commit 9317963920a0d9b55b701326ee4f0c5e392d6aec
author Sanjay Patel <spatel@rotateright.com> Sun May 26 14:03:50 2019 +0000
committer Sanjay Patel <spatel@rotateright.com> Sun May 26 14:03:50 2019 +0000
tree 16cae3c5100c14b1a66b34e7c3339589cab97d5a
parent fa91ab85d9f84f8f8691aa5d625c7b3ec4467e21

[InstCombine] prevent crashing with invalid extractelement index

This was found/reduced from a fuzzer report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14956

llvm-svn: 361729

llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp

diff --git a/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp b/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
index 3085693..d812c5b 100644
--- a/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
@@ -878,12 +878,13 @@
   }
 
   // If the inserted element was extracted from some other vector and both
-  // indexes are constant, try to turn this into a shuffle.
+  // indexes are valid constants, try to turn this into a shuffle.
   uint64_t InsertedIdx, ExtractedIdx;
   Value *ExtVecOp;
   if (match(IdxOp, m_ConstantInt(InsertedIdx)) &&
       match(ScalarOp, m_ExtractElement(m_Value(ExtVecOp),
-                                       m_ConstantInt(ExtractedIdx)))) {
+                                       m_ConstantInt(ExtractedIdx))) &&
+      ExtractedIdx < ExtVecOp->getType()->getVectorNumElements()) {
     // TODO: Looking at the user(s) to determine if this insert is a
     // fold-to-shuffle opportunity does not match the usual instcombine
     // constraints. We should decide if the transform is worthy based only