC::TypeInfo BinaryOpIC::GetTypeInfo(Object* left,
+                                             Object* right) {
+  if (left->IsSmi() && right->IsSmi()) {
+    // If we have two smi inputs we can reach here because
+    // of an overflow. Enter default state.
+    return DEFAULT;
+  }
+
+  if (left->IsNumber() && right->IsNumber()) {
+    return HEAP_NUMBERS;
+  }
+
+  if (left->IsString() || right->IsString()) {
+    // Patching for fast string ADD makes sense even if only one of the
+    // arguments is a string.
+    return STRINGS;
+  }
+
+  return GENERIC;
+}
+
+
+// defined in code-stubs-<arch>.cc
+Handle<Code> GetBinaryOpStub(int key, BinaryOpIC::TypeInfo type_info);
+
+
+RUNTIME_FUNCTION(MaybeObject*, BinaryOp_Patch) {
+  ASSERT(args.length() == 5);
+
+  HandleScope scope(isolate);
+  Handle<Object> left = args.at<Object>(0);
+  Handle<Object> right = args.at<Object>(1);
+  int key = Smi::cast(args[2])->value();
+  Token::Value op = static_cast<Token::Value>(Smi::cast(args[3])->value());
+  BinaryOpIC::TypeInfo previous_type =
+      static_cast<BinaryOpIC::TypeInfo>(Smi::cast(args[4])->value());
+
+  BinaryOpIC::TypeInfo type = BinaryOpIC::GetTypeInfo(*left, *right);
+  Handle<Code> code = GetBinaryOpStub(key, type);
+  if (!code.is_null()) {
+    BinaryOpIC ic(isolate);
+    ic.patch(*code);
+    if (FLAG_trace_ic) {
+      PrintF("[BinaryOpIC (%s->%s)#%s]\n",
+             BinaryOpIC::GetName(previous_type),
+             BinaryOpIC::GetName(type),
+             Token::Name(op));
+    }
+  }
+
+  Handle<JSBuiltinsObject> builtins = Handle<JSBuiltinsObject>(
+      isolate->thread_local_top()->context_->builtins(), isolate);
+  Object* builtin = NULL;  // Initialization calms down the compiler.
+  switch (op) {
+    case Token::ADD:
+      builtin = builtins->javascript_builtin(Builtins::ADD);
+      break;
+    case Token::SUB:
+      builtin = builtins->javascript_builtin(Builtins::SUB);
+      break;
+    case Token::MUL:
+      builtin = builtins->javascript_builtin(Builtins::MUL);
+      break;
+    case Token::DIV:
+      builtin = builtins->javascript_builtin(Builtins::DIV);
+      break;
+    case Token::MOD:
+      builtin = builtins->javascript_builtin(Builtins::MOD);
+      break;
+    case Token::BIT_AND:
+      builtin = builtins->javascript_builtin(Builtins::BIT_AND);
+      break;
+    case Token::BIT_OR:
+      builtin = builtins->javascript_builtin(Builtins::BIT_OR);
+      break;
+    case Token::BIT_XOR:
+      builtin = builtins->javascript_builtin(Builtins::BIT_XOR);
+      break;
+    case Token::SHR:
+      builtin = builtins->javascript_builtin(Builtins::SHR);
+      break;
+    case Token::SAR:
+      builtin = builtins->javascript_builtin(Builtins::SAR);
+      break;
+    case Token::SHL:
+      builtin = builtins->javascript_builtin(Builtins::SHL);
+      break;
+    default:
+      UNREACHABLE();
+  }
+
+  Handle<JSFunction> builtin_function(JSFunction::cast(builtin),
+                                      isolate);
+
+  bool caught_exception;
+  Object** builtin_args[] = { right.location() };
+  Handle<Object> result = Execution::Call(builtin_function,
+                                          left,
+                                          ARRAY_SIZE(builtin_args),
+                                          builtin_args,
+                                          &caught_exception);
+  if (caught_exception) {
+    return Failure::Exception();
+  }
+  return *result;
+}
+
+
+void TRBinaryOpIC::patch(Code* code) {
+  set_target(code);
+}
+
+
+const char* TRBinaryOpIC::GetName(TypeInfo type_info) {
+  switch (type_info) {
+    case UNINITIALIZED: return "Uninitialized";
+    case SMI: return "SMI";
+    case INT32: return "Int32s";
+    case HEAP_NUMBER: return "HeapNumbers";
+    case ODDBALL: return "Oddball";
+    case STRING: return "Strings";
+    case GENERIC: return "Generic";
+    default: return "Invalid";
+  }
+}
+
+
+TRBinaryOpIC::State TRBinaryOpIC::ToState(TypeInfo type_info) {
+  switch (type_info) {
+    case UNINITIALIZED:
+      return ::v8::internal::UNINITIALIZED;
+    case SMI:
+    case INT32:
+    case HEAP_NUMBER:
+    case ODDBALL:
+    case STRING:
+      return MONOMORPHIC;
+    case GENERIC:
+      return MEGAMORPHIC;
+  }
+  UNREACHABLE();
+  return ::v8::internal::UNINITIALIZED;
+}
+
+
+TRBinaryOpIC::TypeInfo TRBinaryOpIC::JoinTypes(TRBinaryOpIC::TypeInfo x,
+                                               TRBinaryOpIC::TypeInfo y) {
+  if (x == UNINITIALIZED) return y;
+  if (y == UNINITIALIZED) return x;
+  if (x == STRING && y == STRING) return STRING;
+  if (x == STRING || y == STRING) return GENERIC;
+  if (x >= y) return x;
+  return y;
+}
+
+TRBinaryOpIC::TypeInfo TRBinaryOpIC::GetTypeInfo(Handle<Object> left,
+                                                 Handle<Object> right) {
+  ::v8::internal::TypeInfo left_type =
+      ::v8::internal::TypeInfo::TypeFromValue(left);
+  ::v8::internal::TypeInfo right_type =
+      ::v8::internal::TypeInfo::TypeFromValue(right);
+
+  if (left_type.IsSmi() && right_type.IsSmi()) {
+    return SMI;
+  }
+
+  if (left_type.IsInteger32() && right_type.IsInteger32()) {
+    // Platforms with 32-bit Smis have no distinct INT32 type.
