diff -r 000000000000 -r 6474c204b198 js/src/jit/AsmJS.cpp
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/js/src/jit/AsmJS.cpp	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,7128 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "jit/AsmJS.h"
+
+#include "mozilla/Move.h"
+
+#ifdef MOZ_VTUNE
+# include "vtune/VTuneWrapper.h"
+#endif
+
+#include "jsmath.h"
+#include "jsprf.h"
+#include "jsworkers.h"
+#include "prmjtime.h"
+
+#include "assembler/assembler/MacroAssembler.h"
+#include "frontend/Parser.h"
+#include "jit/AsmJSLink.h"
+#include "jit/AsmJSModule.h"
+#include "jit/AsmJSSignalHandlers.h"
+#include "jit/CodeGenerator.h"
+#include "jit/CompileWrappers.h"
+#include "jit/MIR.h"
+#include "jit/MIRGraph.h"
+#ifdef JS_ION_PERF
+# include "jit/PerfSpewer.h"
+#endif
+#include "vm/Interpreter.h"
+
+#include "jsinferinlines.h"
+#include "jsobjinlines.h"
+
+#include "frontend/ParseNode-inl.h"
+#include "frontend/Parser-inl.h"
+
+using namespace js;
+using namespace js::frontend;
+using namespace js::jit;
+
+using mozilla::AddToHash;
+using mozilla::ArrayLength;
+using mozilla::CountLeadingZeroes32;
+using mozilla::DebugOnly;
+using mozilla::HashGeneric;
+using mozilla::IsNaN;
+using mozilla::IsNegativeZero;
+using mozilla::Maybe;
+using mozilla::Move;
+using mozilla::PositiveInfinity;
+using JS::GenericNaN;
+
+static const size_t LIFO_ALLOC_PRIMARY_CHUNK_SIZE = 1 << 12;
+
+/*****************************************************************************/
+// ParseNode utilities
+
+static inline ParseNode *
+NextNode(ParseNode *pn)
+{
+    return pn->pn_next;
+}
+
+static inline ParseNode *
+UnaryKid(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_UNARY));
+    return pn->pn_kid;
+}
+
+static inline ParseNode *
+ReturnExpr(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_RETURN));
+    return UnaryKid(pn);
+}
+
+static inline ParseNode *
+BinaryRight(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_BINARY));
+    return pn->pn_right;
+}
+
+static inline ParseNode *
+BinaryLeft(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_BINARY));
+    return pn->pn_left;
+}
+
+static inline ParseNode *
+TernaryKid1(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_TERNARY));
+    return pn->pn_kid1;
+}
+
+static inline ParseNode *
+TernaryKid2(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_TERNARY));
+    return pn->pn_kid2;
+}
+
+static inline ParseNode *
+TernaryKid3(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_TERNARY));
+    return pn->pn_kid3;
+}
+
+static inline ParseNode *
+ListHead(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_LIST));
+    return pn->pn_head;
+}
+
+static inline unsigned
+ListLength(ParseNode *pn)
+{
+    JS_ASSERT(pn->isArity(PN_LIST));
+    return pn->pn_count;
+}
+
+static inline ParseNode *
+CallCallee(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_CALL));
+    return ListHead(pn);
+}
+
+static inline unsigned
+CallArgListLength(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_CALL));
+    JS_ASSERT(ListLength(pn) >= 1);
+    return ListLength(pn) - 1;
+}
+
+static inline ParseNode *
+CallArgList(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_CALL));
+    return NextNode(ListHead(pn));
+}
+
+static inline ParseNode *
+VarListHead(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_VAR) || pn->isKind(PNK_CONST));
+    return ListHead(pn);
+}
+
+static inline ParseNode *
+CaseExpr(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_CASE) || pn->isKind(PNK_DEFAULT));
+    return BinaryLeft(pn);
+}
+
+static inline ParseNode *
+CaseBody(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_CASE) || pn->isKind(PNK_DEFAULT));
+    return BinaryRight(pn);
+}
+
+static inline bool
+IsExpressionStatement(ParseNode *pn)
+{
+    return pn->isKind(PNK_SEMI);
+}
+
+static inline ParseNode *
+ExpressionStatementExpr(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_SEMI));
+    return UnaryKid(pn);
+}
+
+static inline PropertyName *
+LoopControlMaybeLabel(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_BREAK) || pn->isKind(PNK_CONTINUE));
+    JS_ASSERT(pn->isArity(PN_NULLARY));
+    return pn->as<LoopControlStatement>().label();
+}
+
+static inline PropertyName *
+LabeledStatementLabel(ParseNode *pn)
+{
+    return pn->as<LabeledStatement>().label();
+}
+
+static inline ParseNode *
+LabeledStatementStatement(ParseNode *pn)
+{
+    return pn->as<LabeledStatement>().statement();
+}
+
+static double
+NumberNodeValue(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_NUMBER));
+    return pn->pn_dval;
+}
+
+static bool
+NumberNodeHasFrac(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_NUMBER));
+    return pn->pn_u.number.decimalPoint == HasDecimal;
+}
+
+static ParseNode *
+DotBase(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_DOT));
+    JS_ASSERT(pn->isArity(PN_NAME));
+    return pn->expr();
+}
+
+static PropertyName *
+DotMember(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_DOT));
+    JS_ASSERT(pn->isArity(PN_NAME));
+    return pn->pn_atom->asPropertyName();
+}
+
+static ParseNode *
+ElemBase(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_ELEM));
+    return BinaryLeft(pn);
+}
+
+static ParseNode *
+ElemIndex(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_ELEM));
+    return BinaryRight(pn);
+}
+
+static inline JSFunction *
+FunctionObject(ParseNode *fn)
+{
+    JS_ASSERT(fn->isKind(PNK_FUNCTION));
+    JS_ASSERT(fn->isArity(PN_CODE));
+    return fn->pn_funbox->function();
+}
+
+static inline PropertyName *
+FunctionName(ParseNode *fn)
+{
+    if (JSAtom *atom = FunctionObject(fn)->atom())
+        return atom->asPropertyName();
+    return nullptr;
+}
+
+static inline ParseNode *
+FunctionStatementList(ParseNode *fn)
+{
+    JS_ASSERT(fn->pn_body->isKind(PNK_ARGSBODY));
+    ParseNode *last = fn->pn_body->last();
+    JS_ASSERT(last->isKind(PNK_STATEMENTLIST));
+    return last;
+}
+
+static inline bool
+IsNormalObjectField(ExclusiveContext *cx, ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_COLON));
+    return pn->getOp() == JSOP_INITPROP &&
+           BinaryLeft(pn)->isKind(PNK_NAME) &&
+           BinaryLeft(pn)->name() != cx->names().proto;
+}
+
+static inline PropertyName *
+ObjectNormalFieldName(ExclusiveContext *cx, ParseNode *pn)
+{
+    JS_ASSERT(IsNormalObjectField(cx, pn));
+    return BinaryLeft(pn)->name();
+}
+
+static inline ParseNode *
+ObjectFieldInitializer(ParseNode *pn)
+{
+    JS_ASSERT(pn->isKind(PNK_COLON));
+    return BinaryRight(pn);
+}
+
+static inline bool
+IsDefinition(ParseNode *pn)
+{
+    return pn->isKind(PNK_NAME) && pn->isDefn();
+}
+
+static inline ParseNode *
+MaybeDefinitionInitializer(ParseNode *pn)
+{
+    JS_ASSERT(IsDefinition(pn));
+    return pn->expr();
+}
+
+static inline bool
+IsUseOfName(ParseNode *pn, PropertyName *name)
+{
+    return pn->isKind(PNK_NAME) && pn->name() == name;
+}
+
+static inline bool
+IsEmptyStatement(ParseNode *pn)
+{
+    return pn->isKind(PNK_SEMI) && !UnaryKid(pn);
+}
+
+static inline ParseNode *
+SkipEmptyStatements(ParseNode *pn)
+{
+    while (pn && IsEmptyStatement(pn))
+        pn = pn->pn_next;
+    return pn;
+}
+
+static inline ParseNode *
+NextNonEmptyStatement(ParseNode *pn)
+{
+    return SkipEmptyStatements(pn->pn_next);
+}
+
+static TokenKind
+PeekToken(AsmJSParser &parser)
+{
+    TokenStream &ts = parser.tokenStream;
+    while (ts.peekToken(TokenStream::Operand) == TOK_SEMI)
+        ts.consumeKnownToken(TOK_SEMI);
+    return ts.peekToken(TokenStream::Operand);
+}
+
+static bool
+ParseVarOrConstStatement(AsmJSParser &parser, ParseNode **var)
+{
+    TokenKind tk = PeekToken(parser);
+    if (tk != TOK_VAR && tk != TOK_CONST) {
+        *var = nullptr;
+        return true;
+    }
+
+    *var = parser.statement();
+    if (!*var)
+        return false;
+
+    JS_ASSERT((*var)->isKind(PNK_VAR) || (*var)->isKind(PNK_CONST));
+    return true;
+}
+
+/*****************************************************************************/
+
+namespace {
+
+// Respresents the type of a general asm.js expression.
+class Type
+{
+  public:
+    enum Which {
+        Double,
+        MaybeDouble,
+        Float,
+        MaybeFloat,
+        Floatish,
+        Fixnum,
+        Int,
+        Signed,
+        Unsigned,
+        Intish,
+        Void
+    };
+
+  private:
+    Which which_;
+
+  public:
+    Type() : which_(Which(-1)) {}
+    Type(Which w) : which_(w) {}
+
+    bool operator==(Type rhs) const { return which_ == rhs.which_; }
+    bool operator!=(Type rhs) const { return which_ != rhs.which_; }
+
+    bool isSigned() const {
+        return which_ == Signed || which_ == Fixnum;
+    }
+
+    bool isUnsigned() const {
+        return which_ == Unsigned || which_ == Fixnum;
+    }
+
+    bool isInt() const {
+        return isSigned() || isUnsigned() || which_ == Int;
+    }
+
+    bool isIntish() const {
+        return isInt() || which_ == Intish;
+    }
+
+    bool isDouble() const {
+        return which_ == Double;
+    }
+
+    bool isMaybeDouble() const {
+        return isDouble() || which_ == MaybeDouble;
+    }
+
+    bool isFloat() const {
+        return which_ == Float;
+    }
+
+    bool isMaybeFloat() const {
+        return isFloat() || which_ == MaybeFloat;
+    }
+
+    bool isFloatish() const {
+        return isMaybeFloat() || which_ == Floatish;
+    }
+
+    bool isVoid() const {
+        return which_ == Void;
+    }
+
+    bool isExtern() const {
+        return isDouble() || isSigned();
+    }
+
+    bool isVarType() const {
+        return isInt() || isDouble() || isFloat();
+    }
+
+    MIRType toMIRType() const {
+        switch (which_) {
+          case Double:
+          case MaybeDouble:
+            return MIRType_Double;
+          case Float:
+          case Floatish:
+          case MaybeFloat:
+            return MIRType_Float32;
+          case Fixnum:
+          case Int:
+          case Signed:
+          case Unsigned:
+          case Intish:
+            return MIRType_Int32;
+          case Void:
+            return MIRType_None;
+        }
+        MOZ_ASSUME_UNREACHABLE("Invalid Type");
+    }
+
+    const char *toChars() const {
+        switch (which_) {
+          case Double:      return "double";
+          case MaybeDouble: return "double?";
+          case Float:       return "float";
+          case Floatish:    return "floatish";
+          case MaybeFloat:  return "float?";
+          case Fixnum:      return "fixnum";
+          case Int:         return "int";
+          case Signed:      return "signed";
+          case Unsigned:    return "unsigned";
+          case Intish:      return "intish";
+          case Void:        return "void";
+        }
+        MOZ_ASSUME_UNREACHABLE("Invalid Type");
+    }
+};
+
+} /* anonymous namespace */
+
+// Represents the subset of Type that can be used as the return type of a
+// function.
+class RetType
+{
+  public:
+    enum Which {
+        Void = Type::Void,
+        Signed = Type::Signed,
+        Double = Type::Double,
+        Float = Type::Float
+    };
+
+  private:
+    Which which_;
+
+  public:
+    RetType() : which_(Which(-1)) {}
+    RetType(Which w) : which_(w) {}
+    RetType(AsmJSCoercion coercion) {
+        switch (coercion) {
+          case AsmJS_ToInt32: which_ = Signed; break;
+          case AsmJS_ToNumber: which_ = Double; break;
+          case AsmJS_FRound: which_ = Float; break;
+        }
+    }
+    Which which() const {
+        return which_;
+    }
+    Type toType() const {
+        return Type::Which(which_);
+    }
+    AsmJSModule::ReturnType toModuleReturnType() const {
+        switch (which_) {
+          case Void: return AsmJSModule::Return_Void;
+          case Signed: return AsmJSModule::Return_Int32;
+          case Float: // will be converted to a Double
+          case Double: return AsmJSModule::Return_Double;
+        }
+        MOZ_ASSUME_UNREACHABLE("Unexpected return type");
+    }
+    MIRType toMIRType() const {
+        switch (which_) {
+          case Void: return MIRType_None;
+          case Signed: return MIRType_Int32;
+          case Double: return MIRType_Double;
+          case Float: return MIRType_Float32;
+        }
+        MOZ_ASSUME_UNREACHABLE("Unexpected return type");
+    }
+    bool operator==(RetType rhs) const { return which_ == rhs.which_; }
+    bool operator!=(RetType rhs) const { return which_ != rhs.which_; }
+};
+
+namespace {
+
+// Represents the subset of Type that can be used as a variable or
+// argument's type. Note: AsmJSCoercion and VarType are kept separate to
+// make very clear the signed/int distinction: a coercion may explicitly sign
+// an *expression* but, when stored as a variable, this signedness information
+// is explicitly thrown away by the asm.js type system. E.g., in
+//
+//   function f(i) {
+//     i = i | 0;             (1)
+//     if (...)
+//         i = foo() >>> 0;
+//     else
+//         i = bar() | 0;
+//     return i | 0;          (2)
+//   }
+//
+// the AsmJSCoercion of (1) is Signed (since | performs ToInt32) but, when
+// translated to an VarType, the result is a plain Int since, as shown, it
+// is legal to assign both Signed and Unsigned (or some other Int) values to
+// it. For (2), the AsmJSCoercion is also Signed but, when translated to an
+// RetType, the result is Signed since callers (asm.js and non-asm.js) can
+// rely on the return value being Signed.
+class VarType
+{
+  public:
+    enum Which {
+        Int = Type::Int,
+        Double = Type::Double,
+        Float = Type::Float
+    };
+
+  private:
+    Which which_;
+
+  public:
+    VarType()
+      : which_(Which(-1)) {}
+    VarType(Which w)
+      : which_(w) {}
+    VarType(AsmJSCoercion coercion) {
+        switch (coercion) {
+          case AsmJS_ToInt32: which_ = Int; break;
+          case AsmJS_ToNumber: which_ = Double; break;
+          case AsmJS_FRound: which_ = Float; break;
+        }
+    }
+    Which which() const {
+        return which_;
+    }
+    Type toType() const {
+        return Type::Which(which_);
+    }
+    MIRType toMIRType() const {
+        switch(which_) {
+          case Int:     return MIRType_Int32;
+          case Double:  return MIRType_Double;
+          case Float:   return MIRType_Float32;
+        }
+        MOZ_ASSUME_UNREACHABLE("VarType can only be Int, Double or Float");
+    }
+    AsmJSCoercion toCoercion() const {
+        switch(which_) {
+          case Int:     return AsmJS_ToInt32;
+          case Double:  return AsmJS_ToNumber;
+          case Float:   return AsmJS_FRound;
+        }
+        MOZ_ASSUME_UNREACHABLE("VarType can only be Int, Double or Float");
+    }
+    static VarType FromCheckedType(Type type) {
+        JS_ASSERT(type.isInt() || type.isMaybeDouble() || type.isFloatish());
+        if (type.isMaybeDouble())
+            return Double;
+        else if (type.isFloatish())
+            return Float;
+        else
+            return Int;
+    }
+    bool operator==(VarType rhs) const { return which_ == rhs.which_; }
+    bool operator!=(VarType rhs) const { return which_ != rhs.which_; }
+};
+
+} /* anonymous namespace */
+
+// Implements <: (subtype) operator when the rhs is an VarType
+static inline bool
+operator<=(Type lhs, VarType rhs)
+{
+    switch (rhs.which()) {
+      case VarType::Int:    return lhs.isInt();
+      case VarType::Double: return lhs.isDouble();
+      case VarType::Float:  return lhs.isFloat();
+    }
+    MOZ_ASSUME_UNREACHABLE("Unexpected rhs type");
+}
+
+/*****************************************************************************/
+
+static inline MIRType ToMIRType(MIRType t) { return t; }
+static inline MIRType ToMIRType(VarType t) { return t.toMIRType(); }
+
+namespace {
+
+template <class VecT>
+class ABIArgIter
+{
+    ABIArgGenerator gen_;
+    const VecT &types_;
+    unsigned i_;
+
+    void settle() { if (!done()) gen_.next(ToMIRType(types_[i_])); }
+
+  public:
+    ABIArgIter(const VecT &types) : types_(types), i_(0) { settle(); }
+    void operator++(int) { JS_ASSERT(!done()); i_++; settle(); }
+    bool done() const { return i_ == types_.length(); }
+
+    ABIArg *operator->() { JS_ASSERT(!done()); return &gen_.current(); }
+    ABIArg &operator*() { JS_ASSERT(!done()); return gen_.current(); }
+
+    unsigned index() const { JS_ASSERT(!done()); return i_; }
+    MIRType mirType() const { JS_ASSERT(!done()); return ToMIRType(types_[i_]); }
+    uint32_t stackBytesConsumedSoFar() const { return gen_.stackBytesConsumedSoFar(); }
+};
+
+typedef js::Vector<MIRType, 8> MIRTypeVector;
+typedef ABIArgIter<MIRTypeVector> ABIArgMIRTypeIter;
+
+typedef js::Vector<VarType, 8, LifoAllocPolicy> VarTypeVector;
+typedef ABIArgIter<VarTypeVector> ABIArgTypeIter;
+
+class Signature
+{
+    VarTypeVector argTypes_;
+    RetType retType_;
+
+  public:
+    Signature(LifoAlloc &alloc)
+      : argTypes_(alloc) {}
+    Signature(LifoAlloc &alloc, RetType retType)
+      : argTypes_(alloc), retType_(retType) {}
+    Signature(VarTypeVector &&argTypes, RetType retType)
+      : argTypes_(Move(argTypes)), retType_(Move(retType)) {}
+    Signature(Signature &&rhs)
+      : argTypes_(Move(rhs.argTypes_)), retType_(Move(rhs.retType_)) {}
+
+    bool copy(const Signature &rhs) {
+        if (!argTypes_.resize(rhs.argTypes_.length()))
+            return false;
+        for (unsigned i = 0; i < argTypes_.length(); i++)
+            argTypes_[i] = rhs.argTypes_[i];
+        retType_ = rhs.retType_;
+        return true;
+    }
+
+    bool appendArg(VarType type) { return argTypes_.append(type); }
+    VarType arg(unsigned i) const { return argTypes_[i]; }
+    const VarTypeVector &args() const { return argTypes_; }
+    VarTypeVector &&extractArgs() { return Move(argTypes_); }
+
+    RetType retType() const { return retType_; }
+};
+
+} /* namespace anonymous */
+
+static
+bool operator==(const Signature &lhs, const Signature &rhs)
+{
+    if (lhs.retType() != rhs.retType())
+        return false;
+    if (lhs.args().length() != rhs.args().length())
+        return false;
+    for (unsigned i = 0; i < lhs.args().length(); i++) {
+        if (lhs.arg(i) != rhs.arg(i))
+            return false;
+    }
+    return true;
+}
+
+static inline
+bool operator!=(const Signature &lhs, const Signature &rhs)
+{
+    return !(lhs == rhs);
+}
+
+/*****************************************************************************/
+// Typed array utilities
+
+static Type
+TypedArrayLoadType(ArrayBufferView::ViewType viewType)
+{
+    switch (viewType) {
+      case ArrayBufferView::TYPE_INT8:
+      case ArrayBufferView::TYPE_INT16:
+      case ArrayBufferView::TYPE_INT32:
+      case ArrayBufferView::TYPE_UINT8:
+      case ArrayBufferView::TYPE_UINT16:
+      case ArrayBufferView::TYPE_UINT32:
+        return Type::Intish;
+      case ArrayBufferView::TYPE_FLOAT32:
+        return Type::MaybeFloat;
+      case ArrayBufferView::TYPE_FLOAT64:
+        return Type::MaybeDouble;
+      default:;
+    }
+    MOZ_ASSUME_UNREACHABLE("Unexpected array type");
+}
+
+enum NeedsBoundsCheck {
+    NO_BOUNDS_CHECK,
+    NEEDS_BOUNDS_CHECK
+};
+
+namespace {
+
+typedef js::Vector<PropertyName*,1> LabelVector;
+typedef js::Vector<MBasicBlock*,8> BlockVector;
+
+// ModuleCompiler encapsulates the compilation of an entire asm.js module. Over
+// the course of an ModuleCompiler object's lifetime, many FunctionCompiler
+// objects will be created and destroyed in sequence, one for each function in
+// the module.
+//
+// *** asm.js FFI calls ***
+//
+// asm.js allows calling out to non-asm.js via "FFI calls". The asm.js type
+// system does not place any constraints on the FFI call. In particular:
+//  - an FFI call's target is not known or speculated at module-compile time;
+//  - a single external function can be called with different signatures.
+//
+// If performance didn't matter, all FFI calls could simply box their arguments
+// and call js::Invoke. However, we'd like to be able to specialize FFI calls
+// to be more efficient in several cases:
+//
+//  - for calls to JS functions which have been jitted, we'd like to call
+//    directly into JIT code without going through C++.
+//
+//  - for calls to certain builtins, we'd like to be call directly into the C++
+//    code for the builtin without going through the general call path.
+//
+// All of this requires dynamic specialization techniques which must happen
+// after module compilation. To support this, at module-compilation time, each
+// FFI call generates a call signature according to the system ABI, as if the
+// callee was a C++ function taking/returning the same types as the caller was
+// passing/expecting. The callee is loaded from a fixed offset in the global
+// data array which allows the callee to change at runtime. Initially, the
+// callee is stub which boxes its arguments and calls js::Invoke.
+//
+// To do this, we need to generate a callee stub for each pairing of FFI callee
+// and signature. We call this pairing an "exit". For example, this code has
+// two external functions and three exits:
+//
+//  function f(global, imports) {
+//    "use asm";
+//    var foo = imports.foo;
+//    var bar = imports.bar;
+//    function g() {
+//      foo(1);      // Exit #1: (int) -> void
+//      foo(1.5);    // Exit #2: (double) -> void
+//      bar(1)|0;    // Exit #3: (int) -> int
+//      bar(2)|0;    // Exit #3: (int) -> int
+//    }
+//  }
+//
+// The ModuleCompiler maintains a hash table (ExitMap) which allows a call site
+// to add a new exit or reuse an existing one. The key is an ExitDescriptor
+// (which holds the exit pairing) and the value is an index into the
+// Vector<Exit> stored in the AsmJSModule.
+//
+// Rooting note: ModuleCompiler is a stack class that contains unrooted
+// PropertyName (JSAtom) pointers.  This is safe because it cannot be
+// constructed without a TokenStream reference.  TokenStream is itself a stack
+// class that cannot be constructed without an AutoKeepAtoms being live on the
+// stack, which prevents collection of atoms.
+//
+// ModuleCompiler is marked as rooted in the rooting analysis.  Don't add
+// non-JSAtom pointers, or this will break!
+class MOZ_STACK_CLASS ModuleCompiler
+{
+  public:
+    class Func
+    {
+        PropertyName *name_;
+        bool defined_;
+        uint32_t srcOffset_;
+        uint32_t endOffset_;
+        Signature sig_;
+        Label *code_;
+        unsigned compileTime_;
+
+      public:
+        Func(PropertyName *name, Signature &&sig, Label *code)
+          : name_(name), defined_(false), srcOffset_(0), endOffset_(0), sig_(Move(sig)),
+            code_(code), compileTime_(0)
+        {}
+
+        PropertyName *name() const { return name_; }
+
+        bool defined() const { return defined_; }
+        void finish(uint32_t start, uint32_t end) {
+            JS_ASSERT(!defined_);
+            defined_ = true;
+            srcOffset_ = start;
+            endOffset_ = end;
+        }
+
+        uint32_t srcOffset() const { JS_ASSERT(defined_); return srcOffset_; }
+        uint32_t endOffset() const { JS_ASSERT(defined_); return endOffset_; }
+        Signature &sig() { return sig_; }
+        const Signature &sig() const { return sig_; }
+        Label *code() const { return code_; }
+        unsigned compileTime() const { return compileTime_; }
+        void accumulateCompileTime(unsigned ms) { compileTime_ += ms; }
+    };
+
+    class Global
+    {
+      public:
+        enum Which {
+            Variable,
+            ConstantLiteral,
+            ConstantImport,
+            Function,
+            FuncPtrTable,
+            FFI,
+            ArrayView,
+            MathBuiltinFunction
+        };
+
+      private:
+        Which which_;
+        union {
+            struct {
+                VarType::Which type_;
+                uint32_t index_;
+                Value literalValue_;
+            } varOrConst;
+            uint32_t funcIndex_;
+            uint32_t funcPtrTableIndex_;
+            uint32_t ffiIndex_;
+            ArrayBufferView::ViewType viewType_;
+            AsmJSMathBuiltinFunction mathBuiltinFunc_;
+        } u;
+
+        friend class ModuleCompiler;
+        friend class js::LifoAlloc;
+
+        Global(Which which) : which_(which) {}
+
+      public:
+        Which which() const {
+            return which_;
+        }
+        VarType varOrConstType() const {
+            JS_ASSERT(which_ == Variable || which_ == ConstantLiteral || which_ == ConstantImport);
+            return VarType(u.varOrConst.type_);
+        }
+        uint32_t varOrConstIndex() const {
+            JS_ASSERT(which_ == Variable || which_ == ConstantImport);
+            return u.varOrConst.index_;
+        }
+        bool isConst() const {
+            return which_ == ConstantLiteral || which_ == ConstantImport;
+        }
+        Value constLiteralValue() const {
+            JS_ASSERT(which_ == ConstantLiteral);
+            return u.varOrConst.literalValue_;
+        }
+        uint32_t funcIndex() const {
+            JS_ASSERT(which_ == Function);
+            return u.funcIndex_;
+        }
+        uint32_t funcPtrTableIndex() const {
+            JS_ASSERT(which_ == FuncPtrTable);
+            return u.funcPtrTableIndex_;
+        }
+        unsigned ffiIndex() const {
+            JS_ASSERT(which_ == FFI);
+            return u.ffiIndex_;
+        }
+        ArrayBufferView::ViewType viewType() const {
+            JS_ASSERT(which_ == ArrayView);
+            return u.viewType_;
+        }
+        AsmJSMathBuiltinFunction mathBuiltinFunction() const {
+            JS_ASSERT(which_ == MathBuiltinFunction);
+            return u.mathBuiltinFunc_;
+        }
+    };
+
+    typedef js::Vector<const Func*> FuncPtrVector;
+
+    class FuncPtrTable
+    {
+        Signature sig_;
+        uint32_t mask_;
+        uint32_t globalDataOffset_;
+        FuncPtrVector elems_;
+
+      public:
+        FuncPtrTable(ExclusiveContext *cx, Signature &&sig, uint32_t mask, uint32_t gdo)
+          : sig_(Move(sig)), mask_(mask), globalDataOffset_(gdo), elems_(cx)
+        {}
+
+        FuncPtrTable(FuncPtrTable &&rhs)
+          : sig_(Move(rhs.sig_)), mask_(rhs.mask_), globalDataOffset_(rhs.globalDataOffset_),
+            elems_(Move(rhs.elems_))
+        {}
+
+        Signature &sig() { return sig_; }
+        const Signature &sig() const { return sig_; }
+        unsigned mask() const { return mask_; }
+        unsigned globalDataOffset() const { return globalDataOffset_; }
+
+        bool initialized() const { return !elems_.empty(); }
+        void initElems(FuncPtrVector &&elems) { elems_ = Move(elems); JS_ASSERT(initialized()); }
+        unsigned numElems() const { JS_ASSERT(initialized()); return elems_.length(); }
+        const Func &elem(unsigned i) const { return *elems_[i]; }
+    };
+
+    typedef js::Vector<FuncPtrTable> FuncPtrTableVector;
+
+    class ExitDescriptor
+    {
+        PropertyName *name_;
+        Signature sig_;
+
+      public:
+        ExitDescriptor(PropertyName *name, Signature &&sig)
+          : name_(name), sig_(Move(sig)) {}
+        ExitDescriptor(ExitDescriptor &&rhs)
+          : name_(rhs.name_), sig_(Move(rhs.sig_))
+        {}
+        const Signature &sig() const {
+            return sig_;
+        }
+
+        // ExitDescriptor is a HashPolicy:
+        typedef ExitDescriptor Lookup;
+        static HashNumber hash(const ExitDescriptor &d) {
+            HashNumber hn = HashGeneric(d.name_, d.sig_.retType().which());
+            const VarTypeVector &args = d.sig_.args();
+            for (unsigned i = 0; i < args.length(); i++)
+                hn = AddToHash(hn, args[i].which());
+            return hn;
+        }
+        static bool match(const ExitDescriptor &lhs, const ExitDescriptor &rhs) {
+            return lhs.name_ == rhs.name_ && lhs.sig_ == rhs.sig_;
+        }
+    };
+
+    typedef HashMap<ExitDescriptor, unsigned, ExitDescriptor> ExitMap;
+
+    struct MathBuiltin
+    {
+        enum Kind { Function, Constant };
+        Kind kind;
+
+        union {
+            double cst;
+            AsmJSMathBuiltinFunction func;
+        } u;
+
+        MathBuiltin() : kind(Kind(-1)) {}
+        MathBuiltin(double cst) : kind(Constant) {
+            u.cst = cst;
+        }
+        MathBuiltin(AsmJSMathBuiltinFunction func) : kind(Function) {
+            u.func = func;
+        }
+    };
+
+  private:
+    struct SlowFunction
+    {
+        PropertyName *name;
+        unsigned ms;
+        unsigned line;
+        unsigned column;
+    };
+
+    typedef HashMap<PropertyName*, MathBuiltin> MathNameMap;
+    typedef HashMap<PropertyName*, Global*> GlobalMap;
+    typedef js::Vector<Func*> FuncVector;
+    typedef js::Vector<AsmJSGlobalAccess> GlobalAccessVector;
+    typedef js::Vector<SlowFunction> SlowFunctionVector;
+
+    ExclusiveContext *             cx_;
+    AsmJSParser &                  parser_;
+
+    MacroAssembler                 masm_;
+
+    ScopedJSDeletePtr<AsmJSModule> module_;
+    LifoAlloc                      moduleLifo_;
+    ParseNode *                    moduleFunctionNode_;
+    PropertyName *                 moduleFunctionName_;
+
+    GlobalMap                      globals_;
+    FuncVector                     functions_;
+    FuncPtrTableVector             funcPtrTables_;
+    ExitMap                        exits_;
+    MathNameMap                    standardLibraryMathNames_;
+    Label                          stackOverflowLabel_;
+    Label                          interruptLabel_;
+
+    char *                         errorString_;
+    uint32_t                       errorOffset_;
+    bool                           errorOverRecursed_;
+
+    int64_t                        usecBefore_;
+    SlowFunctionVector             slowFunctions_;
+
+    DebugOnly<bool>                finishedFunctionBodies_;
+
+    bool addStandardLibraryMathName(const char *name, AsmJSMathBuiltinFunction func) {
+        JSAtom *atom = Atomize(cx_, name, strlen(name));
+        if (!atom)
+            return false;
+        MathBuiltin builtin(func);
+        return standardLibraryMathNames_.putNew(atom->asPropertyName(), builtin);
+    }
+    bool addStandardLibraryMathName(const char *name, double cst) {
+        JSAtom *atom = Atomize(cx_, name, strlen(name));
+        if (!atom)
+            return false;
+        MathBuiltin builtin(cst);
+        return standardLibraryMathNames_.putNew(atom->asPropertyName(), builtin);
+    }
+
+  public:
+    ModuleCompiler(ExclusiveContext *cx, AsmJSParser &parser)
+      : cx_(cx),
+        parser_(parser),
+        masm_(MacroAssembler::AsmJSToken()),
+        moduleLifo_(LIFO_ALLOC_PRIMARY_CHUNK_SIZE),
+        moduleFunctionNode_(parser.pc->maybeFunction),
+        moduleFunctionName_(nullptr),
+        globals_(cx),
+        functions_(cx),
+        funcPtrTables_(cx),
+        exits_(cx),
+        standardLibraryMathNames_(cx),
+        errorString_(nullptr),
+        errorOffset_(UINT32_MAX),
+        errorOverRecursed_(false),
+        usecBefore_(PRMJ_Now()),
+        slowFunctions_(cx),
+        finishedFunctionBodies_(false)
+    {
+        JS_ASSERT(moduleFunctionNode_->pn_funbox == parser.pc->sc->asFunctionBox());
+    }
+
+    ~ModuleCompiler() {
+        if (errorString_) {
+            JS_ASSERT(errorOffset_ != UINT32_MAX);
+            tokenStream().reportAsmJSError(errorOffset_,
+                                           JSMSG_USE_ASM_TYPE_FAIL,
+                                           errorString_);
+            js_free(errorString_);
+        }
+        if (errorOverRecursed_)
+            js_ReportOverRecursed(cx_);
+
+        // Avoid spurious Label assertions on compilation failure.
