Index: Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
===================================================================
--- Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm	(revision 139916)
+++ Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm	(working copy)
@@ -1728,7 +1728,7 @@ _llint_op_next_pname:
     loadi 20[PC], t2
     loadi PayloadOffset[cfr, t2, 8], t2
     loadp JSPropertyNameIterator::m_jsStrings[t2], t3
-    loadi [t3, t0, 8], t3
+    loadi PayloadOffset[t3, t0, 8], t3
     addi 1, t0
     storei t0, PayloadOffset[cfr, t1, 8]
     loadi 4[PC], t1
Index: Source/JavaScriptCore/llint/LowLevelInterpreter.asm
===================================================================
--- Source/JavaScriptCore/llint/LowLevelInterpreter.asm	(revision 139916)
+++ Source/JavaScriptCore/llint/LowLevelInterpreter.asm	(working copy)
@@ -263,13 +263,13 @@ macro assertNotConstant(index)
 end
 
 macro functionForCallCodeBlockGetter(targetRegister)
-    loadp Callee[cfr], targetRegister
+    loadp Callee + PayloadOffset[cfr], targetRegister
     loadp JSFunction::m_executable[targetRegister], targetRegister
     loadp FunctionExecutable::m_codeBlockForCall[targetRegister], targetRegister
 end
 
 macro functionForConstructCodeBlockGetter(targetRegister)
-    loadp Callee[cfr], targetRegister
+    loadp Callee + PayloadOffset[cfr], targetRegister
     loadp JSFunction::m_executable[targetRegister], targetRegister
     loadp FunctionExecutable::m_codeBlockForConstruct[targetRegister], targetRegister
 end
@@ -841,7 +841,7 @@ macro interpretResolveWithBase(opcodeLen
     getResolveOperation(4, t0, t1)
     btpz t0, .slowPath
 
-    loadp ScopeChain[cfr], t3
+    loadp ScopeChain + PayloadOffset[cfr], t3
     # Get the base
     loadis ResolveOperation::m_operation[t0], t2
 
Index: Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
===================================================================
--- Source/JavaScriptCore/llint/LowLevelInterpreter.cpp	(revision 139916)
+++ Source/JavaScriptCore/llint/LowLevelInterpreter.cpp	(working copy)
@@ -33,6 +33,7 @@
 
 #if ENABLE(LLINT_C_LOOP)
 #include "CodeBlock.h"
+#include "JSValueInlines.h"
 #include "LLIntCLoop.h"
 #include "LLIntSlowPaths.h"
 #include "VMInspector.h"
@@ -116,6 +117,17 @@ static double Ints2Double(uint32_t lo, u
     u.ival64 = (static_cast<uint64_t>(hi) << 32) | lo;
     return u.dval;
 }
+
+static void Double2Ints(double input, intptr_t& lo, intptr_t& hi)
+{
+    union {
+        double dval;
+        uint64_t ival64;
+    } u;
+    u.dval = input;
+    hi = static_cast<intptr_t>(u.ival64 >> 32);
+    lo = static_cast<intptr_t>(u.ival64);
+}
 #endif // USE(JSVALUE32_64)
 
 } // namespace LLint