<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/59957>59957</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Inliner tries to make ValueTracking queries on incorrect function during cloning code
</td>
</tr>
<tr>
<th>Labels</th>
<td>
crash
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
d-makogon
</td>
</tr>
</table>
<pre>
Reproducer: https://godbolt.org/z/boP98oT6K
Backtrace:
```c++
opt: /root/llvm-project/llvm/include/llvm/IR/User.h:170: llvm::Value* llvm::User::getOperand(unsigned int) const: Assertion `i < NumUserOperands && "getOperand() out of range!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: /opt/compiler-explorer/clang-assertions-trunk/bin/opt -o /app/output.s -S -passes=inline <source>
#0 0x00005580a64ab92f llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x3a1792f)
#1 0x00005580a64a92f4 SignalHandler(int) Signals.cpp:0:0
#2 0x00007faee1e1b420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
#3 0x00007faee18e800b raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b)
#4 0x00007faee18c7859 abort (/lib/x86_64-linux-gnu/libc.so.6+0x22859)
#5 0x00007faee18c7729 (/lib/x86_64-linux-gnu/libc.so.6+0x22729)
#6 0x00007faee18d8fd6 (/lib/x86_64-linux-gnu/libc.so.6+0x33fd6)
#7 0x00005580a5368ab8 (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x28d4ab8)
#8 0x00005580a5370692 llvm::getGuaranteedWellDefinedOps(llvm::Instruction const*, llvm::SmallVectorImpl<llvm::Value const*>&) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x28dc692)
#9 0x00005580a5370d86 programUndefinedIfUndefOrPoison(llvm::Value const*, bool) ValueTracking.cpp:0:0
#10 0x00005580a537d1fb isGuaranteedNotToBeUndefOrPoison(llvm::Value const*, llvm::AssumptionCache*, llvm::Instruction const*, llvm::DominatorTree const*, unsigned int, bool) ValueTracking.cpp:0:0
#11 0x00005580a538fdb7 computeKnownBitsMul(llvm::Value const*, llvm::Value const*, bool, llvm::APInt const&, llvm::KnownBits&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
#12 0x00005580a53838b2 computeKnownBitsFromOperator(llvm::Operator const*, llvm::APInt const&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
#13 0x00005580a5386e8d computeKnownBits(llvm::Value const*, llvm::APInt const&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
#14 0x00005580a5387485 computeKnownBits(llvm::Value const*, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
#15 0x00005580a5389ec5 computeKnownBits(llvm::Value const*, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
#16 0x00005580a538c8c7 llvm::computeKnownBits(llvm::Value const*, llvm::DataLayout const&, unsigned int, llvm::AssumptionCache*, llvm::Instruction const*, llvm::DominatorTree const*, llvm::OptimizationRemarkEmitter*, bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x28f88c7)
#17 0x00005580a51a8903 simplifyShift(llvm::Instruction::BinaryOps, llvm::Value*, llvm::Value*, bool, llvm::SimplifyQuery const&, unsigned int) InstructionSimplify.cpp:0:0
#18 0x00005580a51a930d simplifyLShrInst(llvm::Value*, llvm::Value*, bool, llvm::SimplifyQuery const&, unsigned int) InstructionSimplify.cpp:0:0
#19 0x00005580a51b28e1 simplifyInstructionWithOperands(llvm::Instruction*, llvm::ArrayRef<llvm::Value*>, llvm::SimplifyQuery const&, llvm::OptimizationRemarkEmitter*) (.isra.0) InstructionSimplify.cpp:0:0
#20 0x00005580a51b326d llvm::simplifyInstruction(llvm::Instruction*, llvm::SimplifyQuery const&, llvm::OptimizationRemarkEmitter*) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x271f26d)
#21 0x00005580a651f84d llvm::CloneAndPruneIntoFromInst(llvm::Function*, llvm::Function const*, llvm::Instruction const*, llvm::ValueMap<llvm::Value const*, llvm::WeakTrackingVH, llvm::ValueMapConfig<llvm::Value const*, llvm::sys::SmartMutex<false>>>&, bool, llvm::SmallVectorImpl<llvm::ReturnInst*>&, char const*, llvm::ClonedCodeInfo*) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x3a8b84d)
#22 0x00005580a6520589 llvm::CloneAndPruneFunctionInto(llvm::Function*, llvm::Function const*, llvm::ValueMap<llvm::Value const*, llvm::WeakTrackingVH, llvm::ValueMapConfig<llvm::Value const*, llvm::sys::SmartMutex<false>>>&, bool, llvm::SmallVectorImpl<llvm::ReturnInst*>&, char const*, llvm::ClonedCodeInfo*) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x3a8c589)
#23 0x00005580a658dca3 llvm::InlineFunction(llvm::CallBase&, llvm::InlineFunctionInfo&, bool, llvm::AAResults*, bool, llvm::Function*) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x3af9ca3)
#24 0x00005580a5d87f29 llvm::InlinerPass::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/opt/compiler-explorer/clang-assertions-trunk/bin/opt+0x32f3f29)
```
The crash happens in `CloneAndPruneIntoFromInst` function during simplification query on `lshr` instruction.