+    if (kSmiValueSize == 32) return SMI;
+    return INT32;
+  }
+
+  if (left_type.IsNumber() && right_type.IsNumber()) {
+    return HEAP_NUMBER;
+  }
+
+  if (left_type.IsString() || right_type.IsString()) {
+    // Patching for fast string ADD makes sense even if only one of the
+    // arguments is a string.
+    return STRING;
+  }
+
+  // Check for oddball objects.
+  if (left->IsUndefined() && right->IsNumber()) return ODDBALL;
+  if (left->IsNumber() && right->IsUndefined()) return ODDBALL;
+
+  return GENERIC;
+}
+
+
+// defined in code-stubs-<arch>.cc
+// Only needed to remove dependency of ic.cc on code-stubs-<arch>.h.
+Handle<Code> GetTypeRecordingBinaryOpStub(int key,
+                                          TRBinaryOpIC::TypeInfo type_info,
+                                          TRBinaryOpIC::TypeInfo result_type);
+
+
+RUNTIME_FUNCTION(MaybeObject*, TypeRecordingBinaryOp_Patch) {
+  ASSERT(args.length() == 5);
+
+  HandleScope scope(isolate);
+  Handle<Object> left = args.at<Object>(0);
+  Handle<Object> right = args.at<Object>(1);
+  int key = Smi::cast(args[2])->value();
+  Token::Value op = static_cast<Token::Value>(Smi::cast(args[3])->value());
+  TRBinaryOpIC::TypeInfo previous_type =
+      static_cast<TRBinaryOpIC::TypeInfo>(Smi::cast(args[4])->value());
+
+  TRBinaryOpIC::TypeInfo type = TRBinaryOpIC::GetTypeInfo(left, right);
+  type = TRBinaryOpIC::JoinTypes(type, previous_type);
+  TRBinaryOpIC::TypeInfo result_type = TRBinaryOpIC::UNINITIALIZED;
+  if (type == TRBinaryOpIC::STRING && op != Token::ADD) {
+    type = TRBinaryOpIC::GENERIC;
+  }
+  if (type == TRBinaryOpIC::SMI &&
+      previous_type == TRBinaryOpIC::SMI) {
+    if (op == Token::DIV || op == Token::MUL || kSmiValueSize == 32) {
+      // Arithmetic on two Smi inputs has yielded a heap number.
+      // That is the only way to get here from the Smi stub.
+      // With 32-bit Smis, all overflows give heap numbers, but with
+      // 31-bit Smis, most operations overflow to int32 results.
+      result_type = TRBinaryOpIC::HEAP_NUMBER;
+    } else {
+      // Other operations on SMIs that overflow yield int32s.
+      result_type = TRBinaryOpIC::INT32;
+    }
+  }
+  if (type == TRBinaryOpIC::INT32 &&
+      previous_type == TRBinaryOpIC::INT32) {
+    // We must be here because an operation on two INT32 types overflowed.
+    result_type = TRBinaryOpIC::HEAP_NUMBER;
+  }
+
+  Handle<Code> code = GetTypeRecordingBinaryOpStub(key, type, result_type);
+  if (!code.is_null()) {
+    if (FLAG_trace_ic) {
+      PrintF("[TypeRecordingBinaryOpIC (%s->(%s->%s))#%s]\n",
+             TRBinaryOpIC::GetName(previous_type),
+             TRBinaryOpIC::GetName(type),
+             TRBinaryOpIC::GetName(result_type),
+             Token::Name(op));
+    }
+    TRBinaryOpIC ic(isolate);
+    ic.patch(*code);
+
+    // Activate inlined smi code.
