From de5183369585d381b8e9c625ac16c378af74a833 Mon Sep 17 00:00:00 2001
From: "ulan@chromium.org"
Date: Mon, 6 Oct 2014 11:42:13 +0000
Subject: [PATCH] Fix representation of HLoadRoot.

HLoadRoot doesn't participate in representation inference, and its represenation is not Tagged at code generation, which leads to incorrect pointer map assignment and eventual stale pointer access after GC.
BUG=chromium:419036
LOG=Y
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/626383003
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24410 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen-instructions.h | 9 ++++++---
 src/hydrogen-representation-changes.cc | 12 +++++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index aec7644..af95c71 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -2716,6 +2716,7 @@ class HLoadRoot FINAL : public HTemplateInstruction<0> {
 // TODO(bmeurer): We'll need kDependsOnRoots once we add the
 // corresponding HStoreRoot instruction.
 SetDependsOnFlag(kCalls);
+ set_representation(Representation::Tagged());
 }
 virtual bool IsDeletable() const OVERRIDE { return true; }
@@ -6373,11 +6374,13 @@ class HLoadNamedField FINAL : public HTemplateInstruction<2> {
 return !access().IsInobject() || access().offset() >= size;
 }
 virtual Representation RequiredInputRepresentation(int index) OVERRIDE {
- if (index == 0 && access().IsExternalMemory()) {
+ if (index == 0) {
 // object must be external in case of external memory access
- return Representation::External();
+ return access().IsExternalMemory() ? Representation::External()
+ : Representation::Tagged();
 }
- return Representation::Tagged();
+ DCHECK(index == 1);
+ return Representation::None();
 }
 virtual Range* InferRange(Zone* zone) OVERRIDE;
 virtual std::ostream& PrintDataTo(std::ostream& os) const OVERRIDE; // NOLINT
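Review bot: The added `set_representation(Representation::Tagged());` in the HLoadRoot constructor carries no comment, although the commit message says this is what keeps pointer map assignment correct across GC. A line such as `// HLoadRoot does not take part in representation inference, so it must be marked Tagged here.` above the call would stop a later cleanup from removing it as redundant. The diffstat lists only the two source files, so the fix for chromium:419036 appears to land without a regression test; adding one would pin the behaviour. The constructor begins above the hunk.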
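Review bot: In HLoadNamedField::RequiredInputRepresentation the retained comment `// object must be external in case of external memory access` now sits over a ternary that also returns Tagged, and the new `return Representation::None();` for index 1 is unexplained. Operand 1 required Tagged before this change, so a short comment saying what that operand is and why it must not force a representation would help; presumably the reason is that a None-represented input must pass the new debug check in hydrogen-representation-changes.cc. Because `DCHECK(index == 1)` compiles out in release builds, any unexpected index silently gets None there, which should be confirmed as the intended fallback.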
diff --git a/src/hydrogen-representation-changes.cc b/src/hydrogen-representation-changes.cc
index ebb03b5..bfc8271 100644
--- a/src/hydrogen-representation-changes.cc
+++ b/src/hydrogen-representation-changes.cc
@@ -63,7 +63,17 @@ static bool IsNonDeoptingIntToSmiChange(HChange* change) {
 void HRepresentationChangesPhase::InsertRepresentationChangesForValue(
 HValue* value) {
 Representation r = value->representation();
- if (r.IsNone()) return;
+ if (r.IsNone()) {
+#ifdef DEBUG
+ for (HUseIterator it(value->uses()); !it.Done(); it.Advance()) {
+ HValue* use_value = it.value();
+ int use_index = it.index();
+ Representation req = use_value->RequiredInputRepresentation(use_index);
+ DCHECK(req.IsNone());
+ }
+#endif
+ return;
+ }
 if (value->HasNoUses()) {
 if (value->IsForceRepresentation()) value->DeleteAndReplaceWith(NULL);
 return;
-- 
2.7.4
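Review bot: The invariant added in the `r.IsNone()` branch of InsertRepresentationChangesForValue is checked only under `#ifdef DEBUG`, so a release build still returns silently when a value without a representation has a use that requires one. Going by the commit message, that is the kind of mismatch that ends in a stale pointer after GC. A comment above the loop, for example `// A value with no representation may only feed inputs that require none.`, would record why the check exists. It is worth considering whether the condition should be `CHECK(req.IsNone());` outside the `#ifdef`, at the cost of walking the use list in release builds. The function continues below the hunk.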