[InstCombine] SliceUpIllegalIntegerPHI - bail on out of range shifts

trunc(lshr) handling - if the shift is out of range (undefined) then bail like we do for non-constant shifts. Fixes OSS Fuzz #15217 llvm-svn: 364181
2025-01-31 20:51:52 +01:00 · 2019-06-24 13:13:36 +00:00 · 2019-06-24 13:13:36 +00:00 · 8d6f027a2f
commit 8d6f027a2f
parent fd320855ef
2 changed files with 31 additions and 0 deletions
--- a/lib/Transforms/InstCombine/InstCombinePHI.cpp
+++ b/lib/Transforms/InstCombine/InstCombinePHI.cpp
@ -1004,6 +1004,11 @@ Instruction *InstCombiner::SliceUpIllegalIntegerPHI(PHINode &FirstPhi) {
          !isa<ConstantInt>(UserI->getOperand(1)))
        return nullptr;

+      // Bail on out of range shifts.
+      unsigned SizeInBits = UserI->getType()->getScalarSizeInBits();
+      if (cast<ConstantInt>(UserI->getOperand(1))->getValue().uge(SizeInBits))
+        return nullptr;
+
      unsigned Shift = cast<ConstantInt>(UserI->getOperand(1))->getZExtValue();
      PHIUsers.push_back(PHIUsageRecord(PHIId, Shift, UserI->user_back()));
    }
--- a/test/Transforms/InstCombine/phi-shifts.ll
+++ b/test/Transforms/InstCombine/phi-shifts.ll
@ -0,0 +1,26 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
+; RUN: opt < %s -S -instcombine | FileCheck %s
+
+; OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15217
+define i64 @fuzz15217(i1 %cond, i8* %Ptr, i64 %Val) {
+; CHECK-LABEL: @fuzz15217(
+; CHECK-NEXT:  entry:
+; CHECK-NEXT:    br i1 [[COND:%.*]], label [[END:%.*]], label [[TWO:%.*]]
+; CHECK:       two:
+; CHECK-NEXT:    br label [[END]]
+; CHECK:       end:
+; CHECK-NEXT:    ret i64 0
+;
+entry:
+  br i1 %cond, label %end, label %two
+
+two:
+  br label %end
+
+end:
+  %tmp869.0 = phi i128 [ 0, %entry ], [ 18446744073709551616, %two ]
+  %tmp29 = lshr i128 %tmp869.0, 64
+  %B1 = lshr i128 %tmp29, 170141183460469231731687303715884105727
+  %tmp30 = trunc i128 %B1 to i64
+  ret i64 %tmp30
+}