Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ARM] IselLowering unsigned overflow to crash using APInt in PerformSHLSimplify #59317

Closed
DataCorrupted opened this issue Dec 3, 2022 · 2 comments
Closed

[ARM] IselLowering unsigned overflow to crash using APInt in PerformSHLSimplify #59317

DataCorrupted opened this issue Dec 3, 2022 · 2 comments
Assignees
@DataCorrupted
Labels
backend:ARM crash Prefer [crash-on-valid] or [crash-on-invalid]

Comments

@DataCorrupted
Copy link
Member

DataCorrupted commented Dec 3, 2022
edited by VoltrexKeyva
Loading

When compiling the following code with arm or armeb:

define i1 @f(i16 %F) {
BB:
  %E = extractelement <1 x i16> <i16 -1>, i16 %F
  %RP = alloca i64, align 8
  %B = shl i16 %E, %E
  %C1 = icmp ugt i16 %B, %F
  ret i1 %C1
}

llc crashes. https://godbolt.org/z/vn36qWccj

$ ./bin/llc -mtriple=arm crash/armeb/2/arm-instruction-selection/tracedepth_20__hash_0x-2e90230f449f8a1e/id\:000000\,sig\:11\,src\:010396+017924\,time\:163052514\,execs\:7041568\,op\:libAFLCustomIRMutator.so\,pos\:0.bc
llc: /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:1339: void llvm::APInt::setBits(unsigned int, unsigned int): Assertion `loBit <= BitWidth && "loBit out of range"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: ./bin/llc -mtriple=arm crash/armeb/2/arm-instruction-selection/tracedepth_20__hash_0x-2e90230f449f8a1e/id:000000,sig:11,src:010396+017924,time:163052514,execs:7041568,op:libAFLCustomIRMutator.so,pos:0.bc
1.      Running pass 'Function Pass Manager' on module 'crash/armeb/2/arm-instruction-selection/tracedepth_20__hash_0x-2e90230f449f8a1e/id:000000,sig:11,src:010396+017924,time:163052514,execs:7041568,op:libAFLCustomIRMutator.so,pos:0.bc'.
2.      Running pass 'ARM Instruction Selection' on function '@f'
 #0 0x00007fc51bc6d4ba llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Unix/Signals.inc:567:11
 #1 0x00007fc51bc6d66b PrintStackTraceSignalHandler(void*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Unix/Signals.inc:641:1
 #2 0x00007fc51bc6bcc6 llvm::sys::RunSignalHandlers() /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Signals.cpp:104:5
 #3 0x00007fc51bc6dd95 SignalHandler(int) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Support/Unix/Signals.inc:412:1
 #4 0x00007fc51a42b980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #5 0x00007fc519727e87 raise /build/glibc-CVJwZb/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
 #6 0x00007fc5197297f1 abort /build/glibc-CVJwZb/glibc-2.27/stdlib/abort.c:81:0
 #7 0x00007fc5197193fa __assert_fail_base /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:89:0
 #8 0x00007fc519719472 (/lib/x86_64-linux-gnu/libc.so.6+0x30472)
 #9 0x00007fc52cb9963c llvm::APInt::setBits(unsigned int, unsigned int) /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:1340:5
#10 0x00007fc52cb99571 llvm::APInt::setHighBits(unsigned int) /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:1363:5
#11 0x00007fc52cb9923e llvm::APInt::getHighBitsSet(unsigned int, unsigned int) /home/peter/aflplusplus-isel/llvm-fix/llvm/include/llvm/ADT/APInt.h:282:5
#12 0x00007fc52cc32072 PerformSHLSimplify(llvm::SDNode*, llvm::TargetLowering::DAGCombinerInfo&, llvm::ARMSubtarget const*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelLowering.cpp:13779:8
#13 0x00007fc52cc087a9 PerformANDCombine(llvm::SDNode*, llvm::TargetLowering::DAGCombinerInfo&, llvm::ARMSubtarget const*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelLowering.cpp:14231:26
#14 0x00007fc52cc038ea llvm::ARMTargetLowering::PerformDAGCombine(llvm::SDNode*, llvm::TargetLowering::DAGCombinerInfo&) const /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelLowering.cpp:18620:32
#15 0x00007fc51c09b59f (anonymous namespace)::DAGCombiner::combine(llvm::SDNode*) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp:1843:16
#16 0x00007fc51c09aaa6 (anonymous namespace)::DAGCombiner::Run(llvm::CombineLevel) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp:1627:18
#17 0x00007fc51c09a38f llvm::SelectionDAG::Combine(llvm::CombineLevel, llvm::AAResults*, llvm::CodeGenOpt::Level) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp:25513:3
#18 0x00007fc51c466475 llvm::SelectionDAGISel::CodeGenAndEmitDAG() /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:819:5
#19 0x00007fc51c465b5d llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, bool&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:689:1
#20 0x00007fc51c4655fb llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1604:11
#21 0x00007fc51c462ba6 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:468:3
#22 0x00007fc52cb5dbb5 (anonymous namespace)::ARMDAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/Target/ARM/ARMISelDAGToDAG.cpp:68:5
#23 0x00007fc51f3fbc35 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/CodeGen/MachineFunctionPass.cpp:91:8
#24 0x00007fc51e5b39e6 llvm::FPPassManager::runOnFunction(llvm::Function&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1430:23
#25 0x00007fc51e5b8812 llvm::FPPassManager::runOnModule(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1476:16
#26 0x00007fc51e5b42b9 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1545:23
#27 0x00007fc51e5b3e2d llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:535:16
#28 0x00007fc51e5b8af1 llvm::legacy::PassManager::run(llvm::Module&) /home/peter/aflplusplus-isel/llvm-fix/llvm/lib/IR/LegacyPassManager.cpp:1672:3
#29 0x00000000004199ac compileModule(char**, llvm::LLVMContext&) /home/peter/aflplusplus-isel/llvm-fix/llvm/tools/llc/llc.cpp:736:41
#30 0x0000000000417d52 main /home/peter/aflplusplus-isel/llvm-fix/llvm/tools/llc/llc.cpp:417:13
#31 0x00007fc51970ac87 __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:344:0
#32 0x000000000041755a _start (./bin/llc+0x41755a)
Aborted

