<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/57187>57187</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[IndVars] Miscompile: UB introduced to a simple program by indvars
</td>
</tr>
<tr>
<th>Labels</th>
<td>
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
max-quazan
</td>
</tr>
</table>
<pre>
https://godbolt.org/z/xdce1e8P4
Run opt -passes=indvars on the following IR:
```
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128-ni:1-p2:32:8:8:32-ni:2"
target triple = "x86_64-unknown-linux-gnu"
define void @test(i32 %tmp) {
bb:
br label %bb2
bb1: ; preds = %bb12
br label %bb2
bb2: ; preds = %bb1, %bb
%tmp3 = phi i32 [ %tmp, %bb ], [ %tmp7, %bb1 ]
%tmp4 = zext i32 %tmp3 to i64
%tmp5 = getelementptr inbounds i64, i64 addrspace(1)* undef, i64 %tmp4
br label %bb6
bb6: ; preds = %bb2
%tmp7 = add i32 %tmp3, -1
%tmp8 = icmp slt i32 %tmp7, 11
br i1 %tmp8, label %bb9, label %bb11
bb9: ; preds = %bb6
%tmp10 = phi i32 [ %tmp7, %bb6 ]
ret void
bb11: ; preds = %bb6
br label %bb12
bb12: ; preds = %bb12, %bb11
br i1 false, label %bb1, label %bb12
}
```
Output:
```
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128-ni:1-p2:32:8:8:32-ni:2"
target triple = "x86_64-unknown-linux-gnu"
define void @test(i32 %tmp) {
bb:
%0 = zext i32 %tmp to i64
br label %bb2
bb1: ; preds = %bb12
br label %bb2
bb2: ; preds = %bb1, %bb
%indvars.iv = phi i64 [ %indvars.iv.next, %bb1 ], [ %0, %bb ]
br label %bb6
bb6: ; preds = %bb2
%indvars.iv.next = add nuw nsw i64 %indvars.iv, -1
%indvars = trunc i64 %indvars.iv.next to i32
%tmp8 = icmp slt i32 %indvars, 11
br i1 %tmp8, label %bb9, label %bb11
bb9: ; preds = %bb6
%tmp10 = phi i32 [ %indvars, %bb6 ]
ret void
bb11: ; preds = %bb6
br label %bb12
bb12: ; preds = %bb12, %bb11
br i1 false, label %bb1, label %bb12
}
```
The original program is well-defined. The new program will have poison in `%indvars.iv.next` for any other input than zero, and then branch by poisoned condition.
The issue appeared with
```
commit 34ae308c73e4d76dbdab25a6206d3fbc5ebafdf5
Author: Max Kazantsev <mkazantsev@azul.com>
Date: Wed Aug 3 13:10:56 2022 +0700
[SCEV] Use context to strengthen flags of BinOps
Sometimes SCEV cannot infer nuw/nsw from something as simple as
```
len in [0, MAX_INT]
...
iv = phi(0, iv.next)
guard(iv <s len)
guard(iv <u len)
iv.next = iv + 1
```
just because flag strenthening only relies on definition and does not use local facts.
This patch adds support for the simplest case: inference of flags of `add(x, constant)`
if we can contextually prove that `x <= max_int - constant`.
In case if it has negative CT impact, we can add an option to switch it off. I woudln't
expect that though.