+        if (!stackOverflowLabel_.bound())
+            stackOverflowLabel_.bind(0);
+        if (!interruptLabel_.bound())
+            interruptLabel_.bind(0);
+    }
+
+    bool init() {
+        if (!globals_.init() || !exits_.init())
+            return false;
+
+        if (!standardLibraryMathNames_.init() ||
+            !addStandardLibraryMathName("sin", AsmJSMathBuiltin_sin) ||
+            !addStandardLibraryMathName("cos", AsmJSMathBuiltin_cos) ||
+            !addStandardLibraryMathName("tan", AsmJSMathBuiltin_tan) ||
+            !addStandardLibraryMathName("asin", AsmJSMathBuiltin_asin) ||
+            !addStandardLibraryMathName("acos", AsmJSMathBuiltin_acos) ||
+            !addStandardLibraryMathName("atan", AsmJSMathBuiltin_atan) ||
+            !addStandardLibraryMathName("ceil", AsmJSMathBuiltin_ceil) ||
+            !addStandardLibraryMathName("floor", AsmJSMathBuiltin_floor) ||
+            !addStandardLibraryMathName("exp", AsmJSMathBuiltin_exp) ||
+            !addStandardLibraryMathName("log", AsmJSMathBuiltin_log) ||
+            !addStandardLibraryMathName("pow", AsmJSMathBuiltin_pow) ||
+            !addStandardLibraryMathName("sqrt", AsmJSMathBuiltin_sqrt) ||
+            !addStandardLibraryMathName("abs", AsmJSMathBuiltin_abs) ||
+            !addStandardLibraryMathName("atan2", AsmJSMathBuiltin_atan2) ||
+            !addStandardLibraryMathName("imul", AsmJSMathBuiltin_imul) ||
+            !addStandardLibraryMathName("fround", AsmJSMathBuiltin_fround) ||
+            !addStandardLibraryMathName("min", AsmJSMathBuiltin_min) ||
+            !addStandardLibraryMathName("max", AsmJSMathBuiltin_max) ||
+            !addStandardLibraryMathName("E", M_E) ||
+            !addStandardLibraryMathName("LN10", M_LN10) ||
+            !addStandardLibraryMathName("LN2", M_LN2) ||
+            !addStandardLibraryMathName("LOG2E", M_LOG2E) ||
+            !addStandardLibraryMathName("LOG10E", M_LOG10E) ||
+            !addStandardLibraryMathName("PI", M_PI) ||
+            !addStandardLibraryMathName("SQRT1_2", M_SQRT1_2) ||
+            !addStandardLibraryMathName("SQRT2", M_SQRT2))
+        {
+            return false;
+        }
+
+        uint32_t funcStart = parser_.pc->maybeFunction->pn_body->pn_pos.begin;
+        uint32_t offsetToEndOfUseAsm = tokenStream().currentToken().pos.end;
+
+        // "use strict" should be added to the source if we are in an implicit
+        // strict context, see also comment above addUseStrict in
+        // js::FunctionToString.
+        bool strict = parser_.pc->sc->strict && !parser_.pc->sc->hasExplicitUseStrict();
+
+        module_ = cx_->new_<AsmJSModule>(parser_.ss, funcStart, offsetToEndOfUseAsm, strict);
+        if (!module_)
+            return false;
+
+        return true;
+    }
+
+    bool failOffset(uint32_t offset, const char *str) {
+        JS_ASSERT(!errorString_);
+        JS_ASSERT(errorOffset_ == UINT32_MAX);
+        JS_ASSERT(str);
+        errorOffset_ = offset;
+        errorString_ = js_strdup(cx_, str);
+        return false;
+    }
+
+    bool fail(ParseNode *pn, const char *str) {
+        if (pn)
+            return failOffset(pn->pn_pos.begin, str);
+
+        // The exact rooting static analysis does not perform dataflow analysis, so it believes
+        // that unrooted things on the stack during compilation may still be accessed after this.
+        // Since pn is typically only null under OOM, this suppression simply forces any GC to be
+        // delayed until the compilation is off the stack and more memory can be freed.
+        gc::AutoSuppressGC nogc(cx_);
+        return failOffset(tokenStream().peekTokenPos().begin, str);
+    }
+
+    bool failfVA(ParseNode *pn, const char *fmt, va_list ap) {
+        JS_ASSERT(!errorString_);
+        JS_ASSERT(errorOffset_ == UINT32_MAX);
+        JS_ASSERT(fmt);
+        errorOffset_ = pn ? pn->pn_pos.begin : tokenStream().currentToken().pos.end;
+        errorString_ = JS_vsmprintf(fmt, ap);
+        return false;
+    }
+
+    bool failf(ParseNode *pn, const char *fmt, ...) {
+        va_list ap;
+        va_start(ap, fmt);
+        failfVA(pn, fmt, ap);
+        va_end(ap);
+        return false;
+    }
+
+    bool failName(ParseNode *pn, const char *fmt, PropertyName *name) {
+        // This function is invoked without the caller properly rooting its locals.
+        gc::AutoSuppressGC suppress(cx_);
+        JSAutoByteString bytes;
+        if (AtomToPrintableString(cx_, name, &bytes))
+            failf(pn, fmt, bytes.ptr());
+        return false;
+    }
+
+    bool failOverRecursed() {
+        errorOverRecursed_ = true;
+        return false;
+    }
+
+    static const unsigned SLOW_FUNCTION_THRESHOLD_MS = 250;
+
+    bool maybeReportCompileTime(const Func &func) {
+        if (func.compileTime() < SLOW_FUNCTION_THRESHOLD_MS)
+            return true;
+        SlowFunction sf;
+        sf.name = func.name();
+        sf.ms = func.compileTime();
+        tokenStream().srcCoords.lineNumAndColumnIndex(func.srcOffset(), &sf.line, &sf.column);
+        return slowFunctions_.append(sf);
+    }
+
+    /*************************************************** Read-only interface */
+
+    ExclusiveContext *cx() const { return cx_; }
+    AsmJSParser &parser() const { return parser_; }
+    TokenStream &tokenStream() const { return parser_.tokenStream; }
+    MacroAssembler &masm() { return masm_; }
+    Label &stackOverflowLabel() { return stackOverflowLabel_; }
+    Label &interruptLabel() { return interruptLabel_; }
+    bool hasError() const { return errorString_ != nullptr; }
+    const AsmJSModule &module() const { return *module_.get(); }
+    uint32_t moduleStart() const { return module_->funcStart(); }
+
+    ParseNode *moduleFunctionNode() const { return moduleFunctionNode_; }
+    PropertyName *moduleFunctionName() const { return moduleFunctionName_; }
+
+    const Global *lookupGlobal(PropertyName *name) const {
+        if (GlobalMap::Ptr p = globals_.lookup(name))
+            return p->value();
+        return nullptr;
+    }
+    Func *lookupFunction(PropertyName *name) {
+        if (GlobalMap::Ptr p = globals_.lookup(name)) {
+            Global *value = p->value();
+            if (value->which() == Global::Function)
+                return functions_[value->funcIndex()];
+        }
+        return nullptr;
+    }
+    unsigned numFunctions() const {
+        return functions_.length();
+    }
+    Func &function(unsigned i) {
+        return *functions_[i];
+    }
+    unsigned numFuncPtrTables() const {
+        return funcPtrTables_.length();
+    }
+    FuncPtrTable &funcPtrTable(unsigned i) {
+        return funcPtrTables_[i];
+    }
+    bool lookupStandardLibraryMathName(PropertyName *name, MathBuiltin *mathBuiltin) const {
+        if (MathNameMap::Ptr p = standardLibraryMathNames_.lookup(name)) {
+            *mathBuiltin = p->value();
+            return true;
+        }
+        return false;
+    }
+    ExitMap::Range allExits() const {
+        return exits_.all();
+    }
+
+    /***************************************************** Mutable interface */
+
+    void initModuleFunctionName(PropertyName *name) { moduleFunctionName_ = name; }
+
+    void initGlobalArgumentName(PropertyName *n) { module_->initGlobalArgumentName(n); }
+    void initImportArgumentName(PropertyName *n) { module_->initImportArgumentName(n); }
+    void initBufferArgumentName(PropertyName *n) { module_->initBufferArgumentName(n); }
+
+    bool addGlobalVarInit(PropertyName *varName, VarType type, const Value &v, bool isConst) {
+        uint32_t index;
+        if (!module_->addGlobalVarInit(v, type.toCoercion(), &index))
+            return false;
+
+        Global::Which which = isConst ? Global::ConstantLiteral : Global::Variable;
+        Global *global = moduleLifo_.new_<Global>(which);
+        if (!global)
+            return false;
+        global->u.varOrConst.index_ = index;
+        global->u.varOrConst.type_ = type.which();
+        if (isConst)
+            global->u.varOrConst.literalValue_ = v;
+
+        return globals_.putNew(varName, global);
+    }
+    bool addGlobalVarImport(PropertyName *varName, PropertyName *fieldName, AsmJSCoercion coercion,
+                            bool isConst) {
+        uint32_t index;
+        if (!module_->addGlobalVarImport(fieldName, coercion, &index))
+            return false;
+
+        Global::Which which = isConst ? Global::ConstantImport : Global::Variable;
+        Global *global = moduleLifo_.new_<Global>(which);
+        if (!global)
+            return false;
+        global->u.varOrConst.index_ = index;
+        global->u.varOrConst.type_ = VarType(coercion).which();
+
+        return globals_.putNew(varName, global);
+    }
+    bool addFunction(PropertyName *name, Signature &&sig, Func **func) {
+        JS_ASSERT(!finishedFunctionBodies_);
+        Global *global = moduleLifo_.new_<Global>(Global::Function);
+        if (!global)
+            return false;
+        global->u.funcIndex_ = functions_.length();
+        if (!globals_.putNew(name, global))
+            return false;
+        Label *code = moduleLifo_.new_<Label>();
+        if (!code)
+            return false;
+        *func = moduleLifo_.new_<Func>(name, Move(sig), code);
+        if (!*func)
+            return false;
+        return functions_.append(*func);
+    }
+    bool addFuncPtrTable(PropertyName *name, Signature &&sig, uint32_t mask, FuncPtrTable **table) {
+        Global *global = moduleLifo_.new_<Global>(Global::FuncPtrTable);
+        if (!global)
+            return false;
+        global->u.funcPtrTableIndex_ = funcPtrTables_.length();
+        if (!globals_.putNew(name, global))
+            return false;
+        uint32_t globalDataOffset;
+        if (!module_->addFuncPtrTable(/* numElems = */ mask + 1, &globalDataOffset))
+            return false;
+        FuncPtrTable tmpTable(cx_, Move(sig), mask, globalDataOffset);
+        if (!funcPtrTables_.append(Move(tmpTable)))
+            return false;
+        *table = &funcPtrTables_.back();
+        return true;
+    }
+    bool addFFI(PropertyName *varName, PropertyName *field) {
+        Global *global = moduleLifo_.new_<Global>(Global::FFI);
+        if (!global)
+            return false;
+        uint32_t index;
+        if (!module_->addFFI(field, &index))
+            return false;
+        global->u.ffiIndex_ = index;
+        return globals_.putNew(varName, global);
+    }
+    bool addArrayView(PropertyName *varName, ArrayBufferView::ViewType vt, PropertyName *fieldName) {
+        Global *global = moduleLifo_.new_<Global>(Global::ArrayView);
+        if (!global)
+            return false;
+        if (!module_->addArrayView(vt, fieldName))
+            return false;
+        global->u.viewType_ = vt;
+        return globals_.putNew(varName, global);
+    }
+    bool addMathBuiltinFunction(PropertyName *varName, AsmJSMathBuiltinFunction func, PropertyName *fieldName) {
+        if (!module_->addMathBuiltinFunction(func, fieldName))
+            return false;
+        Global *global = moduleLifo_.new_<Global>(Global::MathBuiltinFunction);
+        if (!global)
+            return false;
+        global->u.mathBuiltinFunc_ = func;
+        return globals_.putNew(varName, global);
+    }
+  private:
+    bool addGlobalDoubleConstant(PropertyName *varName, double constant) {
+        Global *global = moduleLifo_.new_<Global>(Global::ConstantLiteral);
+        if (!global)
+            return false;
+        global->u.varOrConst.literalValue_ = DoubleValue(constant);
+        global->u.varOrConst.type_ = VarType::Double;
+        return globals_.putNew(varName, global);
+    }
+  public:
+    bool addMathBuiltinConstant(PropertyName *varName, double constant, PropertyName *fieldName) {
+        if (!module_->addMathBuiltinConstant(constant, fieldName))
+            return false;
+        return addGlobalDoubleConstant(varName, constant);
+    }
+    bool addGlobalConstant(PropertyName *varName, double constant, PropertyName *fieldName) {
+        if (!module_->addGlobalConstant(constant, fieldName))
+            return false;
+        return addGlobalDoubleConstant(varName, constant);
+    }
+    bool addExportedFunction(const Func *func, PropertyName *maybeFieldName) {
+        AsmJSModule::ArgCoercionVector argCoercions;
+        const VarTypeVector &args = func->sig().args();
+        if (!argCoercions.resize(args.length()))
+            return false;
+        for (unsigned i = 0; i < args.length(); i++)
+            argCoercions[i] = args[i].toCoercion();
+        AsmJSModule::ReturnType retType = func->sig().retType().toModuleReturnType();
+        return module_->addExportedFunction(func->name(), func->srcOffset(), func->endOffset(),
+                                            maybeFieldName, Move(argCoercions), retType);
+    }
+    bool addExit(unsigned ffiIndex, PropertyName *name, Signature &&sig, unsigned *exitIndex) {
+        ExitDescriptor exitDescriptor(name, Move(sig));
+        ExitMap::AddPtr p = exits_.lookupForAdd(exitDescriptor);
+        if (p) {
+            *exitIndex = p->value();
+            return true;
+        }
+        if (!module_->addExit(ffiIndex, exitIndex))
+            return false;
+        return exits_.add(p, Move(exitDescriptor), *exitIndex);
+    }
+    bool addFunctionName(PropertyName *name, uint32_t *index) {
+        return module_->addFunctionName(name, index);
+    }
+
+    // Note a constraint on the minimum size of the heap.  The heap size is
+    // constrained when linking to be at least the maximum of all such constraints.
+    void requireHeapLengthToBeAtLeast(uint32_t len) {
+        module_->requireHeapLengthToBeAtLeast(len);
+    }
+    uint32_t minHeapLength() const {
+        return module_->minHeapLength();
+    }
+    LifoAlloc &lifo() {
+        return moduleLifo_;
+    }
+
+#if defined(MOZ_VTUNE) || defined(JS_ION_PERF)
+    bool trackProfiledFunction(const Func &func, unsigned endCodeOffset) {
+        unsigned lineno = 0U, columnIndex = 0U;
+        tokenStream().srcCoords.lineNumAndColumnIndex(func.srcOffset(), &lineno, &columnIndex);
+        unsigned startCodeOffset = func.code()->offset();
+        return module_->trackProfiledFunction(func.name(), startCodeOffset, endCodeOffset,
+                                              lineno, columnIndex);
+    }
+#endif
+
+#ifdef JS_ION_PERF
+    bool trackPerfProfiledBlocks(AsmJSPerfSpewer &perfSpewer, const Func &func, unsigned endCodeOffset) {
+        unsigned startCodeOffset = func.code()->offset();
+        perfSpewer.noteBlocksOffsets();
+        unsigned endInlineCodeOffset = perfSpewer.endInlineCode.offset();
+        return module_->trackPerfProfiledBlocks(func.name(), startCodeOffset, endInlineCodeOffset,
+                                                endCodeOffset, perfSpewer.basicBlocks());
+    }
+#endif
+
+    void finishFunctionBodies() {
+        JS_ASSERT(!finishedFunctionBodies_);
+        masm_.align(AsmJSPageSize);
+        finishedFunctionBodies_ = true;
+        module_->initFunctionBytes(masm_.currentOffset());
+    }
+
+    void setInterpExitOffset(unsigned exitIndex) {
+        module_->exit(exitIndex).initInterpOffset(masm_.currentOffset());
+    }
+    void setIonExitOffset(unsigned exitIndex) {
+        module_->exit(exitIndex).initIonOffset(masm_.currentOffset());
+    }
+    void setEntryOffset(unsigned exportIndex) {
+        module_->exportedFunction(exportIndex).initCodeOffset(masm_.currentOffset());
+    }
+
+    void buildCompilationTimeReport(bool storedInCache, ScopedJSFreePtr<char> *out) {
+        ScopedJSFreePtr<char> slowFuns;
+#ifndef JS_MORE_DETERMINISTIC
+        int64_t usecAfter = PRMJ_Now();
+        int msTotal = (usecAfter - usecBefore_) / PRMJ_USEC_PER_MSEC;
+        if (!slowFunctions_.empty()) {
+            slowFuns.reset(JS_smprintf("; %d functions compiled slowly: ", slowFunctions_.length()));
+            if (!slowFuns)
+                return;
+            for (unsigned i = 0; i < slowFunctions_.length(); i++) {
+                SlowFunction &func = slowFunctions_[i];
+                JSAutoByteString name;
+                if (!AtomToPrintableString(cx_, func.name, &name))
+                    return;
+                slowFuns.reset(JS_smprintf("%s%s:%u:%u (%ums)%s", slowFuns.get(),
+                                           name.ptr(), func.line, func.column, func.ms,
+                                           i+1 < slowFunctions_.length() ? ", " : ""));
+                if (!slowFuns)
+                    return;
+            }
+        }
+        out->reset(JS_smprintf("total compilation time %dms; %s%s",
+                               msTotal,
+                               storedInCache ? "stored in cache" : "not stored in cache",
+                               slowFuns ? slowFuns.get() : ""));
+#endif
+    }
+
+    bool finish(ScopedJSDeletePtr<AsmJSModule> *module)
+    {
+        module_->initFuncEnd(tokenStream().currentToken().pos.end,
+                             tokenStream().peekTokenPos().end);
+        masm_.finish();
+        if (masm_.oom())
+            return false;
+
+        module_->assignCallSites(masm_.extractCallSites());
+        module_->assignHeapAccesses(masm_.extractAsmJSHeapAccesses());
+
+#if defined(JS_CODEGEN_ARM)
+        // Now that compilation has finished, we need to update offsets to
+        // reflect actual offsets (an ARM distinction).
+        for (unsigned i = 0; i < module_->numHeapAccesses(); i++) {
+            AsmJSHeapAccess &a = module_->heapAccess(i);
+            a.setOffset(masm_.actualOffset(a.offset()));
+        }
+        for (unsigned i = 0; i < module_->numExportedFunctions(); i++)
+            module_->exportedFunction(i).updateCodeOffset(masm_);
+        for (unsigned i = 0; i < module_->numExits(); i++)
+            module_->exit(i).updateOffsets(masm_);
+        for (unsigned i = 0; i < module_->numCallSites(); i++) {
+            CallSite &c = module_->callSite(i);
+            c.setReturnAddressOffset(masm_.actualOffset(c.returnAddressOffset()));
+        }
+#endif
+
+        // The returned memory is owned by module_.
+        if (!module_->allocateAndCopyCode(cx_, masm_))
+            return false;
+
+        module_->updateFunctionBytes(masm_);
+        // c.f. JitCode::copyFrom
+        JS_ASSERT(masm_.jumpRelocationTableBytes() == 0);
+        JS_ASSERT(masm_.dataRelocationTableBytes() == 0);
+        JS_ASSERT(masm_.preBarrierTableBytes() == 0);
+        JS_ASSERT(!masm_.hasEnteredExitFrame());
+
+#if defined(MOZ_VTUNE) || defined(JS_ION_PERF)
+        // Fix up the code offsets.
+        for (unsigned i = 0; i < module_->numProfiledFunctions(); i++) {
+            AsmJSModule::ProfiledFunction &func = module_->profiledFunction(i);
+            func.pod.startCodeOffset = masm_.actualOffset(func.pod.startCodeOffset);
+            func.pod.endCodeOffset = masm_.actualOffset(func.pod.endCodeOffset);
+        }
+#endif
+
+#ifdef JS_ION_PERF
+        for (unsigned i = 0; i < module_->numPerfBlocksFunctions(); i++) {
+            AsmJSModule::ProfiledBlocksFunction &func = module_->perfProfiledBlocksFunction(i);
+            func.pod.startCodeOffset = masm_.actualOffset(func.pod.startCodeOffset);
+            func.endInlineCodeOffset = masm_.actualOffset(func.endInlineCodeOffset);
+            func.pod.endCodeOffset = masm_.actualOffset(func.pod.endCodeOffset);
+            BasicBlocksVector &basicBlocks = func.blocks;
+            for (uint32_t i = 0; i < basicBlocks.length(); i++) {
+                Record &r = basicBlocks[i];
+                r.startOffset = masm_.actualOffset(r.startOffset);
+                r.endOffset = masm_.actualOffset(r.endOffset);
+            }
+        }
+#endif
+
+        module_->setInterruptOffset(masm_.actualOffset(interruptLabel_.offset()));
+
+        // CodeLabels produced during codegen
+        for (size_t i = 0; i < masm_.numCodeLabels(); i++) {
+            CodeLabel src = masm_.codeLabel(i);
+            int32_t labelOffset = src.dest()->offset();
+            int32_t targetOffset = masm_.actualOffset(src.src()->offset());
+            // The patched uses of a label embed a linked list where the
+            // to-be-patched immediate is the offset of the next to-be-patched
+            // instruction.
+            while (labelOffset != LabelBase::INVALID_OFFSET) {
+                size_t patchAtOffset = masm_.labelOffsetToPatchOffset(labelOffset);
+                AsmJSModule::RelativeLink link;
+                link.patchAtOffset = patchAtOffset;
+                link.targetOffset = targetOffset;
+                if (!module_->addRelativeLink(link))
+                    return false;
+                labelOffset = *(uintptr_t *)(module_->codeBase() + patchAtOffset);
+            }
+        }
+
+        // Function-pointer-table entries
+        for (unsigned tableIndex = 0; tableIndex < funcPtrTables_.length(); tableIndex++) {
+            FuncPtrTable &table = funcPtrTables_[tableIndex];
+            unsigned tableBaseOffset = module_->offsetOfGlobalData() + table.globalDataOffset();
+            for (unsigned elemIndex = 0; elemIndex < table.numElems(); elemIndex++) {
+                AsmJSModule::RelativeLink link;
+                link.patchAtOffset = tableBaseOffset + elemIndex * sizeof(uint8_t*);
+                link.targetOffset = masm_.actualOffset(table.elem(elemIndex).code()->offset());
+                if (!module_->addRelativeLink(link))
+                    return false;
+            }
+        }
+
+#if defined(JS_CODEGEN_X86)
+        // Global data accesses in x86 need to be patched with the absolute
+        // address of the global. Globals are allocated sequentially after the
+        // code section so we can just use an RelativeLink.
+        for (unsigned i = 0; i < masm_.numAsmJSGlobalAccesses(); i++) {
+            AsmJSGlobalAccess a = masm_.asmJSGlobalAccess(i);
+            AsmJSModule::RelativeLink link;
+            link.patchAtOffset = masm_.labelOffsetToPatchOffset(a.patchAt.offset());
+            link.targetOffset = module_->offsetOfGlobalData() + a.globalDataOffset;
+            if (!module_->addRelativeLink(link))
+                return false;
+        }
+#endif
+
+#if defined(JS_CODEGEN_X64)
+        // Global data accesses on x64 use rip-relative addressing and thus do
+        // not need patching after deserialization.
+        uint8_t *code = module_->codeBase();
+        for (unsigned i = 0; i < masm_.numAsmJSGlobalAccesses(); i++) {
+            AsmJSGlobalAccess a = masm_.asmJSGlobalAccess(i);
+            masm_.patchAsmJSGlobalAccess(a.patchAt, code, module_->globalData(), a.globalDataOffset);
+        }
+#endif
+
+        // Absolute links
+        for (size_t i = 0; i < masm_.numAsmJSAbsoluteLinks(); i++) {
+            AsmJSAbsoluteLink src = masm_.asmJSAbsoluteLink(i);
+            AsmJSModule::AbsoluteLink link;
+            link.patchAt = masm_.actualOffset(src.patchAt.offset());
+            link.target = src.target;
+            if (!module_->addAbsoluteLink(link))
+                return false;
+        }
+
+        *module = module_.forget();
+        return true;
+    }
+};
+
+} /* anonymous namespace */
+
+/*****************************************************************************/
+// Numeric literal utilities
+
+namespace {
+
+// Represents the type and value of an asm.js numeric literal.
+//
+// A literal is a double iff the literal contains an exponent or decimal point
+// (even if the fractional part is 0). Otherwise, integers may be classified:
+//  fixnum: [0, 2^31)
+//  negative int: [-2^31, 0)
+//  big unsigned: [2^31, 2^32)
+//  out of range: otherwise
+// Lastly, a literal may be a float literal which is any double or integer
+// literal coerced with Math.fround.
+class NumLit
+{
+  public:
+    enum Which {
+        Fixnum = Type::Fixnum,
+        NegativeInt = Type::Signed,
+        BigUnsigned = Type::Unsigned,
+        Double = Type::Double,
+        Float = Type::Float,
+        OutOfRangeInt = -1
+    };
+
+  private:
+    Which which_;
+    Value v_;
+
+  public:
+    NumLit() {}
+
+    NumLit(Which w, Value v)
+      : which_(w), v_(v)
+    {}
+
+    Which which() const {
+        return which_;
+    }
+
+    int32_t toInt32() const {
+        JS_ASSERT(which_ == Fixnum || which_ == NegativeInt || which_ == BigUnsigned);
+        return v_.toInt32();
+    }
+
+    double toDouble() const {
+        JS_ASSERT(which_ == Double);
+        return v_.toDouble();
+    }
+
+    float toFloat() const {
+        JS_ASSERT(which_ == Float);
+        return float(v_.toDouble());
+    }
+
+    Value value() const {
+        JS_ASSERT(which_ != OutOfRangeInt);
+        return v_;
+    }
+
+    bool hasType() const {
+        return which_ != OutOfRangeInt;
+    }
+
+    Type type() const {
+        JS_ASSERT(hasType());
+        return Type::Which(which_);
+    }
+
+    VarType varType() const {
+        JS_ASSERT(hasType());
+        switch (which_) {
+          case NumLit::Fixnum:
+          case NumLit::NegativeInt:
+          case NumLit::BigUnsigned:
+            return VarType::Int;
+          case NumLit::Double:
+            return VarType::Double;
+          case NumLit::Float:
+            return VarType::Float;
+          case NumLit::OutOfRangeInt:;
+        }
+        MOZ_ASSUME_UNREACHABLE("Unexpected NumLit type");
+    }
+};
+
+} /* anonymous namespace */
+
+static bool
+IsNumericNonFloatLiteral(ParseNode *pn)
+{
+    // Note: '-' is never rolled into the number; numbers are always positive
+    // and negations must be applied manually.
+    return pn->isKind(PNK_NUMBER) ||
+           (pn->isKind(PNK_NEG) && UnaryKid(pn)->isKind(PNK_NUMBER));
+}
+
+static bool
+IsFloatCoercion(ModuleCompiler &m, ParseNode *pn, ParseNode **coercedExpr)
+{
+    if (!pn->isKind(PNK_CALL))
+        return false;
+
+    ParseNode *callee = CallCallee(pn);
+    if (!callee->isKind(PNK_NAME))
+        return false;
+
+    const ModuleCompiler::Global *global = m.lookupGlobal(callee->name());
+    if (!global ||
+        global->which() != ModuleCompiler::Global::MathBuiltinFunction ||
+        global->mathBuiltinFunction() != AsmJSMathBuiltin_fround)
+    {
+        return false;
+    }
+
+    if (CallArgListLength(pn) != 1)
+        return false;
+
+    if (coercedExpr)
+        *coercedExpr = CallArgList(pn);
+
+    return true;
+}
+
+static bool
+IsNumericFloatLiteral(ModuleCompiler &m, ParseNode *pn)
+{
+    ParseNode *coercedExpr;
+    if (!IsFloatCoercion(m, pn, &coercedExpr))
+        return false;
+
+    return IsNumericNonFloatLiteral(coercedExpr);
+}
+
+static bool
+IsNumericLiteral(ModuleCompiler &m, ParseNode *pn)
+{
+    return IsNumericNonFloatLiteral(pn) ||
+           IsNumericFloatLiteral(m, pn);
+}
+
+// The JS grammar treats -42 as -(42) (i.e., with separate grammar
+// productions) for the unary - and literal 42). However, the asm.js spec
+// recognizes -42 (modulo parens, so -(42) and -((42))) as a single literal
+// so fold the two potential parse nodes into a single double value.
+static double
+ExtractNumericNonFloatValue(ParseNode **pn)
+{
+    JS_ASSERT(IsNumericNonFloatLiteral(*pn));
+
+    if ((*pn)->isKind(PNK_NEG)) {
+        *pn = UnaryKid(*pn);
+        return -NumberNodeValue(*pn);
+    }
+
+    return NumberNodeValue(*pn);
+}
+
+static NumLit
+ExtractNumericLiteral(ModuleCompiler &m, ParseNode *pn)
+{
+    JS_ASSERT(IsNumericLiteral(m, pn));
+
+    // Float literals are explicitly coerced and thus the coerced literal may be
+    // any valid (non-float) numeric literal.
+    if (pn->isKind(PNK_CALL)) {
+        pn = CallArgList(pn);
+        double d = ExtractNumericNonFloatValue(&pn);
+        return NumLit(NumLit::Float, DoubleValue(d));
+    }
+
+    double d = ExtractNumericNonFloatValue(&pn);
+
+    // The asm.js spec syntactically distinguishes any literal containing a
+    // decimal point or the literal -0 as having double type.
+    if (NumberNodeHasFrac(pn) || IsNegativeZero(d))
+        return NumLit(NumLit::Double, DoubleValue(d));
+
+    // The syntactic checks above rule out these double values.
+    JS_ASSERT(!IsNegativeZero(d));
+    JS_ASSERT(!IsNaN(d));
+
+    // Although doubles can only *precisely* represent 53-bit integers, they
+    // can *imprecisely* represent integers much bigger than an int64_t.
+    // Furthermore, d may be inf or -inf. In both cases, casting to an int64_t
+    // is undefined, so test against the integer bounds using doubles.
+    if (d < double(INT32_MIN) || d > double(UINT32_MAX))
+        return NumLit(NumLit::OutOfRangeInt, UndefinedValue());
+
+    // With the above syntactic and range limitations, d is definitely an
+    // integer in the range [INT32_MIN, UINT32_MAX] range.
+    int64_t i64 = int64_t(d);
+    if (i64 >= 0) {
+        if (i64 <= INT32_MAX)
+            return NumLit(NumLit::Fixnum, Int32Value(i64));
+        JS_ASSERT(i64 <= UINT32_MAX);
+        return NumLit(NumLit::BigUnsigned, Int32Value(uint32_t(i64)));
+    }
+    JS_ASSERT(i64 >= INT32_MIN);
+    return NumLit(NumLit::NegativeInt, Int32Value(i64));
+}
+
+static inline bool
+IsLiteralInt(ModuleCompiler &m, ParseNode *pn, uint32_t *u32)
+{
+    if (!IsNumericLiteral(m, pn))
+        return false;
+
+    NumLit literal = ExtractNumericLiteral(m, pn);
+    switch (literal.which()) {
+      case NumLit::Fixnum:
+      case NumLit::BigUnsigned:
+      case NumLit::NegativeInt:
+        *u32 = uint32_t(literal.toInt32());
+        return true;
+      case NumLit::Double:
+      case NumLit::Float:
+      case NumLit::OutOfRangeInt:
+        return false;
+    }
+
+    MOZ_ASSUME_UNREACHABLE("Bad literal type");
+}
+
+/*****************************************************************************/
+
+namespace {
+
+// Encapsulates the compilation of a single function in an asm.js module. The
+// function compiler handles the creation and final backend compilation of the
+// MIR graph. Also see ModuleCompiler comment.
+class FunctionCompiler
+{
+  public:
+    struct Local
+    {
+        VarType type;
+        unsigned slot;
+        Local(VarType t, unsigned slot) : type(t), slot(slot) {}
+    };
+
+    struct TypedValue
+    {
+        VarType type;
+        Value value;
+        TypedValue(VarType t, const Value &v) : type(t), value(v) {}
+    };
+
+  private:
+    typedef HashMap<PropertyName*, Local> LocalMap;
+    typedef js::Vector<TypedValue> VarInitializerVector;
+    typedef HashMap<PropertyName*, BlockVector> LabeledBlockMap;
+    typedef HashMap<ParseNode*, BlockVector> UnlabeledBlockMap;
+    typedef js::Vector<ParseNode*, 4> NodeStack;
+
+    ModuleCompiler &       m_;
+    LifoAlloc &            lifo_;
+    ParseNode *            fn_;
+    uint32_t               functionNameIndex_;
+
+    LocalMap               locals_;
+    VarInitializerVector   varInitializers_;
+    Maybe<RetType>         alreadyReturned_;
+
+    TempAllocator *        alloc_;
+    MIRGraph *             graph_;
+    CompileInfo *          info_;
+    MIRGenerator *         mirGen_;
+    Maybe<IonContext>      ionContext_;
+
+    MBasicBlock *          curBlock_;
+
+    NodeStack              loopStack_;
+    NodeStack              breakableStack_;
+    UnlabeledBlockMap      unlabeledBreaks_;
+    UnlabeledBlockMap      unlabeledContinues_;
+    LabeledBlockMap        labeledBreaks_;
+    LabeledBlockMap        labeledContinues_;
+
+    static const uint32_t NO_FUNCTION_NAME_INDEX = UINT32_MAX;
+    JS_STATIC_ASSERT(NO_FUNCTION_NAME_INDEX > CallSiteDesc::FUNCTION_NAME_INDEX_MAX);
+
+  public:
+    FunctionCompiler(ModuleCompiler &m, ParseNode *fn, LifoAlloc &lifo)
+      : m_(m),
+        lifo_(lifo),
+        fn_(fn),
+        functionNameIndex_(NO_FUNCTION_NAME_INDEX),
+        locals_(m.cx()),
+        varInitializers_(m.cx()),
+        alloc_(nullptr),
+        graph_(nullptr),
+        info_(nullptr),
+        mirGen_(nullptr),
+        curBlock_(nullptr),
+        loopStack_(m.cx()),
+        breakableStack_(m.cx()),
+        unlabeledBreaks_(m.cx()),
+        unlabeledContinues_(m.cx()),
+        labeledBreaks_(m.cx()),
+        labeledContinues_(m.cx())
+    {}
+
+    ModuleCompiler &    m() const      { return m_; }
+    TempAllocator &     alloc() const  { return *alloc_; }
+    LifoAlloc &         lifo() const   { return lifo_; }
+    ParseNode *         fn() const     { return fn_; }
+    ExclusiveContext *  cx() const     { return m_.cx(); }
+    const AsmJSModule & module() const { return m_.module(); }
+
+    bool init()
+    {
+        return locals_.init() &&
+               unlabeledBreaks_.init() &&
+               unlabeledContinues_.init() &&
+               labeledBreaks_.init() &&
+               labeledContinues_.init();
+    }
+
+    bool fail(ParseNode *pn, const char *str)
+    {
+        return m_.fail(pn, str);
+    }
+
+    bool failf(ParseNode *pn, const char *fmt, ...)
