<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - A miscompilation bug in InstructionSimplify.cpp (select + icmp gep inbounds)"
href="https://bugs.llvm.org/show_bug.cgi?id=49495">49495</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>A miscompilation bug in InstructionSimplify.cpp (select + icmp gep inbounds)
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Scalar Optimizations
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>juneyoung.lee@sf.snu.ac.kr
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>```
$ cat a.ll
define i1 @f(i8* %a, i8* %b) {
%cond1 = icmp ne i8* %a, %b
%a2 = getelementptr inbounds i8, i8* %a, i64 -1
%cond2 = icmp ugt i8* %a2, %b
%res = select i1 %cond1, i1 %cond2, i1 false
ret i1 %res
}
$ opt -instsimplify ./a.ll -S -o -
define i1 @f(i8* %a, i8* %b) {
%a2 = getelementptr inbounds i8, i8* %a, i64 -1
%cond2 = icmp ugt i8* %a2, %b
ret i1 %cond2
}
```
This is incorrect: if a = b = null, %res before opt is false whereas the output
after opt is poison.
<a href="https://alive2.llvm.org/ce/z/SDy_PX">https://alive2.llvm.org/ce/z/SDy_PX</a>
The reason is that SimplifyWithOpReplaced calls SimplifyCmpInst which folds
`(gep inbounds a, -1) >u a` to `false` even if AllowRefinement is false.
A solution that I came up with is to add 'AllowRefinement' field to
SimplifyQuery as well and let SimplifyICmpInst() stop this folding if the flag
is set, but I found that SimplifyQuery is used in many places other than
InstructionSimplify.
Would it be still a reasonable solution though?</pre>
</div>
</p>
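<p>The counterexample from the report, run through a small evaluator for the two functions; this is an added example, not part of the original report and not LLVM code. It assumes a simplified memory model with one live object (the hypothetical constants OBJ_BASE and OBJ_SIZE), in which getelementptr inbounds with offset -1 yields poison unless both the base pointer and the result lie within that object or one past its end.</p>
<pre>
```python
# Added illustration, not LLVM code. Simplified memory model (assumption):
# one live object occupies [OBJ_BASE, OBJ_BASE + OBJ_SIZE); every other
# address, including null (0), belongs to no object.
POISON = "poison"
OBJ_BASE, OBJ_SIZE = 16, 4          # constructed sample values

def in_object(p):
    # One-past-the-end counts as in bounds for getelementptr inbounds.
    return p >= OBJ_BASE and OBJ_BASE + OBJ_SIZE >= p

def gep_inbounds_minus1(p):
    # getelementptr inbounds i8, i8* p, i64 -1 (64-bit wrapping arithmetic)
    q = (p - 1) % 2**64
    return q if in_object(p) and in_object(q) else POISON

def icmp_ne(x, y):
    return POISON if POISON in (x, y) else x != y

def icmp_ugt(x, y):
    return POISON if POISON in (x, y) else x > y

def select(cond, t, f):
    # Only the chosen arm is observed; poison in the other arm is dropped.
    if cond == POISON:
        return POISON
    return t if cond else f

def src(a, b):
    # @f before opt -instsimplify
    cond1 = icmp_ne(a, b)
    cond2 = icmp_ugt(gep_inbounds_minus1(a), b)
    return select(cond1, cond2, False)

def tgt(a, b):
    # @f after opt -instsimplify: the select is gone
    return icmp_ugt(gep_inbounds_minus1(a), b)

def refines(src_val, tgt_val):
    # The output may differ from the input only where the input is poison.
    return src_val == POISON or src_val == tgt_val

def counterexamples(addresses):
    return [(a, b) for a in addresses for b in addresses
            if not refines(src(a, b), tgt(a, b))]

if __name__ == "__main__":
    # null, just below the object, its start, interior, one past end, beyond
    for a, b in counterexamples([0, 15, 16, 17, 20, 21]):
        print(f"a={a} b={b}: src={src(a, b)} tgt={tgt(a, b)}")
```
</pre>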
</body>
</html>