Subzero: Fix x86-64 memory sandboxing. · ecbf2c4b · Jim Stichnoth authored
Commit 2e4b960b (https://codereview.chromium.org/2084793002), which made address mode inference more aggressive, exposed a long-standing bug in memory sandboxing, which now manifests in 164.gzip.

The problem is in sandboxed code like this:

    movl %eax, %eax
    movb 64(%rsp,%rax), %cl

If %eax starts out -1, the mov address is something close to %rsp+4GB, instead of %rsp+63.

To fix this, we need to use an lea instruction in more cases - specifically when the sandboxed address has an index register and the non-symbolic portion of the offset is nonzero.

BUG= none
R=jpp@chromium.org

Review URL: https://codereview.chromium.org/2097193003 .
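As an added illustration of the address computation described in the commit message (this is a model written for this page, not Subzero's own code), the following C functions compute the effective address both ways: zero-extending the index before the displacement is applied, versus folding the displacement into the 32-bit index with an lea first. The base address and index values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of two ways a sandboxed x86-64 address of the form
 * disp(%rsp,%rax) can be formed once the 32-bit index in %eax has been
 * zero-extended with "movl %eax, %eax". Not Subzero's code. */

/* Buggy sequence from the commit message: zero-extend the index first,
 * then let the addressing mode add the displacement in 64-bit arithmetic.
 * For index == -1 the zero-extended %rax is 0xFFFFFFFF, so the address
 * lands near base + 4GB instead of base + disp - 1. */
uint64_t addr_zext_then_disp(uint64_t base, int32_t index, int32_t disp) {
    uint64_t rax = (uint32_t)index;        /* movl %eax, %eax            */
    return base + rax + (uint64_t)(int64_t)disp; /* disp(%rsp,%rax)     */
}

/* Fixed sequence: add the displacement to the index while it is still
 * 32 bits (lea), so the wrap-around happens in 32-bit arithmetic, and
 * only then zero-extend and form the address. */
uint64_t addr_lea_then_zext(uint64_t base, int32_t index, int32_t disp) {
    uint32_t eax = (uint32_t)index + (uint32_t)disp; /* leal disp(%eax), %eax */
    uint64_t rax = eax;                    /* movl %eax, %eax            */
    return base + rax;                     /* (%rsp,%rax)                */
}

int main(void) {
    const uint64_t rsp = 0x7fff00001000ULL; /* constructed stack pointer */
    const int32_t disp = 64;

    /* The failing case from the commit: index starts out -1. */
    printf("index=-1 buggy: base+0x%llx\n",
           (unsigned long long)(addr_zext_then_disp(rsp, -1, disp) - rsp));
    printf("index=-1 fixed: base+0x%llx\n",
           (unsigned long long)(addr_lea_then_zext(rsp, -1, disp) - rsp));

    /* A non-negative index is unaffected either way. */
    printf("index=5  buggy: base+0x%llx\n",
           (unsigned long long)(addr_zext_then_disp(rsp, 5, disp) - rsp));
    printf("index=5  fixed: base+0x%llx\n",
           (unsigned long long)(addr_lea_then_zext(rsp, 5, disp) - rsp));
    return 0;
}
```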