+    {
+        va_list ap;
+        va_start(ap, fmt);
+        m_.failfVA(pn, fmt, ap);
+        va_end(ap);
+        return false;
+    }
+
+    bool failName(ParseNode *pn, const char *fmt, PropertyName *name)
+    {
+        return m_.failName(pn, fmt, name);
+    }
+
+    ~FunctionCompiler()
+    {
+#ifdef DEBUG
+        if (!m().hasError() && cx()->isJSContext() && !cx()->asJSContext()->isExceptionPending()) {
+            JS_ASSERT(loopStack_.empty());
+            JS_ASSERT(unlabeledBreaks_.empty());
+            JS_ASSERT(unlabeledContinues_.empty());
+            JS_ASSERT(labeledBreaks_.empty());
+            JS_ASSERT(labeledContinues_.empty());
+            JS_ASSERT(inDeadCode());
+        }
+#endif
+    }
+
+    /***************************************************** Local scope setup */
+
+    bool addFormal(ParseNode *pn, PropertyName *name, VarType type)
+    {
+        LocalMap::AddPtr p = locals_.lookupForAdd(name);
+        if (p)
+            return failName(pn, "duplicate local name '%s' not allowed", name);
+        return locals_.add(p, name, Local(type, locals_.count()));
+    }
+
+    bool addVariable(ParseNode *pn, PropertyName *name, VarType type, const Value &init)
+    {
+        LocalMap::AddPtr p = locals_.lookupForAdd(name);
+        if (p)
+            return failName(pn, "duplicate local name '%s' not allowed", name);
+        if (!locals_.add(p, name, Local(type, locals_.count())))
+            return false;
+        return varInitializers_.append(TypedValue(type, init));
+    }
+
+    bool prepareToEmitMIR(const VarTypeVector &argTypes)
+    {
+        JS_ASSERT(locals_.count() == argTypes.length() + varInitializers_.length());
+
+        alloc_  = lifo_.new_<TempAllocator>(&lifo_);
+        ionContext_.construct(m_.cx(), alloc_);
+
+        graph_  = lifo_.new_<MIRGraph>(alloc_);
+        info_   = lifo_.new_<CompileInfo>(locals_.count(), SequentialExecution);
+        const OptimizationInfo *optimizationInfo = js_IonOptimizations.get(Optimization_AsmJS);
+        const JitCompileOptions options;
+        mirGen_ = lifo_.new_<MIRGenerator>(CompileCompartment::get(cx()->compartment()),
+                                           options, alloc_,
+                                           graph_, info_, optimizationInfo);
+
+        if (!newBlock(/* pred = */ nullptr, &curBlock_, fn_))
+            return false;
+
+        for (ABIArgTypeIter i = argTypes; !i.done(); i++) {
+            MAsmJSParameter *ins = MAsmJSParameter::New(alloc(), *i, i.mirType());
+            curBlock_->add(ins);
+            curBlock_->initSlot(info().localSlot(i.index()), ins);
+            if (!mirGen_->ensureBallast())
+                return false;
+        }
+        unsigned firstLocalSlot = argTypes.length();
+        for (unsigned i = 0; i < varInitializers_.length(); i++) {
+            MConstant *ins = MConstant::NewAsmJS(alloc(), varInitializers_[i].value,
+                                                 varInitializers_[i].type.toMIRType());
+            curBlock_->add(ins);
+            curBlock_->initSlot(info().localSlot(firstLocalSlot + i), ins);
+            if (!mirGen_->ensureBallast())
+                return false;
+        }
+        return true;
+    }
+
+    /******************************* For consistency of returns in a function */
+
+    bool hasAlreadyReturned() const {
+        return !alreadyReturned_.empty();
+    }
+
+    RetType returnedType() const {
+        return alreadyReturned_.ref();
+    }
+
+    void setReturnedType(RetType retType) {
+        alreadyReturned_.construct(retType);
+    }
+
+    /************************* Read-only interface (after local scope setup) */
+
+    MIRGenerator & mirGen() const     { JS_ASSERT(mirGen_); return *mirGen_; }
+    MIRGraph &     mirGraph() const   { JS_ASSERT(graph_); return *graph_; }
+    CompileInfo &  info() const       { JS_ASSERT(info_); return *info_; }
+
+    const Local *lookupLocal(PropertyName *name) const
+    {
+        if (LocalMap::Ptr p = locals_.lookup(name))
+            return &p->value();
+        return nullptr;
+    }
+
+    MDefinition *getLocalDef(const Local &local)
+    {
+        if (inDeadCode())
+            return nullptr;
+        return curBlock_->getSlot(info().localSlot(local.slot));
+    }
+
+    const ModuleCompiler::Global *lookupGlobal(PropertyName *name) const
+    {
+        if (locals_.has(name))
+            return nullptr;
+        return m_.lookupGlobal(name);
+    }
+
+    /***************************** Code generation (after local scope setup) */
+
+    MDefinition *constant(Value v, Type t)
+    {
+        if (inDeadCode())
+            return nullptr;
+        MConstant *constant = MConstant::NewAsmJS(alloc(), v, t.toMIRType());
+        curBlock_->add(constant);
+        return constant;
+    }
+
+    template <class T>
+    MDefinition *unary(MDefinition *op)
+    {
+        if (inDeadCode())
+            return nullptr;
+        T *ins = T::NewAsmJS(alloc(), op);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    template <class T>
+    MDefinition *unary(MDefinition *op, MIRType type)
+    {
+        if (inDeadCode())
+            return nullptr;
+        T *ins = T::NewAsmJS(alloc(), op, type);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    template <class T>
+    MDefinition *binary(MDefinition *lhs, MDefinition *rhs)
+    {
+        if (inDeadCode())
+            return nullptr;
+        T *ins = T::New(alloc(), lhs, rhs);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    template <class T>
+    MDefinition *binary(MDefinition *lhs, MDefinition *rhs, MIRType type)
+    {
+        if (inDeadCode())
+            return nullptr;
+        T *ins = T::NewAsmJS(alloc(), lhs, rhs, type);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    MDefinition *minMax(MDefinition *lhs, MDefinition *rhs, MIRType type, bool isMax) {
+        if (inDeadCode())
+            return nullptr;
+        MMinMax *ins = MMinMax::New(alloc(), lhs, rhs, type, isMax);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    MDefinition *mul(MDefinition *lhs, MDefinition *rhs, MIRType type, MMul::Mode mode)
+    {
+        if (inDeadCode())
+            return nullptr;
+        MMul *ins = MMul::New(alloc(), lhs, rhs, type, mode);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    MDefinition *div(MDefinition *lhs, MDefinition *rhs, MIRType type, bool unsignd)
+    {
+        if (inDeadCode())
+            return nullptr;
+        MDiv *ins = MDiv::NewAsmJS(alloc(), lhs, rhs, type, unsignd);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    MDefinition *mod(MDefinition *lhs, MDefinition *rhs, MIRType type, bool unsignd)
+    {
+        if (inDeadCode())
+            return nullptr;
+        MMod *ins = MMod::NewAsmJS(alloc(), lhs, rhs, type, unsignd);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    template <class T>
+    MDefinition *bitwise(MDefinition *lhs, MDefinition *rhs)
+    {
+        if (inDeadCode())
+            return nullptr;
+        T *ins = T::NewAsmJS(alloc(), lhs, rhs);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    template <class T>
+    MDefinition *bitwise(MDefinition *op)
+    {
+        if (inDeadCode())
+            return nullptr;
+        T *ins = T::NewAsmJS(alloc(), op);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    MDefinition *compare(MDefinition *lhs, MDefinition *rhs, JSOp op, MCompare::CompareType type)
+    {
+        if (inDeadCode())
+            return nullptr;
+        MCompare *ins = MCompare::NewAsmJS(alloc(), lhs, rhs, op, type);
+        curBlock_->add(ins);
+        return ins;
+    }
+
+    void assign(const Local &local, MDefinition *def)
+    {
+        if (inDeadCode())
+            return;
+        curBlock_->setSlot(info().localSlot(local.slot), def);
+    }
+
+    MDefinition *loadHeap(ArrayBufferView::ViewType vt, MDefinition *ptr, NeedsBoundsCheck chk)
+    {
+        if (inDeadCode())
+            return nullptr;
+        MAsmJSLoadHeap *load = MAsmJSLoadHeap::New(alloc(), vt, ptr);
+        curBlock_->add(load);
+        if (chk == NO_BOUNDS_CHECK)
+            load->setSkipBoundsCheck(true);
+        return load;
+    }
+
+    void storeHeap(ArrayBufferView::ViewType vt, MDefinition *ptr, MDefinition *v, NeedsBoundsCheck chk)
+    {
+        if (inDeadCode())
+            return;
+        MAsmJSStoreHeap *store = MAsmJSStoreHeap::New(alloc(), vt, ptr, v);
+        curBlock_->add(store);
+        if (chk == NO_BOUNDS_CHECK)
+            store->setSkipBoundsCheck(true);
+    }
+
+    MDefinition *loadGlobalVar(const ModuleCompiler::Global &global)
+    {
+        if (inDeadCode())
+            return nullptr;
+
+        uint32_t index = global.varOrConstIndex();
+        unsigned globalDataOffset = module().globalVarIndexToGlobalDataOffset(index);
+        MIRType type = global.varOrConstType().toMIRType();
+        MAsmJSLoadGlobalVar *load = MAsmJSLoadGlobalVar::New(alloc(), type, globalDataOffset,
+                                                             global.isConst());
+        curBlock_->add(load);
+        return load;
+    }
+
+    void storeGlobalVar(const ModuleCompiler::Global &global, MDefinition *v)
+    {
+        if (inDeadCode())
+            return;
+        JS_ASSERT(!global.isConst());
+        unsigned globalDataOffset = module().globalVarIndexToGlobalDataOffset(global.varOrConstIndex());
+        curBlock_->add(MAsmJSStoreGlobalVar::New(alloc(), globalDataOffset, v));
+    }
+
+    /***************************************************************** Calls */
+
+    // The IonMonkey backend maintains a single stack offset (from the stack
+    // pointer to the base of the frame) by adding the total amount of spill
+    // space required plus the maximum stack required for argument passing.
+    // Since we do not use IonMonkey's MPrepareCall/MPassArg/MCall, we must
+    // manually accumulate, for the entire function, the maximum required stack
+    // space for argument passing. (This is passed to the CodeGenerator via
+    // MIRGenerator::maxAsmJSStackArgBytes.) Naively, this would just be the
+    // maximum of the stack space required for each individual call (as
+    // determined by the call ABI). However, as an optimization, arguments are
+    // stored to the stack immediately after evaluation (to decrease live
+    // ranges and reduce spilling). This introduces the complexity that,
+    // between evaluating an argument and making the call, another argument
+    // evaluation could perform a call that also needs to store to the stack.
+    // When this occurs childClobbers_ = true and the parent expression's
+    // arguments are stored above the maximum depth clobbered by a child
+    // expression.
+
+    class Call
+    {
+        ParseNode *node_;
+        ABIArgGenerator abi_;
+        uint32_t prevMaxStackBytes_;
+        uint32_t maxChildStackBytes_;
+        uint32_t spIncrement_;
+        Signature sig_;
+        MAsmJSCall::Args regArgs_;
+        js::Vector<MAsmJSPassStackArg*> stackArgs_;
+        bool childClobbers_;
+
+        friend class FunctionCompiler;
+
+      public:
+        Call(FunctionCompiler &f, ParseNode *callNode, RetType retType)
+          : node_(callNode),
+            prevMaxStackBytes_(0),
+            maxChildStackBytes_(0),
+            spIncrement_(0),
+            sig_(f.m().lifo(), retType),
+            regArgs_(f.cx()),
+            stackArgs_(f.cx()),
+            childClobbers_(false)
+        { }
+        Signature &sig() { return sig_; }
+        const Signature &sig() const { return sig_; }
+    };
+
+    void startCallArgs(Call *call)
+    {
+        if (inDeadCode())
+            return;
+        call->prevMaxStackBytes_ = mirGen().resetAsmJSMaxStackArgBytes();
+    }
+
+    bool passArg(MDefinition *argDef, VarType type, Call *call)
+    {
+        if (!call->sig().appendArg(type))
+            return false;
+
+        if (inDeadCode())
+            return true;
+
+        uint32_t childStackBytes = mirGen().resetAsmJSMaxStackArgBytes();
+        call->maxChildStackBytes_ = Max(call->maxChildStackBytes_, childStackBytes);
+        if (childStackBytes > 0 && !call->stackArgs_.empty())
+            call->childClobbers_ = true;
+
+        ABIArg arg = call->abi_.next(type.toMIRType());
+        if (arg.kind() == ABIArg::Stack) {
+            MAsmJSPassStackArg *mir = MAsmJSPassStackArg::New(alloc(), arg.offsetFromArgBase(),
+                                                              argDef);
+            curBlock_->add(mir);
+            if (!call->stackArgs_.append(mir))
+                return false;
+        } else {
+            if (!call->regArgs_.append(MAsmJSCall::Arg(arg.reg(), argDef)))
+                return false;
+        }
+        return true;
+    }
+
+    void finishCallArgs(Call *call)
+    {
+        if (inDeadCode())
+            return;
+        uint32_t parentStackBytes = call->abi_.stackBytesConsumedSoFar();
+        uint32_t newStackBytes;
+        if (call->childClobbers_) {
+            call->spIncrement_ = AlignBytes(call->maxChildStackBytes_, StackAlignment);
+            for (unsigned i = 0; i < call->stackArgs_.length(); i++)
+                call->stackArgs_[i]->incrementOffset(call->spIncrement_);
+            newStackBytes = Max(call->prevMaxStackBytes_,
+                                call->spIncrement_ + parentStackBytes);
+        } else {
+            call->spIncrement_ = 0;
+            newStackBytes = Max(call->prevMaxStackBytes_,
+                                Max(call->maxChildStackBytes_, parentStackBytes));
+        }
+        mirGen_->setAsmJSMaxStackArgBytes(newStackBytes);
+    }
+
+  private:
+    bool callPrivate(MAsmJSCall::Callee callee, const Call &call, MIRType returnType, MDefinition **def)
+    {
+        if (inDeadCode()) {
+            *def = nullptr;
+            return true;
+        }
+
+        uint32_t line, column;
+        m_.tokenStream().srcCoords.lineNumAndColumnIndex(call.node_->pn_pos.begin, &line, &column);
+
+        if (functionNameIndex_ == NO_FUNCTION_NAME_INDEX) {
+            if (!m_.addFunctionName(FunctionName(fn_), &functionNameIndex_))
+                return false;
+        }
+
+        CallSiteDesc desc(line, column, functionNameIndex_);
+        MAsmJSCall *ins = MAsmJSCall::New(alloc(), desc, callee, call.regArgs_, returnType,
+                                          call.spIncrement_);
+        if (!ins)
+            return false;
+
+        curBlock_->add(ins);
+        *def = ins;
+        return true;
+    }
+
+  public:
+    bool internalCall(const ModuleCompiler::Func &func, const Call &call, MDefinition **def)
+    {
+        MIRType returnType = func.sig().retType().toMIRType();
+        return callPrivate(MAsmJSCall::Callee(func.code()), call, returnType, def);
+    }
+
+    bool funcPtrCall(const ModuleCompiler::FuncPtrTable &table, MDefinition *index,
+                     const Call &call, MDefinition **def)
+    {
+        if (inDeadCode()) {
+            *def = nullptr;
+            return true;
+        }
+
+        MConstant *mask = MConstant::New(alloc(), Int32Value(table.mask()));
+        curBlock_->add(mask);
+        MBitAnd *maskedIndex = MBitAnd::NewAsmJS(alloc(), index, mask);
+        curBlock_->add(maskedIndex);
+        MAsmJSLoadFuncPtr *ptrFun = MAsmJSLoadFuncPtr::New(alloc(), table.globalDataOffset(), maskedIndex);
+        curBlock_->add(ptrFun);
+
+        MIRType returnType = table.sig().retType().toMIRType();
+        return callPrivate(MAsmJSCall::Callee(ptrFun), call, returnType, def);
+    }
+
+    bool ffiCall(unsigned exitIndex, const Call &call, MIRType returnType, MDefinition **def)
+    {
+        if (inDeadCode()) {
+            *def = nullptr;
+            return true;
+        }
+
+        JS_STATIC_ASSERT(offsetof(AsmJSModule::ExitDatum, exit) == 0);
+        unsigned globalDataOffset = module().exitIndexToGlobalDataOffset(exitIndex);
+
+        MAsmJSLoadFFIFunc *ptrFun = MAsmJSLoadFFIFunc::New(alloc(), globalDataOffset);
+        curBlock_->add(ptrFun);
+
+        return callPrivate(MAsmJSCall::Callee(ptrFun), call, returnType, def);
+    }
+
+    bool builtinCall(AsmJSImmKind builtin, const Call &call, MIRType returnType, MDefinition **def)
+    {
+        return callPrivate(MAsmJSCall::Callee(builtin), call, returnType, def);
+    }
+
+    /*********************************************** Control flow generation */
+
+    inline bool inDeadCode() const {
+        return curBlock_ == nullptr;
+    }
+
+    void returnExpr(MDefinition *expr)
+    {
+        if (inDeadCode())
+            return;
+        MAsmJSReturn *ins = MAsmJSReturn::New(alloc(), expr);
+        curBlock_->end(ins);
+        curBlock_ = nullptr;
+    }
+
+    void returnVoid()
+    {
+        if (inDeadCode())
+            return;
+        MAsmJSVoidReturn *ins = MAsmJSVoidReturn::New(alloc());
+        curBlock_->end(ins);
+        curBlock_ = nullptr;
+    }
+
+    bool branchAndStartThen(MDefinition *cond, MBasicBlock **thenBlock, MBasicBlock **elseBlock,
+                            ParseNode *thenPn, ParseNode* elsePn)
+    {
+        if (inDeadCode())
+            return true;
+
+        bool hasThenBlock = *thenBlock != nullptr;
+        bool hasElseBlock = *elseBlock != nullptr;
+
+        if (!hasThenBlock && !newBlock(curBlock_, thenBlock, thenPn))
+            return false;
+        if (!hasElseBlock && !newBlock(curBlock_, elseBlock, thenPn))
+            return false;
+
+        curBlock_->end(MTest::New(alloc(), cond, *thenBlock, *elseBlock));
+
+        // Only add as a predecessor if newBlock hasn't been called (as it does it for us)
+        if (hasThenBlock && !(*thenBlock)->addPredecessor(alloc(), curBlock_))
+            return false;
+        if (hasElseBlock && !(*elseBlock)->addPredecessor(alloc(), curBlock_))
+            return false;
+
+        curBlock_ = *thenBlock;
+        mirGraph().moveBlockToEnd(curBlock_);
+        return true;
+    }
+
+    void assertCurrentBlockIs(MBasicBlock *block) {
+        if (inDeadCode())
+            return;
+        JS_ASSERT(curBlock_ == block);
+    }
+
+    bool appendThenBlock(BlockVector *thenBlocks)
+    {
+        if (inDeadCode())
+            return true;
+        return thenBlocks->append(curBlock_);
+    }
+
+    bool joinIf(const BlockVector &thenBlocks, MBasicBlock *joinBlock)
+    {
+        if (!joinBlock)
+            return true;
+        JS_ASSERT_IF(curBlock_, thenBlocks.back() == curBlock_);
+        for (size_t i = 0; i < thenBlocks.length(); i++) {
+            thenBlocks[i]->end(MGoto::New(alloc(), joinBlock));
+            if (!joinBlock->addPredecessor(alloc(), thenBlocks[i]))
+                return false;
+        }
+        curBlock_ = joinBlock;
+        mirGraph().moveBlockToEnd(curBlock_);
+        return true;
+    }
+
+    void switchToElse(MBasicBlock *elseBlock)
+    {
+        if (!elseBlock)
+            return;
+        curBlock_ = elseBlock;
+        mirGraph().moveBlockToEnd(curBlock_);
+    }
+
+    bool joinIfElse(const BlockVector &thenBlocks, ParseNode *pn)
+    {
+        if (inDeadCode() && thenBlocks.empty())
+            return true;
+        MBasicBlock *pred = curBlock_ ? curBlock_ : thenBlocks[0];
+        MBasicBlock *join;
+        if (!newBlock(pred, &join, pn))
+            return false;
+        if (curBlock_)
+            curBlock_->end(MGoto::New(alloc(), join));
+        for (size_t i = 0; i < thenBlocks.length(); i++) {
+            thenBlocks[i]->end(MGoto::New(alloc(), join));
+            if (pred == curBlock_ || i > 0) {
+                if (!join->addPredecessor(alloc(), thenBlocks[i]))
+                    return false;
+            }
+        }
+        curBlock_ = join;
+        return true;
+    }
+
+    void pushPhiInput(MDefinition *def)
+    {
+        if (inDeadCode())
+            return;
+        JS_ASSERT(curBlock_->stackDepth() == info().firstStackSlot());
+        curBlock_->push(def);
+    }
+
+    MDefinition *popPhiOutput()
+    {
+        if (inDeadCode())
+            return nullptr;
+        JS_ASSERT(curBlock_->stackDepth() == info().firstStackSlot() + 1);
+        return curBlock_->pop();
+    }
+
+    bool startPendingLoop(ParseNode *pn, MBasicBlock **loopEntry, ParseNode *bodyStmt)
+    {
+        if (!loopStack_.append(pn) || !breakableStack_.append(pn))
+            return false;
+        JS_ASSERT_IF(curBlock_, curBlock_->loopDepth() == loopStack_.length() - 1);
+        if (inDeadCode()) {
+            *loopEntry = nullptr;
+            return true;
+        }
+        *loopEntry = MBasicBlock::NewAsmJS(mirGraph(), info(), curBlock_,
+                                           MBasicBlock::PENDING_LOOP_HEADER);
+        if (!*loopEntry)
+            return false;
+        mirGraph().addBlock(*loopEntry);
+        noteBasicBlockPosition(*loopEntry, bodyStmt);
+        (*loopEntry)->setLoopDepth(loopStack_.length());
+        curBlock_->end(MGoto::New(alloc(), *loopEntry));
+        curBlock_ = *loopEntry;
+        return true;
+    }
+
+    bool branchAndStartLoopBody(MDefinition *cond, MBasicBlock **afterLoop, ParseNode *bodyPn, ParseNode *afterPn)
+    {
+        if (inDeadCode()) {
+            *afterLoop = nullptr;
+            return true;
+        }
+        JS_ASSERT(curBlock_->loopDepth() > 0);
+        MBasicBlock *body;
+        if (!newBlock(curBlock_, &body, bodyPn))
+            return false;
+        if (cond->isConstant() && cond->toConstant()->valueToBoolean()) {
+            *afterLoop = nullptr;
+            curBlock_->end(MGoto::New(alloc(), body));
+        } else {
+            if (!newBlockWithDepth(curBlock_, curBlock_->loopDepth() - 1, afterLoop, afterPn))
+                return false;
+            curBlock_->end(MTest::New(alloc(), cond, body, *afterLoop));
+        }
+        curBlock_ = body;
+        return true;
+    }
+
+  private:
+    ParseNode *popLoop()
+    {
+        ParseNode *pn = loopStack_.popCopy();
+        JS_ASSERT(!unlabeledContinues_.has(pn));
+        breakableStack_.popBack();
+        return pn;
+    }
+
+  public:
+    bool closeLoop(MBasicBlock *loopEntry, MBasicBlock *afterLoop)
+    {
+        ParseNode *pn = popLoop();
+        if (!loopEntry) {
+            JS_ASSERT(!afterLoop);
+            JS_ASSERT(inDeadCode());
+            JS_ASSERT(!unlabeledBreaks_.has(pn));
+            return true;
+        }
+        JS_ASSERT(loopEntry->loopDepth() == loopStack_.length() + 1);
+        JS_ASSERT_IF(afterLoop, afterLoop->loopDepth() == loopStack_.length());
+        if (curBlock_) {
+            JS_ASSERT(curBlock_->loopDepth() == loopStack_.length() + 1);
+            curBlock_->end(MGoto::New(alloc(), loopEntry));
+            if (!loopEntry->setBackedgeAsmJS(curBlock_))
+                return false;
+        }
+        curBlock_ = afterLoop;
+        if (curBlock_)
+            mirGraph().moveBlockToEnd(curBlock_);
+        return bindUnlabeledBreaks(pn);
+    }
+
+    bool branchAndCloseDoWhileLoop(MDefinition *cond, MBasicBlock *loopEntry, ParseNode *afterLoopStmt)
+    {
+        ParseNode *pn = popLoop();
+        if (!loopEntry) {
+            JS_ASSERT(inDeadCode());
+            JS_ASSERT(!unlabeledBreaks_.has(pn));
+            return true;
+        }
+        JS_ASSERT(loopEntry->loopDepth() == loopStack_.length() + 1);
+        if (curBlock_) {
+            JS_ASSERT(curBlock_->loopDepth() == loopStack_.length() + 1);
+            if (cond->isConstant()) {
+                if (cond->toConstant()->valueToBoolean()) {
+                    curBlock_->end(MGoto::New(alloc(), loopEntry));
+                    if (!loopEntry->setBackedgeAsmJS(curBlock_))
+                        return false;
+                    curBlock_ = nullptr;
+                } else {
+                    MBasicBlock *afterLoop;
+                    if (!newBlock(curBlock_, &afterLoop, afterLoopStmt))
+                        return false;
+                    curBlock_->end(MGoto::New(alloc(), afterLoop));
+                    curBlock_ = afterLoop;
+                }
+            } else {
+                MBasicBlock *afterLoop;
+                if (!newBlock(curBlock_, &afterLoop, afterLoopStmt))
+                    return false;
+                curBlock_->end(MTest::New(alloc(), cond, loopEntry, afterLoop));
+                if (!loopEntry->setBackedgeAsmJS(curBlock_))
+                    return false;
+                curBlock_ = afterLoop;
+            }
+        }
+        return bindUnlabeledBreaks(pn);
+    }
+
+    bool bindContinues(ParseNode *pn, const LabelVector *maybeLabels)
+    {
+        bool createdJoinBlock = false;
+        if (UnlabeledBlockMap::Ptr p = unlabeledContinues_.lookup(pn)) {
+            if (!bindBreaksOrContinues(&p->value(), &createdJoinBlock, pn))
+                return false;
+            unlabeledContinues_.remove(p);
+        }
+        return bindLabeledBreaksOrContinues(maybeLabels, &labeledContinues_, &createdJoinBlock, pn);
+    }
+
+    bool bindLabeledBreaks(const LabelVector *maybeLabels, ParseNode *pn)
+    {
+        bool createdJoinBlock = false;
+        return bindLabeledBreaksOrContinues(maybeLabels, &labeledBreaks_, &createdJoinBlock, pn);
+    }
+
+    bool addBreak(PropertyName *maybeLabel) {
+        if (maybeLabel)
+            return addBreakOrContinue(maybeLabel, &labeledBreaks_);
+        return addBreakOrContinue(breakableStack_.back(), &unlabeledBreaks_);
+    }
+
+    bool addContinue(PropertyName *maybeLabel) {
+        if (maybeLabel)
+            return addBreakOrContinue(maybeLabel, &labeledContinues_);
+        return addBreakOrContinue(loopStack_.back(), &unlabeledContinues_);
+    }
+
+    bool startSwitch(ParseNode *pn, MDefinition *expr, int32_t low, int32_t high,
+                     MBasicBlock **switchBlock)
+    {
+        if (!breakableStack_.append(pn))
+            return false;
+        if (inDeadCode()) {
+            *switchBlock = nullptr;
+            return true;
+        }
+        curBlock_->end(MTableSwitch::New(alloc(), expr, low, high));
+        *switchBlock = curBlock_;
+        curBlock_ = nullptr;
+        return true;
+    }
+
+    bool startSwitchCase(MBasicBlock *switchBlock, MBasicBlock **next, ParseNode *pn)
+    {
+        if (!switchBlock) {
+            *next = nullptr;
+            return true;
+        }
+        if (!newBlock(switchBlock, next, pn))
+            return false;
+        if (curBlock_) {
+            curBlock_->end(MGoto::New(alloc(), *next));
+            if (!(*next)->addPredecessor(alloc(), curBlock_))
+                return false;
+        }
+        curBlock_ = *next;
+        return true;
+    }
+
+    bool startSwitchDefault(MBasicBlock *switchBlock, BlockVector *cases, MBasicBlock **defaultBlock, ParseNode *pn)
+    {
+        if (!startSwitchCase(switchBlock, defaultBlock, pn))
+            return false;
+        if (!*defaultBlock)
+            return true;
+        mirGraph().moveBlockToEnd(*defaultBlock);
+        return true;
+    }
+
+    bool joinSwitch(MBasicBlock *switchBlock, const BlockVector &cases, MBasicBlock *defaultBlock)
+    {
+        ParseNode *pn = breakableStack_.popCopy();
+        if (!switchBlock)
+            return true;
+        MTableSwitch *mir = switchBlock->lastIns()->toTableSwitch();
+        size_t defaultIndex = mir->addDefault(defaultBlock);
+        for (unsigned i = 0; i < cases.length(); i++) {
+            if (!cases[i])
+                mir->addCase(defaultIndex);
+            else
+                mir->addCase(mir->addSuccessor(cases[i]));
+        }
+        if (curBlock_) {
+            MBasicBlock *next;
+            if (!newBlock(curBlock_, &next, pn))
+                return false;
