[CGP] Ensure address scaled offset is representable as int64_t

AddressingModeMatcher::matchScaledValue was calling getSExtValue for a constant before ensuring that we can actually represent the value as int64_t

Fixes OSSFuzz#22723 which is a followup to rGc479052a74b2 (PR46004 / OSSFuzz#22357)

diff --git a/llvm/lib/CodeGen/CodeGenPrepare.cpp b/llvm/lib/CodeGen/CodeGenPrepare.cpp
index ee4b434..c22cf5f 100644 (file)
--- a/llvm/lib/CodeGen/CodeGenPrepare.cpp
+++ b/llvm/lib/CodeGen/CodeGenPrepare.cpp
@@ -3715,10 +3715,11 @@ bool AddressingModeMatcher::matchScaledValue(Value *ScaleReg, int64_t Scale,
   // X*Scale + C*Scale to addr mode.
   ConstantInt *CI = nullptr; Value *AddLHS = nullptr;
   if (isa<Instruction>(ScaleReg) &&  // not a constant expr.
-      match(ScaleReg, m_Add(m_Value(AddLHS), m_ConstantInt(CI)))) {
+      match(ScaleReg, m_Add(m_Value(AddLHS), m_ConstantInt(CI))) &&
+      CI->getValue().isSignedIntN(64)) {
     TestAddrMode.InBounds = false;
     TestAddrMode.ScaledReg = AddLHS;
-    TestAddrMode.BaseOffs += CI->getSExtValue()*TestAddrMode.Scale;
+    TestAddrMode.BaseOffs += CI->getSExtValue() * TestAddrMode.Scale;
 
     // If this addressing mode is legal, commit it and remember that we folded
     // this instruction.

diff --git a/llvm/test/CodeGen/X86/pr46004.ll b/llvm/test/CodeGen/X86/pr46004.ll
index 5b00e59..1935356 100644 (file)
--- a/llvm/test/CodeGen/X86/pr46004.ll
+++ b/llvm/test/CodeGen/X86/pr46004.ll
@@ -19,3 +19,18 @@ define void @fuzz22357(i128 %a0) {
   store i8 0, i8* %3, align 1
   ret void
 }
+
+; OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22723
+define void @fuzz22723(i128 %a0) {
+; X86-LABEL: fuzz22723:
+; X86:       # %bb.0:
+; X86-NEXT:    retl
+;
+; X64-LABEL: fuzz22723:
+; X64:       # %bb.0:
+; X64-NEXT:    retq
+  %1 = add i128 %a0, 170141183460469231731687303715884105727
+  %2 = getelementptr i128*, i128** undef, i128 %1
+  store i128* undef, i128** %2, align 8
+  ret void
+}