+    if (previous_type == TRBinaryOpIC::UNINITIALIZED) {
+      PatchInlinedSmiCode(ic.address());
+    }
+  }
+
+  Handle<JSBuiltinsObject> builtins = Handle<JSBuiltinsObject>(
+      isolate->thread_local_top()->context_->builtins(), isolate);
+  Object* builtin = NULL;  // Initialization calms down the compiler.
+  switch (op) {
+    case Token::ADD:
+      builtin = builtins->javascript_builtin(Builtins::ADD);
+      break;
+    case Token::SUB:
+      builtin = builtins->javascript_builtin(Builtins::SUB);
+      break;
+    case Token::MUL:
+      builtin = builtins->javascript_builtin(Builtins::MUL);
+      break;
+    case Token::DIV:
+      builtin = builtins->javascript_builtin(Builtins::DIV);
+      break;
+    case Token::MOD:
+      builtin = builtins->javascript_builtin(Builtins::MOD);
+      break;
+    case Token::BIT_AND:
+      builtin = builtins->javascript_builtin(Builtins::BIT_AND);
+      break;
+    case Token::BIT_OR:
+      builtin = builtins->javascript_builtin(Builtins::BIT_OR);
+      break;
+    case Token::BIT_XOR:
+      builtin = builtins->javascript_builtin(Builtins::BIT_XOR);
+      break;
+    case Token::SHR:
+      builtin = builtins->javascript_builtin(Builtins::SHR);
+      break;
+    case Token::SAR:
+      builtin = builtins->javascript_builtin(Builtins::SAR);
+      break;
+    case Token::SHL:
+      builtin = builtins->javascript_builtin(Builtins::SHL);
+      break;
+    default:
+      UNREACHABLE();
+  }
+
+  Handle<JSFunction> builtin_function(JSFunction::cast(builtin), isolate);
+
+  bool caught_exception;
+  Object** builtin_args[] = { right.location() };
+  Handle<Object> result = Execution::Call(builtin_function,
+                                          left,
+                                          ARRAY_SIZE(builtin_args),
+                                          builtin_args,
+                                          &caught_exception);
+  if (caught_exception) {
+    return Failure::Exception();
+  }
+  return *result;
+}
+
+
+Handle<Code> CompareIC::GetUninitialized(Token::Value op) {
+  ICCompareStub stub(op, UNINITIALIZED);
+  return stub.GetCode();
+}
+
+
+CompareIC::State CompareIC::ComputeState(Code* target) {
+  int key = target->major_key();
+  if (key == CodeStub::Compare) return GENERIC;
+  ASSERT(key == CodeStub::CompareIC);
+  return static_cast<State>(target->compare_state());
+}
+
+
+const char* CompareIC::GetStateName(State state) {
+  switch (state) {
+    case UNINITIALIZED: return "UNINITIALIZED";
+    case SMIS: return "SMIS";
+    case HEAP_NUMBERS: return "HEAP_NUMBERS";
+    case OBJECTS: return "OBJECTS";
+    case GENERIC: return "GENERIC";
+    default:
+      UNREACHABLE();
+      return NULL;
+  }
+}
+
+
+CompareIC::State CompareIC::TargetState(State state,
+                                        bool has_inlined_smi_code,
+                                        Handle<Object> x,
+                                        Handle<Object> y) {
+  if (!has_inlined_smi_code && state != UNINITIALIZED) return GENERIC;
+  if (state == UNINITIALIZED && x->IsSmi() && y->IsSmi()) return SMIS;
+  if ((state == UNINITIALIZED || (state == SMIS && has_inlined_smi_code)) &&
+      x->IsNumber() && y->IsNumber()) return HEAP_NUMBERS;
+  if (op_ != Token::EQ && op_ != Token::EQ_STRICT) return GENERIC;
+  if (state == UNINITIALIZED &&
+      x->IsJSObject() && y->IsJSObject()) return OBJECTS;
+  return GENERIC;
+}
+
+
+// Used from ic_<arch>.cc.
+RUNTIME_FUNCTION(Code*, CompareIC_Miss) {
+  NoHandleAllocation na;
+  ASSERT(args.length() == 3);
+  CompareIC ic(isolate, static_cast<Token::Value>(Smi::cast(args[2])->value()));
+  ic.UpdateCaches(args.at<Object>(0), args.at<Object>(1));
+  return ic.target();
+}
+
+
+static const Address IC_utilities[] = {
+#define ADDR(name) FUNCTION_ADDR(name),
+    IC_UTIL_LIST(ADDR)
+    NULL
+#undef ADDR
+};
+
+
+Address IC::AddressFromUtilityId(IC::UtilityId id) {
+  return IC_utilities[id];
+}
+
+
+} }  // namespace v8::internal