<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/59317>59317</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [ARM] IselLowering unsigned overflow to crash using APInt in `PerformSHLSimplify`
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
            DataCorrupted
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          DataCorrupted
      </td>
    </tr>
</table>

<pre>
When compiling the following code with `arm` or `armeb`:

```
define i1 @f(i16 %F) {
BB:
  %E = extractelement <1 x i16> <i16 -1>, i16 %F
  %RP = alloca i64, align 8
  %B = shl i16 %E, %E
  %C1 = icmp ugt i16 %B, %F
  ret i1 %C1
}
```

`llc` crashes. https://godbolt.org/z/vn36qWccj

```
./bin/llc -mtriple=arm crash/armeb/2/arm-instruction-selection/tracedepth_20__hash_0x-2e90230f449f8a1e/id\:000000\,sig\:11\,src\:010396+017924\,time\:163052514\,execs\:7041568\,op\:libAFLCustomIRMutator.so\,pos\:0.bc
llc: /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:1339: void llvm::APInt::setBits(unsigned int, unsigned int): Assertion `loBit <= BitWidth && "loBit out of range"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: ./bin/llc -mtriple=arm crash/armeb/2/arm-instruction-selection/tracedepth_20__hash_0x-2e90230f449f8a1e/id:000000,sig:11,src:010396+017924,time:163052514,execs:7041568,op:libAFLCustomIRMutator.so,pos:0.bc
1. Running pass 'Function Pass Manager' on module 'crash/armeb/2/arm-instruction-selection/tracedepth_20__hash_0x-2e90230f449f8a1e/id:000000,sig:11,src:010396+017924,time:163052514,execs:7041568,op:libAFLCustomIRMutator.so,pos:0.bc'.
2. Running pass 'ARM Instruction Selection' on function '@f'
 #0 0x00007fc51bc6d4ba llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Unix/Signals.inc:567:11
 #1 0x00007fc51bc6d66b PrintStackTraceSignalHandler(void*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Unix/Signals.inc:641:1
 #2 0x00007fc51bc6bcc6 llvm::sys::RunSignalHandlers() /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Signals.cpp:104:5
 #3 0x00007fc51bc6dd95 SignalHandler(int) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Unix/Signals.inc:412:1
 #4 0x00007fc51a42b980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #5 0x00007fc519727e87 raise /build/glibc-CVJwZb/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
 #6 0x00007fc5197297f1 abort /build/glibc-CVJwZb/glibc-2.27/stdlib/abort.c:81:0
 #7 0x00007fc5197193fa __assert_fail_base /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:89:0
 #8 0x00007fc519719472 (/lib/x86_64-linux-gnu/libc.so.6+0x30472)
 #9 0x00007fc52cb9963c llvm::APInt::setBits(unsigned int, unsigned int) /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:1340:5
#10 0x00007fc52cb99571 llvm::APInt::setHighBits(unsigned int) /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:1363:5
#11 0x00007fc52cb9923e llvm::APInt::getHighBitsSet(unsigned int, unsigned int) /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:282:5
#12 0x00007fc52cc32072 PerformSHLSimplify(llvm::SDNode*, llvm::TargetLowering::DAGCombinerInfo&, llvm::ARMSubtarget const*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelLowering.cpp:13779:8
#13 0x00007fc52cc087a9 PerformANDCombine(llvm::SDNode*, llvm::TargetLowering::DAGCombinerInfo&, llvm::ARMSubtarget const*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelLowering.cpp:14231:26
#14 0x00007fc52cc038ea llvm::ARMTargetLowering::PerformDAGCombine(llvm::SDNode*, llvm::TargetLowering::DAGCombinerInfo&) const /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelLowering.cpp:18620:32
#15 0x00007fc51c09b59f (anonymous namespace)::DAGCombiner::combine(llvm::SDNode*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp:1843:16
#16 0x00007fc51c09aaa6 (anonymous namespace)::DAGCombiner::Run(llvm::CombineLevel) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp:1627:18
#17 0x00007fc51c09a38f llvm::SelectionDAG::Combine(llvm::CombineLevel, llvm::AAResults*, llvm::CodeGenOpt::Level) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp:25513:3
#18 0x00007fc51c466475 llvm::SelectionDAGISel::CodeGenAndEmitDAG() /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:819:5
#19 0x00007fc51c465b5d llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, bool&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:689:1
#20 0x00007fc51c4655fb llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1604:11
#21 0x00007fc51c462ba6 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:468:3
#22 0x00007fc52cb5dbb5 (anonymous namespace)::ARMDAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelDAGToDAG.cpp:68:5
#23 0x00007fc51f3fbc35 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/MachineFunctionPass.cpp:91:8
#24 0x00007fc51e5b39e6 llvm::FPPassManager::runOnFunction(llvm::Function&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1430:23
#25 0x00007fc51e5b8812 llvm::FPPassManager::runOnModule(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1476:16
#26 0x00007fc51e5b42b9 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1545:23
#27 0x00007fc51e5b3e2d llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:535:16
#28 0x00007fc51e5b8af1 llvm::legacy::PassManager::run(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1672:3
#29 0x00000000004199ac compileModule(char**, llvm::LLVMContext&) /home/peter/aflplusplus-isel/llvm-fix/llvm/tools/llc/llc.cpp:736:41
#30 0x0000000000417d52 main /home/peter/aflplusplus-isel/llvm-fix/llvm/tools/llc/llc.cpp:417:13
#31 0x00007fc51970ac87 __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:344:0
#32 0x000000000041755a _start (./bin/llc+0x41755a)
Aborted
```

Going to the crash site, it seems unreasonable to directly subtract the zero-extended value from the bit width, which may produce a huge underflowed unsigned value.

https://github.com/llvm/llvm-project/blob/fccab9f90b0327c00116e593351e1e4cd19b5677/llvm/lib/Target/ARM/ARMISelLowering.cpp#L13777-#L13779

Proposed fix:

Add a check before the subtraction, like this:

```cpp
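  // Bail out when the shift amount exceeds the bit width, so the
  // unsigned subtraction that follows cannot wrap around.
  if (C2Int.getBitWidth() < C2->getZExtValue())
    return SDValue();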
```
</pre>
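<pre>
The underflow described in the report, as an added example that is not part of the original issue and is not LLVM code. `highBitsSet`, `maskUnchecked` and `maskChecked` are hypothetical names that model the mask computation with plain integers; the 32-bit width and the shift amounts are constructed sample values.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model, not LLVM's APInt: a fixed 32-bit width.
constexpr unsigned kWidth = 32;

enum class Status { Ok, WouldAssert, Rejected };
struct Result { Status status; uint32_t mask; unsigned loBit; };

// Follows the call chain in the backtrace (getHighBitsSet -> setHighBits ->
// setBits): the low bit index comes from a second unsigned subtraction and is
// then range-checked.
static Result highBitsSet(unsigned hiBits) {
  unsigned loBit = kWidth - hiBits;             // wraps if hiBits > kWidth
  if (loBit > kWidth)                           // models "loBit out of range"
    return {Status::WouldAssert, 0, loBit};
  uint32_t mask = (loBit == kWidth) ? 0u : (~uint32_t{0} << loBit);
  return {Status::Ok, mask, loBit};
}

// Unchecked: width minus the zero-extended shift amount, computed unsigned.
Result maskUnchecked(uint64_t shAmt) {
  uint64_t diff = kWidth - shAmt;               // underflows when shAmt > 32
  return highBitsSet(static_cast<unsigned>(diff));
}

// Checked: the guard proposed in the issue, applied before the subtraction.
Result maskChecked(uint64_t shAmt) {
  if (kWidth < shAmt)
    return {Status::Rejected, 0, 0};
  return highBitsSet(static_cast<unsigned>(kWidth - shAmt));
}

int main() {
  const uint64_t samples[] = {8, 32, 65535};    // constructed shift amounts
  for (uint64_t s : samples) {
    Result u = maskUnchecked(s), c = maskChecked(s);
    std::printf("shAmt=%llu unchecked: status=%d loBit=%u | "
                "checked: status=%d mask=0x%08x\n",
                (unsigned long long)s, (int)u.status, u.loBit,
                (int)c.status, (unsigned)c.mask);
  }
  return 0;
}
```

A shift amount equal to the width is still accepted by the guard, because the subtraction then yields zero high bits rather than wrapping.
</pre>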