Reviewers: Jakob,
Message:
PTAL
Description:
Fix representation of HLoadRoot.
HLoadRoot doesn't participate in representation inference, and its
representation is not Tagged at code generation, which leads to incorrect
pointer map assignment and eventual stale pointer access after GC.
BUG=chromium:419036
LOG=Y
Please review this at https://codereview.chromium.org/626383003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+13, -1 lines):
M src/hydrogen-instructions.h
M src/hydrogen-representation-changes.cc
Index: src/hydrogen-instructions.h
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index
695c629a7049dc051fdc33a06751ef7ecadce622..64decbf13ba6db2f7de73aa15454efbf74411a20
100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -2716,6 +2716,7 @@ class HLoadRoot FINAL : public
HTemplateInstruction<0> {
// TODO(bmeurer): We'll need kDependsOnRoots once we add the
// corresponding HStoreRoot instruction.
SetDependsOnFlag(kCalls);
+ set_representation(Representation::Tagged());
}
virtual bool IsDeletable() const OVERRIDE { return true; }
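Review bot: The added `set_representation(Representation::Tagged());` carries no comment saying why HLoadRoot has to set its representation by hand, so a later cleanup could drop it as redundant. Per the description, this instruction is skipped by representation inference, and a result that is not Tagged is left out of the pointer map, so the GC does not update it. A line such as `// Not covered by representation inference; must be Tagged so the result is recorded in pointer maps.` above the call would record that. The affected-files list shows only the two source files, so a regression test for the GC scenario in the referenced bug appears to be missing. The constructor begins outside the hunk.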
@@ -6376,6 +6377,7 @@ class HLoadNamedField FINAL : public
HTemplateInstruction<2> {
// object must be external in case of external memory access
return Representation::External();
}
+ if (index == 1) return Representation::None();
return Representation::Tagged();
}
virtual Range* InferRange(Zone* zone) OVERRIDE;
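Review bot: The new `if (index == 1) return Representation::None();` relies on a bare operand number with no explanation of which input it is. If operand 1 is the dependency input (the hunk does not show the operand accessors), a comment such as `// Operand 1 is the dependency; it imposes no representation on its input.` would make the intent clear. It would also explain why this line is needed for the new debug check in hydrogen-representation-changes.cc to hold. The function begins outside the hunk.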
Index: src/hydrogen-representation-changes.cc
diff --git a/src/hydrogen-representation-changes.cc
b/src/hydrogen-representation-changes.cc
index
ebb03b503ae2fdf7a48f224c78c8894511f14bf6..bfc8271a9b694762bc6bd18407c56bc02d9385db
100644
--- a/src/hydrogen-representation-changes.cc
+++ b/src/hydrogen-representation-changes.cc
@@ -63,7 +63,17 @@ static bool IsNonDeoptingIntToSmiChange(HChange* change)
{
void HRepresentationChangesPhase::InsertRepresentationChangesForValue(
HValue* value) {
Representation r = value->representation();
- if (r.IsNone()) return;
+ if (r.IsNone()) {
+#ifdef DEBUG
+ for (HUseIterator it(value->uses()); !it.Done(); it.Advance()) {
+ HValue* use_value = it.value();
+ int use_index = it.index();
+ Representation req =
use_value->RequiredInputRepresentation(use_index);
+ DCHECK(req.IsNone());
+ }
+#endif
+ return;
+ }
if (value->HasNoUses()) {
if (value->IsForceRepresentation()) value->DeleteAndReplaceWith(NULL);
return;
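Review bot: The new invariant check runs only under `#ifdef DEBUG`, so in release builds a value with representation None whose use requires a concrete representation still takes the early `return` silently. That is the condition which, per the description, ends in a stale pointer after GC. The loop runs only for values without a representation, so it may be cheap enough to keep in all builds with `CHECK(req.IsNone());`. If it is not, the loop should at least have a comment stating the invariant, e.g. `// A value without a representation may only feed inputs that require none.` The function continues past the hunk.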
--