Reduced from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33395 define void @objsize1_custom_idx() { entry: %A = alloca i8, i32 undef, align 1 %G1 = getelementptr i8, i8* %A, i8 undef %ptr2 = getelementptr inbounds i8, i8* %G1, i32 2 %calc_size = call i64 @llvm.objectsize.i64.p0i8(i8* %ptr2, i1 false, i1 true, i1 true) ret void } declare i64 @llvm.objectsize.i64.p0i8(i8*, i1 immarg, i1 immarg, i1 immarg) llc -mtriple=x86_64-- .text .file "fuzz.ll" llc: /home/simon/LLVM/llvm-project/llvm/lib/IR/Constants.cpp:2277: static llvm::Constant* llvm::ConstantExpr::get(unsigned int, llvm::Constant*, llvm::Constant*, unsigned int, llvm::Type*): Assertion `C1->getType() == C2->getType() && "Operand types in binary constant expression should match"' failed. PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace. Stack dump: 0. Program arguments: llc -mtriple=x86_64-- /mnt/e/llvm/fuzz.ll -o - 1. Running pass 'Function Pass Manager' on module '/mnt/e/llvm/fuzz.ll'. 2. Running pass 'Lower constant intrinsics' on function '@objsize1_custom_idx' #0 0x000056354779abc1 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/simon/LLVM/llvm-project/llvm/lib/Support/Unix/Signals.inc:569:3 #1 0x0000563547798af4 llvm::sys::RunSignalHandlers() /home/simon/LLVM/llvm-project/llvm/lib/Support/Signals.cpp:76:20 #2 0x00005635477993a5 SignalHandler(int) /home/simon/LLVM/llvm-project/llvm/lib/Support/Unix/Signals.inc:397:31 #3 0x00007fb184d493c0 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x153c0) #4 0x00007fb18481918b raise (/lib/x86_64-linux-gnu/libc.so.6+0x4618b) #5 0x00007fb1847f8859 abort (/lib/x86_64-linux-gnu/libc.so.6+0x25859) #6 0x00007fb1847f8729 (/lib/x86_64-linux-gnu/libc.so.6+0x25729) #7 0x00007fb184809f36 (/lib/x86_64-linux-gnu/libc.so.6+0x36f36) #8 0x0000563546ebdfd9 llvm::ConstantExpr::get(unsigned int, llvm::Constant*, llvm::Constant*, unsigned int, llvm::Type*) /home/simon/LLVM/llvm-project/llvm/lib/IR/Constants.cpp:2275:3 #9 0x000056354670537d llvm::TargetFolder::Fold(llvm::Constant*) const /home/simon/LLVM/llvm-project/llvm/include/llvm/Analysis/TargetFolder.h:37:32 #10 0x000056354670537d llvm::TargetFolder::CreateSub(llvm::Constant*, llvm::Constant*, bool, bool) const /home/simon/LLVM/llvm-project/llvm/include/llvm/Analysis/TargetFolder.h:58:16 #11 0x0000563546795668 llvm::IRBuilderBase::CreateSub(llvm::Value*, llvm::Value*, llvm::Twine const&, bool, bool) /home/simon/LLVM/llvm-project/llvm/include/llvm/IR/IRBuilder.h:1211:22 #12 0x0000563546795668 llvm::lowerObjectSizeCall(llvm::IntrinsicInst*, llvm::DataLayout const&, llvm::TargetLibraryInfo const*, bool) /home/simon/LLVM/llvm-project/llvm/lib/Analysis/MemoryBuiltins.cpp:567:28 #13 0x00005635471a8b4a lowerConstantIntrinsics(llvm::Function&, llvm::TargetLibraryInfo const*, llvm::DominatorTree*) /home/simon/LLVM/llvm-project/llvm/lib/Transforms/Scalar/LowerConstantIntrinsics.cpp:137:37 #14 0x00005635471a9da4 (anonymous namespace)::LowerConstantIntrinsics::runOnFunction(llvm::Function&) /home/simon/LLVM/llvm-project/llvm/lib/Transforms/Scalar/LowerConstantIntrinsics.cpp:182:3 #15 0x0000563546fa89c8 llvm::FPPassManager::runOnFunction(llvm::Function&) /home/simon/LLVM/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1449:7 #16 0x0000563546fa9499 llvm::ilist_node_impl<llvm::ilist_detail::node_options<llvm::Function, true, false, void> >::getNext() /home/simon/LLVM/llvm-project/llvm/include/llvm/ADT/ilist_node.h:66:66 #17 0x0000563546fa9499 llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Function, true, false, void>, false, false>::operator++() /home/simon/LLVM/llvm-project/llvm/include/llvm/ADT/ilist_iterator.h:157:25 #18 0x0000563546fa9499 llvm::FPPassManager::runOnModule(llvm::Module&) /home/simon/LLVM/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1484:22 #19 0x0000563546fa7b18 runOnModule /home/simon/LLVM/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1561:7 #20 0x0000563546fa7b18 llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/simon/LLVM/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:542:55 #21 0x000056354532e4f2 compileModule(char**, llvm::LLVMContext&) /home/simon/LLVM/llvm-project/llvm/tools/llc/llc.cpp:690:66 #22 0x0000563545269352 main /home/simon/LLVM/llvm-project/llvm/tools/llc/llc.cpp:388:5 #23 0x00007fb1847fa0b3 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b3) #24 0x000056354532696e _start (/home/simon/LLVM/stage1/bin/llc+0x9a596e)
From the assert, we can see that the problem is mismatched operand sizes (in this case in a subtraction of base and offset values). We only need one GEP to trigger the failure (default x86_64-- data layout will specify the pointer size as 64-bit, so that doesn't match the i8 offset): define i64 @PR50023(i32 %x, i8 %y) { %A = alloca i8, i32 %x, align 1 %G1 = getelementptr i8, i8* %A, i8 %y %objsize = call i64 @llvm.objectsize.i64.p0i8(i8* %G1, i1 false, i1 true, i1 true) ret i64 %objsize } I've never looked at the objectsize intrinsic before or its lowering, but we can sext/trunc to make the offset match the base type? I'll post a patch.
https://reviews.llvm.org/D100766
https://reviews.llvm.org/rG9d43f6d7cee8