Differential Revision: https://reviews.llvm.org/D129643
Reviewed By: apilipenko
```
but this patch only exposed the issue, not caused it. Note that in the original program loop lever goes on 2nd iteration, and this patch managed to infer `nuw` for IV increment in (never executed) backedge. But then the another part of IndVars has moved this increment out of dead block and introduced uses to it.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJztWG1v2zYQ_jX2F8KCXmzJ_uAPcdMAwdB2SNNu3wpKPMlsKFITqdjJr98dJfktWbFiBYZhDRxZEu-Od8_dPSSdG_G03jrX2ElyNYlv8FMZkRvlAtNW-PSM_3tRQATLX-eT8HoSXvXXu04z0zg2a7i1gOrXUotH3lpmNHNbYKVRyuykrtjtHRnvddNw-PhHx9sKHBPcccWfTOcY2mGTOIZZjTowa-IsxJsk9hd6jM4f6S6d-8tMjjflkpSieDnTS7pJRx0c--hfS3qN-uPAcvhHo34sRh_OXHStbBSM7u2X6Re01ekHbXZ6pqTu9rNKdwet_iqglBrYo5GCTeahA-sm8VImMdpYuLqZxCs2yTa9cJ4fUGIsb5niOSgSzPMzo3lOELDv-pskG9a0IOwQANqM4r81V_xD5prEb_q7cc4-_sSLNFvJPCaLzQGXQRzfXfuHw1B2GIv84Jm9ubf3DHvHjiAnzBlGpXEmuvCimFlQUIN2jWuZ1LnpNDpO0jgNfjEuRGsbXgAmDsNYTeIrhjJQjgLDzK-DmZ6Dmf4IMOPzQDI_gm6ehkzOzaJzwaUXlEXdMKtOAfKQRtFJBDIadWjoJJ7VxfOoNQa4-hEBpud-R-FfVMmxFNLTUmixW6njLnrmu5vmW56dZzm67M_vbprX-_NQ6Re5KbmycJmJy-fRp-z6Vebtrx8613TuJzt_JzvjePga1Vwwzf-AxIc1P5CPxyYlUuyb9DgaaETqgrqPvB6eE_6_QqUXvh5YVXc7pu1u5Pqj2AuOHfc_pOnaThcvdXrTVCXJBY2_zs6D5n-RoE9c_8nR_4Sj73EvbVpZSc0VOmCqltdMWrYDpWY9h4mAkZSG3UFgJ5ViW_4IrDHS4pZcakaGXzZlGuJWvWVcPzGD-3baBuGagFt4rpHfWkNOcy1oT68xOK6LLcufBrMgWGG0kE4aHVx6La3tgPGmAY64oUtu-2qchalr6Vgy55CEyyJLYC6yVOSC5_GCp3GYiqTMiwXkvBTlole66tzWtJTEd3zPfuHPXDsLRENv6ofxCWmdP3cqwBkmydte8Zo76HP_Gzp11VUsYVFCKw4tS4uUxWFMzbcJs_AsEb4IFpuPb95-xlJmnyxQ7G7oaOta0JUHqVS8wmNQyTZSf8CT1YWNj6YGJ2uwjEyxgmttsON1idgj2-CBi_imbE3NLIlu6QzFLbOypkWO2xN3zoHsC1VBn-3FxvPqu6vfv9y-vz_pPsaCIDjVOLI3LoBe6cDYq1O5quOtoDXSw2xppm9KdK9InPIrScUbFn0zoK-ddSyHgncIOEHbQ01IEzBGqyfkEyXBnzx9Q_hy9EUrDL4meElZmQJbqOSFsyfh32-xmRrusKyR7xHmrmlM63xT0Dm2hx19KLj1heMzBboASvEh1-gzqmPoe8IPC8M6rEEK_jQYWWLfUsrH0um4Qv-xa7FTseUc2dkTdoRPzfdfpMYz9tFeGgaX9XSrvWtkG7toi5WioeJOosU39wy9x4DJp2FiWtS4P7sTSFS52JgYPOqasgzYLduZTijMW-aOk8C-gcL1LmLjddX2hR_XsvTAOIko38GjtDgBAXb--0KLI7CzgVKP9fAjw3UUr9J5cjR152WwPTdPZIA3UskG9IM5nfOiVnJPWodc-rpAr40Fz109GxEOVA6-mvDI5AL23rgBetn_cPGCbJUxDVbyI_ZnZfoyizUpQ8sJxCNDHmavueYVTWyGxkY3qbcHsr39jK-L1p88fa_GS-3twx6KzoGgvWfOiwcQFQRs40OD3j2ue5pueEsZw_SLz7TtoMTXWEaDH0f7tHFHOQFcsBx74ME7i3XVGtEVKI9QWO-pC6awjtI0zOIkDMOpWCdilaz41EmnYI2MMkxG_PdOWqRVzIxvik-bU4tojI98NaKIa8aw9Ey7Vl3-6IRrQ5d7no5vqDKGrxlqfwWq3xufP9xP3CyyaJlNt-scayafh4s4X87DJcyzJIaQp2lcrNIlnkymfqm15Db6O5VrIvZwGWVhtkjnYRAncZRkHIs2C8WiWOBiATWX6lCZ03btfci7yuKgktYdy3bKrZWVBhjtc78grbFnZ390tABNvcdr7-6fNKhM1A">