From 13df7e16ef7ae9e21bea0a8aab31cd8d7bad7c2c Mon Sep 17 00:00:00 2001
From: Eugene Leviant
Date: Tue, 12 Mar 2019 10:10:29 +0000
Subject: [PATCH] [CGP] Fix UB when GEP is bound to trivial PHINode
Differential revision: https://reviews.llvm.org/D59140
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@355904 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/CodeGen/CodeGenPrepare.cpp | 1 +
 test/CodeGen/AArch64/cgp-trivial-phi-node.ll | 33 ++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 test/CodeGen/AArch64/cgp-trivial-phi-node.ll
diff --git a/lib/CodeGen/CodeGenPrepare.cpp b/lib/CodeGen/CodeGenPrepare.cpp
index af1b65253f8..1d61d326372 100644
--- a/lib/CodeGen/CodeGenPrepare.cpp
+++ b/lib/CodeGen/CodeGenPrepare.cpp
@@ -6849,6 +6849,7 @@ bool CodeGenPrepare::optimizeInst(Instruction *I, DominatorTree &DT,
 // to introduce PHI nodes too late to be cleaned up. If we detect such a
 // trivial PHI, go ahead and zap it here.
 if (Value *V = SimplifyInstruction(P, {*DL, TLInfo})) {
+ LargeOffsetGEPMap.erase(P);
 P->replaceAllUsesWith(V);
 P->eraseFromParent();
 ++NumPHIsElim;
diff --git a/test/CodeGen/AArch64/cgp-trivial-phi-node.ll b/test/CodeGen/AArch64/cgp-trivial-phi-node.ll
new file mode 100644
index 00000000000..6e2d4a251ab
--- /dev/null
+++ b/test/CodeGen/AArch64/cgp-trivial-phi-node.ll
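Review bot: The added `LargeOffsetGEPMap.erase(P);` carries no comment saying why it has to run before `P->eraseFromParent();`, and the commit message only says "Fix UB". I would put `// P may be a key in LargeOffsetGEPMap; drop it before the PHI is deleted so the map never holds a dangling key.` above the new line, so a later reorder of these three statements does not reintroduce the stale entry. The GEPs recorded under P appear to be discarded rather than re-keyed to V, so they presumably lose the large-offset handling after the replacement; worth confirming that this is intended. optimizeInst starts and ends outside this hunk, so any other path in it that erases an instruction could not be checked here.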
@@ -0,0 +1,33 @@
+; Checks that case when GEP is bound to trivial PHI node is correctly handled.
+; RUN: opt %s -mtriple=aarch64-linux-gnu -codegenprepare -S -o - | FileCheck %s
+
+; CHECK: define void @crash([65536 x i32]** %s, i32 %n) {
+; CHECK-NEXT: entry:
+; CHECK-NEXT: %struct = load [65536 x i32]*, [65536 x i32]** %s
+; CHECK-NEXT: %gep0 = getelementptr [65536 x i32], [65536 x i32]* %struct, i64 0, i32 20000
+; CHECK-NEXT: store i32 %n, i32* %gep0
+; CHECK-NEXT: ret void
+; CHECK-NEXT: }
+
+define void @crash([65536 x i32]** %s, i32 %n) {
+entry:
+ %struct = load [65536 x i32]*, [65536 x i32]** %s
+ %cmp = icmp slt i32 0, %n
+ br i1 %cmp, label %baz, label %bar
+baz:
+ br label %bar
+
+foo:
+ %gep0 = getelementptr [65536 x i32], [65536 x i32]* %phi2, i64 0, i32 20000
+ br label %st
+
+st:
+ store i32 %n, i32* %gep0
+ br label %out
+
+bar:
+ %phi2 = phi [65536 x i32]* [ %struct, %baz ], [ %struct, %entry ]
+ br label %foo
+out:
+ ret void
+}
-- 
2.50.1
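Review bot: The test does not say which property of `%gep0` makes it reach the fixed path. The index `i32 20000` looks like what makes the offset large enough for CodeGenPrepare to record the GEP in LargeOffsetGEPMap, so a later cleanup that shrinks the constant would silently stop covering the fix. I would extend the header comment with something like `; The GEP offset must stay large enough for CGP to track it in LargeOffsetGEPMap while %phi2 is simplified away (D59140).` Because the original bug was undefined behaviour, the CHECK lines alone may still pass on a build without assertions or sanitizers if the stale-key access returns; that is inferred rather than visible in this patch.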