From 587fd849f05bec7a8d4673262a884892444387d5 Mon Sep 17 00:00:00 2001 From: Sanjay Patel Date: Mon, 11 Feb 2019 19:26:27 +0000 Subject: [PATCH] [InstCombine] Fix matchRotate bug when one operand is a ConstantExpr shift This bug seems to be harmless in release builds, but will cause an error in UBSAN builds or an assertion failure in debug builds. When it gets to this opcode comparison, it assumes both of the operands are BinaryOperators, but the prior m_LogicalShift will also match a ConstantExpr. The cast will assert in a debug build, or reading an invalid value for BinaryOp from memory with ((BinaryOperator*)constantExpr)->getOpcode() will cause an error in a UBSAN build. The test I added will fail without this change in debug/UBSAN builds, but not in release. Patch by: @AndrewScheidecker (Andrew Scheidecker) Differential Revision: https://reviews.llvm.org/D58049 llvm-svn: 353736 --- .../Transforms/InstCombine/InstCombineAndOrXor.cpp | 10 +++++++--- llvm/test/Transforms/InstCombine/rotate.ll | 14 ++++++++++++++ 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/llvm/lib/Transforms/InstCombine/InstCombineAndOrXor.cpp b/llvm/lib/Transforms/InstCombine/InstCombineAndOrXor.cpp index 7c195daa3e7b1..aaa883a70370e 100644 --- a/llvm/lib/Transforms/InstCombine/InstCombineAndOrXor.cpp +++ b/llvm/lib/Transforms/InstCombine/InstCombineAndOrXor.cpp @@ -1819,14 +1819,18 @@ static Instruction *matchRotate(Instruction &Or) { // First, find an or'd pair of opposite shifts with the same shifted operand: // or (lshr ShVal, ShAmt0), (shl ShVal, ShAmt1) - Value *Or0 = Or.getOperand(0), *Or1 = Or.getOperand(1); + BinaryOperator *Or0, *Or1; + if (!match(Or.getOperand(0), m_BinOp(Or0)) || + !match(Or.getOperand(1), m_BinOp(Or1))) + return nullptr; + Value *ShVal, *ShAmt0, *ShAmt1; if (!match(Or0, m_OneUse(m_LogicalShift(m_Value(ShVal), m_Value(ShAmt0)))) || !match(Or1, m_OneUse(m_LogicalShift(m_Specific(ShVal), m_Value(ShAmt1))))) return nullptr; - auto ShiftOpcode0 = cast(Or0)->getOpcode(); - auto ShiftOpcode1 = cast(Or1)->getOpcode(); + BinaryOperator::BinaryOps ShiftOpcode0 = Or0->getOpcode(); + BinaryOperator::BinaryOps ShiftOpcode1 = Or1->getOpcode(); if (ShiftOpcode0 == ShiftOpcode1) return nullptr; diff --git a/llvm/test/Transforms/InstCombine/rotate.ll b/llvm/test/Transforms/InstCombine/rotate.ll index abfe74d6b7ada..6e11c68df9261 100644 --- a/llvm/test/Transforms/InstCombine/rotate.ll +++ b/llvm/test/Transforms/InstCombine/rotate.ll @@ -689,3 +689,17 @@ define i24 @rotl_select_weird_type(i24 %x, i24 %shamt) { ret i24 %r } +; Test that the transform doesn't crash when there's an "or" with a ConstantExpr operand. + +@external_global = external global i8 + +define i32 @rotl_constant_expr(i32 %shamt) { +; CHECK-LABEL: @rotl_constant_expr( +; CHECK-NEXT: [[SHR:%.*]] = lshr i32 ptrtoint (i8* @external_global to i32), [[SHAMT:%.*]] +; CHECK-NEXT: [[R:%.*]] = or i32 [[SHR]], shl (i32 ptrtoint (i8* @external_global to i32), i32 11) +; CHECK-NEXT: ret i32 [[R]] +; + %shr = lshr i32 ptrtoint (i8* @external_global to i32), %shamt + %r = or i32 %shr, shl (i32 ptrtoint (i8* @external_global to i32), i32 11) + ret i32 %r +}