From bedd7ddb7fb54c24a296ea6c32606f8172d13896 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 1 Jul 2025 15:18:49 +0200
Subject: [PATCH] [InstCombine] Fix use after free
Load the nowrap flags before calling EmitGEPOffset(), as this may free the instruction.
---
 llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp b/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
index 6de1f8558e8c..2bc2fc6ff01f 100644
--- a/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
@@ -711,9 +711,11 @@ Instruction *InstCombinerImpl::foldGEPICmp(GEPOperator *GEPLHS, Value *RHS,
 Value *PtrBase = GEPLHS->getOperand(0);
 if (PtrBase == RHS && CanFold(GEPLHS->getNoWrapFlags())) {
 // ((gep Ptr, OFFSET) cmp Ptr) ---> (OFFSET cmp 0).
+ GEPNoWrapFlags NW = GEPLHS->getNoWrapFlags();
+ // Do not access GEPLHS after EmitGEPOffset, as the instruction may be
+ // destroyed.
 Value *Offset = EmitGEPOffset(GEPLHS, /*RewriteGEP=*/true);
- return NewICmp(GEPLHS->getNoWrapFlags(), Offset,
- Constant::getNullValue(Offset->getType()));
+ return NewICmp(NW, Offset, Constant::getNullValue(Offset->getType()));
 }
 if (GEPLHS->isInBounds() && ICmpInst::isEquality(Cond) &&
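Review bot: The fix ships without a regression test; the diffstat lists only InstCombineCompares.cpp, so nothing exercises the path the description names (EmitGEPOffset freeing GEPLHS while the old code still read its flags), and a small IR test under llvm/test/Transforms/InstCombine comparing a gep against its own base pointer would lock this in and give an ASan build something to trip on if the read ever creeps back. The condition on the unchanged `if` line above the added lines already evaluates `GEPLHS->getNoWrapFlags()`, so the flags could be loaded once and reused instead of twice: `GEPNoWrapFlags NW = GEPLHS->getNoWrapFlags();` before the `if`, then `if (PtrBase == RHS && CanFold(NW)) {`, which also moves the read visibly ahead of the call that may destroy the instruction. The added comment could say what makes the destruction possible; if, as the `/*RewriteGEP=*/true` argument suggests, it is the rewrite mode that replaces the GEP, stating that in the comment tells the next reader which call sites carry the same hazard. foldGEPICmp starts and ends outside the hunk, so whether any other `EmitGEPOffset(..., /*RewriteGEP=*/true)` call in it still touches GEPLHS afterwards cannot be judged here and is worth a quick audit.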