From b9826c10866997a8869a7356a37aade759338b08 Mon Sep 17 00:00:00 2001
From: Simon Pilgrim
Date: Fri, 29 May 2020 12:25:27 +0100
Subject: [PATCH] [CGP] Ensure address scaled offset is representable as int64_t

AddressingModeMatcher::matchScaledValue was calling getSExtValue for a constant before ensuring that we can actually represent the value as int64_t

Fixes OSSFuzz#22723 which is a followup to rGc479052a74b2 (PR46004 / OSSFuzz#22357)
---
 llvm/lib/CodeGen/CodeGenPrepare.cpp | 5 +++--
 llvm/test/CodeGen/X86/pr46004.ll | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/llvm/lib/CodeGen/CodeGenPrepare.cpp b/llvm/lib/CodeGen/CodeGenPrepare.cpp
index ee4b43446ee..c22cf5f81ee 100644
--- a/llvm/lib/CodeGen/CodeGenPrepare.cpp
+++ b/llvm/lib/CodeGen/CodeGenPrepare.cpp
@@ -3715,10 +3715,11 @@ bool AddressingModeMatcher::matchScaledValue(Value *ScaleReg, int64_t Scale,
   // X*Scale + C*Scale to addr mode.
   ConstantInt *CI = nullptr;
   Value *AddLHS = nullptr;
   if (isa(ScaleReg) && // not a constant expr.
-      match(ScaleReg, m_Add(m_Value(AddLHS), m_ConstantInt(CI)))) {
+      match(ScaleReg, m_Add(m_Value(AddLHS), m_ConstantInt(CI))) &&
+      CI->getValue().isSignedIntN(64)) {
     TestAddrMode.InBounds = false;
     TestAddrMode.ScaledReg = AddLHS;
-    TestAddrMode.BaseOffs += CI->getSExtValue()*TestAddrMode.Scale;
+    TestAddrMode.BaseOffs += CI->getSExtValue() * TestAddrMode.Scale;
 
     // If this addressing mode is legal, commit it and remember that we folded
     // this instruction.
diff --git a/llvm/test/CodeGen/X86/pr46004.ll b/llvm/test/CodeGen/X86/pr46004.ll
index 5b00e5998a3..19353560e73 100644
--- a/llvm/test/CodeGen/X86/pr46004.ll
+++ b/llvm/test/CodeGen/X86/pr46004.ll
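Review bot: The new `CI->getValue().isSignedIntN(64)` guard makes the `getSExtValue()` call safe, but the product on the following line, `CI->getSExtValue() * TestAddrMode.Scale`, and the `+=` into `TestAddrMode.BaseOffs` are still unchecked int64_t arithmetic, so a constant that does fit in 64 bits can still overflow once it is multiplied by a scale greater than 1 or added to an existing offset (signed overflow, undefined behaviour). How large `Scale` can be here is not visible in the hunk; this is inferred only from the `int64_t Scale` parameter in the hunk header. If `llvm/Support/MathExtras.h` is already reachable from this file, `MulOverflow`/`AddOverflow` can check both steps and simply decline the fold instead of wrapping, keeping the same shape as the representability check the commit adds. `matchScaledValue` begins and ends outside the hunk.
```cpp
  int64_t ScaledOffs = 0, NewBaseOffs = 0;
  if (isa<Instruction>(ScaleReg) && // not a constant expr.
      match(ScaleReg, m_Add(m_Value(AddLHS), m_ConstantInt(CI))) &&
      CI->getValue().isSignedIntN(64) &&
      // Decline the fold if C*Scale or BaseOffs + C*Scale would overflow.
      !MulOverflow(CI->getSExtValue(), TestAddrMode.Scale, ScaledOffs) &&
      !AddOverflow(TestAddrMode.BaseOffs, ScaledOffs, NewBaseOffs)) {
    TestAddrMode.InBounds = false;
    TestAddrMode.ScaledReg = AddLHS;
    TestAddrMode.BaseOffs = NewBaseOffs;
    // … unchanged: legality check and fold bookkeeping …
```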
@@ -19,3 +19,18 @@ define void @fuzz22357(i128 %a0) {
   store i8 0, i8* %3, align 1
   ret void
 }
+
+; OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22723
+define void @fuzz22723(i128 %a0) {
+; X86-LABEL: fuzz22723:
+; X86: # %bb.0:
+; X86-NEXT: retl
+;
+; X64-LABEL: fuzz22723:
+; X64: # %bb.0:
+; X64-NEXT: retq
+  %1 = add i128 %a0, 170141183460469231731687303715884105727
+  %2 = getelementptr i128*, i128** undef, i128 %1
+  store i128* undef, i128** %2, align 8
+  ret void
+}
-- 
2.11.0
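Review bot: The added `@fuzz22723` case only exercises the rejection path of the new `isSignedIntN(64)` check, with an i128 constant that cannot be represented in 64 bits at all; it does not cover a constant that passes the check but whose scaled offset still overflows int64_t. Since the GEP here indexes `i128*` elements, the implied scale is the pointer size, so a companion case with a constant that fits in 64 bits but is close to the limit (for example `add i128 %a0, 4611686018427387904`, i.e. 2^62, as a constructed value) would drive the same fold through the still-unchecked `CI->getSExtValue() * TestAddrMode.Scale` multiplication. Whether that product is actually reachable with this scale is inferred, not visible in the hunk, so the case should be confirmed against the addressing-mode matcher before landing it.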