Fix representation of HLoadRoot.

Fix representation of HLoadRoot.

HLoadRoot doesn't participate in representation inference, and its
represenation is not Tagged at code generation, which leads to incorrect
pointer map assignment and eventual stale pointer access after GC.

BUG=chromium:419036
LOG=Y
R=jkummerow@chromium.org

Committed: https://code.google.com/p/v8/source/detail?r=24410

[ulan, 2014-10-06 11:15:44]

ulan@chromium.org changed reviewers:
+ jkummerow@chromium.org

[ulan, 2014-10-06 11:15:45]

PTAL

[ulan, 2014-10-06 11:17:17]

https://codereview.chromium.org/626383003/diff/1/src/hydrogen-representation-...
File src/hydrogen-representation-changes.cc (right):

https://codereview.chromium.org/626383003/diff/1/src/hydrogen-representation-...
src/hydrogen-representation-changes.cc:72: DCHECK(req.IsNone());
Without the HLoadRoot representation fix this assert triggers already at
snapshot generation.

[Jakob Kummerow, 2014-10-06 11:30:00]

LGTM. Nice catch!

As discussed, the verification pass you're adding won't catch all possible cases
of bad representations (notably: a required input representation might be
"None", meaning "I'll handle anything *except* actual 'None' coming in"), but
it's probably impossible to catch such cases in an automated way, so let's just
land what you have.

https://codereview.chromium.org/626383003/diff/1/src/hydrogen-representation-...
File src/hydrogen-representation-changes.cc (right):

https://codereview.chromium.org/626383003/diff/1/src/hydrogen-representation-...
src/hydrogen-representation-changes.cc:72: DCHECK(req.IsNone());
On 2014/10/06 11:17:17, ulan wrote:
> Without the HLoadRoot representation fix this assert triggers already at
> snapshot generation.

Acknowledged.

[ulan, 2014-10-06 11:42:22]

Committed patchset #3 (id:40001) manually as 24410 (presubmit successful).