[llvm] r321634 - [ValueTracking] Don't assume shift values are in range
Simon Pilgrim via llvm-commits
llvm-commits at lists.llvm.org
Mon Jan 1 14:44:59 PST 2018
Author: rksimon
Date: Mon Jan 1 14:44:59 2018
New Revision: 321634
URL: http://llvm.org/viewvc/llvm-project?rev=321634&view=rev
Log:
[ValueTracking] Don't assume shift values are in range
Reduced (as best I could...) from oss-fuzz #4857 test case
Modified:
llvm/trunk/lib/Analysis/ValueTracking.cpp
llvm/trunk/test/Transforms/InstCombine/udiv-simplify.ll
Modified: llvm/trunk/lib/Analysis/ValueTracking.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Analysis/ValueTracking.cpp?rev=321634&r1=321633&r2=321634&view=diff
==============================================================================
--- llvm/trunk/lib/Analysis/ValueTracking.cpp (original)
+++ llvm/trunk/lib/Analysis/ValueTracking.cpp Mon Jan 1 14:44:59 2018
@@ -2264,9 +2264,9 @@ static unsigned ComputeNumSignBitsImpl(c
// ashr X, C -> adds C sign bits. Vectors too.
const APInt *ShAmt;
if (match(U->getOperand(1), m_APInt(ShAmt))) {
- unsigned ShAmtLimited = ShAmt->getZExtValue();
- if (ShAmtLimited >= TyBits)
+ if (ShAmt->uge(TyBits))
break; // Bad shift.
+ unsigned ShAmtLimited = ShAmt->getZExtValue();
Tmp += ShAmtLimited;
if (Tmp > TyBits) Tmp = TyBits;
}
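Review bot: The reason the range check now has to come before `getZExtValue()` is not recorded at the call site, so a later tidy-up could move the conversion back above it. In this ashr case, and likewise in the shl case in the next hunk, I would add a comment above the `uge` test such as `// Compare as APInt: the amount may need more than 64 bits (e.g. i177), and getZExtValue() asserts on such values.` With the check first, the amount is known to be below TyBits when it is converted, so the narrowing to `unsigned` cannot lose bits. ComputeNumSignBitsImpl starts and ends outside both hunks.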
@@ -2277,9 +2277,9 @@ static unsigned ComputeNumSignBitsImpl(c
if (match(U->getOperand(1), m_APInt(ShAmt))) {
// shl destroys sign bits.
Tmp = ComputeNumSignBits(U->getOperand(0), Depth + 1, Q);
+ if (ShAmt->uge(TyBits) || // Bad shift.
+ ShAmt->uge(Tmp)) break; // Shifted all sign bits out.
Tmp2 = ShAmt->getZExtValue();
- if (Tmp2 >= TyBits || // Bad shift.
- Tmp2 >= Tmp) break; // Shifted all sign bits out.
return Tmp - Tmp2;
}
break;
Modified: llvm/trunk/test/Transforms/InstCombine/udiv-simplify.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Transforms/InstCombine/udiv-simplify.ll?rev=321634&r1=321633&r2=321634&view=diff
==============================================================================
--- llvm/trunk/test/Transforms/InstCombine/udiv-simplify.ll (original)
+++ llvm/trunk/test/Transforms/InstCombine/udiv-simplify.ll Mon Jan 1 14:44:59 2018
@@ -62,3 +62,24 @@ define i32 @PR30366(i1 %a) {
%d = udiv i32 %z, zext (i16 shl (i16 1, i16 ptrtoint ([1 x i16]* @b to i16)) to i32)
ret i32 %d
}
+
+; OSS-Fuzz #4857
+; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4857
+define i177 @ossfuzz_4857(i177 %X, i177 %Y) {
+; CHECK-LABEL: @ossfuzz_4857(
+; CHECK-NEXT: store i1 false, i1* undef, align 1
+; CHECK-NEXT: ret i177 0
+;
+ %B5 = udiv i177 %Y, -1
+ %B4 = add i177 %B5, -1
+ %B2 = add i177 %B4, -1
+ %B6 = mul i177 %B5, %B2
+ %B3 = add i177 %B2, %B2
+ %B9 = xor i177 %B4, %B3
+ %B13 = ashr i177 %Y, %B2
+ %B22 = add i177 %B9, %B13
+ %B1 = udiv i177 %B5, %B6
+ %C9 = icmp ult i177 %Y, %B22
+ store i1 %C9, i1* undef
+ ret i177 %B1
+}
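Review bot: Nothing in this function is a `shl`, so the shl branch changed in ValueTracking.cpp appears to have no regression coverage here; only the `ashr i177 %Y, %B2` path is visibly exercised. If a reduced case can reach that branch with a shift amount that does not fit in 64 bits, it would be worth adding beside this one. I would also state the intent above the define, e.g. `; A shift amount wider than 64 bits must not assert in ComputeNumSignBits.`, since the issue link alone does not say what is being guarded.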