From: Simon Pilgrim Date: Mon, 24 Jun 2019 13:13:36 +0000 (+0000) Subject: [InstCombine] SliceUpIllegalIntegerPHI - bail on out of range shifts X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=31269a0a08c67a5d9e8473f60049ded6793ca777;p=llvm [InstCombine] SliceUpIllegalIntegerPHI - bail on out of range shifts trunc(lshr) handling - if the shift is out of range (undefined) then bail like we do for non-constant shifts. Fixes OSS Fuzz #15217 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@364181 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/lib/Transforms/InstCombine/InstCombinePHI.cpp b/lib/Transforms/InstCombine/InstCombinePHI.cpp index e217adec7ed..5820ab72663 100644 --- a/lib/Transforms/InstCombine/InstCombinePHI.cpp +++ b/lib/Transforms/InstCombine/InstCombinePHI.cpp @@ -1004,6 +1004,11 @@ Instruction *InstCombiner::SliceUpIllegalIntegerPHI(PHINode &FirstPhi) { !isa(UserI->getOperand(1))) return nullptr; + // Bail on out of range shifts. + unsigned SizeInBits = UserI->getType()->getScalarSizeInBits(); + if (cast(UserI->getOperand(1))->getValue().uge(SizeInBits)) + return nullptr; + unsigned Shift = cast(UserI->getOperand(1))->getZExtValue(); PHIUsers.push_back(PHIUsageRecord(PHIId, Shift, UserI->user_back())); } diff --git a/test/Transforms/InstCombine/phi-shifts.ll b/test/Transforms/InstCombine/phi-shifts.ll new file mode 100644 index 00000000000..cc36c9d9e25 --- /dev/null +++ b/test/Transforms/InstCombine/phi-shifts.ll 
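Review bot: The added range check and the existing `Shift` initialiser each re-derive the shift amount with their own `cast<ConstantInt>(UserI->getOperand(1))`, so nothing in the code ties the value that was checked to the value that is used. Binding it once, `const APInt &ShAmt = cast<ConstantInt>(UserI->getOperand(1))->getValue();`, then `if (ShAmt.uge(SizeInBits)) return nullptr;` and `unsigned Shift = ShAmt.getZExtValue();`, keeps the guard and the use together. The comment could also say why the order matters, e.g. `// Out-of-range shifts are undefined, and an amount wider than 64 bits would trip the assertion in getZExtValue() below.`; that this assertion is what the fuzzer hit is an inference from the i128 constant in the new test, not something the commit message states. The enclosing loop and function begin and end outside this hunk.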
@@ -0,0 +1,26 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
+; RUN: opt < %s -S -instcombine | FileCheck %s
+
+; OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15217
+define i64 @fuzz15217(i1 %cond, i8* %Ptr, i64 %Val) {
+; CHECK-LABEL: @fuzz15217(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: br i1 [[COND:%.*]], label [[END:%.*]], label [[TWO:%.*]]
+; CHECK: two:
+; CHECK-NEXT: br label [[END]]
+; CHECK: end:
+; CHECK-NEXT: ret i64 0
+;
+entry:
+ br i1 %cond, label %end, label %two
+
+two:
+ br label %end
+
+end:
+ %tmp869.0 = phi i128 [ 0, %entry ], [ 18446744073709551616, %two ]
+ %tmp29 = lshr i128 %tmp869.0, 64
+ %B1 = lshr i128 %tmp29, 170141183460469231731687303715884105727
+ %tmp30 = trunc i128 %B1 to i64
+ ret i64 %tmp30
+}
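Review bot: Only the fuzzer's reproducer is covered, and its shift amount is far beyond the 128-bit width, so this test would still pass if the new guard used `ugt` instead of `uge`. A second function whose phi feeds `lshr i128 %phi, 128` followed by `trunc i128 ... to i64` would pin the boundary, provided that input reaches SliceUpIllegalIntegerPHI before the shift is folded away; that needs checking against the actual visitation order. A short comment above `@fuzz15217` saying what used to go wrong (crash or miscompile) would also spare readers a trip to the tracker link.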