+            curBlock_->end(MGoto::New(alloc(), next));
+            curBlock_ = next;
+        }
+        return bindUnlabeledBreaks(pn);
+    }
+
+    /*************************************************************************/
+
+    MIRGenerator *extractMIR()
+    {
+        JS_ASSERT(mirGen_ != nullptr);
+        MIRGenerator *mirGen = mirGen_;
+        mirGen_ = nullptr;
+        return mirGen;
+    }
+
+    /*************************************************************************/
+  private:
+    void noteBasicBlockPosition(MBasicBlock *blk, ParseNode *pn)
+    {
+#if defined(JS_ION_PERF)
+        if (pn) {
+            unsigned line = 0U, column = 0U;
+            m().tokenStream().srcCoords.lineNumAndColumnIndex(pn->pn_pos.begin, &line, &column);
+            blk->setLineno(line);
+            blk->setColumnIndex(column);
+        }
+#endif
+    }
+
+    bool newBlockWithDepth(MBasicBlock *pred, unsigned loopDepth, MBasicBlock **block, ParseNode *pn)
+    {
+        *block = MBasicBlock::NewAsmJS(mirGraph(), info(), pred, MBasicBlock::NORMAL);
+        if (!*block)
+            return false;
+        noteBasicBlockPosition(*block, pn);
+        mirGraph().addBlock(*block);
+        (*block)->setLoopDepth(loopDepth);
+        return true;
+    }
+
+    bool newBlock(MBasicBlock *pred, MBasicBlock **block, ParseNode *pn)
+    {
+        return newBlockWithDepth(pred, loopStack_.length(), block, pn);
+    }
+
+    bool bindBreaksOrContinues(BlockVector *preds, bool *createdJoinBlock, ParseNode *pn)
+    {
+        for (unsigned i = 0; i < preds->length(); i++) {
+            MBasicBlock *pred = (*preds)[i];
+            if (*createdJoinBlock) {
+                pred->end(MGoto::New(alloc(), curBlock_));
+                if (!curBlock_->addPredecessor(alloc(), pred))
+                    return false;
+            } else {
+                MBasicBlock *next;
+                if (!newBlock(pred, &next, pn))
+                    return false;
+                pred->end(MGoto::New(alloc(), next));
+                if (curBlock_) {
+                    curBlock_->end(MGoto::New(alloc(), next));
+                    if (!next->addPredecessor(alloc(), curBlock_))
+                        return false;
+                }
+                curBlock_ = next;
+                *createdJoinBlock = true;
+            }
+            JS_ASSERT(curBlock_->begin() == curBlock_->end());
+            if (!mirGen_->ensureBallast())
+                return false;
+        }
+        preds->clear();
+        return true;
+    }
+
+    bool bindLabeledBreaksOrContinues(const LabelVector *maybeLabels, LabeledBlockMap *map,
+                                      bool *createdJoinBlock, ParseNode *pn)
+    {
+        if (!maybeLabels)
+            return true;
+        const LabelVector &labels = *maybeLabels;
+        for (unsigned i = 0; i < labels.length(); i++) {
+            if (LabeledBlockMap::Ptr p = map->lookup(labels[i])) {
+                if (!bindBreaksOrContinues(&p->value(), createdJoinBlock, pn))
+                    return false;
+                map->remove(p);
+            }
+            if (!mirGen_->ensureBallast())
+                return false;
+        }
+        return true;
+    }
+
+    template <class Key, class Map>
+    bool addBreakOrContinue(Key key, Map *map)
+    {
+        if (inDeadCode())
+            return true;
+        typename Map::AddPtr p = map->lookupForAdd(key);
+        if (!p) {
+            BlockVector empty(m().cx());
+            if (!map->add(p, key, Move(empty)))
+                return false;
+        }
+        if (!p->value().append(curBlock_))
+            return false;
+        curBlock_ = nullptr;
+        return true;
+    }
+
+    bool bindUnlabeledBreaks(ParseNode *pn)
+    {
+        bool createdJoinBlock = false;
+        if (UnlabeledBlockMap::Ptr p = unlabeledBreaks_.lookup(pn)) {
+            if (!bindBreaksOrContinues(&p->value(), &createdJoinBlock, pn))
+                return false;
+            unlabeledBreaks_.remove(p);
+        }
+        return true;
+    }
+};
+
+} /* anonymous namespace */
+
+/*****************************************************************************/
+// asm.js type-checking and code-generation algorithm
+
+static bool
+CheckIdentifier(ModuleCompiler &m, ParseNode *usepn, PropertyName *name)
+{
+    if (name == m.cx()->names().arguments || name == m.cx()->names().eval)
+        return m.failName(usepn, "'%s' is not an allowed identifier", name);
+    return true;
+}
+
+static bool
+CheckModuleLevelName(ModuleCompiler &m, ParseNode *usepn, PropertyName *name)
+{
+    if (!CheckIdentifier(m, usepn, name))
+        return false;
+
+    if (name == m.moduleFunctionName() ||
+        name == m.module().globalArgumentName() ||
+        name == m.module().importArgumentName() ||
+        name == m.module().bufferArgumentName() ||
+        m.lookupGlobal(name))
+    {
+        return m.failName(usepn, "duplicate name '%s' not allowed", name);
+    }
+
+    return true;
+}
+
+static bool
+CheckFunctionHead(ModuleCompiler &m, ParseNode *fn)
+{
+    JSFunction *fun = FunctionObject(fn);
+    if (fun->hasRest())
+        return m.fail(fn, "rest args not allowed");
+    if (fun->isExprClosure())
+        return m.fail(fn, "expression closures not allowed");
+    if (fn->pn_funbox->hasDestructuringArgs)
+        return m.fail(fn, "destructuring args not allowed");
+    return true;
+}
+
+static bool
+CheckArgument(ModuleCompiler &m, ParseNode *arg, PropertyName **name)
+{
+    if (!IsDefinition(arg))
+        return m.fail(arg, "duplicate argument name not allowed");
+
+    if (arg->pn_dflags & PND_DEFAULT)
+        return m.fail(arg, "default arguments not allowed");
+
+    if (!CheckIdentifier(m, arg, arg->name()))
+        return false;
+
+    *name = arg->name();
+    return true;
+}
+
+static bool
+CheckModuleArgument(ModuleCompiler &m, ParseNode *arg, PropertyName **name)
+{
+    if (!CheckArgument(m, arg, name))
+        return false;
+
+    if (!CheckModuleLevelName(m, arg, *name))
+        return false;
+
+    return true;
+}
+
+static bool
+CheckModuleArguments(ModuleCompiler &m, ParseNode *fn)
+{
+    unsigned numFormals;
+    ParseNode *arg1 = FunctionArgsList(fn, &numFormals);
+    ParseNode *arg2 = arg1 ? NextNode(arg1) : nullptr;
+    ParseNode *arg3 = arg2 ? NextNode(arg2) : nullptr;
+
+    if (numFormals > 3)
+        return m.fail(fn, "asm.js modules takes at most 3 argument");
+
+    PropertyName *arg1Name = nullptr;
+    if (numFormals >= 1 && !CheckModuleArgument(m, arg1, &arg1Name))
+        return false;
+    m.initGlobalArgumentName(arg1Name);
+
+    PropertyName *arg2Name = nullptr;
+    if (numFormals >= 2 && !CheckModuleArgument(m, arg2, &arg2Name))
+        return false;
+    m.initImportArgumentName(arg2Name);
+
+    PropertyName *arg3Name = nullptr;
+    if (numFormals >= 3 && !CheckModuleArgument(m, arg3, &arg3Name))
+        return false;
+    m.initBufferArgumentName(arg3Name);
+
+    return true;
+}
+
+static bool
+CheckPrecedingStatements(ModuleCompiler &m, ParseNode *stmtList)
+{
+    JS_ASSERT(stmtList->isKind(PNK_STATEMENTLIST));
+
+    if (ListLength(stmtList) != 0)
+        return m.fail(ListHead(stmtList), "invalid asm.js statement");
+
+    return true;
+}
+
+static bool
+CheckGlobalVariableInitConstant(ModuleCompiler &m, PropertyName *varName, ParseNode *initNode,
+                                bool isConst)
+{
+    NumLit literal = ExtractNumericLiteral(m, initNode);
+    if (!literal.hasType())
+        return m.fail(initNode, "global initializer is out of representable integer range");
+
+    return m.addGlobalVarInit(varName, literal.varType(), literal.value(), isConst);
+}
+
+static bool
+CheckTypeAnnotation(ModuleCompiler &m, ParseNode *coercionNode, AsmJSCoercion *coercion,
+                    ParseNode **coercedExpr = nullptr)
+{
+    switch (coercionNode->getKind()) {
+      case PNK_BITOR: {
+        ParseNode *rhs = BinaryRight(coercionNode);
+        uint32_t i;
+        if (!IsLiteralInt(m, rhs, &i) || i != 0)
+            return m.fail(rhs, "must use |0 for argument/return coercion");
+        *coercion = AsmJS_ToInt32;
+        if (coercedExpr)
+            *coercedExpr = BinaryLeft(coercionNode);
+        return true;
+      }
+      case PNK_POS: {
+        *coercion = AsmJS_ToNumber;
+        if (coercedExpr)
+            *coercedExpr = UnaryKid(coercionNode);
+        return true;
+      }
+      case PNK_CALL: {
+        *coercion = AsmJS_FRound;
+        if (!IsFloatCoercion(m, coercionNode, coercedExpr))
+            return m.fail(coercionNode, "call must be to fround coercion");
+        return true;
+      }
+      default:;
+    }
+
+    return m.fail(coercionNode, "must be of the form +x, fround(x) or x|0");
+}
+
+static bool
+CheckGlobalVariableImportExpr(ModuleCompiler &m, PropertyName *varName, AsmJSCoercion coercion,
+                              ParseNode *coercedExpr, bool isConst)
+{
+    if (!coercedExpr->isKind(PNK_DOT))
+        return m.failName(coercedExpr, "invalid import expression for global '%s'", varName);
+
+    ParseNode *base = DotBase(coercedExpr);
+    PropertyName *field = DotMember(coercedExpr);
+
+    PropertyName *importName = m.module().importArgumentName();
+    if (!importName)
+        return m.fail(coercedExpr, "cannot import without an asm.js foreign parameter");
+    if (!IsUseOfName(base, importName))
+        return m.failName(coercedExpr, "base of import expression must be '%s'", importName);
+
+    return m.addGlobalVarImport(varName, field, coercion, isConst);
+}
+
+static bool
+CheckGlobalVariableInitImport(ModuleCompiler &m, PropertyName *varName, ParseNode *initNode,
+                              bool isConst)
+{
+    AsmJSCoercion coercion;
+    ParseNode *coercedExpr;
+    if (!CheckTypeAnnotation(m, initNode, &coercion, &coercedExpr))
+        return false;
+    return CheckGlobalVariableImportExpr(m, varName, coercion, coercedExpr, isConst);
+}
+
+static bool
+CheckNewArrayView(ModuleCompiler &m, PropertyName *varName, ParseNode *newExpr)
+{
+    ParseNode *ctorExpr = ListHead(newExpr);
+    if (!ctorExpr->isKind(PNK_DOT))
+        return m.fail(ctorExpr, "only valid 'new' import is 'new global.*Array(buf)'");
+
+    ParseNode *base = DotBase(ctorExpr);
+    PropertyName *field = DotMember(ctorExpr);
+
+    PropertyName *globalName = m.module().globalArgumentName();
+    if (!globalName)
+        return m.fail(base, "cannot create array view without an asm.js global parameter");
+    if (!IsUseOfName(base, globalName))
+        return m.failName(base, "expecting '%s.*Array", globalName);
+
+    ParseNode *bufArg = NextNode(ctorExpr);
+    if (!bufArg || NextNode(bufArg) != nullptr)
+        return m.fail(ctorExpr, "array view constructor takes exactly one argument");
+
+    PropertyName *bufferName = m.module().bufferArgumentName();
+    if (!bufferName)
+        return m.fail(bufArg, "cannot create array view without an asm.js heap parameter");
+    if (!IsUseOfName(bufArg, bufferName))
+        return m.failName(bufArg, "argument to array view constructor must be '%s'", bufferName);
+
+    JSAtomState &names = m.cx()->names();
+    ArrayBufferView::ViewType type;
+    if (field == names.Int8Array)
+        type = ArrayBufferView::TYPE_INT8;
+    else if (field == names.Uint8Array)
+        type = ArrayBufferView::TYPE_UINT8;
+    else if (field == names.Int16Array)
+        type = ArrayBufferView::TYPE_INT16;
+    else if (field == names.Uint16Array)
+        type = ArrayBufferView::TYPE_UINT16;
+    else if (field == names.Int32Array)
+        type = ArrayBufferView::TYPE_INT32;
+    else if (field == names.Uint32Array)
+        type = ArrayBufferView::TYPE_UINT32;
+    else if (field == names.Float32Array)
+        type = ArrayBufferView::TYPE_FLOAT32;
+    else if (field == names.Float64Array)
+        type = ArrayBufferView::TYPE_FLOAT64;
+    else
+        return m.fail(ctorExpr, "could not match typed array name");
+
+    return m.addArrayView(varName, type, field);
+}
+
+static bool
+CheckGlobalDotImport(ModuleCompiler &m, PropertyName *varName, ParseNode *initNode)
+{
+    ParseNode *base = DotBase(initNode);
+    PropertyName *field = DotMember(initNode);
+
+    if (base->isKind(PNK_DOT)) {
+        ParseNode *global = DotBase(base);
+        PropertyName *math = DotMember(base);
+        if (!IsUseOfName(global, m.module().globalArgumentName()) || math != m.cx()->names().Math)
+            return m.fail(base, "expecting global.Math");
+
+        ModuleCompiler::MathBuiltin mathBuiltin;
+        if (!m.lookupStandardLibraryMathName(field, &mathBuiltin))
+            return m.failName(initNode, "'%s' is not a standard Math builtin", field);
+
+        switch (mathBuiltin.kind) {
+          case ModuleCompiler::MathBuiltin::Function:
+            return m.addMathBuiltinFunction(varName, mathBuiltin.u.func, field);
+          case ModuleCompiler::MathBuiltin::Constant:
+            return m.addMathBuiltinConstant(varName, mathBuiltin.u.cst, field);
+          default:
+            break;
+        }
+        MOZ_ASSUME_UNREACHABLE("unexpected or uninitialized math builtin type");
+    }
+
+    if (IsUseOfName(base, m.module().globalArgumentName())) {
+        if (field == m.cx()->names().NaN)
+            return m.addGlobalConstant(varName, GenericNaN(), field);
+        if (field == m.cx()->names().Infinity)
+            return m.addGlobalConstant(varName, PositiveInfinity<double>(), field);
+        return m.failName(initNode, "'%s' is not a standard global constant", field);
+    }
+
+    if (IsUseOfName(base, m.module().importArgumentName()))
+        return m.addFFI(varName, field);
+
+    return m.fail(initNode, "expecting c.y where c is either the global or foreign parameter");
+}
+
+static bool
+CheckModuleGlobal(ModuleCompiler &m, ParseNode *var, bool isConst)
+{
+    if (!IsDefinition(var))
+        return m.fail(var, "import variable names must be unique");
+
+    if (!CheckModuleLevelName(m, var, var->name()))
+        return false;
+
+    ParseNode *initNode = MaybeDefinitionInitializer(var);
+    if (!initNode)
+        return m.fail(var, "module import needs initializer");
+
+    if (IsNumericLiteral(m, initNode))
+        return CheckGlobalVariableInitConstant(m, var->name(), initNode, isConst);
+
+    if (initNode->isKind(PNK_BITOR) || initNode->isKind(PNK_POS) || initNode->isKind(PNK_CALL))
+        return CheckGlobalVariableInitImport(m, var->name(), initNode, isConst);
+
+    if (initNode->isKind(PNK_NEW))
+        return CheckNewArrayView(m, var->name(), initNode);
+
+    if (initNode->isKind(PNK_DOT))
+        return CheckGlobalDotImport(m, var->name(), initNode);
+
+    return m.fail(initNode, "unsupported import expression");
+}
+
+static bool
+CheckModuleGlobals(ModuleCompiler &m)
+{
+    while (true) {
+        ParseNode *varStmt;
+        if (!ParseVarOrConstStatement(m.parser(), &varStmt))
+            return false;
+        if (!varStmt)
+            break;
+        for (ParseNode *var = VarListHead(varStmt); var; var = NextNode(var)) {
+            if (!CheckModuleGlobal(m, var, varStmt->isKind(PNK_CONST)))
+                return false;
+        }
+    }
+
+    return true;
+}
+
+static bool
+ArgFail(FunctionCompiler &f, PropertyName *argName, ParseNode *stmt)
+{
+    return f.failName(stmt, "expecting argument type declaration for '%s' of the "
+                      "form 'arg = arg|0' or 'arg = +arg' or 'arg = fround(arg)'", argName);
+}
+
+static bool
+CheckArgumentType(FunctionCompiler &f, ParseNode *stmt, PropertyName *name, VarType *type)
+{
+    if (!stmt || !IsExpressionStatement(stmt))
+        return ArgFail(f, name, stmt ? stmt : f.fn());
+
+    ParseNode *initNode = ExpressionStatementExpr(stmt);
+    if (!initNode || !initNode->isKind(PNK_ASSIGN))
+        return ArgFail(f, name, stmt);
+
+    ParseNode *argNode = BinaryLeft(initNode);
+    ParseNode *coercionNode = BinaryRight(initNode);
+
+    if (!IsUseOfName(argNode, name))
+        return ArgFail(f, name, stmt);
+
+    ParseNode *coercedExpr;
+    AsmJSCoercion coercion;
+    if (!CheckTypeAnnotation(f.m(), coercionNode, &coercion, &coercedExpr))
+        return false;
+
+    if (!IsUseOfName(coercedExpr, name))
+        return ArgFail(f, name, stmt);
+
+    *type = VarType(coercion);
+    return true;
+}
+
+static bool
+CheckArguments(FunctionCompiler &f, ParseNode **stmtIter, VarTypeVector *argTypes)
+{
+    ParseNode *stmt = *stmtIter;
+
+    unsigned numFormals;
+    ParseNode *argpn = FunctionArgsList(f.fn(), &numFormals);
+
+    for (unsigned i = 0; i < numFormals; i++, argpn = NextNode(argpn), stmt = NextNode(stmt)) {
+        PropertyName *name;
+        if (!CheckArgument(f.m(), argpn, &name))
+            return false;
+
+        VarType type;
+        if (!CheckArgumentType(f, stmt, name, &type))
+            return false;
+
+        if (!argTypes->append(type))
+            return false;
+
+        if (!f.addFormal(argpn, name, type))
+            return false;
+    }
+
+    *stmtIter = stmt;
+    return true;
+}
+
+static bool
+CheckFinalReturn(FunctionCompiler &f, ParseNode *stmt, RetType *retType)
+{
+    if (stmt && stmt->isKind(PNK_RETURN)) {
+        if (ParseNode *coercionNode = UnaryKid(stmt)) {
+            if (IsNumericLiteral(f.m(), coercionNode)) {
+                switch (ExtractNumericLiteral(f.m(), coercionNode).which()) {
+                  case NumLit::BigUnsigned:
+                  case NumLit::OutOfRangeInt:
+                    return f.fail(coercionNode, "returned literal is out of integer range");
+                  case NumLit::Fixnum:
+                  case NumLit::NegativeInt:
+                    *retType = RetType::Signed;
+                    break;
+                  case NumLit::Double:
+                    *retType = RetType::Double;
+                    break;
+                  case NumLit::Float:
+                    *retType = RetType::Float;
+                    break;
+                }
+                return true;
+            }
+
+            AsmJSCoercion coercion;
+            if (!CheckTypeAnnotation(f.m(), coercionNode, &coercion))
+                return false;
+
+            *retType = RetType(coercion);
+            return true;
+        }
+
+        *retType = RetType::Void;
+        return true;
+    }
+
+    *retType = RetType::Void;
+    f.returnVoid();
+    return true;
+}
+
+static bool
+CheckVariable(FunctionCompiler &f, ParseNode *var)
+{
+    if (!IsDefinition(var))
+        return f.fail(var, "local variable names must not restate argument names");
+
+    PropertyName *name = var->name();
+
+    if (!CheckIdentifier(f.m(), var, name))
+        return false;
+
+    ParseNode *initNode = MaybeDefinitionInitializer(var);
+    if (!initNode)
+        return f.failName(var, "var '%s' needs explicit type declaration via an initial value", name);
+
+    if (initNode->isKind(PNK_NAME)) {
+        PropertyName *initName = initNode->name();
+        if (const ModuleCompiler::Global *global = f.lookupGlobal(initName)) {
+            if (global->which() != ModuleCompiler::Global::ConstantLiteral)
+                return f.failName(initNode, "'%s' isn't a possible global variable initializer, "
+                                            "needs to be a const numeric literal", initName);
+            return f.addVariable(var, name, global->varOrConstType(), global->constLiteralValue());
+        }
+        return f.failName(initNode, "'%s' needs to be a global name", initName);
+    }
+
+    if (!IsNumericLiteral(f.m(), initNode))
+        return f.failName(initNode, "initializer for '%s' needs to be a numeric literal or a global const literal", name);
+
+    NumLit literal = ExtractNumericLiteral(f.m(), initNode);
+    if (!literal.hasType())
+        return f.failName(initNode, "initializer for '%s' is out of range", name);
+
+    return f.addVariable(var, name, literal.varType(), literal.value());
+}
+
+static bool
+CheckVariables(FunctionCompiler &f, ParseNode **stmtIter)
+{
+    ParseNode *stmt = *stmtIter;
+
+    for (; stmt && stmt->isKind(PNK_VAR); stmt = NextNonEmptyStatement(stmt)) {
+        for (ParseNode *var = VarListHead(stmt); var; var = NextNode(var)) {
+            if (!CheckVariable(f, var))
+                return false;
+        }
+    }
+
+    *stmtIter = stmt;
+    return true;
+}
+
+static bool
+CheckExpr(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type);
+
+static bool
+CheckNumericLiteral(FunctionCompiler &f, ParseNode *num, MDefinition **def, Type *type)
+{
+    NumLit literal = ExtractNumericLiteral(f.m(), num);
+    if (!literal.hasType())
+        return f.fail(num, "numeric literal out of representable integer range");
+
+    *type = literal.type();
+    *def = f.constant(literal.value(), literal.type());
+    return true;
+}
+
+static bool
+CheckVarRef(FunctionCompiler &f, ParseNode *varRef, MDefinition **def, Type *type)
+{
+    PropertyName *name = varRef->name();
+
+    if (const FunctionCompiler::Local *local = f.lookupLocal(name)) {
+        *def = f.getLocalDef(*local);
+        *type = local->type.toType();
+        return true;
+    }
+
+    if (const ModuleCompiler::Global *global = f.lookupGlobal(name)) {
+        switch (global->which()) {
+          case ModuleCompiler::Global::ConstantLiteral:
+            *def = f.constant(global->constLiteralValue(), global->varOrConstType().toType());
+            *type = global->varOrConstType().toType();
+            break;
+          case ModuleCompiler::Global::ConstantImport:
+          case ModuleCompiler::Global::Variable:
+            *def = f.loadGlobalVar(*global);
+            *type = global->varOrConstType().toType();
+            break;
+          case ModuleCompiler::Global::Function:
+          case ModuleCompiler::Global::FFI:
+          case ModuleCompiler::Global::MathBuiltinFunction:
+          case ModuleCompiler::Global::FuncPtrTable:
+          case ModuleCompiler::Global::ArrayView:
+            return f.failName(varRef, "'%s' may not be accessed by ordinary expressions", name);
+        }
+        return true;
+    }
+
+    return f.failName(varRef, "'%s' not found in local or asm.js module scope", name);
+}
+
+static inline bool
+IsLiteralOrConstInt(FunctionCompiler &f, ParseNode *pn, uint32_t *u32)
+{
+    if (IsLiteralInt(f.m(), pn, u32))
+        return true;
+
+    if (pn->getKind() != PNK_NAME)
+        return false;
+
+    PropertyName *name = pn->name();
+    const ModuleCompiler::Global *global = f.lookupGlobal(name);
+    if (!global || global->which() != ModuleCompiler::Global::ConstantLiteral)
+        return false;
+
+    const Value &v = global->constLiteralValue();
+    if (!v.isInt32())
+        return false;
+
+    *u32 = (uint32_t) v.toInt32();
+    return true;
+}
+
+static bool
+FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask,
+                     NeedsBoundsCheck *needsBoundsCheck)
+{
+    ParseNode *indexNode = BinaryLeft(*indexExpr);
+    ParseNode *maskNode = BinaryRight(*indexExpr);
+
+    uint32_t mask2;
+    if (IsLiteralOrConstInt(f, maskNode, &mask2)) {
+        // Flag the access to skip the bounds check if the mask ensures that an 'out of
+        // bounds' access can not occur based on the current heap length constraint.
+        if (mask2 == 0 ||
+            CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) {
+            *needsBoundsCheck = NO_BOUNDS_CHECK;
+        }
+        *mask &= mask2;
+        *indexExpr = indexNode;
+        return true;
+    }
+
+    return false;
+}
+
+static bool
+CheckArrayAccess(FunctionCompiler &f, ParseNode *elem, ArrayBufferView::ViewType *viewType,
+                 MDefinition **def, NeedsBoundsCheck *needsBoundsCheck)
+{
+    ParseNode *viewName = ElemBase(elem);
+    ParseNode *indexExpr = ElemIndex(elem);
+    *needsBoundsCheck = NEEDS_BOUNDS_CHECK;
+
+    if (!viewName->isKind(PNK_NAME))
+        return f.fail(viewName, "base of array access must be a typed array view name");
+
+    const ModuleCompiler::Global *global = f.lookupGlobal(viewName->name());
+    if (!global || global->which() != ModuleCompiler::Global::ArrayView)
+        return f.fail(viewName, "base of array access must be a typed array view name");
+
+    *viewType = global->viewType();
+
+    uint32_t pointer;
+    if (IsLiteralOrConstInt(f, indexExpr, &pointer)) {
+        if (pointer > (uint32_t(INT32_MAX) >> TypedArrayShift(*viewType)))
+            return f.fail(indexExpr, "constant index out of range");
+        pointer <<= TypedArrayShift(*viewType);
+        // It is adequate to note pointer+1 rather than rounding up to the next
+        // access-size boundary because access is always aligned and the constraint
+        // will be rounded up to a larger alignment later.
+        f.m().requireHeapLengthToBeAtLeast(uint32_t(pointer) + 1);
+        *needsBoundsCheck = NO_BOUNDS_CHECK;
+        *def = f.constant(Int32Value(pointer), Type::Int);
+        return true;
+    }
+
+    // Mask off the low bits to account for the clearing effect of a right shift
+    // followed by the left shift implicit in the array access. E.g., H32[i>>2]
+    // loses the low two bits.
+    int32_t mask = ~((uint32_t(1) << TypedArrayShift(*viewType)) - 1);
+
+    MDefinition *pointerDef;
+    if (indexExpr->isKind(PNK_RSH)) {
+        ParseNode *shiftNode = BinaryRight(indexExpr);
+        ParseNode *pointerNode = BinaryLeft(indexExpr);
+
+        uint32_t shift;
+        if (!IsLiteralInt(f.m(), shiftNode, &shift))
+            return f.failf(shiftNode, "shift amount must be constant");
+
+        unsigned requiredShift = TypedArrayShift(*viewType);
+        if (shift != requiredShift)
+            return f.failf(shiftNode, "shift amount must be %u", requiredShift);
+
+        if (pointerNode->isKind(PNK_BITAND))
+            FoldMaskedArrayIndex(f, &pointerNode, &mask, needsBoundsCheck);
+
+        // Fold a 'literal constant right shifted' now, and skip the bounds check if
+        // currently possible. This handles the optimization of many of these uses without
+        // the need for range analysis, and saves the generation of a MBitAnd op.
+        if (IsLiteralOrConstInt(f, pointerNode, &pointer) && pointer <= uint32_t(INT32_MAX)) {
+            // Cases: b[c>>n], and b[(c&m)>>n]
+            pointer &= mask;
+            if (pointer < f.m().minHeapLength())
+                *needsBoundsCheck = NO_BOUNDS_CHECK;
+            *def = f.constant(Int32Value(pointer), Type::Int);
+            return true;
+        }
+
+        Type pointerType;
+        if (!CheckExpr(f, pointerNode, &pointerDef, &pointerType))
+            return false;
+
+        if (!pointerType.isIntish())
+            return f.failf(indexExpr, "%s is not a subtype of int", pointerType.toChars());
+    } else {
+        if (TypedArrayShift(*viewType) != 0)
+            return f.fail(indexExpr, "index expression isn't shifted; must be an Int8/Uint8 access");
+
+        JS_ASSERT(mask == -1);
+        bool folded = false;
+
+        if (indexExpr->isKind(PNK_BITAND))
+            folded = FoldMaskedArrayIndex(f, &indexExpr, &mask, needsBoundsCheck);
+
+        Type pointerType;
+        if (!CheckExpr(f, indexExpr, &pointerDef, &pointerType))
+            return false;
+
+        if (folded) {
+            if (!pointerType.isIntish())
+                return f.failf(indexExpr, "%s is not a subtype of intish", pointerType.toChars());
+        } else {
+            if (!pointerType.isInt())
+                return f.failf(indexExpr, "%s is not a subtype of int", pointerType.toChars());
+        }
+    }
+
+    // Don't generate the mask op if there is no need for it which could happen for
+    // a shift of zero.
