[llvm] dcb3dc1 - [InstCombine] visitShl - ensure inner shifts have inrange amounts

Simon Pilgrim via llvm-commits llvm-commits at lists.llvm.org
Thu Oct 29 08:30:14 PDT 2020 

Author: Simon Pilgrim
Date: 2020-10-29T15:28:15Z
New Revision: dcb3dc101d80a5786f7f897f0090c081d2912443

URL: https://github.com/llvm/llvm-project/commit/dcb3dc101d80a5786f7f897f0090c081d2912443
DIFF: https://github.com/llvm/llvm-project/commit/dcb3dc101d80a5786f7f897f0090c081d2912443.diff

LOG: [InstCombine] visitShl - ensure inner shifts have inrange amounts

Noticed when fixing OSS Fuzz #26716

Added: 
    

Modified: 
    llvm/lib/Transforms/InstCombine/InstCombineShifts.cpp
    llvm/test/Transforms/InstCombine/shift.ll

Removed: 
    


################################################################################
diff  --git a/llvm/lib/Transforms/InstCombine/InstCombineShifts.cpp b/llvm/lib/Transforms/InstCombine/InstCombineShifts.cpp
index 6f1868a84f93..4eaf1bcc22fe 100644
--- a/llvm/lib/Transforms/InstCombine/InstCombineShifts.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombineShifts.cpp
@@ -923,7 +923,8 @@ Instruction *InstCombinerImpl::visitShl(BinaryOperator &I) {
     }
 
     const APInt *ShOp1;
-    if (match(Op0, m_Exact(m_Shr(m_Value(X), m_APInt(ShOp1))))) {
+    if (match(Op0, m_Exact(m_Shr(m_Value(X), m_APInt(ShOp1)))) &&
+        ShOp1->ult(BitWidth)) {
       unsigned ShrAmt = ShOp1->getZExtValue();
       if (ShrAmt < ShAmt) {
         // If C1 < C2: (X >>?,exact C1) << C2 --> X << (C2 - C1)
@@ -943,7 +944,8 @@ Instruction *InstCombinerImpl::visitShl(BinaryOperator &I) {
       }
     }
 
-    if (match(Op0, m_OneUse(m_Shr(m_Value(X), m_APInt(ShOp1))))) {
+    if (match(Op0, m_OneUse(m_Shr(m_Value(X), m_APInt(ShOp1)))) &&
+        ShOp1->ult(BitWidth)) {
       unsigned ShrAmt = ShOp1->getZExtValue();
       if (ShrAmt < ShAmt) {
         // If C1 < C2: (X >>? C1) << C2 --> X << (C2 - C1) & (-1 << C2)
@@ -968,7 +970,7 @@ Instruction *InstCombinerImpl::visitShl(BinaryOperator &I) {
       }
     }
 
-    if (match(Op0, m_Shl(m_Value(X), m_APInt(ShOp1)))) {
+    if (match(Op0, m_Shl(m_Value(X), m_APInt(ShOp1))) && ShOp1->ult(BitWidth)) {
       unsigned AmtSum = ShAmt + ShOp1->getZExtValue();
       // Oversized shifts are simplified to zero in InstSimplify.
       if (AmtSum < BitWidth)

diff  --git a/llvm/test/Transforms/InstCombine/shift.ll b/llvm/test/Transforms/InstCombine/shift.ll
index a19dc34d459b..5fff5e23f50a 100644
--- a/llvm/test/Transforms/InstCombine/shift.ll
+++ b/llvm/test/Transforms/InstCombine/shift.ll
@@ -1721,6 +1721,26 @@ define i177 @lshr_out_of_range(i177 %Y, i177** %A2) {
   ret i177 %B1
 }
 
+; OSS Fuzz #26716
+; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26716
+define i177 @lshr_out_of_range2(i177 %Y, i177** %A2) {
+; CHECK-LABEL: @lshr_out_of_range2(
+; CHECK-NEXT:    store i177** [[A2:%.*]], i177*** undef, align 8
+; CHECK-NEXT:    ret i177 0
+;
+  %B5 = udiv i177 %Y, -1
+  %B = sdiv i177 %B5, -1
+  %B4 = add i177 %B5, %B
+  %B2 = add i177 %B4, -1
+  %B6 = mul i177 %B5, %B2
+  %B12 = lshr i177 %Y, %B6
+  %C8 = icmp ugt i177 %B12, %B4
+  %G18 = getelementptr i177*, i177** %A2, i1 %C8
+  store i177** %G18, i177*** undef, align 8
+  %B1 = udiv i177 %B5, %B6
+  ret i177 %B1
+}
+
 ; OSS Fuzz #5032
 ; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5032
 define void @ashr_out_of_range(i177* %A) {

More information about the llvm-commits mailing list