Going to the crashing site, it seems unreasonable to directly subtract bitwidth with the zero extended value, which may get a huge underflowed unsigned value.

https://github.com/llvm/llvm-project/blob/fccab9f90b0327c00116e593351e1e4cd19b5677/llvm/lib/Target/ARM/ARMISelLowering.cpp#L13777-#L13779

Proposed fix:

add a check before the subtract like this:

  if (C2Int.getBitWidth() < C2->getZExtValue()) 
    return SDValue();
@DataCorrupted DataCorrupted self-assigned this Dec 3, 2022
@DataCorrupted DataCorrupted added backend:ARM crash Prefer [crash-on-valid] or [crash-on-invalid] and removed new issue labels Dec 3, 2022
@llvmbot
Copy link
Member

llvmbot commented Dec 3, 2022

@llvm/issue-subscribers-backend-arm

DataCorrupted added a commit that referenced this issue Dec 6, 2022
@DataCorrupted
[ARM] IselLowering unsigned overflow to crash using APInt in PerformS…
ee31a4a 
…HLSimplify

This diff fixes issue #59317

We should check if bitwidth is lower than the shift amount before we subtract them to avoid unsigned overflow.

Reviewed By: dmgreen

Differential Revision: https://reviews.llvm.org/D139238
@DataCorrupted
Copy link
Member Author

Fixed in ee31a4a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DataCorrupted DataCorrupted

Labels
backend:ARM crash Prefer [crash-on-valid] or [crash-on-invalid]
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@DataCorrupted @llvmbot