+    if (mask == -1)
+        *def = pointerDef;
+    else
+        *def = f.bitwise<MBitAnd>(pointerDef, f.constant(Int32Value(mask), Type::Int));
+
+    return true;
+}
+
+static bool
+CheckLoadArray(FunctionCompiler &f, ParseNode *elem, MDefinition **def, Type *type)
+{
+    ArrayBufferView::ViewType viewType;
+    MDefinition *pointerDef;
+    NeedsBoundsCheck needsBoundsCheck;
+    if (!CheckArrayAccess(f, elem, &viewType, &pointerDef, &needsBoundsCheck))
+        return false;
+
+    *def = f.loadHeap(viewType, pointerDef, needsBoundsCheck);
+    *type = TypedArrayLoadType(viewType);
+    return true;
+}
+
+static bool
+CheckStoreArray(FunctionCompiler &f, ParseNode *lhs, ParseNode *rhs, MDefinition **def, Type *type)
+{
+    ArrayBufferView::ViewType viewType;
+    MDefinition *pointerDef;
+    NeedsBoundsCheck needsBoundsCheck;
+    if (!CheckArrayAccess(f, lhs, &viewType, &pointerDef, &needsBoundsCheck))
+        return false;
+
+    MDefinition *rhsDef;
+    Type rhsType;
+    if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+        return false;
+
+    switch (viewType) {
+      case ArrayBufferView::TYPE_INT8:
+      case ArrayBufferView::TYPE_INT16:
+      case ArrayBufferView::TYPE_INT32:
+      case ArrayBufferView::TYPE_UINT8:
+      case ArrayBufferView::TYPE_UINT16:
+      case ArrayBufferView::TYPE_UINT32:
+        if (!rhsType.isIntish())
+            return f.failf(lhs, "%s is not a subtype of intish", rhsType.toChars());
+        break;
+      case ArrayBufferView::TYPE_FLOAT32:
+        if (rhsType.isMaybeDouble())
+            rhsDef = f.unary<MToFloat32>(rhsDef);
+        else if (!rhsType.isFloatish())
+            return f.failf(lhs, "%s is not a subtype of double? or floatish", rhsType.toChars());
+        break;
+      case ArrayBufferView::TYPE_FLOAT64:
+        if (rhsType.isFloat())
+            rhsDef = f.unary<MToDouble>(rhsDef);
+        else if (!rhsType.isMaybeDouble())
+            return f.failf(lhs, "%s is not a subtype of float or double?", rhsType.toChars());
+        break;
+      default:
+        MOZ_ASSUME_UNREACHABLE("Unexpected view type");
+    }
+
+    f.storeHeap(viewType, pointerDef, rhsDef, needsBoundsCheck);
+
+    *def = rhsDef;
+    *type = rhsType;
+    return true;
+}
+
+static bool
+CheckAssignName(FunctionCompiler &f, ParseNode *lhs, ParseNode *rhs, MDefinition **def, Type *type)
+{
+    Rooted<PropertyName *> name(f.cx(), lhs->name());
+
+    MDefinition *rhsDef;
+    Type rhsType;
+    if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+        return false;
+
+    if (const FunctionCompiler::Local *lhsVar = f.lookupLocal(name)) {
+        if (!(rhsType <= lhsVar->type)) {
+            return f.failf(lhs, "%s is not a subtype of %s",
+                           rhsType.toChars(), lhsVar->type.toType().toChars());
+        }
+        f.assign(*lhsVar, rhsDef);
+    } else if (const ModuleCompiler::Global *global = f.lookupGlobal(name)) {
+        if (global->which() != ModuleCompiler::Global::Variable)
+            return f.failName(lhs, "'%s' is not a mutable variable", name);
+        if (!(rhsType <= global->varOrConstType())) {
+            return f.failf(lhs, "%s is not a subtype of %s",
+                           rhsType.toChars(), global->varOrConstType().toType().toChars());
+        }
+        f.storeGlobalVar(*global, rhsDef);
+    } else {
+        return f.failName(lhs, "'%s' not found in local or asm.js module scope", name);
+    }
+
+    *def = rhsDef;
+    *type = rhsType;
+    return true;
+}
+
+static bool
+CheckAssign(FunctionCompiler &f, ParseNode *assign, MDefinition **def, Type *type)
+{
+    JS_ASSERT(assign->isKind(PNK_ASSIGN));
+    ParseNode *lhs = BinaryLeft(assign);
+    ParseNode *rhs = BinaryRight(assign);
+
+    if (lhs->getKind() == PNK_ELEM)
+        return CheckStoreArray(f, lhs, rhs, def, type);
+
+    if (lhs->getKind() == PNK_NAME)
+        return CheckAssignName(f, lhs, rhs, def, type);
+
+    return f.fail(assign, "left-hand side of assignment must be a variable or array access");
+}
+
+static bool
+CheckMathIMul(FunctionCompiler &f, ParseNode *call, RetType retType, MDefinition **def, Type *type)
+{
+    if (CallArgListLength(call) != 2)
+        return f.fail(call, "Math.imul must be passed 2 arguments");
+
+    ParseNode *lhs = CallArgList(call);
+    ParseNode *rhs = NextNode(lhs);
+
+    MDefinition *lhsDef;
+    Type lhsType;
+    if (!CheckExpr(f, lhs, &lhsDef, &lhsType))
+        return false;
+
+    MDefinition *rhsDef;
+    Type rhsType;
+    if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+        return false;
+
+    if (!lhsType.isIntish())
+        return f.failf(lhs, "%s is not a subtype of intish", lhsType.toChars());
+    if (!rhsType.isIntish())
+        return f.failf(rhs, "%s is not a subtype of intish", rhsType.toChars());
+    if (retType != RetType::Signed)
+        return f.failf(call, "return type is signed, used as %s", retType.toType().toChars());
+
+    *def = f.mul(lhsDef, rhsDef, MIRType_Int32, MMul::Integer);
+    *type = Type::Signed;
+    return true;
+}
+
+static bool
+CheckMathAbs(FunctionCompiler &f, ParseNode *call, RetType retType, MDefinition **def, Type *type)
+{
+    if (CallArgListLength(call) != 1)
+        return f.fail(call, "Math.abs must be passed 1 argument");
+
+    ParseNode *arg = CallArgList(call);
+
+    MDefinition *argDef;
+    Type argType;
+    if (!CheckExpr(f, arg, &argDef, &argType))
+        return false;
+
+    if (argType.isSigned()) {
+        if (retType != RetType::Signed)
+            return f.failf(call, "return type is signed, used as %s", retType.toType().toChars());
+        *def = f.unary<MAbs>(argDef, MIRType_Int32);
+        *type = Type::Signed;
+        return true;
+    }
+
+    if (argType.isMaybeDouble()) {
+        if (retType != RetType::Double)
+            return f.failf(call, "return type is double, used as %s", retType.toType().toChars());
+        *def = f.unary<MAbs>(argDef, MIRType_Double);
+        *type = Type::Double;
+        return true;
+    }
+
+    if (argType.isMaybeFloat()) {
+        if (retType != RetType::Float)
+            return f.failf(call, "return type is float, used as %s", retType.toType().toChars());
+        *def = f.unary<MAbs>(argDef, MIRType_Float32);
+        *type = Type::Float;
+        return true;
+    }
+
+    return f.failf(call, "%s is not a subtype of signed, float? or double?", argType.toChars());
+}
+
+static bool
+CheckMathSqrt(FunctionCompiler &f, ParseNode *call, RetType retType, MDefinition **def, Type *type)
+{
+    if (CallArgListLength(call) != 1)
+        return f.fail(call, "Math.sqrt must be passed 1 argument");
+
+    ParseNode *arg = CallArgList(call);
+
+    MDefinition *argDef;
+    Type argType;
+    if (!CheckExpr(f, arg, &argDef, &argType))
+        return false;
+
+    if (argType.isMaybeDouble()) {
+        if (retType != RetType::Double)
+            return f.failf(call, "return type is double, used as %s", retType.toType().toChars());
+        *def = f.unary<MSqrt>(argDef, MIRType_Double);
+        *type = Type::Double;
+        return true;
+    }
+
+    if (argType.isMaybeFloat()) {
+        if (retType != RetType::Float)
+            return f.failf(call, "return type is float, used as %s", retType.toType().toChars());
+        *def = f.unary<MSqrt>(argDef, MIRType_Float32);
+        *type = Type::Float;
+        return true;
+    }
+
+    return f.failf(call, "%s is neither a subtype of double? nor float?", argType.toChars());
+}
+
+static bool
+CheckMathMinMax(FunctionCompiler &f, ParseNode *callNode, RetType retType, MDefinition **def, Type *type, bool isMax)
+{
+    if (CallArgListLength(callNode) < 2)
+        return f.fail(callNode, "Math.min/max must be passed at least 2 arguments");
+
+    ParseNode *firstArg = CallArgList(callNode);
+    MDefinition *firstDef;
+    Type firstType;
+    if (!CheckExpr(f, firstArg, &firstDef, &firstType))
+        return false;
+
+    bool opIsDouble = firstType.isMaybeDouble();
+    bool opIsInteger = firstType.isInt();
+    MIRType opType = firstType.toMIRType();
+
+    if (!opIsDouble && !opIsInteger)
+        return f.failf(firstArg, "%s is not a subtype of double? or int", firstType.toChars());
+
+    MDefinition *lastDef = firstDef;
+    ParseNode *nextArg = NextNode(firstArg);
+    for (unsigned i = 1; i < CallArgListLength(callNode); i++, nextArg = NextNode(nextArg)) {
+        MDefinition *nextDef;
+        Type nextType;
+        if (!CheckExpr(f, nextArg, &nextDef, &nextType))
+            return false;
+
+        if (opIsDouble && !nextType.isMaybeDouble())
+            return f.failf(nextArg, "%s is not a subtype of double?", nextType.toChars());
+        if (opIsInteger && !nextType.isInt())
+            return f.failf(nextArg, "%s is not a subtype of int", nextType.toChars());
+
+        lastDef = f.minMax(lastDef, nextDef, opType, isMax);
+    }
+
+    if (opIsDouble && retType != RetType::Double)
+        return f.failf(callNode, "return type is double, used as %s", retType.toType().toChars());
+    if (opIsInteger && retType != RetType::Signed)
+        return f.failf(callNode, "return type is int, used as %s", retType.toType().toChars());
+
+    *type = opIsDouble ? Type::Double : Type::Signed;
+    *def = lastDef;
+    return true;
+}
+
+typedef bool (*CheckArgType)(FunctionCompiler &f, ParseNode *argNode, Type type);
+
+static bool
+CheckCallArgs(FunctionCompiler &f, ParseNode *callNode, CheckArgType checkArg,
+              FunctionCompiler::Call *call)
+{
+    f.startCallArgs(call);
+
+    ParseNode *argNode = CallArgList(callNode);
+    for (unsigned i = 0; i < CallArgListLength(callNode); i++, argNode = NextNode(argNode)) {
+        MDefinition *def;
+        Type type;
+        if (!CheckExpr(f, argNode, &def, &type))
+            return false;
+
+        if (!checkArg(f, argNode, type))
+            return false;
+
+        if (!f.passArg(def, VarType::FromCheckedType(type), call))
+            return false;
+    }
+
+    f.finishCallArgs(call);
+    return true;
+}
+
+static bool
+CheckSignatureAgainstExisting(ModuleCompiler &m, ParseNode *usepn, const Signature &sig,
+                              const Signature &existing)
+{
+    if (sig.args().length() != existing.args().length()) {
+        return m.failf(usepn, "incompatible number of arguments (%u here vs. %u before)",
+                       sig.args().length(), existing.args().length());
+    }
+
+    for (unsigned i = 0; i < sig.args().length(); i++) {
+        if (sig.arg(i) != existing.arg(i)) {
+            return m.failf(usepn, "incompatible type for argument %u: (%s here vs. %s before)",
+                           i, sig.arg(i).toType().toChars(), existing.arg(i).toType().toChars());
+        }
+    }
+
+    if (sig.retType() != existing.retType()) {
+        return m.failf(usepn, "%s incompatible with previous return of type %s",
+                       sig.retType().toType().toChars(), existing.retType().toType().toChars());
+    }
+
+    JS_ASSERT(sig == existing);
+    return true;
+}
+
+static bool
+CheckFunctionSignature(ModuleCompiler &m, ParseNode *usepn, Signature &&sig, PropertyName *name,
+                       ModuleCompiler::Func **func)
+{
+    ModuleCompiler::Func *existing = m.lookupFunction(name);
+    if (!existing) {
+        if (!CheckModuleLevelName(m, usepn, name))
+            return false;
+        return m.addFunction(name, Move(sig), func);
+    }
+
+    if (!CheckSignatureAgainstExisting(m, usepn, sig, existing->sig()))
+        return false;
+
+    *func = existing;
+    return true;
+}
+
+static bool
+CheckIsVarType(FunctionCompiler &f, ParseNode *argNode, Type type)
+{
+    if (!type.isVarType())
+        return f.failf(argNode, "%s is not a subtype of int, float or double", type.toChars());
+    return true;
+}
+
+static bool
+CheckInternalCall(FunctionCompiler &f, ParseNode *callNode, PropertyName *calleeName,
+                  RetType retType, MDefinition **def, Type *type)
+{
+    FunctionCompiler::Call call(f, callNode, retType);
+
+    if (!CheckCallArgs(f, callNode, CheckIsVarType, &call))
+        return false;
+
+    ModuleCompiler::Func *callee;
+    if (!CheckFunctionSignature(f.m(), callNode, Move(call.sig()), calleeName, &callee))
+        return false;
+
+    if (!f.internalCall(*callee, call, def))
+        return false;
+
+    *type = retType.toType();
+    return true;
+}
+
+static bool
+CheckFuncPtrTableAgainstExisting(ModuleCompiler &m, ParseNode *usepn,
+                                 PropertyName *name, Signature &&sig, unsigned mask,
+                                 ModuleCompiler::FuncPtrTable **tableOut)
+{
+    if (const ModuleCompiler::Global *existing = m.lookupGlobal(name)) {
+        if (existing->which() != ModuleCompiler::Global::FuncPtrTable)
+            return m.failName(usepn, "'%s' is not a function-pointer table", name);
+
+        ModuleCompiler::FuncPtrTable &table = m.funcPtrTable(existing->funcPtrTableIndex());
+        if (mask != table.mask())
+            return m.failf(usepn, "mask does not match previous value (%u)", table.mask());
+
+        if (!CheckSignatureAgainstExisting(m, usepn, sig, table.sig()))
+            return false;
+
+        *tableOut = &table;
+        return true;
+    }
+
+    if (!CheckModuleLevelName(m, usepn, name))
+        return false;
+
+    return m.addFuncPtrTable(name, Move(sig), mask, tableOut);
+}
+
+static bool
+CheckFuncPtrCall(FunctionCompiler &f, ParseNode *callNode, RetType retType, MDefinition **def, Type *type)
+{
+    ParseNode *callee = CallCallee(callNode);
+    ParseNode *tableNode = ElemBase(callee);
+    ParseNode *indexExpr = ElemIndex(callee);
+
+    if (!tableNode->isKind(PNK_NAME))
+        return f.fail(tableNode, "expecting name of function-pointer array");
+
+    PropertyName *name = tableNode->name();
+    if (const ModuleCompiler::Global *existing = f.lookupGlobal(name)) {
+        if (existing->which() != ModuleCompiler::Global::FuncPtrTable)
+            return f.failName(tableNode, "'%s' is not the name of a function-pointer array", name);
+    }
+
+    if (!indexExpr->isKind(PNK_BITAND))
+        return f.fail(indexExpr, "function-pointer table index expression needs & mask");
+
+    ParseNode *indexNode = BinaryLeft(indexExpr);
+    ParseNode *maskNode = BinaryRight(indexExpr);
+
+    uint32_t mask;
+    if (!IsLiteralInt(f.m(), maskNode, &mask) || mask == UINT32_MAX || !IsPowerOfTwo(mask + 1))
+        return f.fail(maskNode, "function-pointer table index mask value must be a power of two");
+
+    MDefinition *indexDef;
+    Type indexType;
+    if (!CheckExpr(f, indexNode, &indexDef, &indexType))
+        return false;
+
+    if (!indexType.isIntish())
+        return f.failf(indexNode, "%s is not a subtype of intish", indexType.toChars());
+
+    FunctionCompiler::Call call(f, callNode, retType);
+
+    if (!CheckCallArgs(f, callNode, CheckIsVarType, &call))
+        return false;
+
+    ModuleCompiler::FuncPtrTable *table;
+    if (!CheckFuncPtrTableAgainstExisting(f.m(), tableNode, name, Move(call.sig()), mask, &table))
+        return false;
+
+    if (!f.funcPtrCall(*table, indexDef, call, def))
+        return false;
+
+    *type = retType.toType();
+    return true;
+}
+
+static bool
+CheckIsExternType(FunctionCompiler &f, ParseNode *argNode, Type type)
+{
+    if (!type.isExtern())
+        return f.failf(argNode, "%s is not a subtype of extern", type.toChars());
+    return true;
+}
+
+static bool
+CheckFFICall(FunctionCompiler &f, ParseNode *callNode, unsigned ffiIndex, RetType retType,
+             MDefinition **def, Type *type)
+{
+    PropertyName *calleeName = CallCallee(callNode)->name();
+
+    if (retType == RetType::Float)
+        return f.fail(callNode, "FFI calls can't return float");
+
+    FunctionCompiler::Call call(f, callNode, retType);
+    if (!CheckCallArgs(f, callNode, CheckIsExternType, &call))
+        return false;
+
+    unsigned exitIndex;
+    if (!f.m().addExit(ffiIndex, calleeName, Move(call.sig()), &exitIndex))
+        return false;
+
+    if (!f.ffiCall(exitIndex, call, retType.toMIRType(), def))
+        return false;
+
+    *type = retType.toType();
+    return true;
+}
+
+static bool CheckCall(FunctionCompiler &f, ParseNode *call, RetType retType, MDefinition **def, Type *type);
+
+static bool
+CheckFRoundArg(FunctionCompiler &f, ParseNode *arg, MDefinition **def, Type *type)
+{
+    if (arg->isKind(PNK_CALL))
+        return CheckCall(f, arg, RetType::Float, def, type);
+
+    MDefinition *inputDef;
+    Type inputType;
+    if (!CheckExpr(f, arg, &inputDef, &inputType))
+        return false;
+
+    if (inputType.isMaybeDouble() || inputType.isSigned())
+        *def = f.unary<MToFloat32>(inputDef);
+    else if (inputType.isUnsigned())
+        *def = f.unary<MAsmJSUnsignedToFloat32>(inputDef);
+    else if (inputType.isFloatish())
+        *def = inputDef;
+    else
+        return f.failf(arg, "%s is not a subtype of signed, unsigned, double? or floatish", inputType.toChars());
+
+    *type = Type::Float;
+    return true;
+}
+
+static bool
+CheckMathFRound(FunctionCompiler &f, ParseNode *callNode, RetType retType, MDefinition **def, Type *type)
+{
+    ParseNode *argNode = nullptr;
+    if (!IsFloatCoercion(f.m(), callNode, &argNode))
+        return f.fail(callNode, "invalid call to fround");
+
+    MDefinition *operand;
+    Type operandType;
+    if (!CheckFRoundArg(f, argNode, &operand, &operandType))
+        return false;
+
+    JS_ASSERT(operandType == Type::Float);
+
+    switch (retType.which()) {
+      case RetType::Double:
+        *def = f.unary<MToDouble>(operand);
+        *type = Type::Double;
+        return true;
+      case RetType::Signed:
+        *def = f.unary<MTruncateToInt32>(operand);
+        *type = Type::Signed;
+        return true;
+      case RetType::Float:
+        *def = operand;
+        *type = Type::Float;
+        return true;
+      case RetType::Void:
+        // definition and return types should be ignored by the caller
+        return true;
+    }
+
+    MOZ_ASSUME_UNREACHABLE("return value of fround is ignored");
+}
+
+static bool
+CheckIsMaybeDouble(FunctionCompiler &f, ParseNode *argNode, Type type)
+{
+    if (!type.isMaybeDouble())
+        return f.failf(argNode, "%s is not a subtype of double?", type.toChars());
+    return true;
+}
+
+static bool
+CheckIsMaybeFloat(FunctionCompiler &f, ParseNode *argNode, Type type)
+{
+    if (!type.isMaybeFloat())
+        return f.failf(argNode, "%s is not a subtype of float?", type.toChars());
+    return true;
+}
+
+static bool
+CheckMathBuiltinCall(FunctionCompiler &f, ParseNode *callNode, AsmJSMathBuiltinFunction func,
+                     RetType retType, MDefinition **def, Type *type)
+{
+    unsigned arity = 0;
+    AsmJSImmKind doubleCallee, floatCallee;
+    switch (func) {
+      case AsmJSMathBuiltin_imul:   return CheckMathIMul(f, callNode, retType, def, type);
+      case AsmJSMathBuiltin_abs:    return CheckMathAbs(f, callNode, retType, def, type);
+      case AsmJSMathBuiltin_sqrt:   return CheckMathSqrt(f, callNode, retType, def, type);
+      case AsmJSMathBuiltin_fround: return CheckMathFRound(f, callNode, retType, def, type);
+      case AsmJSMathBuiltin_min:    return CheckMathMinMax(f, callNode, retType, def, type, /* isMax = */ false);
+      case AsmJSMathBuiltin_max:    return CheckMathMinMax(f, callNode, retType, def, type, /* isMax = */ true);
+      case AsmJSMathBuiltin_ceil:   arity = 1; doubleCallee = AsmJSImm_CeilD;  floatCallee = AsmJSImm_CeilF;   break;
+      case AsmJSMathBuiltin_floor:  arity = 1; doubleCallee = AsmJSImm_FloorD; floatCallee = AsmJSImm_FloorF;  break;
+      case AsmJSMathBuiltin_sin:    arity = 1; doubleCallee = AsmJSImm_SinD;   floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_cos:    arity = 1; doubleCallee = AsmJSImm_CosD;   floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_tan:    arity = 1; doubleCallee = AsmJSImm_TanD;   floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_asin:   arity = 1; doubleCallee = AsmJSImm_ASinD;  floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_acos:   arity = 1; doubleCallee = AsmJSImm_ACosD;  floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_atan:   arity = 1; doubleCallee = AsmJSImm_ATanD;  floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_exp:    arity = 1; doubleCallee = AsmJSImm_ExpD;   floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_log:    arity = 1; doubleCallee = AsmJSImm_LogD;   floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_pow:    arity = 2; doubleCallee = AsmJSImm_PowD;   floatCallee = AsmJSImm_Invalid; break;
+      case AsmJSMathBuiltin_atan2:  arity = 2; doubleCallee = AsmJSImm_ATan2D; floatCallee = AsmJSImm_Invalid; break;
+      default: MOZ_ASSUME_UNREACHABLE("unexpected mathBuiltin function");
+    }
+
+    if (retType == RetType::Float && floatCallee == AsmJSImm_Invalid)
+        return f.fail(callNode, "math builtin cannot be used as float");
+    if (retType != RetType::Double && retType != RetType::Float)
+        return f.failf(callNode, "return type of math function is double or float, used as %s", retType.toType().toChars());
+
+    FunctionCompiler::Call call(f, callNode, retType);
+    if (retType == RetType::Float && !CheckCallArgs(f, callNode, CheckIsMaybeFloat, &call))
+        return false;
+    if (retType == RetType::Double && !CheckCallArgs(f, callNode, CheckIsMaybeDouble, &call))
+        return false;
+
+    if (call.sig().args().length() != arity)
+        return f.failf(callNode, "call passed %u arguments, expected %u", call.sig().args().length(), arity);
+
+    if (retType == RetType::Float && !f.builtinCall(floatCallee, call, retType.toMIRType(), def))
+        return false;
+    if (retType == RetType::Double && !f.builtinCall(doubleCallee, call, retType.toMIRType(), def))
+        return false;
+
+    *type = retType.toType();
+    return true;
+}
+
+static bool
+CheckCall(FunctionCompiler &f, ParseNode *call, RetType retType, MDefinition **def, Type *type)
+{
+    JS_CHECK_RECURSION_DONT_REPORT(f.cx(), return f.m().failOverRecursed());
+
+    ParseNode *callee = CallCallee(call);
+
+    if (callee->isKind(PNK_ELEM))
+        return CheckFuncPtrCall(f, call, retType, def, type);
+
+    if (!callee->isKind(PNK_NAME))
+        return f.fail(callee, "unexpected callee expression type");
+
+    PropertyName *calleeName = callee->name();
+
+    if (const ModuleCompiler::Global *global = f.lookupGlobal(calleeName)) {
+        switch (global->which()) {
+          case ModuleCompiler::Global::FFI:
+            return CheckFFICall(f, call, global->ffiIndex(), retType, def, type);
+          case ModuleCompiler::Global::MathBuiltinFunction:
+            return CheckMathBuiltinCall(f, call, global->mathBuiltinFunction(), retType, def, type);
+          case ModuleCompiler::Global::ConstantLiteral:
+          case ModuleCompiler::Global::ConstantImport:
+          case ModuleCompiler::Global::Variable:
+          case ModuleCompiler::Global::FuncPtrTable:
+          case ModuleCompiler::Global::ArrayView:
+            return f.failName(callee, "'%s' is not callable function", callee->name());
+          case ModuleCompiler::Global::Function:
+            break;
+        }
+    }
+
+    return CheckInternalCall(f, call, calleeName, retType, def, type);
+}
+
+static bool
+CheckPos(FunctionCompiler &f, ParseNode *pos, MDefinition **def, Type *type)
+{
+    JS_ASSERT(pos->isKind(PNK_POS));
+    ParseNode *operand = UnaryKid(pos);
+
+    if (operand->isKind(PNK_CALL))
+        return CheckCall(f, operand, RetType::Double, def, type);
+
+    MDefinition *operandDef;
+    Type operandType;
+    if (!CheckExpr(f, operand, &operandDef, &operandType))
+        return false;
+
+    if (operandType.isMaybeFloat() || operandType.isSigned())
+        *def = f.unary<MToDouble>(operandDef);
+    else if (operandType.isUnsigned())
+        *def = f.unary<MAsmJSUnsignedToDouble>(operandDef);
+    else if (operandType.isMaybeDouble())
+        *def = operandDef;
+    else
+        return f.failf(operand, "%s is not a subtype of signed, unsigned, float or double?", operandType.toChars());
+
+    *type = Type::Double;
+    return true;
+}
+
+static bool
+CheckNot(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type)
+{
+    JS_ASSERT(expr->isKind(PNK_NOT));
+    ParseNode *operand = UnaryKid(expr);
+
+    MDefinition *operandDef;
+    Type operandType;
+    if (!CheckExpr(f, operand, &operandDef, &operandType))
+        return false;
+
+    if (!operandType.isInt())
+        return f.failf(operand, "%s is not a subtype of int", operandType.toChars());
+
+    *def = f.unary<MNot>(operandDef);
+    *type = Type::Int;
+    return true;
+}
+
+static bool
+CheckNeg(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type)
+{
+    JS_ASSERT(expr->isKind(PNK_NEG));
+    ParseNode *operand = UnaryKid(expr);
+
+    MDefinition *operandDef;
+    Type operandType;
+    if (!CheckExpr(f, operand, &operandDef, &operandType))
+        return false;
+
+    if (operandType.isInt()) {
+        *def = f.unary<MAsmJSNeg>(operandDef, MIRType_Int32);
+        *type = Type::Intish;
+        return true;
+    }
+
+    if (operandType.isMaybeDouble()) {
+        *def = f.unary<MAsmJSNeg>(operandDef, MIRType_Double);
+        *type = Type::Double;
+        return true;
+    }
+
+    if (operandType.isMaybeFloat()) {
+        *def = f.unary<MAsmJSNeg>(operandDef, MIRType_Float32);
+        *type = Type::Floatish;
+        return true;
+    }
+
+    return f.failf(operand, "%s is not a subtype of int, float? or double?", operandType.toChars());
+}
+
+static bool
+CheckCoerceToInt(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type)
+{
+    JS_ASSERT(expr->isKind(PNK_BITNOT));
+    ParseNode *operand = UnaryKid(expr);
+
+    MDefinition *operandDef;
+    Type operandType;
+    if (!CheckExpr(f, operand, &operandDef, &operandType))
+        return false;
+
+    if (operandType.isMaybeDouble() || operandType.isMaybeFloat()) {
+        *def = f.unary<MTruncateToInt32>(operandDef);
+        *type = Type::Signed;
+        return true;
+    }
+
+    if (!operandType.isIntish())
+        return f.failf(operand, "%s is not a subtype of double?, float? or intish", operandType.toChars());
+
+    *def = operandDef;
+    *type = Type::Signed;
+    return true;
+}
+
+static bool
+CheckBitNot(FunctionCompiler &f, ParseNode *neg, MDefinition **def, Type *type)
+{
+    JS_ASSERT(neg->isKind(PNK_BITNOT));
+    ParseNode *operand = UnaryKid(neg);
+
+    if (operand->isKind(PNK_BITNOT))
+        return CheckCoerceToInt(f, operand, def, type);
+
+    MDefinition *operandDef;
+    Type operandType;
+    if (!CheckExpr(f, operand, &operandDef, &operandType))
+        return false;
+
+    if (!operandType.isIntish())
+        return f.failf(operand, "%s is not a subtype of intish", operandType.toChars());
+
+    *def = f.bitwise<MBitNot>(operandDef);
+    *type = Type::Signed;
+    return true;
+}
+
+static bool
+CheckComma(FunctionCompiler &f, ParseNode *comma, MDefinition **def, Type *type)
+{
+    JS_ASSERT(comma->isKind(PNK_COMMA));
+    ParseNode *operands = ListHead(comma);
+
+    ParseNode *pn = operands;
+    for (; NextNode(pn); pn = NextNode(pn)) {
+        MDefinition *_1;
+        Type _2;
+        if (pn->isKind(PNK_CALL)) {
+            if (!CheckCall(f, pn, RetType::Void, &_1, &_2))
+                return false;
+        } else {
+            if (!CheckExpr(f, pn, &_1, &_2))
+                return false;
+        }
+    }
+
+    if (!CheckExpr(f, pn, def, type))
+        return false;
+
+    return true;
+}
+
+static bool
+CheckConditional(FunctionCompiler &f, ParseNode *ternary, MDefinition **def, Type *type)
+{
+    JS_ASSERT(ternary->isKind(PNK_CONDITIONAL));
+    ParseNode *cond = TernaryKid1(ternary);
+    ParseNode *thenExpr = TernaryKid2(ternary);
+    ParseNode *elseExpr = TernaryKid3(ternary);
+
+    MDefinition *condDef;
+    Type condType;
+    if (!CheckExpr(f, cond, &condDef, &condType))
+        return false;
+
+    if (!condType.isInt())
+        return f.failf(cond, "%s is not a subtype of int", condType.toChars());
+
+    MBasicBlock *thenBlock = nullptr, *elseBlock = nullptr;
+    if (!f.branchAndStartThen(condDef, &thenBlock, &elseBlock, thenExpr, elseExpr))
+        return false;
+
+    MDefinition *thenDef;
+    Type thenType;
+    if (!CheckExpr(f, thenExpr, &thenDef, &thenType))
+        return false;
+
+    BlockVector thenBlocks(f.cx());
+    if (!f.appendThenBlock(&thenBlocks))
+        return false;
+
+    f.pushPhiInput(thenDef);
+    f.switchToElse(elseBlock);
+
+    MDefinition *elseDef;
+    Type elseType;
+    if (!CheckExpr(f, elseExpr, &elseDef, &elseType))
+        return false;
+
+    f.pushPhiInput(elseDef);
+
+    if (thenType.isInt() && elseType.isInt()) {
+        *type = Type::Int;
+    } else if (thenType.isDouble() && elseType.isDouble()) {
+        *type = Type::Double;
+    } else if (thenType.isFloat() && elseType.isFloat()) {
+        *type = Type::Float;
+    } else {
+        return f.failf(ternary, "then/else branches of conditional must both produce int or double, "
+                       "current types are %s and %s", thenType.toChars(), elseType.toChars());
+    }
+
+    if (!f.joinIfElse(thenBlocks, elseExpr))
+        return false;
+
+    *def = f.popPhiOutput();
+    return true;
+}
+
+static bool
+IsValidIntMultiplyConstant(ModuleCompiler &m, ParseNode *expr)
+{
+    if (!IsNumericLiteral(m, expr))
+        return false;
+
+    NumLit literal = ExtractNumericLiteral(m, expr);
+    switch (literal.which()) {
+      case NumLit::Fixnum:
+      case NumLit::NegativeInt:
+        if (abs(literal.toInt32()) < (1<<20))
+            return true;
+        return false;
+      case NumLit::BigUnsigned:
+      case NumLit::Double:
+      case NumLit::Float:
+      case NumLit::OutOfRangeInt:
+        return false;
+    }
+
+    MOZ_ASSUME_UNREACHABLE("Bad literal");
+}
+
+static bool
+CheckMultiply(FunctionCompiler &f, ParseNode *star, MDefinition **def, Type *type)
+{
+    JS_ASSERT(star->isKind(PNK_STAR));
+    ParseNode *lhs = BinaryLeft(star);
+    ParseNode *rhs = BinaryRight(star);
+
+    MDefinition *lhsDef;
+    Type lhsType;
+    if (!CheckExpr(f, lhs, &lhsDef, &lhsType))
+        return false;
+
+    MDefinition *rhsDef;
+    Type rhsType;
+    if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+        return false;
+
+    if (lhsType.isInt() && rhsType.isInt()) {
+        if (!IsValidIntMultiplyConstant(f.m(), lhs) && !IsValidIntMultiplyConstant(f.m(), rhs))
+            return f.fail(star, "one arg to int multiply must be a small (-2^20, 2^20) int literal");
+        *def = f.mul(lhsDef, rhsDef, MIRType_Int32, MMul::Integer);
+        *type = Type::Intish;
+        return true;
+    }
+
+    if (lhsType.isMaybeDouble() && rhsType.isMaybeDouble()) {
+        *def = f.mul(lhsDef, rhsDef, MIRType_Double, MMul::Normal);
+        *type = Type::Double;
+        return true;
+    }
+
+    if (lhsType.isMaybeFloat() && rhsType.isMaybeFloat()) {
+        *def = f.mul(lhsDef, rhsDef, MIRType_Float32, MMul::Normal);
+        *type = Type::Floatish;
+        return true;
+    }
+
+    return f.fail(star, "multiply operands must be both int, both double? or both float?");
+}
+
+static bool
+CheckAddOrSub(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type,
+              unsigned *numAddOrSubOut = nullptr)
+{
+    JS_CHECK_RECURSION_DONT_REPORT(f.cx(), return f.m().failOverRecursed());
+
+    JS_ASSERT(expr->isKind(PNK_ADD) || expr->isKind(PNK_SUB));
+    ParseNode *lhs = BinaryLeft(expr);
+    ParseNode *rhs = BinaryRight(expr);
+
+    MDefinition *lhsDef, *rhsDef;
+    Type lhsType, rhsType;
+    unsigned lhsNumAddOrSub, rhsNumAddOrSub;
+
+    if (lhs->isKind(PNK_ADD) || lhs->isKind(PNK_SUB)) {
+        if (!CheckAddOrSub(f, lhs, &lhsDef, &lhsType, &lhsNumAddOrSub))
+            return false;
+        if (lhsType == Type::Intish)
+            lhsType = Type::Int;
+    } else {
+        if (!CheckExpr(f, lhs, &lhsDef, &lhsType))
+            return false;
+        lhsNumAddOrSub = 0;
+    }
+
+    if (rhs->isKind(PNK_ADD) || rhs->isKind(PNK_SUB)) {
+        if (!CheckAddOrSub(f, rhs, &rhsDef, &rhsType, &rhsNumAddOrSub))
+            return false;
+        if (rhsType == Type::Intish)
+            rhsType = Type::Int;
+    } else {
+        if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+            return false;
+        rhsNumAddOrSub = 0;
+    }
+
+    unsigned numAddOrSub = lhsNumAddOrSub + rhsNumAddOrSub + 1;
+    if (numAddOrSub > (1<<20))
+        return f.fail(expr, "too many + or - without intervening coercion");
+
+    if (lhsType.isInt() && rhsType.isInt()) {
+        *def = expr->isKind(PNK_ADD)
+               ? f.binary<MAdd>(lhsDef, rhsDef, MIRType_Int32)
+               : f.binary<MSub>(lhsDef, rhsDef, MIRType_Int32);
+        *type = Type::Intish;
+    } else if (lhsType.isMaybeDouble() && rhsType.isMaybeDouble()) {
+        *def = expr->isKind(PNK_ADD)
+               ? f.binary<MAdd>(lhsDef, rhsDef, MIRType_Double)
+               : f.binary<MSub>(lhsDef, rhsDef, MIRType_Double);
+        *type = Type::Double;
+    } else if (lhsType.isMaybeFloat() && rhsType.isMaybeFloat()) {
+        *def = expr->isKind(PNK_ADD)
+               ? f.binary<MAdd>(lhsDef, rhsDef, MIRType_Float32)
+               : f.binary<MSub>(lhsDef, rhsDef, MIRType_Float32);
+        *type = Type::Floatish;
+    } else {
+        return f.failf(expr, "operands to + or - must both be int, float? or double?, got %s and %s",
