InstCombine can't fold "select %c, undef, %foo" to %foo (miscompile) #30981
Description
| Bugzilla Link | 31633 |
| Resolution | FIXED |
| Resolved on | Mar 22, 2021 01:48 |
| Version | trunk |
| OS | All |
| Blocks | #47292 |
| CC | @majnemer,@hiraditya,@aqjune,@regehr,@sanjoy,@rotateright,@zsrkmyn |
Extended Description
InstCombine currently folds "select %c, undef, %foo" into %foo, because it assumes that undef can take any value that %foo may take.
This is not correct since %foo may be poison.
This problem has long been know, but I'm adding now an end-to-end miscompilation example triggered by this bug.
$ cat select-undef.ll
define i1 @f(i1 %c, i32 %y) {
%y2 = add nsw i32 %y, 1
%s = select i1 %c, i32 undef, i32 %y2
%r = icmp sgt i32 %s, %y
ret i1 %r
}
$ opt -S select-undef.ll -instcombine
define i1 @f(i1 %c, i32 %y) {
ret i1 true
}
Which is wrong for the case %y=0x7FFFFFFF and %c=true. %y2 overflows and becomes poison, but the select should return undef only, not poison.
Alive report: http://rise4fun.com/Alive/XGW
Related with #30980 .