From fc8f1e4419d338a347bade7cfc76f73052f00739 Mon Sep 17 00:00:00 2001
From: Simon Pilgrim <llvm-dev@redking.me.uk>
Date: Tue, 21 Sep 2021 12:23:52 +0100
Subject: [PATCH] [InstCombine] foldConstantInsEltIntoShuffle - bail if we fail
 to find constant element (PR51824)

If getAggregateElement() returns null for any element, early out as otherwise we will assert when creating a new constant vector

Fixes PR51824 + ; OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38057
---
 .../InstCombine/InstCombineVectorOps.cpp           |  4 ++
 llvm/test/Transforms/InstCombine/pr51824.ll        | 46 ++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 llvm/test/Transforms/InstCombine/pr51824.ll

diff --git a/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp b/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
index 47ab278..3b4d044 100644
--- a/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombineVectorOps.cpp
@@ -1356,6 +1356,10 @@ static Instruction *foldConstantInsEltIntoShuffle(InsertElementInst &InsElt) {
         NewShufElts[I] = ShufConstVec->getAggregateElement(I);
         NewMaskElts[I] = Mask[I];
       }
+
+      // Bail if we failed to find an element.
+      if (!NewShufElts[I])
+        return nullptr;
     }
 
     // Create new operands for a shuffle that includes the constant of the
diff --git a/llvm/test/Transforms/InstCombine/pr51824.ll b/llvm/test/Transforms/InstCombine/pr51824.ll
new file mode 100644
index 0000000..1e0ab77
--- /dev/null
+++ b/llvm/test/Transforms/InstCombine/pr51824.ll
@@ -0,0 +1,46 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
+; RUN: opt < %s -instcombine -S | FileCheck %s
+
+; OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38057
+define void @PR51824() {
+; CHECK-LABEL: @PR51824(
+; CHECK-NEXT:  entry:
+; CHECK-NEXT:    br label [[BB:%.*]]
+; CHECK:       BB:
+; CHECK-NEXT:    br i1 undef, label [[BB]], label [[BB1:%.*]]
+; CHECK:       BB1:
+; CHECK-NEXT:    ret void
+;
+entry:
+  %C7 = icmp sgt i1 false, true
+  %B2 = lshr i16 -32768, 0
+  %C1 = icmp uge i16 %B2, %B2
+  %E9 = extractelement <4 x i16> zeroinitializer, i16 %B2
+  %I2 = insertelement <4 x i16> undef, i16 %E9, i16 0
+  %i = sext <4 x i16> %I2 to <4 x i32>
+  %i1 = getelementptr inbounds i64, i64* null, <4 x i32> %i
+  %i2 = ptrtoint <4 x i64*> %i1 to <4 x i32>
+  %E2 = extractelement <4 x i32> %i2, i16 0
+  br label %BB
+
+BB:                                               ; preds = %BB, %entry
+  %A15 = alloca <4 x i32>, align 16
+  %L2 = load <4 x i32>, <4 x i32>* %A15, align 16
+  %G1 = getelementptr i64, i64* null, i32 %E2
+  %i3 = getelementptr inbounds i64, i64* %G1, <4 x i16> undef
+  %i4 = ptrtoint <4 x i64*> %i3 to <4 x i32>
+  %E22 = extractelement <4 x i32> %L2, i1 false
+  %E8 = extractelement <4 x i32> %i4, i1 false
+  %I10 = insertelement <4 x i32> undef, i32 undef, i32 %E8
+  %I19 = insertelement <4 x i32> %I10, i32 %E22, i16 0
+  %S7 = shufflevector <4 x i32> %I19, <4 x i32> %L2, <4 x i32> undef
+  %I8 = insertelement <4 x i32> %I19, i32 0, i1 %C1
+  %E10 = extractelement <4 x i32> %I8, i1 undef
+  store i32 %E10, i32* undef, align 4
+  br i1 undef, label %BB, label %BB1
+
+BB1:                                              ; preds = %BB
+  %S8 = shufflevector <4 x i32> %I10, <4 x i32> %S7, <4 x i32> undef
+  store <4 x i32> %S8, <4 x i32>* undef, align 16
+  ret void
+}
-- 
2.7.4