RPCS3/llvm-mirror
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm-mirror.git synced 2024-11-23 19:23:23 +01:00
Code Issues Projects Releases Wiki Activity

[InstCombine] prevent crashing with invalid extractelement index

Browse Source 
This was found/reduced from a fuzzer report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14956

llvm-svn: 361729
This commit is contained in:
Sanjay Patel 2019-05-26 14:03:50 +00:00
parent a0d036767d
commit 78254915c6
2 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/Transforms/InstCombine/InstCombineVectorOps.cpp
View File

@ -878,12 +878,13 @@ Instruction *InstCombiner::visitInsertElementInst(InsertElementInst &IE) {
}
// If the inserted element was extracted from some other vector and both
// indexes are constant, try to turn this into a shuffle.
// indexes are valid constants, try to turn this into a shuffle.
uint64_t InsertedIdx, ExtractedIdx;
Value *ExtVecOp;
if (match(IdxOp, m_ConstantInt(InsertedIdx)) &&
match(ScalarOp, m_ExtractElement(m_Value(ExtVecOp),
m_ConstantInt(ExtractedIdx)))) {
m_ConstantInt(ExtractedIdx))) &&
ExtractedIdx < ExtVecOp->getType()->getVectorNumElements()) {
// TODO: Looking at the user(s) to determine if this insert is a
// fold-to-shuffle opportunity does not match the usual instcombine
// constraints. We should decide if the transform is worthy based only

19
test/Transforms/InstCombine/extractelement.ll
View File

@ -310,3 +310,22 @@ define float @bitcasted_inselt_to_and_from_FP_uses2(double %x) {
ret float %r
}
; This would crash/assert because the logic for collectShuffleElements()
; does not consider the possibility of invalid insert/extract operands.
define <4 x double> @invalid_extractelement(<2 x double> %a, <4 x double> %b, double* %p) {
; ANY-LABEL: @invalid_extractelement(
; ANY-NEXT: [[TMP1:%.*]] = shufflevector <2 x double> [[A:%.*]], <2 x double> undef, <4 x i32> <i32 0, i32 undef, i32 undef, i32 undef>
; ANY-NEXT: [[T4:%.*]] = shufflevector <4 x double> [[B:%.*]], <4 x double> [[TMP1]], <4 x i32> <i32 undef, i32 1, i32 4, i32 3>
; ANY-NEXT: [[E:%.*]] = extractelement <4 x double> [[B]], i32 1
; ANY-NEXT: store double [[E]], double* [[P:%.*]], align 8
; ANY-NEXT: ret <4 x double> [[T4]]
;
%t3 = extractelement <2 x double> %a, i32 0
%t4 = insertelement <4 x double> %b, double %t3, i32 2
%e = extractelement <4 x double> %t4, i32 1
store double %e, double* %p
%e1 = extractelement <2 x double> %a, i32 4 ; invalid index
%r = insertelement <4 x double> %t4, double %e1, i64 0
ret <4 x double> %r
}