Fix representation of HLoadRoot.

HLoadRoot doesn't participate in representation inference, and its represenation is not Tagged at code generation, which leads to incorrect pointer map assignment and eventual stale pointer access after GC. BUG=chromium:419036 LOG=Y R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/626383003 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24410 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-10-06 11:42:13 +00:00 · 2014-10-06 11:42:13 +00:00 · de51833695
commit de51833695
parent 33da50f2ea
2 changed files with 17 additions and 4 deletions
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@ -2716,6 +2716,7 @@ class HLoadRoot FINAL : public HTemplateInstruction<0> {
    // TODO(bmeurer): We'll need kDependsOnRoots once we add the
    // corresponding HStoreRoot instruction.
    SetDependsOnFlag(kCalls);
+    set_representation(Representation::Tagged());
  }

  virtual bool IsDeletable() const OVERRIDE { return true; }
@ -6373,11 +6374,13 @@ class HLoadNamedField FINAL : public HTemplateInstruction<2> {
    return !access().IsInobject() || access().offset() >= size;
  }
  virtual Representation RequiredInputRepresentation(int index) OVERRIDE {
-    if (index == 0 && access().IsExternalMemory()) {
+    if (index == 0) {
      // object must be external in case of external memory access
-      return Representation::External();
+      return access().IsExternalMemory() ? Representation::External()
+                                         : Representation::Tagged();
    }
-    return Representation::Tagged();
+    DCHECK(index == 1);
+    return Representation::None();
  }
  virtual Range* InferRange(Zone* zone) OVERRIDE;
  virtual std::ostream& PrintDataTo(std::ostream& os) const OVERRIDE;  // NOLINT
--- a/src/hydrogen-representation-changes.cc
+++ b/src/hydrogen-representation-changes.cc
@ -63,7 +63,17 @@ static bool IsNonDeoptingIntToSmiChange(HChange* change) {
 void HRepresentationChangesPhase::InsertRepresentationChangesForValue(
    HValue* value) {
  Representation r = value->representation();
-  if (r.IsNone()) return;
+  if (r.IsNone()) {
+#ifdef DEBUG
+    for (HUseIterator it(value->uses()); !it.Done(); it.Advance()) {
+      HValue* use_value = it.value();
+      int use_index = it.index();
+      Representation req = use_value->RequiredInputRepresentation(use_index);
+      DCHECK(req.IsNone());
+    }
+#endif
+    return;
+  }
  if (value->HasNoUses()) {
    if (value->IsForceRepresentation()) value->DeleteAndReplaceWith(NULL);
    return;