The caller IR right before the `simplifyInstruction` is called:
```llvm
define noundef i32 @test() {
entry:
call void @foo() #0
ret i32 0
entry.i: ; No predecessors!
br label %common.ret.i
common.ret.i: ; preds = %entry.i
%0 = load i32, ptr addrspace(1) null, align 4
%1 = mul i32 %0, %0
%2 = lshr i32 1, %1
ret void
}
```
So when we try to simplify `lshr`, we call `computeKnownBits` on its operands. It tries to prove that some value cannot be undef or poison so it traverses the `common.ret.i` block and collects well defined operands for each instruction. When it processes the `ret void`, it sees that the `caller` function is marked `noundef` so its return value (which is expected because the function returns i32) is well defined. However it's a `ret void`, so it has no operands and this is where the crash happens.
The IR is incorrect during the cloning and pruning stage and yet we make analysis queries on it.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJzsWVtz46jW_TXkhYoLIev2kAfHac-kpnsmX9Iz_diFxJbFFwQ6gJJ4fv0pkC-Sncy4-6R6zsPpcqdsLgvW2osNQsxasVYAVyi5RsnNBetdo80Vv2zZo15rdVFqvrm6h85o3ldgULzAjXOdRfEC0RWiq7XmpZZups0a0dWfiK5KfVfk-nP6CyI3iCyGv9esenSGVeARthUpGT4Votf-E0p150ITujJaO0RXUj61l53R_w_V7ieiK6Eq2XM4FNzeI7r63YKZNSheRBnxKKEuXqB48QeTPSA6LvKNh29rcL91YJjiiOa9CpJwLJRDtMCVVjZMaWEtGCe0wiglAqN4iX_tW4-y7WwxoimiKUaUTiA9jO4d1jU2TK0B0QhRimiGayYk8NlA_e7jh8XDB2z7shUOM1z2a2yg08Zhp49lF67py1ml24MER0oJa3uwiK4wU55NEAy7BnBlmG1wuQvJdvgHx6pHzPu286OEIjJDpLgzem1Yi5lZ9y0oZ7fx8ZGiq0q3nZBgLuGlk9qA8WWSqfUl2-llL53p1aO3hlBDR3ypPQTrOv-7d13vZhZfPuDLznezKL4RSgoFXmare-ON82GYFEY0Jpi8EEJIkuSEpXNWFrQehdZu7PDlzgjlArHPwXw0PzQy7Pmrts4Aa0PclruIh4j9R_QQvSYvMYuygtaIFod5R0fzLmg9xw9irZj8mSkuPX6-ncZQbGdV5wNCwv89EN0CZTUDiCAq55Tgr18NWKcNfDVuy0KKEtHVS55-TeeXUqj-5XKt-qGic40BxmdWz0iYcTSfUzKZbzwZJoeckBIbJiycgV955DQgz2NCygnyfIpcZXlSYFbqs2Y-QqY0T4oJcnKMnO1jejZmRqeY6RST5zVPvw0zjmueTjCzsReSOM1Zmb-X92jO56zMJ-Pl0_EykhZ0tGbW4H7qmWHKAfAvIOUN1EIB_62zk2Vzq6wzfRUS4ZAb6cIvnkOLh5ZJ-QdUTpvbtpMoXh7l4UO_-ENYeu-25mjOq7SgE97FMW-ep7gbktrvig8sb-vw9Tdzp4XVasL4aM50iUutpZ91qPGZ5VGo9elC9QueHI3Oo7rEwh6k_lW7z_oavmX4Q93C2r7tvCJLVjVwUv_3wbrRrVDMafPZwHSU6Ub4TaSjKem85mWGfVh7B78o_ayuhbOfenk2z7dCMNHi7la5XZt0Wrcf9G9rjlkjmjOl1abVvcWKtWC7sJEUQ_f_68FsRoOeJQ89kifOS3oiz8roNhwhnDYTnXaFb1niG2T4EWTjI7Ip5PyE7PmG_y9jNz9il83z5PvZ_RMMkiMGBVTfzOBHzDM9mmeVV9lIuu_W_IY59pFt_Pl8bKtjSj8m545XuROt-JN5mHtomXn80Arn_GY42YLebeOs87zK9hunV3x6QIlYXpAYW9F2UtSbh0bU7q2DwVBwLRQzm3B-OMnlr2f4N3P7w3bUY-ccx6nAo1nsOr3up_yIXRETvmf38aExt2GQYxf98xOfnmeikuYQ7Sc-QvkiXLN7Mn0zUCf51Ri2uYf69NC2O66dx-5cIwcDz4Q1zD-DnK8CJUcqxDTl4yfAUz3O1uCdWL3LssyimqZ8vCzp9Bkyiep8Pma-lFrBQvE70yu4VU77g8SJl1e9ep38ruKNtPT3yS2Y5RPr_urYP-nwBdjjLvX_8fPrYEutarE-G3L__P_QMuM-9Q5eULysmbThGmH4DCF9Zcn-xePLPbjeqNvp08sSVw176zgWwsGXmsOtqvX7uiNmeZnPp-6gU3dQkuTFW-7Yxdq75F3c8b_Y_8jYV0leTGIfT2Of84rFk7UrxSHok4AvmZTXzMJJnpv2GWi8od1icQ-2l_7o9cZmOLHVOypRFxWLJ0pMj-U8z2panLAyd8xuvWL6qR4f2Z8br8lPhnXN1hrL5Yk6C8Xkxgr7iSm2BjOxy1sQ4_7TNjQ9uOov2kwt9tPDcvl7x5mDQf33vU-JaR3Xo7uw_Z39-G7_8_5KuWFdB8piEe7I396JUoLrXSbhvRFqvTvAiCpsqfhfYe8d7tqlbYzvIg57z2w0MpMSDL69x0asG4dLqLUZ7rlRSl47B3goO_Tj-6vuPbOgbSgaroaw0r3iUGMRU4zmxEHYSoPI2falBShnNnsoHLDxkxbcd6i13rWn8e4KFxtwAXGiZMCZiXDBHl_jXzXuDHCowFptLKLRrndpsGQlSIxoUum21WpmwM3EGGxSHi_wOf_8qH5Ii1F848F3M9qOi2hCQpXUjPv5ezd2zmDGudk-5OWR56p6GVY_k2Kt8HwEEAWAtpeDojQhwyNjQkaN6DCKbUxoFW2bRGP5vMBbwtnNq_580Pi5AYWfATuzwU7vz8kjX3no58FHvvTkQTIl3ofCWay3p-kZvnXYGQHWQ3ZGP3m_MYetbgE_DZsTU0p7N-LBPdrgLtztYaux8N3ZExjrIQanTsKVElxKXT2GVzeVlhIqZ_EzSIm3F5b7yeBaGwysaibrA3_xvIXzs_P2OYyzV25gLhy2EGqZ208lLKnJKhUW-0MucF-_XRG-QSBjfTh6o7bUEc2fG-EnZDG8dFA54LiEivV2WJd71KGbHYxU-PZjijP8s36GJzBYOEQzi9kr8x_UbJjFSh808bK5RtgA2YAZv_faJqnZcQq7vfethaq0MVC5XWIKHaVW_ruH7UwfvlvH1hBKNuC8gVr26H8PO0JIYN4gwTqzC34V8yIu2AVcRWkWJ1E8n9OL5irO6irJ8pQykic8q4AUcwqQRyxlCSPZhbiihMYkiijJEzKnM1IzChXnpKZVVdMIzQm0TMiZT1wzbdYX4cXfVVIUSXYRsoQNr3cpDfwRpSi5uTBX4XVh2a8tmhMprLMHBCechKvtLnlwemA4uaqZ0Nwrd5zbd_JVmsNFb-TV97_LDKz-HQAA__8iF5Ns">