Fix representation of HLoadRoot.
HLoadRoot doesn't participate in representation inference, and its represenation is not Tagged at code generation, which leads to incorrect pointer map assignment and eventual stale pointer access after GC. BUG=chromium:419036 LOG=Y R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/626383003 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24410 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
parent
33da50f2ea
commit
de51833695
@ -2716,6 +2716,7 @@ class HLoadRoot FINAL : public HTemplateInstruction<0> {
|
|||||||
// TODO(bmeurer): We'll need kDependsOnRoots once we add the
|
// TODO(bmeurer): We'll need kDependsOnRoots once we add the
|
||||||
// corresponding HStoreRoot instruction.
|
// corresponding HStoreRoot instruction.
|
||||||
SetDependsOnFlag(kCalls);
|
SetDependsOnFlag(kCalls);
|
||||||
|
set_representation(Representation::Tagged());
|
||||||
}
|
}
|
||||||
|
|
||||||
virtual bool IsDeletable() const OVERRIDE { return true; }
|
virtual bool IsDeletable() const OVERRIDE { return true; }
|
||||||
@ -6373,11 +6374,13 @@ class HLoadNamedField FINAL : public HTemplateInstruction<2> {
|
|||||||
return !access().IsInobject() || access().offset() >= size;
|
return !access().IsInobject() || access().offset() >= size;
|
||||||
}
|
}
|
||||||
virtual Representation RequiredInputRepresentation(int index) OVERRIDE {
|
virtual Representation RequiredInputRepresentation(int index) OVERRIDE {
|
||||||
if (index == 0 && access().IsExternalMemory()) {
|
if (index == 0) {
|
||||||
// object must be external in case of external memory access
|
// object must be external in case of external memory access
|
||||||
return Representation::External();
|
return access().IsExternalMemory() ? Representation::External()
|
||||||
|
: Representation::Tagged();
|
||||||
}
|
}
|
||||||
return Representation::Tagged();
|
DCHECK(index == 1);
|
||||||
|
return Representation::None();
|
||||||
}
|
}
|
||||||
virtual Range* InferRange(Zone* zone) OVERRIDE;
|
virtual Range* InferRange(Zone* zone) OVERRIDE;
|
||||||
virtual std::ostream& PrintDataTo(std::ostream& os) const OVERRIDE; // NOLINT
|
virtual std::ostream& PrintDataTo(std::ostream& os) const OVERRIDE; // NOLINT
|
||||||
|
@ -63,7 +63,17 @@ static bool IsNonDeoptingIntToSmiChange(HChange* change) {
|
|||||||
void HRepresentationChangesPhase::InsertRepresentationChangesForValue(
|
void HRepresentationChangesPhase::InsertRepresentationChangesForValue(
|
||||||
HValue* value) {
|
HValue* value) {
|
||||||
Representation r = value->representation();
|
Representation r = value->representation();
|
||||||
if (r.IsNone()) return;
|
if (r.IsNone()) {
|
||||||
|
#ifdef DEBUG
|
||||||
|
for (HUseIterator it(value->uses()); !it.Done(); it.Advance()) {
|
||||||
|
HValue* use_value = it.value();
|
||||||
|
int use_index = it.index();
|
||||||
|
Representation req = use_value->RequiredInputRepresentation(use_index);
|
||||||
|
DCHECK(req.IsNone());
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
return;
|
||||||
|
}
|
||||||
if (value->HasNoUses()) {
|
if (value->HasNoUses()) {
|
||||||
if (value->IsForceRepresentation()) value->DeleteAndReplaceWith(NULL);
|
if (value->IsForceRepresentation()) value->DeleteAndReplaceWith(NULL);
|
||||||
return;
|
return;
|
||||||
|
Loading…
Reference in New Issue
Block a user