Fix representation of HLoadRoot.

HLoadRoot doesn't participate in representation inference, and its
represenation is not Tagged at code generation, which leads to incorrect
pointer map assignment and eventual stale pointer access after GC.

BUG=chromium:419036
LOG=Y
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/626383003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24410 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index aec7644..af95c71 100644 (file)
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -2716,6 +2716,7 @@ class HLoadRoot FINAL : public HTemplateInstruction<0> {
     // TODO(bmeurer): We'll need kDependsOnRoots once we add the
     // corresponding HStoreRoot instruction.
     SetDependsOnFlag(kCalls);
+    set_representation(Representation::Tagged());
   }
 
   virtual bool IsDeletable() const OVERRIDE { return true; }
@@ -6373,11 +6374,13 @@ class HLoadNamedField FINAL : public HTemplateInstruction<2> {
     return !access().IsInobject() || access().offset() >= size;
   }
   virtual Representation RequiredInputRepresentation(int index) OVERRIDE {
-    if (index == 0 && access().IsExternalMemory()) {
+    if (index == 0) {
       // object must be external in case of external memory access
-      return Representation::External();
+      return access().IsExternalMemory() ? Representation::External()
+                                         : Representation::Tagged();
     }
-    return Representation::Tagged();
+    DCHECK(index == 1);
+    return Representation::None();
   }
   virtual Range* InferRange(Zone* zone) OVERRIDE;
   virtual std::ostream& PrintDataTo(std::ostream& os) const OVERRIDE;  // NOLINT

diff --git a/src/hydrogen-representation-changes.cc b/src/hydrogen-representation-changes.cc
index ebb03b5..bfc8271 100644 (file)
--- a/src/hydrogen-representation-changes.cc
+++ b/src/hydrogen-representation-changes.cc
@@ -63,7 +63,17 @@ static bool IsNonDeoptingIntToSmiChange(HChange* change) {
 void HRepresentationChangesPhase::InsertRepresentationChangesForValue(
     HValue* value) {
   Representation r = value->representation();
-  if (r.IsNone()) return;
+  if (r.IsNone()) {
+#ifdef DEBUG
+    for (HUseIterator it(value->uses()); !it.Done(); it.Advance()) {
+      HValue* use_value = it.value();
+      int use_index = it.index();
+      Representation req = use_value->RequiredInputRepresentation(use_index);
+      DCHECK(req.IsNone());
+    }
+#endif
+    return;
+  }
   if (value->HasNoUses()) {
     if (value->IsForceRepresentation()) value->DeleteAndReplaceWith(NULL);
     return;