From 4cabbc694f5f946d450c8a1a17084877d3b65e77 Mon Sep 17 00:00:00 2001
From: Simon Pilgrim
Date: Fri, 5 Jul 2019 10:34:53 +0000
Subject: [PATCH] [X86][SSE] LowerINSERT_VECTOR_ELT - early out for out of range indices

Fixes OSS-Fuzz #15662

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@365180 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Target/X86/X86ISelLowering.cpp | 6 +++---
 test/CodeGen/X86/vec_extract.ll | 25 ++++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/lib/Target/X86/X86ISelLowering.cpp b/lib/Target/X86/X86ISelLowering.cpp
index 1b9312d2c1f..9710534f258 100644
--- a/lib/Target/X86/X86ISelLowering.cpp
+++ b/lib/Target/X86/X86ISelLowering.cpp
@@ -17091,10 +17091,10 @@ SDValue X86TargetLowering::LowerINSERT_VECTOR_ELT(SDValue Op,
 SDValue N0 = Op.getOperand(0);
 SDValue N1 = Op.getOperand(1);
 SDValue N2 = Op.getOperand(2);
- if (!isa(N2))
+
+ auto *N2C = dyn_cast(N2);
+ if (!N2C || N2C->getAPIntValue().uge(NumElts))
 return SDValue();
- auto *N2C = cast(N2);
- assert(N2C->getAPIntValue().ult(NumElts) && "Out of range element index");
 uint64_t IdxVal = N2C->getZExtValue();
 bool IsZeroElt = X86::isZeroNode(N1);
diff --git a/test/CodeGen/X86/vec_extract.ll b/test/CodeGen/X86/vec_extract.ll
index 724ac9032e3..3fb669dd45c 100644
--- a/test/CodeGen/X86/vec_extract.ll
+++ b/test/CodeGen/X86/vec_extract.ll
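Review bot: The new early-out `if (!N2C || N2C->getAPIntValue().uge(NumElts))` carries no comment explaining why an out-of-range constant index is now rejected instead of asserted, and the removed assert string was the only statement of that invariant in the function. Suggest `// An out-of-range constant index is not valid for this lowering (it reached the old assert via OSS-Fuzz #15662); bail out and leave the node to the caller's fallback.` with the fallback wording hedged, since what the caller does with an empty SDValue is not visible here. The template argument of `dyn_cast`/`isa` appears to have been lost in this rendering of the patch, so the literal hunk text would not compile as shown. `LowerINSERT_VECTOR_ELT` and the definition of `NumElts` both start before this hunk.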
@@ -100,5 +100,28 @@ entry:
 %tmp3 = fadd double %tmp2, %A
 ret double %tmp3
 }
-
 declare <2 x double> @foo()
+
+; OSS-Fuzz #15662
+; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15662
+define <4 x i32> @ossfuzz15662(<4 x i32*>* %in) {
+; X32-LABEL: ossfuzz15662:
+; X32: # %bb.0:
+; X32-NEXT: xorps %xmm0, %xmm0
+; X32-NEXT: movaps %xmm0, (%eax)
+; X32-NEXT: xorps %xmm0, %xmm0
+; X32-NEXT: retl
+;
+; X64-LABEL: ossfuzz15662:
+; X64: # %bb.0:
+; X64-NEXT: xorps %xmm0, %xmm0
+; X64-NEXT: movaps %xmm0, (%rax)
+; X64-NEXT: xorps %xmm0, %xmm0
+; X64-NEXT: retq
+ %C10 = icmp ule i1 false, false
+ %C3 = icmp ule i1 true, undef
+ %B = sdiv i1 %C10, %C3
+ %I = insertelement <4 x i32> zeroinitializer, i32 0, i1 %B
+ store <4 x i32> %I, <4 x i32>* undef
+ ret <4 x i32> zeroinitializer
+}
--
2.40.0
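Review bot: The header comment on `@ossfuzz15662` names only the fuzzer issue, so a reader hitting a future regression must follow the link to learn what the test guards. Suggest adding `; The i1 index of the insertelement folds to a value the X86 lowering treats as out of range and previously tripped the "Out of range element index" assert in LowerINSERT_VECTOR_ELT.` The `%in` parameter is never used in the body, which looks like reducer residue and could be dropped to keep the case minimal, though it is harmless as written.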