LLVM Bugzilla is read-only and represents the historical archive of all LLVM issues filed before November 26, 2021. Use GitHub to submit LLVM bugs.

Bug 49495 - A miscompilation bug in InstructionSimplify.cpp (select + icmp gep inbounds)
Summary: A miscompilation bug in InstructionSimplify.cpp (select + icmp gep inbounds)
Status: RESOLVED FIXED
Alias: None
Product: libraries
Classification: Unclassified
Component: Scalar Optimizations (show other bugs)
Version: trunk
Hardware: PC All
Importance: P normal
Assignee: Nikita Popov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-09 12:37 PST by Juneyoung Lee
Modified: 2021-03-22 14:35 PDT (History)

See Also:
Fixed By Commit(s):


Description Juneyoung Lee 2021-03-09 12:37:55 PST
```
$ cat a.ll
define i1 @f(i8* %a, i8* %b) {
  %cond1 = icmp ne i8* %a, %b
  %a2 = getelementptr inbounds i8, i8* %a, i64 -1
  %cond2 = icmp ugt i8* %a2, %b
  %res = select i1 %cond1, i1 %cond2, i1 false
  ret i1 %res
}

$ opt -instsimplify ./a.ll -S -o -
define i1 @f(i8* %a, i8* %b) {
  %a2 = getelementptr inbounds i8, i8* %a, i64 -1
  %cond2 = icmp ugt i8* %a2, %b
  ret i1 %cond2
}
```

This is incorrect: if a = b = null, %res before opt is false whereas the output after opt is poison.

https://alive2.llvm.org/ce/z/SDy_PX

The reason is that SimplifyWithOpReplaced calls SimplifyCmpInst which folds `(gep inbounds a, -1) >u a` to `false` even if AllowRefinement is false.

A solution that I came up with is to add an 'AllowRefinement' field to SimplifyQuery as well and let SimplifyICmpInst() stop this folding if the flag is set, but I found that SimplifyQuery is used in many places other than InstructionSimplify.
Would it still be a reasonable solution though?
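As an added illustration (not part of the bug report or of LLVM's code), the toy model below reproduces the counterexample from the description by brute force, in the spirit of the Alive2 verdict linked above. It assumes a flat 8-bit address space with null = 0, and it models `gep inbounds` on a null base with a non-zero offset as poison (the only out-of-bounds case the example needs); poison propagates through `icmp`, while `select` with a non-poison false condition ignores a poison true arm. `refines` then checks the one property a simplification must preserve: wherever the source is not poison, the target must produce the same value.

```python
# Added example, not code from the bug report or from LLVM.
# Toy model of LLVM poison semantics for the select/icmp/gep case
# in bug 49495. Assumptions: 8-bit flat address space, null = 0,
# gep inbounds with a non-zero offset from null is poison.

POISON = "poison"  # sentinel standing in for an LLVM poison value


def gep_inbounds(base, offset):
    """Model `getelementptr inbounds i8, i8* base, i64 offset`.

    Only the null object is modelled as having no bytes, so any
    non-zero offset from null leaves the object and is poison
    (assumption of this model); other bases stay in bounds.
    """
    if base is POISON:
        return POISON
    if base == 0 and offset != 0:
        return POISON
    return (base + offset) % 256


def icmp(pred, x, y):
    """`icmp` on any poison operand yields poison."""
    if x is POISON or y is POISON:
        return POISON
    return {"ne": x != y, "ugt": x > y}[pred]


def select(cond, tval, fval):
    """`select` with a poison condition is poison; otherwise the
    unselected arm is ignored even if it is poison."""
    if cond is POISON:
        return POISON
    return tval if cond else fval


def f_before(a, b):
    """The function @f as written in a.ll."""
    cond1 = icmp("ne", a, b)
    a2 = gep_inbounds(a, -1)
    cond2 = icmp("ugt", a2, b)
    return select(cond1, cond2, False)


def f_after(a, b):
    """The function @f as emitted by `opt -instsimplify`."""
    a2 = gep_inbounds(a, -1)
    return icmp("ugt", a2, b)


def refines(src, tgt):
    """Return None if tgt refines src on every input, otherwise the
    first (a, b, src_value, tgt_value) where src is defined (not
    poison) but tgt disagrees with it."""
    for a in range(256):
        for b in range(256):
            s, t = src(a, b), tgt(a, b)
            if s is not POISON and t != s:
                return (a, b, s, t)
    return None


if __name__ == "__main__":
    print("counterexample:", refines(f_before, f_after))
```

Running the check finds exactly the input named in the report, a = b = null: the original returns false because `select` takes its false arm, while the simplified function returns poison. Every other input agrees, which is why the fold looks plausible to a simplifier that is allowed to refine; `SimplifyWithOpReplaced` must not be.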
Comment 1 Juneyoung Lee 2021-03-10 21:38:57 PST
A suggested fix: https://reviews.llvm.org/D98391