+                       lhsType.toChars(), rhsType.toChars());
+    }
+
+    if (numAddOrSubOut)
+        *numAddOrSubOut = numAddOrSub;
+    return true;
+}
+
+static bool
+CheckDivOrMod(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type)
+{
+    JS_ASSERT(expr->isKind(PNK_DIV) || expr->isKind(PNK_MOD));
+    ParseNode *lhs = BinaryLeft(expr);
+    ParseNode *rhs = BinaryRight(expr);
+
+    MDefinition *lhsDef, *rhsDef;
+    Type lhsType, rhsType;
+    if (!CheckExpr(f, lhs, &lhsDef, &lhsType))
+        return false;
+    if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+        return false;
+
+    if (lhsType.isMaybeDouble() && rhsType.isMaybeDouble()) {
+        *def = expr->isKind(PNK_DIV)
+               ? f.div(lhsDef, rhsDef, MIRType_Double, /* unsignd = */ false)
+               : f.mod(lhsDef, rhsDef, MIRType_Double, /* unsignd = */ false);
+        *type = Type::Double;
+        return true;
+    }
+
+    if (lhsType.isMaybeFloat() && rhsType.isMaybeFloat()) {
+        if (expr->isKind(PNK_DIV))
+            *def = f.div(lhsDef, rhsDef, MIRType_Float32, /* unsignd = */ false);
+        else
+            return f.fail(expr, "modulo cannot receive float arguments");
+        *type = Type::Floatish;
+        return true;
+    }
+
+    if (lhsType.isSigned() && rhsType.isSigned()) {
+        if (expr->isKind(PNK_DIV))
+            *def = f.div(lhsDef, rhsDef, MIRType_Int32, /* unsignd = */ false);
+        else
+            *def = f.mod(lhsDef, rhsDef, MIRType_Int32, /* unsignd = */ false);
+        *type = Type::Intish;
+        return true;
+    }
+
+    if (lhsType.isUnsigned() && rhsType.isUnsigned()) {
+        if (expr->isKind(PNK_DIV))
+            *def = f.div(lhsDef, rhsDef, MIRType_Int32, /* unsignd = */ true);
+        else
+            *def = f.mod(lhsDef, rhsDef, MIRType_Int32, /* unsignd = */ true);
+        *type = Type::Intish;
+        return true;
+    }
+
+    return f.failf(expr, "arguments to / or %% must both be double?, float?, signed, or unsigned; "
+                   "%s and %s are given", lhsType.toChars(), rhsType.toChars());
+}
+
+static bool
+CheckComparison(FunctionCompiler &f, ParseNode *comp, MDefinition **def, Type *type)
+{
+    JS_ASSERT(comp->isKind(PNK_LT) || comp->isKind(PNK_LE) || comp->isKind(PNK_GT) ||
+              comp->isKind(PNK_GE) || comp->isKind(PNK_EQ) || comp->isKind(PNK_NE));
+    ParseNode *lhs = BinaryLeft(comp);
+    ParseNode *rhs = BinaryRight(comp);
+
+    MDefinition *lhsDef, *rhsDef;
+    Type lhsType, rhsType;
+    if (!CheckExpr(f, lhs, &lhsDef, &lhsType))
+        return false;
+    if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+        return false;
+
+    if ((lhsType.isSigned() && rhsType.isSigned()) || (lhsType.isUnsigned() && rhsType.isUnsigned())) {
+        MCompare::CompareType compareType = (lhsType.isUnsigned() && rhsType.isUnsigned())
+                                            ? MCompare::Compare_UInt32
+                                            : MCompare::Compare_Int32;
+        *def = f.compare(lhsDef, rhsDef, comp->getOp(), compareType);
+        *type = Type::Int;
+        return true;
+    }
+
+    if (lhsType.isDouble() && rhsType.isDouble()) {
+        *def = f.compare(lhsDef, rhsDef, comp->getOp(), MCompare::Compare_Double);
+        *type = Type::Int;
+        return true;
+    }
+
+    if (lhsType.isFloat() && rhsType.isFloat()) {
+        *def = f.compare(lhsDef, rhsDef, comp->getOp(), MCompare::Compare_Float32);
+        *type = Type::Int;
+        return true;
+    }
+
+    return f.failf(comp, "arguments to a comparison must both be signed, unsigned, floats or doubles; "
+                   "%s and %s are given", lhsType.toChars(), rhsType.toChars());
+}
+
+static bool
+CheckBitwise(FunctionCompiler &f, ParseNode *bitwise, MDefinition **def, Type *type)
+{
+    ParseNode *lhs = BinaryLeft(bitwise);
+    ParseNode *rhs = BinaryRight(bitwise);
+
+    int32_t identityElement;
+    bool onlyOnRight;
+    switch (bitwise->getKind()) {
+      case PNK_BITOR:  identityElement = 0;  onlyOnRight = false; *type = Type::Signed;   break;
+      case PNK_BITAND: identityElement = -1; onlyOnRight = false; *type = Type::Signed;   break;
+      case PNK_BITXOR: identityElement = 0;  onlyOnRight = false; *type = Type::Signed;   break;
+      case PNK_LSH:    identityElement = 0;  onlyOnRight = true;  *type = Type::Signed;   break;
+      case PNK_RSH:    identityElement = 0;  onlyOnRight = true;  *type = Type::Signed;   break;
+      case PNK_URSH:   identityElement = 0;  onlyOnRight = true;  *type = Type::Unsigned; break;
+      default: MOZ_ASSUME_UNREACHABLE("not a bitwise op");
+    }
+
+    uint32_t i;
+    if (!onlyOnRight && IsLiteralInt(f.m(), lhs, &i) && i == uint32_t(identityElement)) {
+        Type rhsType;
+        if (!CheckExpr(f, rhs, def, &rhsType))
+            return false;
+        if (!rhsType.isIntish())
+            return f.failf(bitwise, "%s is not a subtype of intish", rhsType.toChars());
+        return true;
+    }
+
+    if (IsLiteralInt(f.m(), rhs, &i) && i == uint32_t(identityElement)) {
+        if (bitwise->isKind(PNK_BITOR) && lhs->isKind(PNK_CALL))
+            return CheckCall(f, lhs, RetType::Signed, def, type);
+
+        Type lhsType;
+        if (!CheckExpr(f, lhs, def, &lhsType))
+            return false;
+        if (!lhsType.isIntish())
+            return f.failf(bitwise, "%s is not a subtype of intish", lhsType.toChars());
+        return true;
+    }
+
+    MDefinition *lhsDef;
+    Type lhsType;
+    if (!CheckExpr(f, lhs, &lhsDef, &lhsType))
+        return false;
+
+    MDefinition *rhsDef;
+    Type rhsType;
+    if (!CheckExpr(f, rhs, &rhsDef, &rhsType))
+        return false;
+
+    if (!lhsType.isIntish())
+        return f.failf(lhs, "%s is not a subtype of intish", lhsType.toChars());
+    if (!rhsType.isIntish())
+        return f.failf(rhs, "%s is not a subtype of intish", rhsType.toChars());
+
+    switch (bitwise->getKind()) {
+      case PNK_BITOR:  *def = f.bitwise<MBitOr>(lhsDef, rhsDef); break;
+      case PNK_BITAND: *def = f.bitwise<MBitAnd>(lhsDef, rhsDef); break;
+      case PNK_BITXOR: *def = f.bitwise<MBitXor>(lhsDef, rhsDef); break;
+      case PNK_LSH:    *def = f.bitwise<MLsh>(lhsDef, rhsDef); break;
+      case PNK_RSH:    *def = f.bitwise<MRsh>(lhsDef, rhsDef); break;
+      case PNK_URSH:   *def = f.bitwise<MUrsh>(lhsDef, rhsDef); break;
+      default: MOZ_ASSUME_UNREACHABLE("not a bitwise op");
+    }
+
+    return true;
+}
+
+static bool
+CheckUncoercedCall(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type)
+{
+    JS_ASSERT(expr->isKind(PNK_CALL));
+
+    ParseNode *arg;
+    if (!IsFloatCoercion(f.m(), expr, &arg)) {
+        return f.fail(expr, "all function calls must either be ignored (via f(); or "
+                            "comma-expression), coerced to signed (via f()|0), coerced to float "
+                            "(via fround(f())) or coerced to double (via +f())");
+    }
+
+    return CheckFRoundArg(f, arg, def, type);
+}
+
+static bool
+CheckExpr(FunctionCompiler &f, ParseNode *expr, MDefinition **def, Type *type)
+{
+    JS_CHECK_RECURSION_DONT_REPORT(f.cx(), return f.m().failOverRecursed());
+
+    if (!f.mirGen().ensureBallast())
+        return false;
+
+    if (IsNumericLiteral(f.m(), expr))
+        return CheckNumericLiteral(f, expr, def, type);
+
+    switch (expr->getKind()) {
+      case PNK_NAME:        return CheckVarRef(f, expr, def, type);
+      case PNK_ELEM:        return CheckLoadArray(f, expr, def, type);
+      case PNK_ASSIGN:      return CheckAssign(f, expr, def, type);
+      case PNK_POS:         return CheckPos(f, expr, def, type);
+      case PNK_NOT:         return CheckNot(f, expr, def, type);
+      case PNK_NEG:         return CheckNeg(f, expr, def, type);
+      case PNK_BITNOT:      return CheckBitNot(f, expr, def, type);
+      case PNK_COMMA:       return CheckComma(f, expr, def, type);
+      case PNK_CONDITIONAL: return CheckConditional(f, expr, def, type);
+      case PNK_STAR:        return CheckMultiply(f, expr, def, type);
+      case PNK_CALL:        return CheckUncoercedCall(f, expr, def, type);
+
+      case PNK_ADD:
+      case PNK_SUB:         return CheckAddOrSub(f, expr, def, type);
+
+      case PNK_DIV:
+      case PNK_MOD:         return CheckDivOrMod(f, expr, def, type);
+
+      case PNK_LT:
+      case PNK_LE:
+      case PNK_GT:
+      case PNK_GE:
+      case PNK_EQ:
+      case PNK_NE:          return CheckComparison(f, expr, def, type);
+
+      case PNK_BITOR:
+      case PNK_BITAND:
+      case PNK_BITXOR:
+      case PNK_LSH:
+      case PNK_RSH:
+      case PNK_URSH:        return CheckBitwise(f, expr, def, type);
+
+      default:;
+    }
+
+    return f.fail(expr, "unsupported expression");
+}
+
+static bool
+CheckStatement(FunctionCompiler &f, ParseNode *stmt, LabelVector *maybeLabels = nullptr);
+
+static bool
+CheckExprStatement(FunctionCompiler &f, ParseNode *exprStmt)
+{
+    JS_ASSERT(exprStmt->isKind(PNK_SEMI));
+    ParseNode *expr = UnaryKid(exprStmt);
+
+    if (!expr)
+        return true;
+
+    MDefinition *_1;
+    Type _2;
+
+    if (expr->isKind(PNK_CALL))
+        return CheckCall(f, expr, RetType::Void, &_1, &_2);
+
+    return CheckExpr(f, UnaryKid(exprStmt), &_1, &_2);
+}
+
+static bool
+CheckWhile(FunctionCompiler &f, ParseNode *whileStmt, const LabelVector *maybeLabels)
+{
+    JS_ASSERT(whileStmt->isKind(PNK_WHILE));
+    ParseNode *cond = BinaryLeft(whileStmt);
+    ParseNode *body = BinaryRight(whileStmt);
+
+    MBasicBlock *loopEntry;
+    if (!f.startPendingLoop(whileStmt, &loopEntry, body))
+        return false;
+
+    MDefinition *condDef;
+    Type condType;
+    if (!CheckExpr(f, cond, &condDef, &condType))
+        return false;
+
+    if (!condType.isInt())
+        return f.failf(cond, "%s is not a subtype of int", condType.toChars());
+
+    MBasicBlock *afterLoop;
+    if (!f.branchAndStartLoopBody(condDef, &afterLoop, body, NextNode(whileStmt)))
+        return false;
+
+    if (!CheckStatement(f, body))
+        return false;
+
+    if (!f.bindContinues(whileStmt, maybeLabels))
+        return false;
+
+    return f.closeLoop(loopEntry, afterLoop);
+}
+
+static bool
+CheckFor(FunctionCompiler &f, ParseNode *forStmt, const LabelVector *maybeLabels)
+{
+    JS_ASSERT(forStmt->isKind(PNK_FOR));
+    ParseNode *forHead = BinaryLeft(forStmt);
+    ParseNode *body = BinaryRight(forStmt);
+
+    if (!forHead->isKind(PNK_FORHEAD))
+        return f.fail(forHead, "unsupported for-loop statement");
+
+    ParseNode *maybeInit = TernaryKid1(forHead);
+    ParseNode *maybeCond = TernaryKid2(forHead);
+    ParseNode *maybeInc = TernaryKid3(forHead);
+
+    if (maybeInit) {
+        MDefinition *_1;
+        Type _2;
+        if (!CheckExpr(f, maybeInit, &_1, &_2))
+            return false;
+    }
+
+    MBasicBlock *loopEntry;
+    if (!f.startPendingLoop(forStmt, &loopEntry, body))
+        return false;
+
+    MDefinition *condDef;
+    if (maybeCond) {
+        Type condType;
+        if (!CheckExpr(f, maybeCond, &condDef, &condType))
+            return false;
+
+        if (!condType.isInt())
+            return f.failf(maybeCond, "%s is not a subtype of int", condType.toChars());
+    } else {
+        condDef = f.constant(Int32Value(1), Type::Int);
+    }
+
+    MBasicBlock *afterLoop;
+    if (!f.branchAndStartLoopBody(condDef, &afterLoop, body, NextNode(forStmt)))
+        return false;
+
+    if (!CheckStatement(f, body))
+        return false;
+
+    if (!f.bindContinues(forStmt, maybeLabels))
+        return false;
+
+    if (maybeInc) {
+        MDefinition *_1;
+        Type _2;
+        if (!CheckExpr(f, maybeInc, &_1, &_2))
+            return false;
+    }
+
+    return f.closeLoop(loopEntry, afterLoop);
+}
+
+static bool
+CheckDoWhile(FunctionCompiler &f, ParseNode *whileStmt, const LabelVector *maybeLabels)
+{
+    JS_ASSERT(whileStmt->isKind(PNK_DOWHILE));
+    ParseNode *body = BinaryLeft(whileStmt);
+    ParseNode *cond = BinaryRight(whileStmt);
+
+    MBasicBlock *loopEntry;
+    if (!f.startPendingLoop(whileStmt, &loopEntry, body))
+        return false;
+
+    if (!CheckStatement(f, body))
+        return false;
+
+    if (!f.bindContinues(whileStmt, maybeLabels))
+        return false;
+
+    MDefinition *condDef;
+    Type condType;
+    if (!CheckExpr(f, cond, &condDef, &condType))
+        return false;
+
+    if (!condType.isInt())
+        return f.failf(cond, "%s is not a subtype of int", condType.toChars());
+
+    return f.branchAndCloseDoWhileLoop(condDef, loopEntry, NextNode(whileStmt));
+}
+
+static bool
+CheckLabel(FunctionCompiler &f, ParseNode *labeledStmt, LabelVector *maybeLabels)
+{
+    JS_ASSERT(labeledStmt->isKind(PNK_LABEL));
+    PropertyName *label = LabeledStatementLabel(labeledStmt);
+    ParseNode *stmt = LabeledStatementStatement(labeledStmt);
+
+    if (maybeLabels) {
+        if (!maybeLabels->append(label))
+            return false;
+        if (!CheckStatement(f, stmt, maybeLabels))
+            return false;
+        return true;
+    }
+
+    LabelVector labels(f.cx());
+    if (!labels.append(label))
+        return false;
+
+    if (!CheckStatement(f, stmt, &labels))
+        return false;
+
+    return f.bindLabeledBreaks(&labels, labeledStmt);
+}
+
+static bool
+CheckLeafCondition(FunctionCompiler &f, ParseNode *cond, ParseNode *thenStmt, ParseNode *elseOrJoinStmt,
+                   MBasicBlock **thenBlock, MBasicBlock **elseOrJoinBlock)
+{
+    MDefinition *condDef;
+    Type condType;
+    if (!CheckExpr(f, cond, &condDef, &condType))
+        return false;
+    if (!condType.isInt())
+        return f.failf(cond, "%s is not a subtype of int", condType.toChars());
+
+    if (!f.branchAndStartThen(condDef, thenBlock, elseOrJoinBlock, thenStmt, elseOrJoinStmt))
+        return false;
+    return true;
+}
+
+static bool
+CheckIfCondition(FunctionCompiler &f, ParseNode *cond, ParseNode *thenStmt, ParseNode *elseOrJoinStmt,
+                 MBasicBlock **thenBlock, MBasicBlock **elseOrJoinBlock);
+
+static bool
+CheckIfConditional(FunctionCompiler &f, ParseNode *conditional, ParseNode *thenStmt, ParseNode *elseOrJoinStmt,
+                   MBasicBlock **thenBlock, MBasicBlock **elseOrJoinBlock)
+{
+    JS_ASSERT(conditional->isKind(PNK_CONDITIONAL));
+
+    // a ? b : c <=> (a && b) || (!a && c)
+    // b is always referred to the AND condition, as we need A and B to reach this test,
+    // c is always referred as the OR condition, as we reach it if we don't have A.
+    ParseNode *cond = TernaryKid1(conditional);
+    ParseNode *lhs = TernaryKid2(conditional);
+    ParseNode *rhs = TernaryKid3(conditional);
+
+    MBasicBlock *maybeAndTest = nullptr, *maybeOrTest = nullptr;
+    MBasicBlock **ifTrueBlock = &maybeAndTest, **ifFalseBlock = &maybeOrTest;
+    ParseNode *ifTrueBlockNode = lhs, *ifFalseBlockNode = rhs;
+
+    // Try to spot opportunities for short-circuiting in the AND subpart
+    uint32_t andTestLiteral = 0;
+    bool skipAndTest = false;
+
+    if (IsLiteralInt(f.m(), lhs, &andTestLiteral)) {
+        skipAndTest = true;
+        if (andTestLiteral == 0) {
+            // (a ? 0 : b) is equivalent to !a && b
+            // If a is true, jump to the elseBlock directly
+            ifTrueBlock = elseOrJoinBlock;
+            ifTrueBlockNode = elseOrJoinStmt;
+        } else {
+            // (a ? 1 : b) is equivalent to a || b
+            // If a is true, jump to the thenBlock directly
+            ifTrueBlock = thenBlock;
+            ifTrueBlockNode = thenStmt;
+        }
+    }
+
+    // Try to spot opportunities for short-circuiting in the OR subpart
+    uint32_t orTestLiteral = 0;
+    bool skipOrTest = false;
+
+    if (IsLiteralInt(f.m(), rhs, &orTestLiteral)) {
+        skipOrTest = true;
+        if (orTestLiteral == 0) {
+            // (a ? b : 0) is equivalent to a && b
+            // If a is false, jump to the elseBlock directly
+            ifFalseBlock = elseOrJoinBlock;
+            ifFalseBlockNode = elseOrJoinStmt;
+        } else {
+            // (a ? b : 1) is equivalent to !a || b
+            // If a is false, jump to the thenBlock directly
+            ifFalseBlock = thenBlock;
+            ifFalseBlockNode = thenStmt;
+        }
+    }
+
+    // Pathological cases: a ? 0 : 0 (i.e. false) or a ? 1 : 1 (i.e. true)
+    // These cases can't be optimized properly at this point: one of the blocks might be
+    // created and won't ever be executed. Furthermore, it introduces inconsistencies in the
+    // MIR graph (even if we try to create a block by hand, it will have no predecessor, which
+    // breaks graph assumptions). The only way we could optimize it is to do it directly in
+    // CheckIf by removing the control flow entirely.
+    if (skipOrTest && skipAndTest && (!!orTestLiteral == !!andTestLiteral))
+        return CheckLeafCondition(f, conditional, thenStmt, elseOrJoinStmt, thenBlock, elseOrJoinBlock);
+
+    if (!CheckIfCondition(f, cond, ifTrueBlockNode, ifFalseBlockNode, ifTrueBlock, ifFalseBlock))
+        return false;
+    f.assertCurrentBlockIs(*ifTrueBlock);
+
+    // Add supplementary tests, if needed
+    if (!skipAndTest) {
+        if (!CheckIfCondition(f, lhs, thenStmt, elseOrJoinStmt, thenBlock, elseOrJoinBlock))
+            return false;
+        f.assertCurrentBlockIs(*thenBlock);
+    }
+
+    if (!skipOrTest) {
+        f.switchToElse(*ifFalseBlock);
+        if (!CheckIfCondition(f, rhs, thenStmt, elseOrJoinStmt, thenBlock, elseOrJoinBlock))
+            return false;
+        f.assertCurrentBlockIs(*thenBlock);
+    }
+
+    // We might not be on the thenBlock in one case
+    if (ifTrueBlock == elseOrJoinBlock) {
+        JS_ASSERT(skipAndTest && andTestLiteral == 0);
+        f.switchToElse(*thenBlock);
+    }
+
+    // Check post-conditions
+    f.assertCurrentBlockIs(*thenBlock);
+    JS_ASSERT_IF(!f.inDeadCode(), *thenBlock && *elseOrJoinBlock);
+    return true;
+}
+
+/*
+ * Recursive function that checks for a complex condition (formed with ternary
+ * conditionals) and creates the associated short-circuiting control flow graph.
+ *
+ * After a call to CheckCondition, the followings are true:
+ * - if *thenBlock and *elseOrJoinBlock were non-null on entry, their value is
+ *   not changed by this function.
+ * - *thenBlock and *elseOrJoinBlock are non-null on exit.
+ * - the current block on exit is the *thenBlock.
+ */
+static bool
+CheckIfCondition(FunctionCompiler &f, ParseNode *cond, ParseNode *thenStmt,
+                 ParseNode *elseOrJoinStmt, MBasicBlock **thenBlock, MBasicBlock **elseOrJoinBlock)
+{
+    JS_CHECK_RECURSION_DONT_REPORT(f.cx(), return f.m().failOverRecursed());
+
+    if (cond->isKind(PNK_CONDITIONAL))
+        return CheckIfConditional(f, cond, thenStmt, elseOrJoinStmt, thenBlock, elseOrJoinBlock);
+
+    // We've reached a leaf, i.e. an atomic condition
+    JS_ASSERT(!cond->isKind(PNK_CONDITIONAL));
+    if (!CheckLeafCondition(f, cond, thenStmt, elseOrJoinStmt, thenBlock, elseOrJoinBlock))
+        return false;
+
+    // Check post-conditions
+    f.assertCurrentBlockIs(*thenBlock);
+    JS_ASSERT_IF(!f.inDeadCode(), *thenBlock && *elseOrJoinBlock);
+    return true;
+}
+
+static bool
+CheckIf(FunctionCompiler &f, ParseNode *ifStmt)
+{
+    // Handle if/else-if chains using iteration instead of recursion. This
+    // avoids blowing the C stack quota for long if/else-if chains and also
+    // creates fewer MBasicBlocks at join points (by creating one join block
+    // for the entire if/else-if chain).
+    BlockVector thenBlocks(f.cx());
+
+    ParseNode *nextStmt = NextNode(ifStmt);
+  recurse:
+    JS_ASSERT(ifStmt->isKind(PNK_IF));
+    ParseNode *cond = TernaryKid1(ifStmt);
+    ParseNode *thenStmt = TernaryKid2(ifStmt);
+    ParseNode *elseStmt = TernaryKid3(ifStmt);
+
+    MBasicBlock *thenBlock = nullptr, *elseBlock = nullptr;
+    ParseNode *elseOrJoinStmt = elseStmt ? elseStmt : nextStmt;
+
+    if (!CheckIfCondition(f, cond, thenStmt, elseOrJoinStmt, &thenBlock, &elseBlock))
+        return false;
+
+    if (!CheckStatement(f, thenStmt))
+        return false;
+
+    if (!f.appendThenBlock(&thenBlocks))
+        return false;
+
+    if (!elseStmt) {
+        if (!f.joinIf(thenBlocks, elseBlock))
+            return false;
+    } else {
+        f.switchToElse(elseBlock);
+
+        if (elseStmt->isKind(PNK_IF)) {
+            ifStmt = elseStmt;
+            goto recurse;
+        }
+
+        if (!CheckStatement(f, elseStmt))
+            return false;
+
+        if (!f.joinIfElse(thenBlocks, nextStmt))
+            return false;
+    }
+
+    return true;
+}
+
+static bool
+CheckCaseExpr(FunctionCompiler &f, ParseNode *caseExpr, int32_t *value)
+{
+    if (!IsNumericLiteral(f.m(), caseExpr))
+        return f.fail(caseExpr, "switch case expression must be an integer literal");
+
+    NumLit literal = ExtractNumericLiteral(f.m(), caseExpr);
+    switch (literal.which()) {
+      case NumLit::Fixnum:
+      case NumLit::NegativeInt:
+        *value = literal.toInt32();
+        break;
+      case NumLit::OutOfRangeInt:
+      case NumLit::BigUnsigned:
+        return f.fail(caseExpr, "switch case expression out of integer range");
+      case NumLit::Double:
+      case NumLit::Float:
+        return f.fail(caseExpr, "switch case expression must be an integer literal");
+    }
+
+    return true;
+}
+
+static bool
+CheckDefaultAtEnd(FunctionCompiler &f, ParseNode *stmt)
+{
+    for (; stmt; stmt = NextNode(stmt)) {
+        JS_ASSERT(stmt->isKind(PNK_CASE) || stmt->isKind(PNK_DEFAULT));
+        if (stmt->isKind(PNK_DEFAULT) && NextNode(stmt) != nullptr)
+            return f.fail(stmt, "default label must be at the end");
+    }
+
+    return true;
+}
+
+static bool
+CheckSwitchRange(FunctionCompiler &f, ParseNode *stmt, int32_t *low, int32_t *high,
+                 int32_t *tableLength)
+{
+    if (stmt->isKind(PNK_DEFAULT)) {
+        *low = 0;
+        *high = -1;
+        *tableLength = 0;
+        return true;
+    }
+
+    int32_t i = 0;
+    if (!CheckCaseExpr(f, CaseExpr(stmt), &i))
+        return false;
+
+    *low = *high = i;
+
+    ParseNode *initialStmt = stmt;
+    for (stmt = NextNode(stmt); stmt && stmt->isKind(PNK_CASE); stmt = NextNode(stmt)) {
+        int32_t i = 0;
+        if (!CheckCaseExpr(f, CaseExpr(stmt), &i))
+            return false;
+
+        *low = Min(*low, i);
+        *high = Max(*high, i);
+    }
+
+    int64_t i64 = (int64_t(*high) - int64_t(*low)) + 1;
+    if (i64 > 4*1024*1024)
+        return f.fail(initialStmt, "all switch statements generate tables; this table would be too big");
+
+    *tableLength = int32_t(i64);
+    return true;
+}
+
+static bool
+CheckSwitch(FunctionCompiler &f, ParseNode *switchStmt)
+{
+    JS_ASSERT(switchStmt->isKind(PNK_SWITCH));
+    ParseNode *switchExpr = BinaryLeft(switchStmt);
+    ParseNode *switchBody = BinaryRight(switchStmt);
+
+    if (!switchBody->isKind(PNK_STATEMENTLIST))
+        return f.fail(switchBody, "switch body may not contain 'let' declarations");
+
+    MDefinition *exprDef;
+    Type exprType;
+    if (!CheckExpr(f, switchExpr, &exprDef, &exprType))
+        return false;
+
+    if (!exprType.isSigned())
+        return f.failf(switchExpr, "%s is not a subtype of signed", exprType.toChars());
+
+    ParseNode *stmt = ListHead(switchBody);
+
+    if (!CheckDefaultAtEnd(f, stmt))
+        return false;
+
+    if (!stmt)
+        return true;
+
+    int32_t low = 0, high = 0, tableLength = 0;
+    if (!CheckSwitchRange(f, stmt, &low, &high, &tableLength))
+        return false;
+
+    BlockVector cases(f.cx());
+    if (!cases.resize(tableLength))
+        return false;
+
+    MBasicBlock *switchBlock;
+    if (!f.startSwitch(switchStmt, exprDef, low, high, &switchBlock))
+        return false;
+
+    for (; stmt && stmt->isKind(PNK_CASE); stmt = NextNode(stmt)) {
+        int32_t caseValue = ExtractNumericLiteral(f.m(), CaseExpr(stmt)).toInt32();
+        unsigned caseIndex = caseValue - low;
+
+        if (cases[caseIndex])
+            return f.fail(stmt, "no duplicate case labels");
+
+        if (!f.startSwitchCase(switchBlock, &cases[caseIndex], stmt))
+            return false;
+
+        if (!CheckStatement(f, CaseBody(stmt)))
+            return false;
+    }
+
+    MBasicBlock *defaultBlock;
+    if (!f.startSwitchDefault(switchBlock, &cases, &defaultBlock, stmt))
+        return false;
+
+    if (stmt && stmt->isKind(PNK_DEFAULT)) {
+        if (!CheckStatement(f, CaseBody(stmt)))
+            return false;
+    }
+
+    return f.joinSwitch(switchBlock, cases, defaultBlock);
+}
+
+static bool
+CheckReturnType(FunctionCompiler &f, ParseNode *usepn, RetType retType)
+{
+    if (!f.hasAlreadyReturned()) {
+        f.setReturnedType(retType);
+        return true;
+    }
+
+    if (f.returnedType() != retType) {
+        return f.failf(usepn, "%s incompatible with previous return of type %s",
+                       retType.toType().toChars(), f.returnedType().toType().toChars());
+    }
+
+    return true;
+}
+
+static bool
+CheckReturn(FunctionCompiler &f, ParseNode *returnStmt)
+{
+    ParseNode *expr = ReturnExpr(returnStmt);
+
+    if (!expr) {
+        if (!CheckReturnType(f, returnStmt, RetType::Void))
+            return false;
+
+        f.returnVoid();
+        return true;
+    }
+
+    MDefinition *def;
+    Type type;
+    if (!CheckExpr(f, expr, &def, &type))
+        return false;
+
+    RetType retType;
+    if (type.isSigned())
+        retType = RetType::Signed;
+    else if (type.isDouble())
+        retType = RetType::Double;
+    else if (type.isFloat())
+        retType = RetType::Float;
+    else if (type.isVoid())
+        retType = RetType::Void;
+    else
+        return f.failf(expr, "%s is not a valid return type", type.toChars());
+
+    if (!CheckReturnType(f, expr, retType))
+        return false;
+
+    if (retType == RetType::Void)
+        f.returnVoid();
+    else
+        f.returnExpr(def);
+    return true;
+}
+
+static bool
+CheckStatementList(FunctionCompiler &f, ParseNode *stmtList)
+{
+    JS_ASSERT(stmtList->isKind(PNK_STATEMENTLIST));
+
+    for (ParseNode *stmt = ListHead(stmtList); stmt; stmt = NextNode(stmt)) {
+        if (!CheckStatement(f, stmt))
+            return false;
+    }
+
+    return true;
+}
+
+static bool
+CheckStatement(FunctionCompiler &f, ParseNode *stmt, LabelVector *maybeLabels)
+{
+    JS_CHECK_RECURSION_DONT_REPORT(f.cx(), return f.m().failOverRecursed());
+
+    if (!f.mirGen().ensureBallast())
+        return false;
+
+    switch (stmt->getKind()) {
+      case PNK_SEMI:          return CheckExprStatement(f, stmt);
+      case PNK_WHILE:         return CheckWhile(f, stmt, maybeLabels);
+      case PNK_FOR:           return CheckFor(f, stmt, maybeLabels);
+      case PNK_DOWHILE:       return CheckDoWhile(f, stmt, maybeLabels);
+      case PNK_LABEL:         return CheckLabel(f, stmt, maybeLabels);
+      case PNK_IF:            return CheckIf(f, stmt);
+      case PNK_SWITCH:        return CheckSwitch(f, stmt);
+      case PNK_RETURN:        return CheckReturn(f, stmt);
+      case PNK_STATEMENTLIST: return CheckStatementList(f, stmt);
+      case PNK_BREAK:         return f.addBreak(LoopControlMaybeLabel(stmt));
+      case PNK_CONTINUE:      return f.addContinue(LoopControlMaybeLabel(stmt));
+      default:;
+    }
+
+    return f.fail(stmt, "unexpected statement kind");
+}
+
+static bool
+ParseFunction(ModuleCompiler &m, ParseNode **fnOut)
+{
+    TokenStream &tokenStream = m.tokenStream();
+
+    DebugOnly<TokenKind> tk = tokenStream.getToken();
+    JS_ASSERT(tk == TOK_FUNCTION);
+
+    RootedPropertyName name(m.cx());
+
+    TokenKind tt = tokenStream.getToken();
+    if (tt == TOK_NAME) {
+        name = tokenStream.currentName();
+    } else if (tt == TOK_YIELD) {
+        if (!m.parser().checkYieldNameValidity())
+            return false;
+        name = m.cx()->names().yield;
+    } else {
+        return false;  // The regular parser will throw a SyntaxError, no need to m.fail.
+    }
+
+    ParseNode *fn = m.parser().handler.newFunctionDefinition();
+    if (!fn)
+        return false;
+
+    // This flows into FunctionBox, so must be tenured.
+    RootedFunction fun(m.cx(), NewFunction(m.cx(), NullPtr(), nullptr, 0, JSFunction::INTERPRETED,
+                                           m.cx()->global(), name, JSFunction::FinalizeKind,
+                                           TenuredObject));
+    if (!fun)
+        return false;
+
+    AsmJSParseContext *outerpc = m.parser().pc;
+
+    Directives directives(outerpc);
+    FunctionBox *funbox = m.parser().newFunctionBox(fn, fun, outerpc, directives, NotGenerator);
+    if (!funbox)
+        return false;
+
+    Directives newDirectives = directives;
+    AsmJSParseContext funpc(&m.parser(), outerpc, fn, funbox, &newDirectives,
+                            outerpc->staticLevel + 1, outerpc->blockidGen,
+                            /* blockScopeDepth = */ 0);
+    if (!funpc.init(tokenStream))
+        return false;
+
+    if (!m.parser().functionArgsAndBodyGeneric(fn, fun, Normal, Statement, &newDirectives))
+        return false;
+
+    if (tokenStream.hadError() || directives != newDirectives)
+        return false;
+
+    outerpc->blockidGen = funpc.blockidGen;
+    fn->pn_blockid = outerpc->blockid();
+
+    *fnOut = fn;
+    return true;
+}
+
+static bool
+CheckFunction(ModuleCompiler &m, LifoAlloc &lifo, MIRGenerator **mir, ModuleCompiler::Func **funcOut)
+{
+    int64_t before = PRMJ_Now();
+
+    // asm.js modules can be quite large when represented as parse trees so pop
+    // the backing LifoAlloc after parsing/compiling each function.
+    AsmJSParser::Mark mark = m.parser().mark();
+
+    ParseNode *fn;
+    if (!ParseFunction(m, &fn))
+        return false;
+
+    if (!CheckFunctionHead(m, fn))
+        return false;
+
+    FunctionCompiler f(m, fn, lifo);
+    if (!f.init())
+        return false;
+
+    ParseNode *stmtIter = ListHead(FunctionStatementList(fn));
+
+    VarTypeVector argTypes(m.lifo());
+    if (!CheckArguments(f, &stmtIter, &argTypes))
+        return false;
+
+    if (!CheckVariables(f, &stmtIter))
+        return false;
+
+    if (!f.prepareToEmitMIR(argTypes))
+        return false;
+
+    ParseNode *lastNonEmptyStmt = nullptr;
+    for (; stmtIter; stmtIter = NextNode(stmtIter)) {
+        if (!CheckStatement(f, stmtIter))
+            return false;
+        if (!IsEmptyStatement(stmtIter))
+            lastNonEmptyStmt = stmtIter;
+    }
+
+    RetType retType;
+    if (!CheckFinalReturn(f, lastNonEmptyStmt, &retType))
+        return false;
+
+    if (!CheckReturnType(f, lastNonEmptyStmt, retType))
+        return false;
+
+    Signature sig(Move(argTypes), retType);
+    ModuleCompiler::Func *func = nullptr;
+    if (!CheckFunctionSignature(m, fn, Move(sig), FunctionName(fn), &func))
+        return false;
+
+    if (func->defined())
+        return m.failName(fn, "function '%s' already defined", FunctionName(fn));
+
+    uint32_t funcBegin = fn->pn_pos.begin;
+    uint32_t funcEnd = fn->pn_pos.end;
+    // The begin/end char range is relative to the beginning of the module,
+    // hence the assertions.
+    JS_ASSERT(funcBegin > m.moduleStart());
+    JS_ASSERT(funcEnd > m.moduleStart());
+    funcBegin -= m.moduleStart();
+    funcEnd -= m.moduleStart();
+    func->finish(funcBegin, funcEnd);
+
+    func->accumulateCompileTime((PRMJ_Now() - before) / PRMJ_USEC_PER_MSEC);
+
+    m.parser().release(mark);
+
+    // Copy the cumulative minimum heap size constraint to the MIR for use in analysis.  The length
+    // is also constrained to particular lengths, so firstly round up - a larger 'heap required
+    // length' can help range analysis to prove that bounds checks are not needed.
+    uint32_t len = js::RoundUpToNextValidAsmJSHeapLength(m.minHeapLength());
+    m.requireHeapLengthToBeAtLeast(len);
+
+    *mir = f.extractMIR();
+    (*mir)->noteMinAsmJSHeapLength(len);
+    *funcOut = func;
+    return true;
+}
+
+static bool
+GenerateCode(ModuleCompiler &m, ModuleCompiler::Func &func, MIRGenerator &mir, LIRGraph &lir)
+{
+    int64_t before = PRMJ_Now();
+
+    // A single MacroAssembler is reused for all function compilations so
+    // that there is a single linear code segment for each module. To avoid
+    // spiking memory, a LifoAllocScope in the caller frees all MIR/LIR
+    // after each function is compiled. This method is responsible for cleaning
+    // out any dangling pointers that the MacroAssembler may have kept.
+    m.masm().resetForNewCodeGenerator(mir.alloc());
+
+    m.masm().bind(func.code());
+
+    ScopedJSDeletePtr<CodeGenerator> codegen(js_new<CodeGenerator>(&mir, &lir, &m.masm()));
+    if (!codegen || !codegen->generateAsmJS(&m.stackOverflowLabel()))
+        return m.fail(nullptr, "internal codegen failure (probably out of memory)");
+
+#if defined(MOZ_VTUNE) || defined(JS_ION_PERF)
+    // Profiling might not be active now, but it may be activated later (perhaps
+    // after the module has been cached and reloaded from the cache). Function
+    // profiling info isn't huge, so store it always (in --enable-profiling
+    // builds, which is only Nightly builds, but default).
+    if (!m.trackProfiledFunction(func, m.masm().currentOffset()))
+        return false;
+#endif
+
+#ifdef JS_ION_PERF
+    // Per-block profiling info uses significantly more memory so only store
+    // this information if it is actively requested.
