Fix representation of HLoadRoot.

HLoadRoot doesn't participate in representation inference, and its represenation is not Tagged at code generation, which leads to incorrect pointer map assignment and eventual stale pointer access after GC. BUG=chromium:419036 LOG=Y R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/626383003 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24410 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix representation of HLoadRoot.
HLoadRoot doesn't participate in representation inference, and its represenation is not Tagged at code generation, which leads to incorrect pointer map assignment and eventual stale pointer access after GC. BUG=chromium:419036 LOG=Y R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/626383003 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24410 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
de518336 · ulan@chromium.org · 33da50f2 · de518336 · de518336
Commit de518336 authored Oct 06, 2014 by ulan@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 4 deletions

hydrogen-instructions.h src/hydrogen-instructions.h +6 -3

hydrogen-representation-changes.cc src/hydrogen-representation-changes.cc +11 -1

No files found.
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -2716,6 +2716,7 @@ class HLoadRoot FINAL : public HTemplateInstruction<0> {
    // TODO(bmeurer): We'll need kDependsOnRoots once we add the
    // corresponding HStoreRoot instruction.
    SetDependsOnFlag(kCalls);
+    set_representation(Representation::Tagged());
  }

  virtual bool IsDeletable() const OVERRIDE { return true; }
@@ -6373,11 +6374,13 @@ class HLoadNamedField FINAL : public HTemplateInstruction<2> {
    return !access().IsInobject() || access().offset() >= size;
  }
  virtual Representation RequiredInputRepresentation(int index) OVERRIDE {
-    if (index == 0 && access().IsExternalMemory()) {
+    if (index == 0) {
      // object must be external in case of external memory access
-      return Representation::External();
+      return access().IsExternalMemory() ? Representation::External()
+                                         : Representation::Tagged();
    }
-    return Representation::Tagged();
+    DCHECK(index == 1);
+    return Representation::None();
  }
  virtual Range* InferRange(Zone* zone) OVERRIDE;
  virtual std::ostream& PrintDataTo(std::ostream& os) const OVERRIDE;  // NOLINT

--- a/src/hydrogen-representation-changes.cc
+++ b/src/hydrogen-representation-changes.cc
@@ -63,7 +63,17 @@ static bool IsNonDeoptingIntToSmiChange(HChange* change) {
 void HRepresentationChangesPhase::InsertRepresentationChangesForValue(
    HValue* value) {
  Representation r = value->representation();
-  if (r.IsNone()) return;
+  if (r.IsNone()) {
+#ifdef DEBUG
+    for (HUseIterator it(value->uses()); !it.Done(); it.Advance()) {
+      HValue* use_value = it.value();
+      int use_index = it.index();
+      Representation req = use_value->RequiredInputRepresentation(use_index);
+      DCHECK(req.IsNone());
+    }
+#endif
+    return;
+  }
  if (value->HasNoUses()) {
    if (value->IsForceRepresentation()) value->DeleteAndReplaceWith(NULL);
    return;