[llvm] 993f3c6 - [TTI] getUserCost - Ensure a vector insert/extract index is in unsigned 32-bit range

Sat Sep 25 02:51:13 PDT 2021

Author: Simon Pilgrim
Date: 2021-09-25T10:50:54+01:00
New Revision: 993f3c61b31d3917e0809bf1925c97fc0a61ce90

URL: https://github.com/llvm/llvm-project/commit/993f3c61b31d3917e0809bf1925c97fc0a61ce90
DIFF: https://github.com/llvm/llvm-project/commit/993f3c61b31d3917e0809bf1925c97fc0a61ce90.diff

LOG: [TTI] getUserCost - Ensure a vector insert/extract index is in unsigned 32-bit range

Otherwise fallback to the generic 'unknown index' path

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29050

Added: 
    

Modified: 
    llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
    llvm/test/Transforms/LICM/crash.ll

Removed: 
    


################################################################################
diff  --git a/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h b/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
index 6e432053c4f82..07344fc05036c 100644

--- a/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
+++ b/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
@@ -1068,8 +1068,10 @@ class TargetTransformInfoImplCRTPBase : public TargetTransformInfoImplBase {
       auto *IE = dyn_cast<InsertElementInst>(U);
       if (!IE)
         return TTI::TCC_Basic; // FIXME
-      auto *CI = dyn_cast<ConstantInt>(IE->getOperand(2));
-      unsigned Idx = CI ? CI->getZExtValue() : -1;
+      unsigned Idx = -1;
+      if (auto *CI = dyn_cast<ConstantInt>(IE->getOperand(2)))
+        if (CI->getValue().getActiveBits() <= 32)
+          Idx = CI->getZExtValue();
       return TargetTTI->getVectorInstrCost(Opcode, Ty, Idx);
     }
     case Instruction::ShuffleVector: {
@@ -1132,17 +1134,15 @@ class TargetTransformInfoImplCRTPBase : public TargetTransformInfoImplBase {
                                        Shuffle->getShuffleMask(), 0, nullptr);
     }
     case Instruction::ExtractElement: {
-      unsigned Idx = -1;
       auto *EEI = dyn_cast<ExtractElementInst>(U);
       if (!EEI)
         return TTI::TCC_Basic; // FIXME
-
-      auto *CI = dyn_cast<ConstantInt>(EEI->getOperand(1));
-      if (CI)
-        Idx = CI->getZExtValue();
-
-      return TargetTTI->getVectorInstrCost(Opcode, U->getOperand(0)->getType(),
-                                           Idx);
+      unsigned Idx = -1;
+      if (auto *CI = dyn_cast<ConstantInt>(EEI->getOperand(1)))
+        if (CI->getValue().getActiveBits() <= 32)
+          Idx = CI->getZExtValue();
+      Type *DstTy = U->getOperand(0)->getType();
+      return TargetTTI->getVectorInstrCost(Opcode, DstTy, Idx);
     }
     }
     // By default, just classify everything as 'basic'.

diff  --git a/llvm/test/Transforms/LICM/crash.ll b/llvm/test/Transforms/LICM/crash.ll
index 6a740219133f9..607449b821ad0 100644
--- a/llvm/test/Transforms/LICM/crash.ll
+++ b/llvm/test/Transforms/LICM/crash.ll
@@ -73,3 +73,15 @@ define void @test4() noreturn nounwind {
   store i32 undef, i32* @g_47, align 4
   br label %1
 }
+
+; OSS-Fuzz #29050
+; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29050
+define <2 x i177> @ossfuzz_29050(<2 x i177> %X) {
+bb:
+  br label %BB
+BB:
+  %I3 = insertelement <2 x i177> undef, i177 95780971304118053647396689196894323976171195136475135, i177 95780971304118053647396689196894323976171195136475135
+  br i1 true, label %BB, label %BB1
+BB1:
+  ret <2 x i177> %I3
+}


        