+    if (PerfBlockEnabled()) {
+        if (!m.trackPerfProfiledBlocks(mir.perfSpewer(), func, m.masm().currentOffset()))
+            return false;
+    }
+#endif
+
+    // Align internal function headers.
+    m.masm().align(CodeAlignment);
+
+    func.accumulateCompileTime((PRMJ_Now() - before) / PRMJ_USEC_PER_MSEC);
+    if (!m.maybeReportCompileTime(func))
+        return false;
+
+    // Unlike regular IonMonkey which links and generates a new JitCode for
+    // every function, we accumulate all the functions in the module in a
+    // single MacroAssembler and link at end. Linking asm.js doesn't require a
+    // CodeGenerator so we can destroy it now.
+    return true;
+}
+
+static bool
+CheckAllFunctionsDefined(ModuleCompiler &m)
+{
+    for (unsigned i = 0; i < m.numFunctions(); i++) {
+        if (!m.function(i).code()->bound())
+            return m.failName(nullptr, "missing definition of function %s", m.function(i).name());
+    }
+
+    return true;
+}
+
+static bool
+CheckFunctionsSequential(ModuleCompiler &m)
+{
+    // Use a single LifoAlloc to allocate all the temporary compiler IR.
+    // All allocated LifoAlloc'd memory is released after compiling each
+    // function by the LifoAllocScope inside the loop.
+    LifoAlloc lifo(LIFO_ALLOC_PRIMARY_CHUNK_SIZE);
+
+    while (PeekToken(m.parser()) == TOK_FUNCTION) {
+        LifoAllocScope scope(&lifo);
+
+        MIRGenerator *mir;
+        ModuleCompiler::Func *func;
+        if (!CheckFunction(m, lifo, &mir, &func))
+            return false;
+
+        int64_t before = PRMJ_Now();
+
+        IonContext icx(m.cx(), &mir->alloc());
+
+        IonSpewNewFunction(&mir->graph(), NullPtr());
+
+        if (!OptimizeMIR(mir))
+            return m.failOffset(func->srcOffset(), "internal compiler failure (probably out of memory)");
+
+        LIRGraph *lir = GenerateLIR(mir);
+        if (!lir)
+            return m.failOffset(func->srcOffset(), "internal compiler failure (probably out of memory)");
+
+        func->accumulateCompileTime((PRMJ_Now() - before) / PRMJ_USEC_PER_MSEC);
+
+        if (!GenerateCode(m, *func, *mir, *lir))
+            return false;
+
+        IonSpewEndFunction();
+    }
+
+    if (!CheckAllFunctionsDefined(m))
+        return false;
+
+    return true;
+}
+
+#ifdef JS_THREADSAFE
+
+// Currently, only one asm.js parallel compilation is allowed at a time.
+// This RAII class attempts to claim this parallel compilation using atomic ops
+// on rt->workerThreadState->asmJSCompilationInProgress.
+class ParallelCompilationGuard
+{
+    bool parallelState_;
+  public:
+    ParallelCompilationGuard() : parallelState_(false) {}
+    ~ParallelCompilationGuard() {
+        if (parallelState_) {
+            JS_ASSERT(WorkerThreadState().asmJSCompilationInProgress == true);
+            WorkerThreadState().asmJSCompilationInProgress = false;
+        }
+    }
+    bool claim() {
+        JS_ASSERT(!parallelState_);
+        if (!WorkerThreadState().asmJSCompilationInProgress.compareExchange(false, true))
+            return false;
+        parallelState_ = true;
+        return true;
+    }
+};
+
+static bool
+ParallelCompilationEnabled(ExclusiveContext *cx)
+{
+    // If 'cx' isn't a JSContext, then we are already off the main thread so
+    // off-thread compilation must be enabled. However, since there are a fixed
+    // number of worker threads and one is already being consumed by this
+    // parsing task, ensure that there another free thread to avoid deadlock.
+    // (Note: there is at most one thread used for parsing so we don't have to
+    // worry about general dining philosophers.)
+    if (WorkerThreadState().threadCount <= 1)
+        return false;
+
+    if (!cx->isJSContext())
+        return true;
+    return cx->asJSContext()->runtime()->canUseParallelIonCompilation();
+}
+
+// State of compilation as tracked and updated by the main thread.
+struct ParallelGroupState
+{
+    js::Vector<AsmJSParallelTask> &tasks;
+    int32_t outstandingJobs; // Good work, jobs!
+    uint32_t compiledJobs;
+
+    ParallelGroupState(js::Vector<AsmJSParallelTask> &tasks)
+      : tasks(tasks), outstandingJobs(0), compiledJobs(0)
+    { }
+};
+
+// Block until a worker-assigned LifoAlloc becomes finished.
+static AsmJSParallelTask *
+GetFinishedCompilation(ModuleCompiler &m, ParallelGroupState &group)
+{
+    AutoLockWorkerThreadState lock;
+
+    while (!WorkerThreadState().asmJSWorkerFailed()) {
+        if (!WorkerThreadState().asmJSFinishedList().empty()) {
+            group.outstandingJobs--;
+            return WorkerThreadState().asmJSFinishedList().popCopy();
+        }
+        WorkerThreadState().wait(GlobalWorkerThreadState::CONSUMER);
+    }
+
+    return nullptr;
+}
+
+static bool
+GenerateCodeForFinishedJob(ModuleCompiler &m, ParallelGroupState &group, AsmJSParallelTask **outTask)
+{
+    // Block until a used LifoAlloc becomes available.
+    AsmJSParallelTask *task = GetFinishedCompilation(m, group);
+    if (!task)
+        return false;
+
+    ModuleCompiler::Func &func = *reinterpret_cast<ModuleCompiler::Func *>(task->func);
+    func.accumulateCompileTime(task->compileTime);
+
+    {
+        // Perform code generation on the main thread.
+        IonContext ionContext(m.cx(), &task->mir->alloc());
+        if (!GenerateCode(m, func, *task->mir, *task->lir))
+            return false;
+    }
+
+    group.compiledJobs++;
+
+    // Clear the LifoAlloc for use by another worker.
+    TempAllocator &tempAlloc = task->mir->alloc();
+    tempAlloc.TempAllocator::~TempAllocator();
+    task->lifo.releaseAll();
+
+    *outTask = task;
+    return true;
+}
+
+static inline bool
+GetUnusedTask(ParallelGroupState &group, uint32_t i, AsmJSParallelTask **outTask)
+{
+    // Since functions are dispatched in order, if fewer than |numLifos| functions
+    // have been generated, then the |i'th| LifoAlloc must never have been
+    // assigned to a worker thread.
+    if (i >= group.tasks.length())
+        return false;
+    *outTask = &group.tasks[i];
+    return true;
+}
+
+static bool
+CheckFunctionsParallelImpl(ModuleCompiler &m, ParallelGroupState &group)
+{
+#ifdef DEBUG
+    {
+        AutoLockWorkerThreadState lock;
+        JS_ASSERT(WorkerThreadState().asmJSWorklist().empty());
+        JS_ASSERT(WorkerThreadState().asmJSFinishedList().empty());
+    }
+#endif
+    WorkerThreadState().resetAsmJSFailureState();
+
+    for (unsigned i = 0; PeekToken(m.parser()) == TOK_FUNCTION; i++) {
+        // Get exclusive access to an empty LifoAlloc from the thread group's pool.
+        AsmJSParallelTask *task = nullptr;
+        if (!GetUnusedTask(group, i, &task) && !GenerateCodeForFinishedJob(m, group, &task))
+            return false;
+
+        // Generate MIR into the LifoAlloc on the main thread.
+        MIRGenerator *mir;
+        ModuleCompiler::Func *func;
+        if (!CheckFunction(m, task->lifo, &mir, &func))
+            return false;
+
+        // Perform optimizations and LIR generation on a worker thread.
+        task->init(m.cx()->compartment()->runtimeFromAnyThread(), func, mir);
+        if (!StartOffThreadAsmJSCompile(m.cx(), task))
+            return false;
+
+        group.outstandingJobs++;
+    }
+
+    // Block for all outstanding workers to complete.
+    while (group.outstandingJobs > 0) {
+        AsmJSParallelTask *ignored = nullptr;
+        if (!GenerateCodeForFinishedJob(m, group, &ignored))
+            return false;
+    }
+
+    if (!CheckAllFunctionsDefined(m))
+        return false;
+
+    JS_ASSERT(group.outstandingJobs == 0);
+    JS_ASSERT(group.compiledJobs == m.numFunctions());
+#ifdef DEBUG
+    {
+        AutoLockWorkerThreadState lock;
+        JS_ASSERT(WorkerThreadState().asmJSWorklist().empty());
+        JS_ASSERT(WorkerThreadState().asmJSFinishedList().empty());
+    }
+#endif
+    JS_ASSERT(!WorkerThreadState().asmJSWorkerFailed());
+    return true;
+}
+
+static void
+CancelOutstandingJobs(ModuleCompiler &m, ParallelGroupState &group)
+{
+    // This is failure-handling code, so it's not allowed to fail.
+    // The problem is that all memory for compilation is stored in LifoAllocs
+    // maintained in the scope of CheckFunctionsParallel() -- so in order
+    // for that function to safely return, and thereby remove the LifoAllocs,
+    // none of that memory can be in use or reachable by workers.
+
+    JS_ASSERT(group.outstandingJobs >= 0);
+    if (!group.outstandingJobs)
+        return;
+
+    AutoLockWorkerThreadState lock;
+
+    // From the compiling tasks, eliminate those waiting for worker assignation.
+    group.outstandingJobs -= WorkerThreadState().asmJSWorklist().length();
+    WorkerThreadState().asmJSWorklist().clear();
+
+    // From the compiling tasks, eliminate those waiting for codegen.
+    group.outstandingJobs -= WorkerThreadState().asmJSFinishedList().length();
+    WorkerThreadState().asmJSFinishedList().clear();
+
+    // Eliminate tasks that failed without adding to the finished list.
+    group.outstandingJobs -= WorkerThreadState().harvestFailedAsmJSJobs();
+
+    // Any remaining tasks are therefore undergoing active compilation.
+    JS_ASSERT(group.outstandingJobs >= 0);
+    while (group.outstandingJobs > 0) {
+        WorkerThreadState().wait(GlobalWorkerThreadState::CONSUMER);
+
+        group.outstandingJobs -= WorkerThreadState().harvestFailedAsmJSJobs();
+        group.outstandingJobs -= WorkerThreadState().asmJSFinishedList().length();
+        WorkerThreadState().asmJSFinishedList().clear();
+    }
+
+    JS_ASSERT(group.outstandingJobs == 0);
+    JS_ASSERT(WorkerThreadState().asmJSWorklist().empty());
+    JS_ASSERT(WorkerThreadState().asmJSFinishedList().empty());
+}
+
+static const size_t LIFO_ALLOC_PARALLEL_CHUNK_SIZE = 1 << 12;
+
+static bool
+CheckFunctionsParallel(ModuleCompiler &m)
+{
+    // If parallel compilation isn't enabled (not enough cores, disabled by
+    // pref, etc) or another thread is currently compiling asm.js in parallel,
+    // fall back to sequential compilation. (We could lift the latter
+    // constraint by hoisting asmJS* state out of WorkerThreadState so multiple
+    // concurrent asm.js parallel compilations don't race.)
+    ParallelCompilationGuard g;
+    if (!ParallelCompilationEnabled(m.cx()) || !g.claim())
+        return CheckFunctionsSequential(m);
+
+    IonSpew(IonSpew_Logs, "Can't log asm.js script. (Compiled on background thread.)");
+
+    // Saturate all worker threads plus the main thread.
+    size_t numParallelJobs = WorkerThreadState().threadCount + 1;
+
+    // Allocate scoped AsmJSParallelTask objects. Each contains a unique
+    // LifoAlloc that provides all necessary memory for compilation.
+    js::Vector<AsmJSParallelTask, 0> tasks(m.cx());
+    if (!tasks.initCapacity(numParallelJobs))
+        return false;
+
+    for (size_t i = 0; i < numParallelJobs; i++)
+        tasks.infallibleAppend(LIFO_ALLOC_PARALLEL_CHUNK_SIZE);
+
+    // With compilation memory in-scope, dispatch worker threads.
+    ParallelGroupState group(tasks);
+    if (!CheckFunctionsParallelImpl(m, group)) {
+        CancelOutstandingJobs(m, group);
+
+        // If failure was triggered by a worker thread, report error.
+        if (void *maybeFunc = WorkerThreadState().maybeAsmJSFailedFunction()) {
+            ModuleCompiler::Func *func = reinterpret_cast<ModuleCompiler::Func *>(maybeFunc);
+            return m.failOffset(func->srcOffset(), "allocation failure during compilation");
+        }
+
+        // Otherwise, the error occurred on the main thread and was already reported.
+        return false;
+    }
+    return true;
+}
+#endif // JS_THREADSAFE
+
+static bool
+CheckFuncPtrTable(ModuleCompiler &m, ParseNode *var)
+{
+    if (!IsDefinition(var))
+        return m.fail(var, "function-pointer table name must be unique");
+
+    ParseNode *arrayLiteral = MaybeDefinitionInitializer(var);
+    if (!arrayLiteral || !arrayLiteral->isKind(PNK_ARRAY))
+        return m.fail(var, "function-pointer table's initializer must be an array literal");
+
+    unsigned length = ListLength(arrayLiteral);
+
+    if (!IsPowerOfTwo(length))
+        return m.failf(arrayLiteral, "function-pointer table length must be a power of 2 (is %u)", length);
+
+    unsigned mask = length - 1;
+
+    ModuleCompiler::FuncPtrVector elems(m.cx());
+    const Signature *firstSig = nullptr;
+
+    for (ParseNode *elem = ListHead(arrayLiteral); elem; elem = NextNode(elem)) {
+        if (!elem->isKind(PNK_NAME))
+            return m.fail(elem, "function-pointer table's elements must be names of functions");
+
+        PropertyName *funcName = elem->name();
+        const ModuleCompiler::Func *func = m.lookupFunction(funcName);
+        if (!func)
+            return m.fail(elem, "function-pointer table's elements must be names of functions");
+
+        if (firstSig) {
+            if (*firstSig != func->sig())
+                return m.fail(elem, "all functions in table must have same signature");
+        } else {
+            firstSig = &func->sig();
+        }
+
+        if (!elems.append(func))
+            return false;
+    }
+
+    Signature sig(m.lifo());
+    if (!sig.copy(*firstSig))
+        return false;
+
+    ModuleCompiler::FuncPtrTable *table;
+    if (!CheckFuncPtrTableAgainstExisting(m, var, var->name(), Move(sig), mask, &table))
+        return false;
+
+    table->initElems(Move(elems));
+    return true;
+}
+
+static bool
+CheckFuncPtrTables(ModuleCompiler &m)
+{
+    while (true) {
+        ParseNode *varStmt;
+        if (!ParseVarOrConstStatement(m.parser(), &varStmt))
+            return false;
+        if (!varStmt)
+            break;
+        for (ParseNode *var = VarListHead(varStmt); var; var = NextNode(var)) {
+            if (!CheckFuncPtrTable(m, var))
+                return false;
+        }
+    }
+
+    for (unsigned i = 0; i < m.numFuncPtrTables(); i++) {
+        if (!m.funcPtrTable(i).initialized())
+            return m.fail(nullptr, "expecting function-pointer table");
+    }
+
+    return true;
+}
+
+static bool
+CheckModuleExportFunction(ModuleCompiler &m, ParseNode *returnExpr)
+{
+    if (!returnExpr->isKind(PNK_NAME))
+        return m.fail(returnExpr, "export statement must be of the form 'return name'");
+
+    PropertyName *funcName = returnExpr->name();
+
+    const ModuleCompiler::Func *func = m.lookupFunction(funcName);
+    if (!func)
+        return m.failName(returnExpr, "exported function name '%s' not found", funcName);
+
+    return m.addExportedFunction(func, /* maybeFieldName = */ nullptr);
+}
+
+static bool
+CheckModuleExportObject(ModuleCompiler &m, ParseNode *object)
+{
+    JS_ASSERT(object->isKind(PNK_OBJECT));
+
+    for (ParseNode *pn = ListHead(object); pn; pn = NextNode(pn)) {
+        if (!IsNormalObjectField(m.cx(), pn))
+            return m.fail(pn, "only normal object properties may be used in the export object literal");
+
+        PropertyName *fieldName = ObjectNormalFieldName(m.cx(), pn);
+
+        ParseNode *initNode = ObjectFieldInitializer(pn);
+        if (!initNode->isKind(PNK_NAME))
+            return m.fail(initNode, "initializer of exported object literal must be name of function");
+
+        PropertyName *funcName = initNode->name();
+
+        const ModuleCompiler::Func *func = m.lookupFunction(funcName);
+        if (!func)
+            return m.failName(initNode, "exported function name '%s' not found", funcName);
+
+        if (!m.addExportedFunction(func, fieldName))
+            return false;
+    }
+
+    return true;
+}
+
+static bool
+CheckModuleReturn(ModuleCompiler &m)
+{
+    if (PeekToken(m.parser()) != TOK_RETURN) {
+        TokenKind tk = PeekToken(m.parser());
+        if (tk == TOK_RC || tk == TOK_EOF)
+            return m.fail(nullptr, "expecting return statement");
+        return m.fail(nullptr, "invalid asm.js statement");
+    }
+
+    ParseNode *returnStmt = m.parser().statement();
+    if (!returnStmt)
+        return false;
+
+    ParseNode *returnExpr = ReturnExpr(returnStmt);
+    if (!returnExpr)
+        return m.fail(returnStmt, "export statement must return something");
+
+    if (returnExpr->isKind(PNK_OBJECT)) {
+        if (!CheckModuleExportObject(m, returnExpr))
+            return false;
+    } else {
+        if (!CheckModuleExportFunction(m, returnExpr))
+            return false;
+    }
+
+    // Function statements are not added to the lexical scope in ParseContext
+    // (since cx->tempLifoAlloc is marked/released after each function
+    // statement) and thus all the identifiers in the return statement will be
+    // mistaken as free variables and added to lexdeps. Clear these now.
+    m.parser().pc->lexdeps->clear();
+    return true;
+}
+
+// All registers except the stack pointer.
+static const RegisterSet AllRegsExceptSP =
+    RegisterSet(GeneralRegisterSet(Registers::AllMask &
+                                   ~(uint32_t(1) << Registers::StackPointer)),
+                FloatRegisterSet(FloatRegisters::AllMask));
+#if defined(JS_CODEGEN_ARM)
+// The ARM system ABI also includes d15 in the non volatile float registers.
+static const RegisterSet NonVolatileRegs =
+    RegisterSet(GeneralRegisterSet(Registers::NonVolatileMask),
+                    FloatRegisterSet(FloatRegisters::NonVolatileMask | (1 << FloatRegisters::d15)));
+#else
+static const RegisterSet NonVolatileRegs =
+    RegisterSet(GeneralRegisterSet(Registers::NonVolatileMask),
+                FloatRegisterSet(FloatRegisters::NonVolatileMask));
+#endif
+
+static void
+LoadAsmJSActivationIntoRegister(MacroAssembler &masm, Register reg)
+{
+    masm.movePtr(AsmJSImm_Runtime, reg);
+    size_t offset = offsetof(JSRuntime, mainThread) +
+                    PerThreadData::offsetOfAsmJSActivationStackReadOnly();
+    masm.loadPtr(Address(reg, offset), reg);
+}
+
+static void
+LoadJSContextFromActivation(MacroAssembler &masm, Register activation, Register dest)
+{
+    masm.loadPtr(Address(activation, AsmJSActivation::offsetOfContext()), dest);
+}
+
+static void
+AssertStackAlignment(MacroAssembler &masm)
+{
+    JS_ASSERT((AlignmentAtPrologue + masm.framePushed()) % StackAlignment == 0);
+#ifdef DEBUG
+    Label ok;
+    JS_ASSERT(IsPowerOfTwo(StackAlignment));
+    masm.branchTestPtr(Assembler::Zero, StackPointer, Imm32(StackAlignment - 1), &ok);
+    masm.assumeUnreachable("Stack should be aligned.");
+    masm.bind(&ok);
+#endif
+}
+
+template <class VectorT>
+static unsigned
+StackArgBytes(const VectorT &argTypes)
+{
+    ABIArgIter<VectorT> iter(argTypes);
+    while (!iter.done())
+        iter++;
+    return iter.stackBytesConsumedSoFar();
+}
+
+static unsigned
+StackDecrementForCall(MacroAssembler &masm, unsigned bytesToPush)
+{
+    // Include extra padding so that, after pushing the bytesToPush,
+    // the stack is aligned for a call instruction.
+    unsigned alreadyPushed = AlignmentAtPrologue + masm.framePushed();
+    return AlignBytes(alreadyPushed + bytesToPush, StackAlignment) - alreadyPushed;
+}
+
+template <class VectorT>
+static unsigned
+StackDecrementForCall(MacroAssembler &masm, const VectorT &argTypes, unsigned extraBytes = 0)
+{
+    return StackDecrementForCall(masm, StackArgBytes(argTypes) + extraBytes);
+}
+
+static const unsigned FramePushedAfterSave = NonVolatileRegs.gprs().size() * sizeof(intptr_t) +
+                                             NonVolatileRegs.fpus().size() * sizeof(double);
+
+// On arm, we need to include an extra word of space at the top of the stack so
+// we can explicitly store the return address before making the call to C++ or
+// Ion. On x86/x64, this isn't necessary since the call instruction pushes the
+// return address.
+#ifdef JS_CODEGEN_ARM
+static const unsigned MaybeRetAddr = sizeof(void*);
+#else
+static const unsigned MaybeRetAddr = 0;
+#endif
+
+static bool
+GenerateEntry(ModuleCompiler &m, const AsmJSModule::ExportedFunction &exportedFunc)
+{
+    MacroAssembler &masm = m.masm();
+
+    // In constrast to the system ABI, the Ion convention is that all registers
+    // are clobbered by calls. Thus, we must save the caller's non-volatile
+    // registers.
+    //
+    // NB: GenerateExits assumes that masm.framePushed() == 0 before
+    // PushRegsInMask(NonVolatileRegs).
+    masm.setFramePushed(0);
+    masm.PushRegsInMask(NonVolatileRegs);
+    JS_ASSERT(masm.framePushed() == FramePushedAfterSave);
+
+    // Remember the stack pointer in the current AsmJSActivation. This will be
+    // used by error exit paths to set the stack pointer back to what it was
+    // right after the (C++) caller's non-volatile registers were saved so that
+    // they can be restored.
+    Register activation = ABIArgGenerator::NonArgReturnVolatileReg0;
+    LoadAsmJSActivationIntoRegister(masm, activation);
+    masm.storePtr(StackPointer, Address(activation, AsmJSActivation::offsetOfErrorRejoinSP()));
+
+    // ARM has a globally-pinned GlobalReg (x64 uses RIP-relative addressing,
+    // x86 uses immediates in effective addresses) and NaN register (used as
+    // part of the out-of-bounds handling in heap loads/stores).
+#if defined(JS_CODEGEN_ARM)
+    masm.movePtr(IntArgReg1, GlobalReg);
+    masm.ma_vimm(GenericNaN(), NANReg);
+#endif
+
+    // ARM and x64 have a globally-pinned HeapReg (x86 uses immediates in
+    // effective addresses).
+#if defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_ARM)
+    masm.loadPtr(Address(IntArgReg1, m.module().heapOffset()), HeapReg);
+#endif
+
+    // Get 'argv' into a non-arg register and save it on the stack.
+    Register argv = ABIArgGenerator::NonArgReturnVolatileReg0;
+    Register scratch = ABIArgGenerator::NonArgReturnVolatileReg1;
+#if defined(JS_CODEGEN_X86)
+    masm.loadPtr(Address(StackPointer, NativeFrameSize + masm.framePushed()), argv);
+#else
+    masm.movePtr(IntArgReg0, argv);
+#endif
+    masm.Push(argv);
+
+    // Bump the stack for the call.
+    const ModuleCompiler::Func &func = *m.lookupFunction(exportedFunc.name());
+    unsigned stackDec = StackDecrementForCall(masm, func.sig().args());
+    masm.reserveStack(stackDec);
+
+    // Copy parameters out of argv and into the registers/stack-slots specified by
+    // the system ABI.
+    for (ABIArgTypeIter iter(func.sig().args()); !iter.done(); iter++) {
+        unsigned argOffset = iter.index() * sizeof(uint64_t);
+        Address src(argv, argOffset);
+        switch (iter->kind()) {
+          case ABIArg::GPR:
+            masm.load32(src, iter->gpr());
+            break;
+          case ABIArg::FPU:
+            masm.loadDouble(src, iter->fpu());
+            break;
+          case ABIArg::Stack:
+            if (iter.mirType() == MIRType_Int32) {
+                masm.load32(src, scratch);
+                masm.storePtr(scratch, Address(StackPointer, iter->offsetFromArgBase()));
+            } else {
+                JS_ASSERT(iter.mirType() == MIRType_Double || iter.mirType() == MIRType_Float32);
+                masm.loadDouble(src, ScratchFloatReg);
+                masm.storeDouble(ScratchFloatReg, Address(StackPointer, iter->offsetFromArgBase()));
+            }
+            break;
+        }
+    }
+
+    // Call into the real function.
+    AssertStackAlignment(masm);
+    masm.call(CallSiteDesc::Entry(), func.code());
+
+    // Pop the stack and recover the original 'argv' argument passed to the
+    // trampoline (which was pushed on the stack).
+    masm.freeStack(stackDec);
+    masm.Pop(argv);
+
+    // Store the return value in argv[0]
+    switch (func.sig().retType().which()) {
+      case RetType::Void:
+        break;
+      case RetType::Signed:
+        masm.storeValue(JSVAL_TYPE_INT32, ReturnReg, Address(argv, 0));
+        break;
+      case RetType::Float:
+        masm.convertFloat32ToDouble(ReturnFloatReg, ReturnFloatReg);
+        // Fall through as ReturnFloatReg now contains a Double
+      case RetType::Double:
+        masm.canonicalizeDouble(ReturnFloatReg);
+        masm.storeDouble(ReturnFloatReg, Address(argv, 0));
+        break;
+    }
+
+    // Restore clobbered non-volatile registers of the caller.
+    masm.PopRegsInMask(NonVolatileRegs);
+
+    JS_ASSERT(masm.framePushed() == 0);
+
+    masm.move32(Imm32(true), ReturnReg);
+    masm.abiret();
+    return true;
+}
+
+static inline bool
+TryEnablingIon(JSContext *cx, AsmJSModule &module, HandleFunction fun, uint32_t exitIndex,
+               int32_t argc, Value *argv)
+{
+    if (!fun->hasScript())
+        return true;
+
+    // Test if the function is Ion compiled
+    JSScript *script = fun->nonLazyScript();
+    if (!script->hasIonScript())
+        return true;
+
+    // Currently we can't rectify arguments. Therefore disabling if argc is too low.
+    if (fun->nargs() > size_t(argc))
+        return true;
+
+    // Normally the types should corresond, since we just ran with those types,
+    // but there are reports this is asserting. Therefore doing it as a check, instead of DEBUG only.
+    if (!types::TypeScript::ThisTypes(script)->hasType(types::Type::UndefinedType()))
+        return true;
+    for(uint32_t i = 0; i < fun->nargs(); i++) {
+        types::StackTypeSet *typeset = types::TypeScript::ArgTypes(script, i);
+        types::Type type = types::Type::DoubleType();
+        if (!argv[i].isDouble())
+            type = types::Type::PrimitiveType(argv[i].extractNonDoubleType());
+        if (!typeset->hasType(type))
+            return true;
+    }
+
+    // Enable
+    IonScript *ionScript = script->ionScript();
+    if (!ionScript->addDependentAsmJSModule(cx, DependentAsmJSModuleExit(&module, exitIndex)))
+        return false;
+
+    module.exitIndexToGlobalDatum(exitIndex).exit = module.ionExitTrampoline(module.exit(exitIndex));
+    return true;
+}
+
+namespace js {
+
+int32_t
+InvokeFromAsmJS_Ignore(JSContext *cx, int32_t exitIndex, int32_t argc, Value *argv)
+{
+    AsmJSModule &module = cx->mainThread().asmJSActivationStackFromOwnerThread()->module();
+
+    RootedFunction fun(cx, module.exitIndexToGlobalDatum(exitIndex).fun);
+    RootedValue fval(cx, ObjectValue(*fun));
+    RootedValue rval(cx);
+    if (!Invoke(cx, UndefinedValue(), fval, argc, argv, &rval))
+        return false;
+
+    if (!TryEnablingIon(cx, module, fun, exitIndex, argc, argv))
+        return false;
+
+    return true;
+}
+
+int32_t
+InvokeFromAsmJS_ToInt32(JSContext *cx, int32_t exitIndex, int32_t argc, Value *argv)
+{
+    AsmJSModule &module = cx->mainThread().asmJSActivationStackFromOwnerThread()->module();
+
+    RootedFunction fun(cx, module.exitIndexToGlobalDatum(exitIndex).fun);
+    RootedValue fval(cx, ObjectValue(*fun));
+    RootedValue rval(cx);
+    if (!Invoke(cx, UndefinedValue(), fval, argc, argv, &rval))
+        return false;
+
+    if (!TryEnablingIon(cx, module, fun, exitIndex, argc, argv))
+        return false;
+
+    int32_t i32;
+    if (!ToInt32(cx, rval, &i32))
+        return false;
+    argv[0] = Int32Value(i32);
+
+    return true;
+}
+
+int32_t
+InvokeFromAsmJS_ToNumber(JSContext *cx, int32_t exitIndex, int32_t argc, Value *argv)
+{
+    AsmJSModule &module = cx->mainThread().asmJSActivationStackFromOwnerThread()->module();
+
+    RootedFunction fun(cx, module.exitIndexToGlobalDatum(exitIndex).fun);
+    RootedValue fval(cx, ObjectValue(*fun));
+    RootedValue rval(cx);
+    if (!Invoke(cx, UndefinedValue(), fval, argc, argv, &rval))
+        return false;
+
+    if (!TryEnablingIon(cx, module, fun, exitIndex, argc, argv))
+        return false;
+
+    double dbl;
+    if (!ToNumber(cx, rval, &dbl))
+        return false;
+    argv[0] = DoubleValue(dbl);
+
+    return true;
+}
+
+}  // namespace js
+
+static void
+FillArgumentArray(ModuleCompiler &m, const VarTypeVector &argTypes,
+                  unsigned offsetToArgs, unsigned offsetToCallerStackArgs,
+                  Register scratch)
+{
+    MacroAssembler &masm = m.masm();
+
+    for (ABIArgTypeIter i(argTypes); !i.done(); i++) {
+        Address dstAddr = Address(StackPointer, offsetToArgs + i.index() * sizeof(Value));
+        switch (i->kind()) {
+          case ABIArg::GPR:
+            masm.storeValue(JSVAL_TYPE_INT32, i->gpr(), dstAddr);
+            break;
+          case ABIArg::FPU: {
+              masm.canonicalizeDouble(i->fpu());
+              masm.storeDouble(i->fpu(), dstAddr);
+              break;
+          }
+          case ABIArg::Stack:
+            if (i.mirType() == MIRType_Int32) {
+                Address src(StackPointer, offsetToCallerStackArgs + i->offsetFromArgBase());
+#if defined(JS_CODEGEN_X86) || defined(JS_CODEGEN_X64)
+                masm.load32(src, scratch);
+                masm.storeValue(JSVAL_TYPE_INT32, scratch, dstAddr);
+#else
+                masm.memIntToValue(src, dstAddr);
+#endif
+            } else {
+                JS_ASSERT(i.mirType() == MIRType_Double);
+                Address src(StackPointer, offsetToCallerStackArgs + i->offsetFromArgBase());
+                masm.loadDouble(src, ScratchFloatReg);
+                masm.canonicalizeDouble(ScratchFloatReg);
+                masm.storeDouble(ScratchFloatReg, dstAddr);
+            }
+            break;
+        }
+    }
+}
+
+static void
+GenerateFFIInterpreterExit(ModuleCompiler &m, const ModuleCompiler::ExitDescriptor &exit,
+                           unsigned exitIndex, Label *throwLabel)
+{
+    MacroAssembler &masm = m.masm();
+    masm.align(CodeAlignment);
+    m.setInterpExitOffset(exitIndex);
+    masm.setFramePushed(0);
+#if defined(JS_CODEGEN_ARM)
+    masm.Push(lr);
+#endif
+
+    MIRType typeArray[] = { MIRType_Pointer,   // cx
+                            MIRType_Pointer,   // exitDatum
+                            MIRType_Int32,     // argc
+                            MIRType_Pointer }; // argv
+    MIRTypeVector invokeArgTypes(m.cx());
+    invokeArgTypes.infallibleAppend(typeArray, ArrayLength(typeArray));
+
+    // The stack layout looks like:
+    // | return address | stack arguments | array of values |
+    unsigned arraySize = Max<size_t>(1, exit.sig().args().length()) * sizeof(Value);
+    unsigned stackDec = StackDecrementForCall(masm, invokeArgTypes, arraySize + MaybeRetAddr);
+    masm.reserveStack(stackDec);
+
+    // Fill the argument array.
+    unsigned offsetToCallerStackArgs = AlignmentAtPrologue + masm.framePushed();
+    unsigned offsetToArgv = StackArgBytes(invokeArgTypes) + MaybeRetAddr;
+    Register scratch = ABIArgGenerator::NonArgReturnVolatileReg0;
+    FillArgumentArray(m, exit.sig().args(), offsetToArgv, offsetToCallerStackArgs, scratch);
+
+    // Prepare the arguments for the call to InvokeFromAsmJS_*.
+    ABIArgMIRTypeIter i(invokeArgTypes);
+    Register activation = ABIArgGenerator::NonArgReturnVolatileReg1;
+    LoadAsmJSActivationIntoRegister(masm, activation);
+
+    // Record sp in the AsmJSActivation for stack-walking.
