[llvm] r361729 - [InstCombine] prevent crashing with invalid extractelement index

Sanjay Patel via llvm-commits llvm-commits at lists.llvm.org
Sun May 26 07:03:51 PDT 2019


Author: spatel
Date: Sun May 26 07:03:50 2019
New Revision: 361729

URL: http://llvm.org/viewvc/llvm-project?rev=361729&view=rev
Log:
[InstCombine] prevent crashing with invalid extractelement index

This was found/reduced from a fuzzer report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14956

Modified:
    llvm/trunk/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
    llvm/trunk/test/Transforms/InstCombine/extractelement.ll

Modified: llvm/trunk/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Transforms/InstCombine/InstCombineVectorOps.cpp?rev=361729&r1=361728&r2=361729&view=diff
==============================================================================
--- llvm/trunk/lib/Transforms/InstCombine/InstCombineVectorOps.cpp (original)
+++ llvm/trunk/lib/Transforms/InstCombine/InstCombineVectorOps.cpp Sun May 26 07:03:50 2019
@@ -878,12 +878,13 @@ Instruction *InstCombiner::visitInsertEl
   }
 
   // If the inserted element was extracted from some other vector and both
-  // indexes are constant, try to turn this into a shuffle.
+  // indexes are valid constants, try to turn this into a shuffle.
   uint64_t InsertedIdx, ExtractedIdx;
   Value *ExtVecOp;
   if (match(IdxOp, m_ConstantInt(InsertedIdx)) &&
       match(ScalarOp, m_ExtractElement(m_Value(ExtVecOp),
-                                       m_ConstantInt(ExtractedIdx)))) {
+                                       m_ConstantInt(ExtractedIdx))) &&
+      ExtractedIdx < ExtVecOp->getType()->getVectorNumElements()) {
     // TODO: Looking at the user(s) to determine if this insert is a
     // fold-to-shuffle opportunity does not match the usual instcombine
     // constraints. We should decide if the transform is worthy based only
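Review bot: The updated comment says both indexes are valid constants, but the condition added here range-checks only `ExtractedIdx`; `InsertedIdx` is matched as any constant, and nothing in the hunk compares it with the destination vector's element count. If an earlier fold in this function already guarantees an in-range insert index, record that in the comment, e.g. `// InsertedIdx is known in range here: <reason>`. Otherwise add the symmetric guard `InsertedIdx < IE.getType()->getVectorNumElements()` (assuming the visited instruction is named `IE`, which the hunk does not show). The test comment in this commit says collectShuffleElements() itself does not consider invalid operands, so this guard presumably protects only the outermost insert/extract pair; an assert on the index inside that helper would catch out-of-range constants that reach the shuffle-building code by another path. The function body starts and ends outside the hunk.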

Modified: llvm/trunk/test/Transforms/InstCombine/extractelement.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Transforms/InstCombine/extractelement.ll?rev=361729&r1=361728&r2=361729&view=diff
==============================================================================
--- llvm/trunk/test/Transforms/InstCombine/extractelement.ll (original)
+++ llvm/trunk/test/Transforms/InstCombine/extractelement.ll Sun May 26 07:03:50 2019
@@ -310,3 +310,22 @@ define float @bitcasted_inselt_to_and_fr
   ret float %r
 }
 
+; This would crash/assert because the logic for collectShuffleElements()
+; does not consider the possibility of invalid insert/extract operands.
+
+define <4 x double> @invalid_extractelement(<2 x double> %a, <4 x double> %b, double* %p) {
+; ANY-LABEL: @invalid_extractelement(
+; ANY-NEXT:    [[TMP1:%.*]] = shufflevector <2 x double> [[A:%.*]], <2 x double> undef, <4 x i32> <i32 0, i32 undef, i32 undef, i32 undef>
+; ANY-NEXT:    [[T4:%.*]] = shufflevector <4 x double> [[B:%.*]], <4 x double> [[TMP1]], <4 x i32> <i32 undef, i32 1, i32 4, i32 3>
+; ANY-NEXT:    [[E:%.*]] = extractelement <4 x double> [[B]], i32 1
+; ANY-NEXT:    store double [[E]], double* [[P:%.*]], align 8
+; ANY-NEXT:    ret <4 x double> [[T4]]
+;
+  %t3 = extractelement <2 x double> %a, i32 0
+  %t4 = insertelement <4 x double> %b, double %t3, i32 2
+  %e = extractelement <4 x double> %t4, i32 1
+  store double %e, double* %p
+  %e1 = extractelement <2 x double> %a, i32 4 ; invalid index
+  %r = insertelement <4 x double> %t4, double %e1, i64 0
+  ret <4 x double> %r
+}
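Review bot: The regression test only exercises index 4 on a `<2 x double>` source, so the boundary of the new `<` comparison is not pinned; index 2, the first out-of-range value, is never tested. A sibling function identical to this one except for `%e1 = extractelement <2 x double> %a, i32 2`, with its checks regenerated, would catch a later change from `<` to `<=`. A case with an out-of-range constant on the insertelement side would also document how that path behaves, since the added C++ guard does not cover it.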



