From dc29901efb18880679b965538ae8bc3f6dd5ecd8 Mon Sep 17 00:00:00 2001 From: Robert Imschweiler Date: Wed, 21 May 2025 15:28:30 +0200 Subject: [PATCH] [AMDGPU] PromoteAlloca: handle out-of-bounds GEP for shufflevector (#139700) This LLVM defect was identified via the AMD Fuzzing project. --------- Co-authored-by: Matt Arsenault --- .../lib/Target/AMDGPU/AMDGPUPromoteAlloca.cpp | 4 +- .../AMDGPU/promote-alloca-shufflevector.ll | 44 +++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 llvm/test/CodeGen/AMDGPU/promote-alloca-shufflevector.ll diff --git a/llvm/lib/Target/AMDGPU/AMDGPUPromoteAlloca.cpp b/llvm/lib/Target/AMDGPU/AMDGPUPromoteAlloca.cpp index 933ee6ceeaf4..517d05f6514d 100644 --- a/llvm/lib/Target/AMDGPU/AMDGPUPromoteAlloca.cpp +++ b/llvm/lib/Target/AMDGPU/AMDGPUPromoteAlloca.cpp @@ -666,7 +666,9 @@ static Value *promoteAllocaUserToVector( SmallVector Mask; for (unsigned Idx = 0; Idx < VectorTy->getNumElements(); ++Idx) { if (Idx >= DestBegin && Idx < DestBegin + NumCopied) { - Mask.push_back(SrcBegin++); + Mask.push_back(SrcBegin < VectorTy->getNumElements() + ? SrcBegin++ + : PoisonMaskElem); } else { Mask.push_back(Idx); } diff --git a/llvm/test/CodeGen/AMDGPU/promote-alloca-shufflevector.ll b/llvm/test/CodeGen/AMDGPU/promote-alloca-shufflevector.ll new file mode 100644 index 000000000000..c16d0e8381ec --- /dev/null +++ b/llvm/test/CodeGen/AMDGPU/promote-alloca-shufflevector.ll @@ -0,0 +1,44 @@ +; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 5 +; RUN: opt -mtriple amdgcn -passes=amdgpu-promote-alloca-to-vector -S < %s | FileCheck %s + +; Skip promote-alloca in case of an index which is known to be out of bounds. + +define amdgpu_kernel void @out_of_bounds() { +; CHECK-LABEL: define amdgpu_kernel void @out_of_bounds() { +; CHECK-NEXT: [[PTR:%.*]] = freeze <4 x float> poison +; CHECK-NEXT: [[TMP1:%.*]] = shufflevector <4 x float> [[PTR]], <4 x float> poison, <4 x i32> +; CHECK-NEXT: ret void +; + %ptr = alloca [4 x float], align 4, addrspace(5) + %elem_ptr = getelementptr [4 x float], ptr addrspace(5) %ptr, i32 0, i32 42 + call void @llvm.memcpy.p5.p5.i32(ptr addrspace(5) %ptr, ptr addrspace(5) %elem_ptr, i32 8, i1 false) + ret void +} + +define amdgpu_kernel void @memcpy_partially_out_of_bounds() { +; CHECK-LABEL: define amdgpu_kernel void @memcpy_partially_out_of_bounds() { +; CHECK-NEXT: [[PTR:%.*]] = freeze <3 x float> poison +; CHECK-NEXT: [[TMP1:%.*]] = shufflevector <3 x float> [[PTR]], <3 x float> poison, <3 x i32> +; CHECK-NEXT: ret void +; + %ptr = alloca [3 x float], align 4, addrspace(5) + %elem_ptr = getelementptr [3 x float], ptr addrspace(5) %ptr, i32 0, i32 2 + call void @llvm.memcpy.p5.p5.i32(ptr addrspace(5) %ptr, ptr addrspace(5) %elem_ptr, i32 8, i1 false) + ret void +} + +define amdgpu_kernel void @in_bounds() { +; CHECK-LABEL: define amdgpu_kernel void @in_bounds() { +; CHECK-NEXT: [[PTR:%.*]] = freeze <4 x float> poison +; CHECK-NEXT: [[TMP1:%.*]] = shufflevector <4 x float> [[PTR]], <4 x float> poison, <4 x i32> +; CHECK-NEXT: ret void +; + %ptr = alloca [4 x float], align 4, addrspace(5) + %elem_ptr = getelementptr [4 x float], ptr addrspace(5) %ptr, i32 0, i32 2 + call void @llvm.memcpy.p5.p5.i32(ptr addrspace(5) %ptr, ptr addrspace(5) %elem_ptr, i32 8, i1 false) + ret void +} + +declare void @llvm.memcpy.p5.p5.i32(ptr addrspace(5) writeonly captures(none), ptr addrspace(5) readonly captures(none), i32, i1 immarg) #0 + +attributes #0 = { nocallback nofree nounwind willreturn memory(argmem: readwrite) }