[InstCombine] Add missing constant check

[dtcxzyw]

cast<Constant> is not guarded by a type check during canonicalization of predicates. This patch adds a type check in the outer if to avoid the crash. dyn_cast may introduce another nested if, so I just use isa<Constant> instead.

Address the crash reported in #153053 (comment).

[llvmbot]

@llvm/pr-subscribers-llvm-transforms

Author: Yingwei Zheng (dtcxzyw)

Changes

cast<Constant> is not guarded by a type check during canonicalization of predicates. This patch adds a type check in the outer if to avoid the crash. dyn_cast may introduce another nested if, so I just use isa<Constant> instead.

Address the crash reported in #153053 (comment).

---

Full diff: https://github.com/llvm/llvm-project/pull/170068.diff

2 Files Affected:

• (modified) llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp (+1)
• (modified) llvm/test/Transforms/InstCombine/saturating-add-sub.ll (+16)

diff --git a/llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp b/llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp index e7dc366b13798..c9f51e4b294b1 100644 --- a/llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp +++ b/llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp @@ -1163,6 +1163,7 @@ static Value *canonicalizeSaturatedAddSigned(ICmpInst *Cmp, Value *TVal, // (X >= Y) ? INT_MAX : (X + C) --> sadd.sat(X, C) // where Y is INT_MAX - C or INT_MAX - C - 1, and C > 0 if ((Pred == ICmpInst::ICMP_SGT || Pred == ICmpInst::ICMP_SGE) && + isa<Constant>(Cmp1) && match(FVal, m_Add(m_Specific(Cmp0), m_StrictlyPositive(C)))) { APInt IntMax = APInt::getSignedMaxValue(Cmp1->getType()->getScalarSizeInBits()); diff --git a/llvm/test/Transforms/InstCombine/saturating-add-sub.ll b/llvm/test/Transforms/InstCombine/saturating-add-sub.ll index c0ad5818e448a..1294f867f07c0 100644 --- a/llvm/test/Transforms/InstCombine/saturating-add-sub.ll +++ b/llvm/test/Transforms/InstCombine/saturating-add-sub.ll @@ -2671,3 +2671,19 @@ define i8 @neg_neg_constant(i8 %x, i8 %y) { %s = select i1 %cmp, i8 127, i8 %d ret i8 %s } + +; Make sure we don't crash in this case. +define i32 @pr153053_strict_pred_with_nonconstant_rhs(i32 %x, i32 %y) { +; CHECK-LABEL: @pr153053_strict_pred_with_nonconstant_rhs( +; CHECK-NEXT: entry: +; CHECK-NEXT: [[CMP:%.*]] = icmp slt i32 [[X:%.*]], [[Y:%.*]] +; CHECK-NEXT: [[ADD:%.*]] = add i32 [[X]], 1 +; CHECK-NEXT: [[RES:%.*]] = select i1 [[CMP]], i32 [[ADD]], i32 2147483647 +; CHECK-NEXT: ret i32 [[RES]] +; +entry: + %cmp = icmp slt i32 %x, %y + %add = add i32 %x, 1 + %res = select i1 %cmp, i32 %add, i32 2147483647 + ret i32 %res +} 

[dtcxzyw]

I am unavailable for the next few hours. If the CI is green and this patch is approved, feel free to merge this PR. Thanks.

[XChy]

LGTM

[alexfh]

Thank you for the fix! I verified that it resolves the problem with the original non-reduced input.

[llvm-ci]

LLVM Buildbot has detected a new failure on builder clang-aarch64-sve-vla-2stage running on linaro-g3-01 while building llvm at step 12 "ninja check 2".

Full details are available at: https://lab.llvm.org/buildbot/#/builders/41/builds/10616

