X87: [Interpreter] Fix GenerateSmiToDouble to avoid assuming it is called from a JSFrame.

  port 471893cc (r36649)

  original commit message:
  GenerateSmiToDouble on ia32 assumes that it is called from a JSFrame and can restore
  the context from the StandardFrameConstants::kContextObject. In the case of the
  interpreter it is called from a interpreter handler stub frame which doesn't
  push the context onto it's frame. Instead, push and pop esi to explicitly restore it
  correctly.

BUG=

Review-Url: https://codereview.chromium.org/2036083003
Cr-Commit-Position: refs/heads/master@{#36702}

src/x87/codegen-x87.cc

@@ -269,6 +269,7 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(
 
   __ push(eax);
   __ push(ebx);
+  __ push(esi);
 
   __ mov(edi, FieldOperand(edi, FixedArray::kLengthOffset));
 
@@ -301,8 +302,9 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(
 
   // Call into runtime if GC is required.
   __ bind(&gc_required);
+
   // Restore registers before jumping into runtime.
-  __ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
+  __ pop(esi);
   __ pop(ebx);
   __ pop(eax);
   __ jmp(fail);
@@ -338,12 +340,11 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(
   __ sub(edi, Immediate(Smi::FromInt(1)));
   __ j(not_sign, &loop);
 
+  // Restore registers.
+  __ pop(esi);
   __ pop(ebx);
   __ pop(eax);
 
-  // Restore esi.
-  __ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
-
   __ bind(&only_change_map);
   // eax: value
   // ebx: target map