From: Simon Pilgrim Date: Mon, 24 Jun 2019 12:47:17 +0000 (+0000) Subject: [DAGCombine] visitMUL - allow shift by zero in MulByConstant. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0d7db2b0645dd4e2bb3484cf279f1815452087dc;p=llvm [DAGCombine] visitMUL - allow shift by zero in MulByConstant. This can occur under certain circumstances when undefs are created later on in the constant multipliers (e.g. in this case due to SimplifyDemandedVectorElts). Its better to let the shift by zero to occur and perform any cleanup afterward. Fixes OSS Fuzz #15429 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@364179 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/CodeGen/SelectionDAG/DAGCombiner.cpp b/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
index 83e5cc1c92c..1e160c4097f 100644
--- a/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
+++ b/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
@@ -3438,13 +3438,13 @@ SDValue DAGCombiner::visitMUL(SDNode *N) {
 MathOp = ISD::SUB;
 if (MathOp != ISD::DELETED_NODE) {
- unsigned ShAmt = MathOp == ISD::ADD ? (MulC - 1).logBase2()
- : (MulC + 1).logBase2();
- assert(ShAmt > 0 && ShAmt < VT.getScalarSizeInBits() &&
- "Not expecting multiply-by-constant that could have simplified");
+ unsigned ShAmt =
+ MathOp == ISD::ADD ? (MulC - 1).logBase2() : (MulC + 1).logBase2();
+ assert(ShAmt < VT.getScalarSizeInBits() &&
+ "multiply-by-constant generated out of bounds shift");
 SDLoc DL(N);
- SDValue Shl = DAG.getNode(ISD::SHL, DL, VT, N0,
- DAG.getConstant(ShAmt, DL, VT));
+ SDValue Shl =
+ DAG.getNode(ISD::SHL, DL, VT, N0, DAG.getConstant(ShAmt, DL, VT));
 SDValue R = DAG.getNode(MathOp, DL, VT, Shl, N0);
 if (ConstValue1.isNegative())
 R = DAG.getNode(ISD::SUB, DL, VT, DAG.getConstant(0, DL, VT), R);
diff --git a/test/CodeGen/X86/combine-mul.ll b/test/CodeGen/X86/combine-mul.ll
index f05bbbb885e..8c38352c6b2 100644
--- a/test/CodeGen/X86/combine-mul.ll
+++ b/test/CodeGen/X86/combine-mul.ll
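Review bot: The relaxed `assert(ShAmt < VT.getScalarSizeInBits() && ...)` carries no comment explaining why a zero shift amount is now legal, so a later cleanup could restore the `ShAmt > 0` condition and bring back the fuzzer-found assertion failure. I would add a comment above it along the lines of `// ShAmt may be 0 if the multiplier was simplified after matching (e.g. undef lanes from SimplifyDemandedVectorElts); emit the shl-by-zero and let later combines fold it.` The upper bound is enforced only by this assert, so in builds without assertions an out-of-range ShAmt would flow into `DAG.getConstant(ShAmt, DL, VT)` and the `ISD::SHL` node unchecked. Whether the code that selects MathOp already rules that out cannot be confirmed here, because visitMUL begins and ends outside the hunk.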
@@ -313,3 +313,27 @@ define <16 x i8> @PR35579(<16 x i8> %x) {
 ret <16 x i8> %r
 }
+; OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15429
+define <4 x i64> @fuzz15429(<4 x i64> %InVec) {
+; SSE-LABEL: fuzz15429:
+; SSE: # %bb.0:
+; SSE-NEXT: movdqa %xmm1, %xmm2
+; SSE-NEXT: psllq $3, %xmm2
+; SSE-NEXT: psllq $2, %xmm1
+; SSE-NEXT: pblendw {{.*#+}} xmm1 = xmm1[0,1,2,3],xmm2[4,5,6,7]
+; SSE-NEXT: paddq %xmm0, %xmm0
+; SSE-NEXT: movabsq $9223372036854775807, %rax # imm = 0x7FFFFFFFFFFFFFFF
+; SSE-NEXT: pinsrq $0, %rax, %xmm0
+; SSE-NEXT: retq
+;
+; AVX-LABEL: fuzz15429:
+; AVX: # %bb.0:
+; AVX-NEXT: vpsllvq {{.*}}(%rip), %ymm0, %ymm0
+; AVX-NEXT: movabsq $9223372036854775807, %rax # imm = 0x7FFFFFFFFFFFFFFF
+; AVX-NEXT: vpinsrq $0, %rax, %xmm0, %xmm1
+; AVX-NEXT: vpblendd {{.*#+}} ymm0 = ymm1[0,1,2,3],ymm0[4,5,6,7]
+; AVX-NEXT: retq
+ %mul = mul <4 x i64> %InVec,
+ %I = insertelement <4 x i64> %mul, i64 9223372036854775807, i64 0
+ ret <4 x i64> %I
+}
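Review bot: The new `fuzz15429` test is identified only by the tracker URL in its leading comment, so a reader who cannot open that issue has no way to tell which fold the test guards. I would add a second comment line such as `; visitMUL's mul-by-constant fold must tolerate a shift amount of zero instead of asserting.` so the regression stays understandable from the test file alone.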