Here is the relevant piece of the build log for the reference

Step 12 (ninja check 2) failure: stage 2 checked (failure) ******************** TEST 'MemorySanitizer-AARCH64 :: release_origin.c' FAILED ******************** Exit Code: 1 Command Output (stderr): -- /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/./bin/clang -fsanitize=memory -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta -gline-tables-only -fsanitize-memory-track-origins=0 -O0 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c -o /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp && env MSAN_OPTIONS=soft_rss_limit_mb=18:verbosity=1:allocator_may_return_null=1 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp 2>&1 | FileCheck /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c -implicit-check-not="soft rss limit" -check-prefixes=CHECK,NOORIG # RUN: at line 1 + /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/./bin/clang -fsanitize=memory -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta -gline-tables-only -fsanitize-memory-track-origins=0 -O0 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c -o /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp + FileCheck /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c '-implicit-check-not=soft rss limit' -check-prefixes=CHECK,NOORIG + env MSAN_OPTIONS=soft_rss_limit_mb=18:verbosity=1:allocator_may_return_null=1 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/./bin/clang -fsanitize=memory -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta -gline-tables-only -fsanitize-memory-track-origins=2 -O0 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c -o /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp && env MSAN_OPTIONS=soft_rss_limit_mb=36:verbosity=1:allocator_may_return_null=1 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp 2>&1 | FileCheck /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c -implicit-check-not="soft rss limit" -check-prefixes=CHECK,ORIGIN # RUN: at line 2 + /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/./bin/clang -fsanitize=memory -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta -gline-tables-only -fsanitize-memory-track-origins=2 -O0 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c -o /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp + FileCheck /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c '-implicit-check-not=soft rss limit' -check-prefixes=CHECK,ORIGIN + env MSAN_OPTIONS=soft_rss_limit_mb=36:verbosity=1:allocator_may_return_null=1 /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/stage2/runtimes/runtimes-bins/compiler-rt/test/msan/AARCH64/Output/release_origin.c.tmp /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c:37:12: error: ORIGIN: expected string not found in input // ORIGIN: soft rss limit unexhausted ^ <stdin>:94:7: note: scanning from here memset ^ <stdin>:95:1: note: possible intended match here free ^ command line:1:22: error: IMPLICIT-CHECK-NOT: excluded string found in input -implicit-check-not='soft rss limit' ^ <stdin>:96:29: note: found here ==2381879==MemorySanitizer: soft rss limit unexhausted (36Mb vs 3Mb) ^~~~~~~~~~~~~~ Input file: <stdin> Check file: /home/tcwg-buildbot/worker/clang-aarch64-sve-vla-2stage/llvm/compiler-rt/test/msan/release_origin.c -dump-input=help explains the following input dump. Input was: <<<<<< . . . 89: MemorySanitizer: Started BackgroundThread 90: malloc 91: MemorySanitizer: RSS: 43Mb 92: MemorySanitizer: StackDepot: 3 ids; 9M allocated 93: ==2381879==MemorySanitizer: soft rss limit exhausted (36Mb vs 43Mb) 94: memset check:37'0 X error: no match found 95: free check:37'0 ~~~~ check:37'1 ? possible intended match 96: ==2381879==MemorySanitizer: soft rss limit unexhausted (36Mb vs 3Mb) ... 

[llvm-ci]

LLVM Buildbot has detected a new failure on builder ppc64le-flang-rhel-clang running on ppc64le-flang-rhel-test while building llvm at step 6 "test-build-unified-tree-check-flang".

Full details are available at: https://lab.llvm.org/buildbot/#/builders/157/builds/42648

Here is the relevant piece of the build log for the reference

Step 6 (test-build-unified-tree-check-flang) failure: 1200 seconds without output running [b'ninja', b'check-flang'], attempting to kill ... XFAIL: Flang :: Semantics/unlockstmt02.f90 (4020 of 4031) PASS: Flang :: Semantics/unlockstmt01.f90 (4021 of 4031) PASS: Flang :: Transforms/external-name-interop-symref-array.fir (4022 of 4031) PASS: Flang :: Semantics/widening.f90 (4023 of 4031) PASS: Flang :: Transforms/debug-line-table.fir (4024 of 4031) PASS: Flang :: Transforms/stack-arrays.f90 (4025 of 4031) PASS: Flang :: Semantics/undef-result01.f90 (4026 of 4031) PASS: Flang :: Transforms/OpenACC/acc-implicit-data-fortran.F90 (4027 of 4031) PASS: Flang :: Transforms/debug-dwarf-version.fir (4028 of 4031) PASS: Flang :: Driver/linker-options.f90 (4029 of 4031) command timed out: 1200 seconds without output running [b'ninja', b'check-flang'], attempting to kill process killed by signal 9 program finished with exit code -1 elapsedTime=3556.691538