[llvm-branch-commits] [llvm] release/22.x: [SimplifyCFG] Fix null pointer dereference in foldCondBranchOnValueKnownInPredecessorImpl (#178835) (PR #178857)

via llvm-branch-commits llvm-branch-commits at lists.llvm.org
Fri Jan 30 02:13:07 PST 2026 

https://github.com/llvmbot created https://github.com/llvm/llvm-project/pull/178857

Backport 956770a9cb27d56cd04432be90f1241d3e932019

Requested by: @dianqk

>From 3289b579f4123f2f392d80b56e3763a81c9a6f7c Mon Sep 17 00:00:00 2001
From: dianqk <dianqk at dianqk.net>
Date: Fri, 30 Jan 2026 18:04:50 +0800
Subject: [PATCH] [SimplifyCFG] Fix null pointer dereference in
 foldCondBranchOnValueKnownInPredecessorImpl (#178835)

(cherry picked from commit 956770a9cb27d56cd04432be90f1241d3e932019)
---
 llvm/lib/Transforms/Utils/SimplifyCFG.cpp     |  2 +
 .../Transforms/SimplifyCFG/jump-threading.ll  | 41 +++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/llvm/lib/Transforms/Utils/SimplifyCFG.cpp b/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
index 3cb3018a70559..5f4807242581d 100644
--- a/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
+++ b/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
@@ -3605,6 +3605,8 @@ foldCondBranchOnValueKnownInPredecessorImpl(BranchInst *BI, DomTreeUpdater *DTU,
     // Split the predecessors we are threading into a new edge block. We'll
     // clone the instructions into this block, and then redirect it to RealDest.
     BasicBlock *EdgeBB = SplitBlockPredecessors(BB, PredBBs, ".critedge", DTU);
+    if (!EdgeBB)
+      continue;
 
     // TODO: These just exist to reduce test diff, we can drop them if we like.
     EdgeBB->setName(RealDest->getName() + ".critedge");
diff --git a/llvm/test/Transforms/SimplifyCFG/jump-threading.ll b/llvm/test/Transforms/SimplifyCFG/jump-threading.ll
index a4073ae6eb0b4..e99e351dc3df0 100644
--- a/llvm/test/Transforms/SimplifyCFG/jump-threading.ll
+++ b/llvm/test/Transforms/SimplifyCFG/jump-threading.ll
@@ -447,3 +447,44 @@ if.then:
 if.end:
   ret void
 }
+
+define void @cleanuppad() personality ptr null {
+; CHECK-LABEL: @cleanuppad(
+; CHECK-NEXT:  entry:
+; CHECK-NEXT:    invoke void @foo()
+; CHECK-NEXT:            to label [[BB1:%.*]] unwind label [[CLEANUP:%.*]]
+; CHECK:       cleanup:
+; CHECK-NEXT:    [[C:%.*]] = phi i1 [ true, [[ENTRY:%.*]] ], [ false, [[BB1]] ]
+; CHECK-NEXT:    [[CP:%.*]] = cleanuppad within none []
+; CHECK-NEXT:    [[TMP0:%.*]] = xor i1 [[C]], true
+; CHECK-NEXT:    call void @llvm.assume(i1 [[TMP0]])
+; CHECK-NEXT:    cleanupret from [[CP]] unwind to caller
+; CHECK:       bb1:
+; CHECK-NEXT:    invoke void @bar()
+; CHECK-NEXT:            to label [[EXIT:%.*]] unwind label [[CLEANUP]]
+; CHECK:       exit:
+; CHECK-NEXT:    ret void
+;
+entry:
+  invoke void @foo()
+  to label %bb1 unwind label %cleanup
+
+cleanup:
+  %c = phi i1 [ true, %entry ], [ false, %bb1 ]
+  %cp = cleanuppad within none []
+  br i1 %c, label %cleanup_2, label %cpret
+
+bb1:
+  invoke void @bar()
+  to label %exit unwind label %cleanup
+
+exit:
+  ret void
+
+cpret:
+  cleanupret from %cp unwind to caller
+
+cleanup_2:
+  store i1 false, ptr null, align 1
+  br label %cpret
+}

More information about the llvm-branch-commits mailing list