[SimplifyCFG] avoid crash on degenerate loop

The problematic code pattern in the test is based on:
https://llvm.org/PR50638

If the IfCond is itself the phi that we are trying to remove,
then the loop around line 2835 can end up with something like:
%cmp = select i1 %cmp, i1 false, i1 true

That can then lead to a use-after-free and assert (although
I'm still not seeing that locally in my release + asserts build).

I think this can only happen with unreachable code.

Differential Revision: https://reviews.llvm.org/D104063

lib/Transforms/Utils/SimplifyCFG.cpp

@@ -2713,6 +2713,12 @@ static bool FoldTwoEntryPHINode(PHINode *PN, const TargetTransformInfo &TTI,
       isa<ConstantInt>(IfCond))
     return false;
 
+  // Don't try to fold an unreachable block. For example, the phi node itself
+  // can't be the candidate if-condition for a select that we want to form.
+  if (auto *IfCondPhiInst = dyn_cast<PHINode>(IfCond))
+    if (IfCondPhiInst->getParent() == BB)
+      return false;
+
   // Okay, we found that we can merge this two-entry phi node into a select.
   // Doing so would require us to fold *all* two entry phi nodes in this block.
   // At some point this becomes non-profitable (particularly if the target

test/Transforms/SimplifyCFG/two-entry-phi-return.ll

@@ -23,4 +23,33 @@ UnifiedReturnBlock:
 
 }
 
+@a = external dso_local global i32, align 4
+
+define i32 @PR50638() {
+; CHECK-LABEL: @PR50638(
+; CHECK-NEXT:  entry:
+; CHECK-NEXT:    store i32 0, i32* @a, align 4
+; CHECK-NEXT:    ret i32 0
+;
+entry:
+  store i32 0, i32* @a, align 4
+  br label %pre.for
+
+pre.for:
+  %tobool.not = phi i1 [ false, %for ], [ true, %entry ]
+  br i1 %tobool.not, label %end, label %for
+
+for:
+  %cmp = phi i1 [ true, %pre.for ], [ false, %post.for ]
+  %storemerge = phi i32 [ 0, %pre.for ], [ 1, %post.for ]
+  store i32 %storemerge, i32* @a, align 4
+  br i1 %cmp, label %post.for, label %pre.for
+
+post.for:
+  br label %for
+
+end:
+  ret i32 0
+}
+
 !0 = !{!"branch_weights", i32 4, i32 64}