[llvm] 3c06eca - [instcombine] Fix oss-fuzz 39934 (mul matcher can match non-instruction)

Philip Reames via llvm-commits llvm-commits at lists.llvm.org
Sun Oct 24 14:42:29 PDT 2021 

Author: Philip Reames
Date: 2021-10-24T14:42:03-07:00
New Revision: 3c06ecaa1e8d0267fe67c1e5c8fa5f294de2aab8

URL: https://github.com/llvm/llvm-project/commit/3c06ecaa1e8d0267fe67c1e5c8fa5f294de2aab8
DIFF: https://github.com/llvm/llvm-project/commit/3c06ecaa1e8d0267fe67c1e5c8fa5f294de2aab8.diff

LOG: [instcombine] Fix oss-fuzz 39934 (mul matcher can match non-instruction)

Fixes a crash observed by oss-fuzz in 39934.  Issue at hand is that code expects a pattern match on m_Mul to imply the operand is a mul instruction, however mul constexprs are also valid here.

Added: 
    

Modified: 
    llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
    llvm/test/Transforms/InstCombine/icmp-mul.ll

Removed: 
    


################################################################################
diff  --git a/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp b/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
index 481f4dd4a792f..54d751e30ee3c 100644
--- a/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
@@ -4184,8 +4184,8 @@ Instruction *InstCombinerImpl::foldICmpBinOp(ICmpInst &I,
     if (match(Op0, m_Mul(m_Value(X), m_APInt(C))) && *C != 0 &&
         match(Op1, m_Mul(m_Value(Y), m_SpecificInt(*C))) && I.isEquality())
       if (!C->countTrailingZeros() ||
-          (BO0->hasNoSignedWrap() && BO1->hasNoSignedWrap()) ||
-          (BO0->hasNoUnsignedWrap() && BO1->hasNoUnsignedWrap()))
+          (BO0 && BO1 && BO0->hasNoSignedWrap() && BO1->hasNoSignedWrap()) ||
+          (BO0 && BO1 && BO0->hasNoUnsignedWrap() && BO1->hasNoUnsignedWrap()))
       return new ICmpInst(Pred, X, Y);
   }
 

diff  --git a/llvm/test/Transforms/InstCombine/icmp-mul.ll b/llvm/test/Transforms/InstCombine/icmp-mul.ll
index e2aff1c304adf..9f6cfe149d695 100644
--- a/llvm/test/Transforms/InstCombine/icmp-mul.ll
+++ b/llvm/test/Transforms/InstCombine/icmp-mul.ll
@@ -668,3 +668,11 @@ define <2 x i1> @eq_mul_constants_with_tz_splat(<2 x i32> %x, <2 x i32> %y) {
   %C = icmp eq <2 x i32> %A, %B
   ret <2 x i1> %C
 }
+
+ at g = extern_weak global i32
+
+define i1 @oss_fuzz_39934(i32 %arg) {
+  %B13 = mul nsw i32 %arg, -65536
+  %C10 = icmp ne i32 mul (i32 or (i32 zext (i1 icmp eq (i32* @g, i32* null) to i32), i32 65537), i32 -65536), %B13
+  ret i1 %C10
+}

More information about the llvm-commits mailing list