From 0d7db2b0645dd4e2bb3484cf279f1815452087dc Mon Sep 17 00:00:00 2001
From: Simon Pilgrim
Date: Mon, 24 Jun 2019 12:47:17 +0000
Subject: [PATCH] [DAGCombine] visitMUL - allow shift by zero in MulByConstant.
This can occur under certain circumstances when undefs are created later on in the constant multipliers (e.g. in this case due to SimplifyDemandedVectorElts). Its better to let the shift by zero to occur and perform any cleanup afterward. Fixes OSS Fuzz #15429
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@364179 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/CodeGen/SelectionDAG/DAGCombiner.cpp | 12 ++++++------
 test/CodeGen/X86/combine-mul.ll | 24 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/lib/CodeGen/SelectionDAG/DAGCombiner.cpp b/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
index 83e5cc1c92c..1e160c4097f 100644
--- a/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
+++ b/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
@@ -3438,13 +3438,13 @@ SDValue DAGCombiner::visitMUL(SDNode *N) {
 MathOp = ISD::SUB;
 if (MathOp != ISD::DELETED_NODE) {
- unsigned ShAmt = MathOp == ISD::ADD ? (MulC - 1).logBase2()
- : (MulC + 1).logBase2();
- assert(ShAmt > 0 && ShAmt < VT.getScalarSizeInBits() &&
- "Not expecting multiply-by-constant that could have simplified");
+ unsigned ShAmt =
+ MathOp == ISD::ADD ? (MulC - 1).logBase2() : (MulC + 1).logBase2();
+ assert(ShAmt < VT.getScalarSizeInBits() &&
+ "multiply-by-constant generated out of bounds shift");
 SDLoc DL(N);
- SDValue Shl = DAG.getNode(ISD::SHL, DL, VT, N0,
- DAG.getConstant(ShAmt, DL, VT));
+ SDValue Shl =
+ DAG.getNode(ISD::SHL, DL, VT, N0, DAG.getConstant(ShAmt, DL, VT));
 SDValue R = DAG.getNode(MathOp, DL, VT, Shl, N0);
 if (ConstValue1.isNegative())
 R = DAG.getNode(ISD::SUB, DL, VT, DAG.getConstant(0, DL, VT), R);
diff --git a/test/CodeGen/X86/combine-mul.ll b/test/CodeGen/X86/combine-mul.ll
index f05bbbb885e..8c38352c6b2 100644
--- a/test/CodeGen/X86/combine-mul.ll
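Review bot: The relaxed `assert(ShAmt < VT.getScalarSizeInBits() && ...)` no longer says why a zero shift is tolerated, and that reasoning lives only in the commit message. A comment above it would stop a later cleanup from restoring `ShAmt > 0`, for example `// ShAmt may be 0 if the multiplier was simplified (e.g. elements turned undef) after this fold was chosen; the shl-by-0 is cleaned up later.` Because `assert` is compiled out when NDEBUG is defined, the remaining upper-bound check is active only in assertion-enabled builds, so it documents an invariant rather than guarding release builds. The body of visitMUL starts and ends outside this hunk.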
+++ b/test/CodeGen/X86/combine-mul.ll
@@ -313,3 +313,27 @@ define <16 x i8> @PR35579(<16 x i8> %x) {
 ret <16 x i8> %r
 }
+; OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15429
+define <4 x i64> @fuzz15429(<4 x i64> %InVec) {
+; SSE-LABEL: fuzz15429:
+; SSE: # %bb.0:
+; SSE-NEXT: movdqa %xmm1, %xmm2
+; SSE-NEXT: psllq $3, %xmm2
+; SSE-NEXT: psllq $2, %xmm1
+; SSE-NEXT: pblendw {{.*#+}} xmm1 = xmm1[0,1,2,3],xmm2[4,5,6,7]
+; SSE-NEXT: paddq %xmm0, %xmm0
+; SSE-NEXT: movabsq $9223372036854775807, %rax # imm = 0x7FFFFFFFFFFFFFFF
+; SSE-NEXT: pinsrq $0, %rax, %xmm0
+; SSE-NEXT: retq
+;
+; AVX-LABEL: fuzz15429:
+; AVX: # %bb.0:
+; AVX-NEXT: vpsllvq {{.*}}(%rip), %ymm0, %ymm0
+; AVX-NEXT: movabsq $9223372036854775807, %rax # imm = 0x7FFFFFFFFFFFFFFF
+; AVX-NEXT: vpinsrq $0, %rax, %xmm0, %xmm1
+; AVX-NEXT: vpblendd {{.*#+}} ymm0 = ymm1[0,1,2,3],ymm0[4,5,6,7]
+; AVX-NEXT: retq
+ %mul = mul <4 x i64> %InVec,
+ %I = insertelement <4 x i64> %mul, i64 9223372036854775807, i64 0
+ ret <4 x i64> %I
+}
--
2.50.1
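Review bot: The new `fuzz15429` test is identified only by the tracker URL in its `; OSS Fuzz:` comment, so its purpose is lost if that link stops resolving. A second comment line stating what it covers would help, for example `; Multiply-by-constant fold must tolerate a shift amount of zero (previously asserted).` The CHECK lines look tool-generated, so they are best left as they are.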