From c009e5b6dfbe2bb2e51cccc29e04ebfe5cec4abd Mon Sep 17 00:00:00 2001 From: Sanjay Patel Date: Fri, 11 Jun 2021 09:33:32 -0400 Subject: [PATCH] [SimplifyCFG] avoid crash on degenerate loop The problematic code pattern in the test is based on: https://llvm.org/PR50638 If the IfCond is itself the phi that we are trying to remove, then the loop around line 2835 can end up with something like: %cmp = select i1 %cmp, i1 false, i1 true That can then lead to a use-after-free and assert (although I'm still not seeing that locally in my release + asserts build). I think this can only happen with unreachable code. Differential Revision: https://reviews.llvm.org/D104063 --- lib/Transforms/Utils/SimplifyCFG.cpp | 6 ++++ .../SimplifyCFG/two-entry-phi-return.ll | 29 +++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/lib/Transforms/Utils/SimplifyCFG.cpp b/lib/Transforms/Utils/SimplifyCFG.cpp index ee8632621b5..a0224a9a18d 100644 --- a/lib/Transforms/Utils/SimplifyCFG.cpp +++ b/lib/Transforms/Utils/SimplifyCFG.cpp @@ -2713,6 +2713,12 @@ static bool FoldTwoEntryPHINode(PHINode *PN, const TargetTransformInfo &TTI, isa(IfCond)) return false; + // Don't try to fold an unreachable block. For example, the phi node itself + // can't be the candidate if-condition for a select that we want to form. + if (auto *IfCondPhiInst = dyn_cast(IfCond)) + if (IfCondPhiInst->getParent() == BB) + return false; + // Okay, we found that we can merge this two-entry phi node into a select. // Doing so would require us to fold *all* two entry phi nodes in this block. // At some point this becomes non-profitable (particularly if the target diff --git a/test/Transforms/SimplifyCFG/two-entry-phi-return.ll b/test/Transforms/SimplifyCFG/two-entry-phi-return.ll index e9b52f49b96..2bb25464670 100644 --- a/test/Transforms/SimplifyCFG/two-entry-phi-return.ll +++ b/test/Transforms/SimplifyCFG/two-entry-phi-return.ll @@ -23,4 +23,33 @@ UnifiedReturnBlock: } +@a = external dso_local global i32, align 4 + +define i32 @PR50638() { +; CHECK-LABEL: @PR50638( +; CHECK-NEXT: entry: +; CHECK-NEXT: store i32 0, i32* @a, align 4 +; CHECK-NEXT: ret i32 0 +; +entry: + store i32 0, i32* @a, align 4 + br label %pre.for + +pre.for: + %tobool.not = phi i1 [ false, %for ], [ true, %entry ] + br i1 %tobool.not, label %end, label %for + +for: + %cmp = phi i1 [ true, %pre.for ], [ false, %post.for ] + %storemerge = phi i32 [ 0, %pre.for ], [ 1, %post.for ] + store i32 %storemerge, i32* @a, align 4 + br i1 %cmp, label %post.for, label %pre.for + +post.for: + br label %for + +end: + ret i32 0 +} + !0 = !{!"branch_weights", i32 4, i32 64}