+    masm.storePtr(StackPointer, Address(activation, AsmJSActivation::offsetOfExitSP()));
+
+    // argument 0: cx
+    if (i->kind() == ABIArg::GPR) {
+        LoadJSContextFromActivation(masm, activation, i->gpr());
+    } else {
+        LoadJSContextFromActivation(masm, activation, scratch);
+        masm.storePtr(scratch, Address(StackPointer, i->offsetFromArgBase()));
+    }
+    i++;
+
+    // argument 1: exitIndex
+    if (i->kind() == ABIArg::GPR)
+        masm.mov(ImmWord(exitIndex), i->gpr());
+    else
+        masm.store32(Imm32(exitIndex), Address(StackPointer, i->offsetFromArgBase()));
+    i++;
+
+    // argument 2: argc
+    unsigned argc = exit.sig().args().length();
+    if (i->kind() == ABIArg::GPR)
+        masm.mov(ImmWord(argc), i->gpr());
+    else
+        masm.store32(Imm32(argc), Address(StackPointer, i->offsetFromArgBase()));
+    i++;
+
+    // argument 3: argv
+    Address argv(StackPointer, offsetToArgv);
+    if (i->kind() == ABIArg::GPR) {
+        masm.computeEffectiveAddress(argv, i->gpr());
+    } else {
+        masm.computeEffectiveAddress(argv, scratch);
+        masm.storePtr(scratch, Address(StackPointer, i->offsetFromArgBase()));
+    }
+    i++;
+    JS_ASSERT(i.done());
+
+    // Make the call, test whether it succeeded, and extract the return value.
+    AssertStackAlignment(masm);
+    switch (exit.sig().retType().which()) {
+      case RetType::Void:
+        masm.callExit(AsmJSImm_InvokeFromAsmJS_Ignore, i.stackBytesConsumedSoFar());
+        masm.branchTest32(Assembler::Zero, ReturnReg, ReturnReg, throwLabel);
+        break;
+      case RetType::Signed:
+        masm.callExit(AsmJSImm_InvokeFromAsmJS_ToInt32, i.stackBytesConsumedSoFar());
+        masm.branchTest32(Assembler::Zero, ReturnReg, ReturnReg, throwLabel);
+        masm.unboxInt32(argv, ReturnReg);
+        break;
+      case RetType::Double:
+        masm.callExit(AsmJSImm_InvokeFromAsmJS_ToNumber, i.stackBytesConsumedSoFar());
+        masm.branchTest32(Assembler::Zero, ReturnReg, ReturnReg, throwLabel);
+        masm.loadDouble(argv, ReturnFloatReg);
+        break;
+      case RetType::Float:
+        MOZ_ASSUME_UNREACHABLE("Float32 shouldn't be returned from a FFI");
+        break;
+    }
+
+    // Note: the caller is IonMonkey code which means there are no non-volatile
+    // registers to restore.
+    masm.freeStack(stackDec);
+    masm.ret();
+}
+
+static void
+GenerateOOLConvert(ModuleCompiler &m, RetType retType, Label *throwLabel)
+{
+    MacroAssembler &masm = m.masm();
+
+    MIRType typeArray[] = { MIRType_Pointer,   // cx
+                            MIRType_Pointer }; // argv
+    MIRTypeVector callArgTypes(m.cx());
+    callArgTypes.infallibleAppend(typeArray, ArrayLength(typeArray));
+
+    // The stack is assumed to be aligned.  The frame is allocated by GenerateFFIIonExit and
+    // the stack usage here needs to kept in sync with GenerateFFIIonExit.
+
+    // Store value
+    unsigned offsetToArgv = StackArgBytes(callArgTypes) + MaybeRetAddr;
+    masm.storeValue(JSReturnOperand, Address(StackPointer, offsetToArgv));
+
+    Register scratch = ABIArgGenerator::NonArgReturnVolatileReg0;
+    Register activation = ABIArgGenerator::NonArgReturnVolatileReg1;
+    LoadAsmJSActivationIntoRegister(masm, activation);
+
+    // Record sp in the AsmJSActivation for stack-walking.
+    masm.storePtr(StackPointer, Address(activation, AsmJSActivation::offsetOfExitSP()));
+
+    // Store real arguments
+    ABIArgMIRTypeIter i(callArgTypes);
+
+    // argument 0: cx
+    if (i->kind() == ABIArg::GPR) {
+        LoadJSContextFromActivation(masm, activation, i->gpr());
+    } else {
+        LoadJSContextFromActivation(masm, activation, scratch);
+        masm.storePtr(scratch, Address(StackPointer, i->offsetFromArgBase()));
+    }
+    i++;
+
+    // argument 1: argv
+    Address argv(StackPointer, offsetToArgv);
+    if (i->kind() == ABIArg::GPR) {
+        masm.computeEffectiveAddress(argv, i->gpr());
+    } else {
+        masm.computeEffectiveAddress(argv, scratch);
+        masm.storePtr(scratch, Address(StackPointer, i->offsetFromArgBase()));
+    }
+    i++;
+    JS_ASSERT(i.done());
+
+    // Call
+    AssertStackAlignment(masm);
+    switch (retType.which()) {
+      case RetType::Signed:
+        masm.callExit(AsmJSImm_CoerceInPlace_ToInt32, i.stackBytesConsumedSoFar());
+        masm.branchTest32(Assembler::Zero, ReturnReg, ReturnReg, throwLabel);
+        masm.unboxInt32(Address(StackPointer, offsetToArgv), ReturnReg);
+        break;
+      case RetType::Double:
+        masm.callExit(AsmJSImm_CoerceInPlace_ToNumber, i.stackBytesConsumedSoFar());
+        masm.branchTest32(Assembler::Zero, ReturnReg, ReturnReg, throwLabel);
+        masm.loadDouble(Address(StackPointer, offsetToArgv), ReturnFloatReg);
+        break;
+      default:
+        MOZ_ASSUME_UNREACHABLE("Unsupported convert type");
+    }
+}
+
+static void
+GenerateFFIIonExit(ModuleCompiler &m, const ModuleCompiler::ExitDescriptor &exit,
+                         unsigned exitIndex, Label *throwLabel)
+{
+    MacroAssembler &masm = m.masm();
+    masm.align(CodeAlignment);
+    m.setIonExitOffset(exitIndex);
+    masm.setFramePushed(0);
+
+#if defined(JS_CODEGEN_X64)
+    masm.Push(HeapReg);
+#elif defined(JS_CODEGEN_ARM)
+    // The lr register holds the return address and needs to be saved.  The GlobalReg
+    // (r10) and HeapReg (r11) also need to be restored before returning to asm.js code.
+    // The NANReg also needs to be restored, but is a constant and is reloaded before
+    // returning to asm.js code.
+    masm.PushRegsInMask(RegisterSet(GeneralRegisterSet((1<<GlobalReg.code()) |
+                                                       (1<<HeapReg.code()) |
+                                                       (1<<lr.code())),
+                                    FloatRegisterSet(uint32_t(0))));
+#endif
+
+    // The stack frame is used for the call into Ion and also for calls into C for OOL
+    // conversion of the result.  A frame large enough for both is allocated.
+    //
+    // Arguments to the Ion function are in the following order on the stack:
+    // | return address | descriptor | callee | argc | this | arg1 | arg2 | ...
+    unsigned argBytes = 3 * sizeof(size_t) + (1 + exit.sig().args().length()) * sizeof(Value);
+    unsigned offsetToArgs = MaybeRetAddr;
+    unsigned stackDecForIonCall = StackDecrementForCall(masm, argBytes + offsetToArgs);
+
+    // Reserve space for a call to AsmJSImm_CoerceInPlace_* and an array of values used by
+    // OOLConvert which reuses the same frame. This code needs to be kept in sync with the
+    // stack usage in GenerateOOLConvert.
+    MIRType typeArray[] = { MIRType_Pointer, MIRType_Pointer }; // cx, argv
+    MIRTypeVector callArgTypes(m.cx());
+    callArgTypes.infallibleAppend(typeArray, ArrayLength(typeArray));
+    unsigned oolExtraBytes = sizeof(Value) + MaybeRetAddr;
+    unsigned stackDecForOOLCall = StackDecrementForCall(masm, callArgTypes, oolExtraBytes);
+
+    // Allocate a frame large enough for both of the above calls.
+    unsigned stackDec = Max(stackDecForIonCall, stackDecForOOLCall);
+
+    masm.reserveStack(stackDec);
+    AssertStackAlignment(masm);
+
+    // 1. Descriptor
+    size_t argOffset = offsetToArgs;
+    uint32_t descriptor = MakeFrameDescriptor(masm.framePushed(), JitFrame_Entry);
+    masm.storePtr(ImmWord(uintptr_t(descriptor)), Address(StackPointer, argOffset));
+    argOffset += sizeof(size_t);
+
+    // 2. Callee
+    Register callee = ABIArgGenerator::NonArgReturnVolatileReg0;
+    Register scratch = ABIArgGenerator::NonArgReturnVolatileReg1;
+
+    // 2.1. Get ExitDatum
+    unsigned globalDataOffset = m.module().exitIndexToGlobalDataOffset(exitIndex);
+#if defined(JS_CODEGEN_X64)
+    CodeOffsetLabel label2 = masm.leaRipRelative(callee);
+    m.masm().append(AsmJSGlobalAccess(label2.offset(), globalDataOffset));
+#elif defined(JS_CODEGEN_X86)
+    CodeOffsetLabel label2 = masm.movlWithPatch(Imm32(0), callee);
+    m.masm().append(AsmJSGlobalAccess(label2.offset(), globalDataOffset));
+#else
+    masm.lea(Operand(GlobalReg, globalDataOffset), callee);
+#endif
+
+    // 2.2. Get callee
+    masm.loadPtr(Address(callee, offsetof(AsmJSModule::ExitDatum, fun)), callee);
+
+    // 2.3. Save callee
+    masm.storePtr(callee, Address(StackPointer, argOffset));
+    argOffset += sizeof(size_t);
+
+    // 3. Argc
+    unsigned argc = exit.sig().args().length();
+    masm.storePtr(ImmWord(uintptr_t(argc)), Address(StackPointer, argOffset));
+    argOffset += sizeof(size_t);
+
+    // 4. |this| value
+    masm.storeValue(UndefinedValue(), Address(StackPointer, argOffset));
+    argOffset += sizeof(Value);
+
+    // 5. Fill the arguments
+    unsigned offsetToCallerStackArgs = masm.framePushed();
+#if defined(JS_CODEGEN_X86) || defined(JS_CODEGEN_X64)
+    offsetToCallerStackArgs += NativeFrameSize;
+#endif
+    FillArgumentArray(m, exit.sig().args(), argOffset, offsetToCallerStackArgs, scratch);
+    argOffset += exit.sig().args().length() * sizeof(Value);
+    JS_ASSERT(argOffset == offsetToArgs + argBytes);
+
+    // Get the pointer to the ion code
+    Label done, oolConvert;
+    Label *maybeDebugBreakpoint = nullptr;
+
+#ifdef DEBUG
+    Label ionFailed;
+    maybeDebugBreakpoint = &ionFailed;
+    masm.branchIfFunctionHasNoScript(callee, &ionFailed);
+#endif
+
+    masm.loadPtr(Address(callee, JSFunction::offsetOfNativeOrScript()), callee);
+    masm.loadBaselineOrIonNoArgCheck(callee, callee, SequentialExecution, maybeDebugBreakpoint);
+
+    AssertStackAlignment(masm);
+
+    {
+        // Enable Activation.
+        //
+        // This sequence requires four registers, and needs to preserve the 'callee'
+        // register, so there are five live registers.
+        JS_ASSERT(callee == AsmJSIonExitRegCallee);
+        Register reg0 = AsmJSIonExitRegE0;
+        Register reg1 = AsmJSIonExitRegE1;
+        Register reg2 = AsmJSIonExitRegE2;
+        Register reg3 = AsmJSIonExitRegE3;
+
+        LoadAsmJSActivationIntoRegister(masm, reg0);
+
+        // Record sp in the AsmJSActivation for stack-walking.
+        masm.storePtr(StackPointer, Address(reg0, AsmJSActivation::offsetOfExitSP()));
+
+        // The following is inlined:
+        //   JSContext *cx = activation->cx();
+        //   Activation *act = cx->mainThread().activation();
+        //   act.active_ = true;
+        //   act.prevIonTop_ = cx->mainThread().ionTop;
+        //   act.prevJitJSContext_ = cx->mainThread().jitJSContext;
+        //   cx->mainThread().jitJSContext = cx;
+        // On the ARM store8() uses the secondScratchReg (lr) as a temp.
+        size_t offsetOfActivation = offsetof(JSRuntime, mainThread) +
+                                    PerThreadData::offsetOfActivation();
+        size_t offsetOfIonTop = offsetof(JSRuntime, mainThread) + offsetof(PerThreadData, ionTop);
+        size_t offsetOfJitJSContext = offsetof(JSRuntime, mainThread) +
+                                      offsetof(PerThreadData, jitJSContext);
+        masm.loadPtr(Address(reg0, AsmJSActivation::offsetOfContext()), reg3);
+        masm.loadPtr(Address(reg3, JSContext::offsetOfRuntime()), reg0);
+        masm.loadPtr(Address(reg0, offsetOfActivation), reg1);
+        masm.store8(Imm32(1), Address(reg1, JitActivation::offsetOfActiveUint8()));
+        masm.loadPtr(Address(reg0, offsetOfIonTop), reg2);
+        masm.storePtr(reg2, Address(reg1, JitActivation::offsetOfPrevIonTop()));
+        masm.loadPtr(Address(reg0, offsetOfJitJSContext), reg2);
+        masm.storePtr(reg2, Address(reg1, JitActivation::offsetOfPrevJitJSContext()));
+        masm.storePtr(reg3, Address(reg0, offsetOfJitJSContext));
+    }
+
+    // 2. Call
+    AssertStackAlignment(masm);
+    masm.callIonFromAsmJS(callee);
+    AssertStackAlignment(masm);
+
+    {
+        // Disable Activation.
+        //
+        // This sequence needs three registers, and must preserve the JSReturnReg_Data and
+        // JSReturnReg_Type, so there are five live registers.
+        JS_ASSERT(JSReturnReg_Data == AsmJSIonExitRegReturnData);
+        JS_ASSERT(JSReturnReg_Type == AsmJSIonExitRegReturnType);
+        Register reg0 = AsmJSIonExitRegD0;
+        Register reg1 = AsmJSIonExitRegD1;
+        Register reg2 = AsmJSIonExitRegD2;
+
+        LoadAsmJSActivationIntoRegister(masm, reg0);
+
+        // The following is inlined:
+        //   JSContext *cx = activation->cx();
+        //   Activation *act = cx->mainThread().activation();
+        //   act.active_ = false;
+        //   cx->mainThread().ionTop = prevIonTop_;
+        //   cx->mainThread().jitJSContext = prevJitJSContext_;
+        // On the ARM store8() uses the secondScratchReg (lr) as a temp.
+        size_t offsetOfActivation = offsetof(JSRuntime, mainThread) +
+                                    PerThreadData::offsetOfActivation();
+        size_t offsetOfIonTop = offsetof(JSRuntime, mainThread) + offsetof(PerThreadData, ionTop);
+        size_t offsetOfJitJSContext = offsetof(JSRuntime, mainThread) +
+                                      offsetof(PerThreadData, jitJSContext);
+        masm.loadPtr(Address(reg0, AsmJSActivation::offsetOfContext()), reg0);
+        masm.loadPtr(Address(reg0, JSContext::offsetOfRuntime()), reg0);
+        masm.loadPtr(Address(reg0, offsetOfActivation), reg1);
+        masm.store8(Imm32(0), Address(reg1, JitActivation::offsetOfActiveUint8()));
+        masm.loadPtr(Address(reg1, JitActivation::offsetOfPrevIonTop()), reg2);
+        masm.storePtr(reg2, Address(reg0, offsetOfIonTop));
+        masm.loadPtr(Address(reg1, JitActivation::offsetOfPrevJitJSContext()), reg2);
+        masm.storePtr(reg2, Address(reg0, offsetOfJitJSContext));
+    }
+
+#ifdef DEBUG
+    masm.branchTestMagicValue(Assembler::Equal, JSReturnOperand, JS_ION_ERROR, throwLabel);
+    masm.branchTestMagic(Assembler::Equal, JSReturnOperand, &ionFailed);
+#else
+    masm.branchTestMagic(Assembler::Equal, JSReturnOperand, throwLabel);
+#endif
+
+    uint32_t oolConvertFramePushed = masm.framePushed();
+    switch (exit.sig().retType().which()) {
+      case RetType::Void:
+        break;
+      case RetType::Signed:
+        masm.convertValueToInt32(JSReturnOperand, ReturnFloatReg, ReturnReg, &oolConvert,
+                                 /* -0 check */ false);
+        break;
+      case RetType::Double:
+        masm.convertValueToDouble(JSReturnOperand, ReturnFloatReg, &oolConvert);
+        break;
+      case RetType::Float:
+        MOZ_ASSUME_UNREACHABLE("Float shouldn't be returned from a FFI");
+        break;
+    }
+
+    masm.bind(&done);
+    masm.freeStack(stackDec);
+#if defined(JS_CODEGEN_ARM)
+    masm.ma_vimm(GenericNaN(), NANReg);
+    masm.PopRegsInMask(RegisterSet(GeneralRegisterSet((1<<GlobalReg.code()) |
+                                                      (1<<HeapReg.code()) |
+                                                      (1<<pc.code())),
+                                   FloatRegisterSet(uint32_t(0))));
+#else
+# if defined(JS_CODEGEN_X64)
+    masm.Pop(HeapReg);
+# endif
+    masm.ret();
+#endif
+    JS_ASSERT(masm.framePushed() == 0);
+
+    // oolConvert
+    if (oolConvert.used()) {
+        masm.bind(&oolConvert);
+        masm.setFramePushed(oolConvertFramePushed);
+        GenerateOOLConvert(m, exit.sig().retType(), throwLabel);
+        masm.setFramePushed(0);
+        masm.jump(&done);
+    }
+
+#ifdef DEBUG
+    masm.bind(&ionFailed);
+    masm.assumeUnreachable("AsmJS to IonMonkey call failed.");
+#endif
+}
+
+// See "asm.js FFI calls" comment above.
+static void
+GenerateFFIExit(ModuleCompiler &m, const ModuleCompiler::ExitDescriptor &exit, unsigned exitIndex,
+                Label *throwLabel)
+{
+    // Generate the slow path through the interpreter
+    GenerateFFIInterpreterExit(m, exit, exitIndex, throwLabel);
+
+    // Generate the fast path
+    GenerateFFIIonExit(m, exit, exitIndex, throwLabel);
+}
+
+// The stack-overflow exit is called when the stack limit has definitely been
+// exceeded. In this case, we can clobber everything since we are about to pop
+// all the frames.
+static bool
+GenerateStackOverflowExit(ModuleCompiler &m, Label *throwLabel)
+{
+    MacroAssembler &masm = m.masm();
+    masm.align(CodeAlignment);
+    masm.bind(&m.stackOverflowLabel());
+
+    // The overflow check always occurs before the initial function-specific
+    // stack-size adjustment. See CodeGenerator::generateAsmJSPrologue.
+    masm.setFramePushed(AlignmentMidPrologue - AlignmentAtPrologue);
+
+    MIRTypeVector argTypes(m.cx());
+    argTypes.infallibleAppend(MIRType_Pointer); // cx
+
+    unsigned stackDec = StackDecrementForCall(masm, argTypes, MaybeRetAddr);
+    masm.reserveStack(stackDec);
+
+    Register activation = ABIArgGenerator::NonArgReturnVolatileReg0;
+    LoadAsmJSActivationIntoRegister(masm, activation);
+
+    // Record sp in the AsmJSActivation for stack-walking.
+    masm.storePtr(StackPointer, Address(activation, AsmJSActivation::offsetOfExitSP()));
+
+    ABIArgMIRTypeIter i(argTypes);
+
+    // argument 0: cx
+    if (i->kind() == ABIArg::GPR) {
+        LoadJSContextFromActivation(masm, activation, i->gpr());
+    } else {
+        LoadJSContextFromActivation(masm, activation, activation);
+        masm.storePtr(activation, Address(StackPointer, i->offsetFromArgBase()));
+    }
+    i++;
+
+    JS_ASSERT(i.done());
+
+    AssertStackAlignment(masm);
+    masm.callExit(AsmJSImm_ReportOverRecursed, i.stackBytesConsumedSoFar());
+
+    // Don't worry about restoring the stack; throwLabel will pop everything.
+    masm.jump(throwLabel);
+    return !masm.oom();
+}
+
+// The operation-callback exit is called from arbitrarily-interrupted asm.js
+// code. That means we must first save *all* registers and restore *all*
+// registers (except the stack pointer) when we resume. The address to resume to
+// (assuming that js::HandleExecutionInterrupt doesn't indicate that the
+// execution should be aborted) is stored in AsmJSActivation::resumePC_.
+// Unfortunately, loading this requires a scratch register which we don't have
+// after restoring all registers. To hack around this, push the resumePC on the
+// stack so that it can be popped directly into PC.
+static bool
+GenerateInterruptExit(ModuleCompiler &m, Label *throwLabel)
+{
+    MacroAssembler &masm = m.masm();
+    masm.align(CodeAlignment);
+    masm.bind(&m.interruptLabel());
+
+#ifndef JS_CODEGEN_ARM
+    // Be very careful here not to perturb the machine state before saving it
+    // to the stack. In particular, add/sub instructions may set conditions in
+    // the flags register.
+    masm.push(Imm32(0));            // space for resumePC
+    masm.pushFlags();               // after this we are safe to use sub
+    masm.setFramePushed(0);         // set to zero so we can use masm.framePushed() below
+    masm.PushRegsInMask(AllRegsExceptSP); // save all GP/FP registers (except SP)
+
+    Register activation = ABIArgGenerator::NonArgReturnVolatileReg0;
+    Register scratch = ABIArgGenerator::NonArgReturnVolatileReg1;
+
+    // Store resumePC into the reserved space.
+    LoadAsmJSActivationIntoRegister(masm, activation);
+    masm.loadPtr(Address(activation, AsmJSActivation::offsetOfResumePC()), scratch);
+    masm.storePtr(scratch, Address(StackPointer, masm.framePushed() + sizeof(void*)));
+
+    // We know that StackPointer is word-aligned, but not necessarily
+    // stack-aligned, so we need to align it dynamically.
+    masm.mov(StackPointer, ABIArgGenerator::NonVolatileReg);
+#if defined(JS_CODEGEN_X86)
+    // Ensure that at least one slot is pushed for passing 'cx' below.
+    masm.push(Imm32(0));
+#endif
+    masm.andPtr(Imm32(~(StackAlignment - 1)), StackPointer);
+    if (ShadowStackSpace)
+        masm.subPtr(Imm32(ShadowStackSpace), StackPointer);
+
+    // argument 0: cx
+#if defined(JS_CODEGEN_X86)
+    LoadJSContextFromActivation(masm, activation, scratch);
+    masm.storePtr(scratch, Address(StackPointer, 0));
+#elif defined(JS_CODEGEN_X64)
+    LoadJSContextFromActivation(masm, activation, IntArgReg0);
+#endif
+
+    masm.call(AsmJSImm_HandleExecutionInterrupt);
+    masm.branchIfFalseBool(ReturnReg, throwLabel);
+
+    // Restore the StackPointer to it's position before the call.
+    masm.mov(ABIArgGenerator::NonVolatileReg, StackPointer);
+
+    // Restore the machine state to before the interrupt.
+    masm.PopRegsInMask(AllRegsExceptSP); // restore all GP/FP registers (except SP)
+    masm.popFlags();              // after this, nothing that sets conditions
+    masm.ret();                   // pop resumePC into PC
+#else
+    masm.setFramePushed(0);         // set to zero so we can use masm.framePushed() below
+    masm.PushRegsInMask(RegisterSet(GeneralRegisterSet(Registers::AllMask & ~(1<<Registers::sp)), FloatRegisterSet(uint32_t(0))));   // save all GP registers,excep sp
+
+    // Save both the APSR and FPSCR in non-volatile registers.
+    masm.as_mrs(r4);
+    masm.as_vmrs(r5);
+    // Save the stack pointer in a non-volatile register.
+    masm.mov(sp,r6);
+    // Align the stack.
+    masm.ma_and(Imm32(~7), sp, sp);
+
+    // Store resumePC into the return PC stack slot.
+    LoadAsmJSActivationIntoRegister(masm, IntArgReg0);
+    masm.loadPtr(Address(IntArgReg0, AsmJSActivation::offsetOfResumePC()), IntArgReg1);
+    masm.storePtr(IntArgReg1, Address(r6, 14 * sizeof(uint32_t*)));
+
+    // argument 0: cx
+    masm.loadPtr(Address(IntArgReg0, AsmJSActivation::offsetOfContext()), IntArgReg0);
+
+    masm.PushRegsInMask(RegisterSet(GeneralRegisterSet(0), FloatRegisterSet(FloatRegisters::AllMask)));   // save all FP registers
+    masm.call(AsmJSImm_HandleExecutionInterrupt);
+    masm.branchIfFalseBool(ReturnReg, throwLabel);
+
+    // Restore the machine state to before the interrupt. this will set the pc!
+    masm.PopRegsInMask(RegisterSet(GeneralRegisterSet(0), FloatRegisterSet(FloatRegisters::AllMask)));   // restore all FP registers
+    masm.mov(r6,sp);
+    masm.as_vmsr(r5);
+    masm.as_msr(r4);
+    // Restore all GP registers
+    masm.startDataTransferM(IsLoad, sp, IA, WriteBack);
+    masm.transferReg(r0);
+    masm.transferReg(r1);
+    masm.transferReg(r2);
+    masm.transferReg(r3);
+    masm.transferReg(r4);
+    masm.transferReg(r5);
+    masm.transferReg(r6);
+    masm.transferReg(r7);
+    masm.transferReg(r8);
+    masm.transferReg(r9);
+    masm.transferReg(r10);
+    masm.transferReg(r11);
+    masm.transferReg(r12);
+    masm.transferReg(lr);
+    masm.finishDataTransfer();
+    masm.ret();
+
+#endif
+
+    return !masm.oom();
+}
+
+// If an exception is thrown, simply pop all frames (since asm.js does not
+// contain try/catch). To do this:
+//  1. Restore 'sp' to it's value right after the PushRegsInMask in GenerateEntry.
+//  2. PopRegsInMask to restore the caller's non-volatile registers.
+//  3. Return (to CallAsmJS).
+static bool
+GenerateThrowExit(ModuleCompiler &m, Label *throwLabel)
+{
+    MacroAssembler &masm = m.masm();
+    masm.align(CodeAlignment);
+    masm.bind(throwLabel);
+
+    Register activation = ABIArgGenerator::NonArgReturnVolatileReg0;
+    LoadAsmJSActivationIntoRegister(masm, activation);
+
+    masm.setFramePushed(FramePushedAfterSave);
+    masm.loadPtr(Address(activation, AsmJSActivation::offsetOfErrorRejoinSP()), StackPointer);
+
+    masm.PopRegsInMask(NonVolatileRegs);
+    JS_ASSERT(masm.framePushed() == 0);
+
+    masm.mov(ImmWord(0), ReturnReg);
+    masm.abiret();
+
+    return !masm.oom();
+}
+
+static bool
+GenerateStubs(ModuleCompiler &m)
+{
+    for (unsigned i = 0; i < m.module().numExportedFunctions(); i++) {
+        m.setEntryOffset(i);
+        if (!GenerateEntry(m, m.module().exportedFunction(i)))
+            return false;
+        if (m.masm().oom())
+            return false;
+    }
+
+    Label throwLabel;
+
+    // The order of the iterations here is non-deterministic, since
+    // m.allExits() is a hash keyed by pointer values!
+    for (ModuleCompiler::ExitMap::Range r = m.allExits(); !r.empty(); r.popFront()) {
+        GenerateFFIExit(m, r.front().key(), r.front().value(), &throwLabel);
+        if (m.masm().oom())
+            return false;
+    }
+
+    if (m.stackOverflowLabel().used()) {
+        if (!GenerateStackOverflowExit(m, &throwLabel))
+            return false;
+    }
+
+    if (!GenerateInterruptExit(m, &throwLabel))
+        return false;
+
+    if (!GenerateThrowExit(m, &throwLabel))
+        return false;
+
+    return true;
+}
+
+static bool
+FinishModule(ModuleCompiler &m,
+             ScopedJSDeletePtr<AsmJSModule> *module)
+{
+    LifoAlloc lifo(LIFO_ALLOC_PRIMARY_CHUNK_SIZE);
+    TempAllocator alloc(&lifo);
+    IonContext ionContext(m.cx(), &alloc);
+
+    m.masm().resetForNewCodeGenerator(alloc);
+
+    if (!GenerateStubs(m))
+        return false;
+
+    return m.finish(module);
+}
+
+static bool
+CheckModule(ExclusiveContext *cx, AsmJSParser &parser, ParseNode *stmtList,
+            ScopedJSDeletePtr<AsmJSModule> *moduleOut,
+            ScopedJSFreePtr<char> *compilationTimeReport)
+{
+    if (!LookupAsmJSModuleInCache(cx, parser, moduleOut, compilationTimeReport))
+        return false;
+    if (*moduleOut)
+        return true;
+
+    ModuleCompiler m(cx, parser);
+    if (!m.init())
+        return false;
+
+    if (PropertyName *moduleFunctionName = FunctionName(m.moduleFunctionNode())) {
+        if (!CheckModuleLevelName(m, m.moduleFunctionNode(), moduleFunctionName))
+            return false;
+        m.initModuleFunctionName(moduleFunctionName);
+    }
+
+    if (!CheckFunctionHead(m, m.moduleFunctionNode()))
+        return false;
+
+    if (!CheckModuleArguments(m, m.moduleFunctionNode()))
+        return false;
+
+    if (!CheckPrecedingStatements(m, stmtList))
+        return false;
+
+    if (!CheckModuleGlobals(m))
+        return false;
+
+#ifdef JS_THREADSAFE
+    if (!CheckFunctionsParallel(m))
+        return false;
+#else
+    if (!CheckFunctionsSequential(m))
+        return false;
+#endif
+
+    m.finishFunctionBodies();
+
+    if (!CheckFuncPtrTables(m))
+        return false;
+
+    if (!CheckModuleReturn(m))
+        return false;
+
+    TokenKind tk = PeekToken(m.parser());
+    if (tk != TOK_EOF && tk != TOK_RC)
+        return m.fail(nullptr, "top-level export (return) must be the last statement");
+
+    // The instruction cache is flushed when dynamically linking, so can inhibit now.
+    AutoFlushICache afc("CheckModule", /* inhibit= */ true);
+
+    ScopedJSDeletePtr<AsmJSModule> module;
+    if (!FinishModule(m, &module))
+        return false;
+
+    bool storedInCache = StoreAsmJSModuleInCache(parser, *module, cx);
+    module->staticallyLink(cx);
+
+    m.buildCompilationTimeReport(storedInCache, compilationTimeReport);
+    *moduleOut = module.forget();
+    return true;
+}
+
+static bool
+Warn(AsmJSParser &parser, int errorNumber, const char *str)
+{
+    parser.reportNoOffset(ParseWarning, /* strict = */ false, errorNumber, str ? str : "");
+    return false;
+}
+
+static bool
+EstablishPreconditions(ExclusiveContext *cx, AsmJSParser &parser)
+{
+    if (!cx->jitSupportsFloatingPoint())
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by lack of floating point support");
+
+    if (!cx->signalHandlersInstalled())
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Platform missing signal handler support");
+
+    if (cx->gcSystemPageSize() != AsmJSPageSize)
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by non 4KiB system page size");
+
+    if (!parser.options().asmJSOption)
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by javascript.options.asmjs in about:config");
+
+    if (!parser.options().compileAndGo)
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Temporarily disabled for event-handler and other cloneable scripts");
+
+    if (cx->compartment()->debugMode())
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by debugger");
+
+    if (parser.pc->isGenerator())
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by generator context");
+
+    if (parser.pc->isArrowFunction())
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by arrow function context");
+
+#ifdef JS_THREADSAFE
+    if (ParallelCompilationEnabled(cx))
+        EnsureWorkerThreadsInitialized(cx);
+#endif
+
+    return true;
+}
+
+static bool
+NoExceptionPending(ExclusiveContext *cx)
+{
+    return !cx->isJSContext() || !cx->asJSContext()->isExceptionPending();
+}
+
+bool
+js::CompileAsmJS(ExclusiveContext *cx, AsmJSParser &parser, ParseNode *stmtList, bool *validated)
+{
+    *validated = false;
+
+    if (!EstablishPreconditions(cx, parser))
+        return NoExceptionPending(cx);
+
+    ScopedJSFreePtr<char> compilationTimeReport;
+    ScopedJSDeletePtr<AsmJSModule> module;
+    if (!CheckModule(cx, parser, stmtList, &module, &compilationTimeReport))
+        return NoExceptionPending(cx);
+
+    RootedObject moduleObj(cx, AsmJSModuleObject::create(cx, &module));
+    if (!moduleObj)
+        return false;
+
+    FunctionBox *funbox = parser.pc->maybeFunction->pn_funbox;
+    RootedFunction moduleFun(cx, NewAsmJSModuleFunction(cx, funbox->function(), moduleObj));
+    if (!moduleFun)
+        return false;
+
+    JS_ASSERT(funbox->function()->isInterpreted());
+    funbox->object = moduleFun;
+
+    *validated = true;
+    Warn(parser, JSMSG_USE_ASM_TYPE_OK, compilationTimeReport.get());
+    return NoExceptionPending(cx);
+}
+
+bool
+js::IsAsmJSCompilationAvailable(JSContext *cx, unsigned argc, Value *vp)
+{
+    CallArgs args = CallArgsFromVp(argc, vp);
+
+    // See EstablishPreconditions.
+    bool available = cx->jitSupportsFloatingPoint() &&
+                     cx->signalHandlersInstalled() &&
+                     cx->gcSystemPageSize() == AsmJSPageSize &&
+                     !cx->compartment()->debugMode() &&
+                     cx->runtime()->options().asmJS();
+
+    args.rval().set(BooleanValue(available));
+    return true;
+}