[llvm] 49e463f - [IR] Constant::getAggregateElement - early-out for ScalableVectorType

Simon Pilgrim via llvm-commits llvm-commits at lists.llvm.org
Tue Nov 24 04:03:53 PST 2020 

Author: Simon Pilgrim
Date: 2020-11-24T12:03:27Z
New Revision: 49e463ff803d144bec510d6c1e061aafbf3b27cf

URL: https://github.com/llvm/llvm-project/commit/49e463ff803d144bec510d6c1e061aafbf3b27cf
DIFF: https://github.com/llvm/llvm-project/commit/49e463ff803d144bec510d6c1e061aafbf3b27cf.diff

LOG: [IR] Constant::getAggregateElement - early-out for ScalableVectorType

We can't call getNumElements() for ScalableVectorType types - just bail for now, although ConstantAggregateZero/UndefValue could return a reasonable value.

Fixes crash shown in OSS-Fuzz #25272 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25272

Added: 
    

Modified: 
    llvm/lib/IR/Constants.cpp
    llvm/test/Transforms/InstCombine/vscale_extractelement.ll

Removed: 
    


################################################################################
diff  --git a/llvm/lib/IR/Constants.cpp b/llvm/lib/IR/Constants.cpp
index 732d6e69ba92..b87fc2484d22 100644
--- a/llvm/lib/IR/Constants.cpp
+++ b/llvm/lib/IR/Constants.cpp
@@ -408,16 +408,20 @@ Constant *Constant::getAllOnesValue(Type *Ty) {
 }
 
 Constant *Constant::getAggregateElement(unsigned Elt) const {
-  if (const ConstantAggregate *CC = dyn_cast<ConstantAggregate>(this))
+  if (const auto *CC = dyn_cast<ConstantAggregate>(this))
     return Elt < CC->getNumOperands() ? CC->getOperand(Elt) : nullptr;
 
-  if (const ConstantAggregateZero *CAZ = dyn_cast<ConstantAggregateZero>(this))
+  // FIXME: getNumElements() will fail for non-fixed vector types.
+  if (isa<ScalableVectorType>(getType()))
+    return nullptr;
+
+  if (const auto *CAZ = dyn_cast<ConstantAggregateZero>(this))
     return Elt < CAZ->getNumElements() ? CAZ->getElementValue(Elt) : nullptr;
 
-  if (const UndefValue *UV = dyn_cast<UndefValue>(this))
+  if (const auto *UV = dyn_cast<UndefValue>(this))
     return Elt < UV->getNumElements() ? UV->getElementValue(Elt) : nullptr;
 
-  if (const ConstantDataSequential *CDS =dyn_cast<ConstantDataSequential>(this))
+  if (const auto *CDS = dyn_cast<ConstantDataSequential>(this))
     return Elt < CDS->getNumElements() ? CDS->getElementAsConstant(Elt)
                                        : nullptr;
   return nullptr;

diff  --git a/llvm/test/Transforms/InstCombine/vscale_extractelement.ll b/llvm/test/Transforms/InstCombine/vscale_extractelement.ll
index 0b148172a42a..8d49ae712a19 100644
--- a/llvm/test/Transforms/InstCombine/vscale_extractelement.ll
+++ b/llvm/test/Transforms/InstCombine/vscale_extractelement.ll
@@ -168,3 +168,18 @@ define i1 @extractelement_is_zero(<vscale x 2 x i32> %d, i1 %b, i32 %z) {
   %bb = icmp eq i32 %ext, 0
   ret i1 %bb
 }
+
+; OSS-Fuzz #25272
+; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25272
+define i32 @ossfuzz_25272(float %f) {
+; CHECK-LABEL: @ossfuzz_25272(
+; CHECK-NEXT:    [[VEC_FLOAT:%.*]] = insertelement <vscale x 4 x float> undef, float [[F:%.*]], i32 0
+; CHECK-NEXT:    [[VEC_INT:%.*]] = bitcast <vscale x 4 x float> [[VEC_FLOAT]] to <vscale x 4 x i32>
+; CHECK-NEXT:    [[E:%.*]] = extractelement <vscale x 4 x i32> [[VEC_INT]], i32 2147483647
+; CHECK-NEXT:    ret i32 [[E]]
+;
+  %vec_float = insertelement <vscale x 4 x float> undef, float %f, i32 0
+  %vec_int = bitcast <vscale x 4 x float> %vec_float to <vscale x 4 x i32>
+  %E = extractelement <vscale x 4 x i32> %vec_int, i32 2147483647
+  ret i32 %E
+}

More information about the llvm-commits mailing list