<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/78045>78045</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Potential Undefined Behavior Due to Integer Overflow in LLVM IR Transformation with 'shl' Instruction
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
wyanzhao
</td>
</tr>
</table>
<pre>
## Issue Description:
There appears to be a potential issue with an LLVM IR transformation that introduces undefined behavior (UB) due to integer overflow, not present in the original code. This behavior is specifically related to the `shl` (shift left) instruction in the transformed code. According to the LLVM Language Reference Manual, while `add` and `mul` instructions have well-defined behaviors for overflow (returning the mathematical result modulo 2^n), the `shl` instruction lacks a similar specification.
### Command Executed:
`llvm-project/build/bin/opt ./test.ll -passes=instcombine -print-after-all`
### Original Code:
```llvm
declare void @TEST(i32)
define void @f(i32) {
entry:
%blockSize100k = alloca i32
store i32 %0, ptr %blockSize100k
%n = alloca i32
load i32, ptr %blockSize100k
store i32 %1, ptr %n
load i32, ptr %n
add i32 %2, 2
mul i32 %3, ptrtoint (ptr getelementptr (i32, ptr null, i32 1) to i32)
call void @TEST( i32 %4 )
br label %return
return:
ret void
}
````
### Transformed Code:
````llvm
; *** IR Dump After InstCombinePass on f ***
define void @f(i32 %0) {
entry:
%1 = shl i32 %0, 2
%2 = add i32 %1, 8
call void @TEST(i32 %2)
br label %return
return:
ret void
}
````
In the transformed code, the `shl` instruction (%1 = shl i32 %0, 2) is used to left-shift the input parameter %0 by two bits. If this operation causes the value to exceed the 32-bit integer limit, it possible results in undefined behavior. This situation occurs when %0 is greater than 0x3FFFFFFF. For example, if %0 is 0x40000000.
In contrast, the original code does not utilize the `shl` instruction, and all operations (including additions and multiplications) have well-defined behaviors in overflow situations. Thus, the transformation introduces a new potential for undefined behavior that was not present in the original LLVM IR code.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJykVs1u2zoTfRp6M7AhU1bsLLxI4hoI0KJFm357Shxb_EqRAjmMkz79xVD-kdM2vcANDBuh5o9njuaMitHsHeJaVPei2kxUotaH9eFVuZ-t8pPa69e1kKWQJTzGmBA2GJtgejLeifJOFBtRHL-fWgwIqu9RhQjkoUZQ0HtCR0ZZMNn_YKgF5eDjx_99gsevQEG5uPOhUxwSqFUExlHwOjUYITmNO-NQQ42tejY-gJCr7_dC3oJOyGmMI9xjAP-MYWf9QcgHcJ6gDxjRcTSgFsEHszdOWWi8xhk8tSZeYpoIscfG7EyjrH2FgFYRag7PvuKmiK0VNwUnj63ZEVjcERdhXKSQmlz8MdP5SqiPye6axgdt3P4UMN_-o3L7pPYIX3GHAV2D8Em5pCzf4NAamxMrrTmxcpr_61IuY5Q1QqueEQ5o7fQtVhF2_gIMFx-QUnC5khahU9QiI98oCwFjsgSd18l6kKL64IS85VquIRjf2KrmRwQF0XTGqnABkZ_OxuwYSMQ8evBdx7f58IJNItSivIMry5vC2udu2gf_f2xIyG2djNX8a5yQW98TzITcEkaaWQvTXsWIUZQbrqzxXW0cwrQPxtFU7QjDVFmu_CrJm6I-n9jx4DW-ITa75g-XNRxpbKwKCM_eaBCL4unDtychV6aUDNnId-jI2W53NgKxvB9M0FF4PacEABCyqq1vfnwzP3FeFD9AlBtQ1vpGAXufDSP5gHzELgW3qqfwi_tVYPfHYNYrnU_-GuYq7Xxk7442vwnlLu5K65NzthjV0CV7elQenckbR0xdDrRHQosdOhrCrkZJXLL5zWH_OSPMs2HUEI7Pb_fbpp0SLuDKtA5gVY2WHw1vzbivx5Nx1wJSDn00W27esOfCwDPrnkaT4pp4I6cL60R5D0LeDR8enpvU9XDHFIdHF-lh4P4XFSN4B7uL8XtkPHLnb4ycZ-LE1l7xTV7ZyIFcl_5mcqzex_9ChX-B_n_CPX8__n5Ivz_nhFy9AwHLQIQUB8FgZZgOIsEBjesTQa-C6pAbxW5QvwIdPNSG4gwed0CsRr7HMKhgo1LEmN2flR1kDl8a5AQtQimntaGz8FnTGcrMJ-h9jKa2eJzmkTXpVw09yl80lIaEvmlSiHBo0Q0Fmgj7gIoLplY5KF7K7fA3g60PgC-q621GzezOLsXLohj-Zm8gb7yjoCKdYL5SY9AeY9bsRMaan_jnTrA_iwfz6IxXzJPANTZljVVam-GYLbtkyfT2qEmRm_WeYBp30cszPpEBS_FU_JudZbSuKHB4GO08LL-_WWHylnNQ8d095bQh5RViotelvi1v1QTX82VRzW_mZXkzadfzAlfFvC4Wy_p2VSxvpUIsqkVVFYtKVatyYtaykItiPi_nVVWVN7Nb2ZSoVgtd6vmyXEmxKLBTxs540Mx82E_yprZeropFNclvYcz7oZR8ufxQSMnrYlhnpa7TPopFYU2keIlChiyuv5yx-H7G4f6Ew2ag9uORyJ9PwJvLfvh0jXVeH4VcMjPkMk-9IzMmKdh1S9RHng5yK-R2b6hN9azxnZDbPEaHn9FqkW8Thdzm2_4TAAD__1g6bbE">