From 4172dbab5dd3dffa8717e090e1912fce598d1a77 Mon Sep 17 00:00:00 2001
From: Andrew Kaylor
Date: Mon, 3 Jun 2019 17:54:15 +0000
Subject: [PATCH] Fix a crash when the default of a switch is removed

This patch fixes a problem that occurs in LowerSwitch when a switch statement has a PHI node as its condition, and the PHI node only has two incoming blocks, and one of those incoming blocks is through an unreachable default in the switch statement. When this condition occurs, LowerSwitch holds a pointer to the condition value, but removes the switch block as a predecessor of the PHI block, causing the PHI node to be replaced. LowerSwitch then tries to use its stale pointer to the original condition value, causing a crash.

Differential Revision: https://reviews.llvm.org/D62560
llvm-svn: 362427
---
 llvm/lib/Transforms/Utils/LowerSwitch.cpp | 5 +++
 .../condition-phi-unreachable-default.ll | 36 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 llvm/test/Transforms/LowerSwitch/condition-phi-unreachable-default.ll
diff --git a/llvm/lib/Transforms/Utils/LowerSwitch.cpp b/llvm/lib/Transforms/Utils/LowerSwitch.cpp
index 680b5d31a42c..8062fe499083 100644
--- a/llvm/lib/Transforms/Utils/LowerSwitch.cpp
+++ b/llvm/lib/Transforms/Utils/LowerSwitch.cpp
@@ -584,6 +584,11 @@ void LowerSwitch::processSwitchInst(SwitchInst *SI,
 PopSucc->removePredecessor(OrigBlock);
 return;
 }
+
+ // If the condition was a PHI node with the switch block as a predecessor
+ // removing predecessors may have caused the condition to be erased.
+ // Getting the condition value again here protects against that.
+ Val = SI->getCondition();
 }

 // Create a new, empty default block so that the new hierarchy of
diff --git a/llvm/test/Transforms/LowerSwitch/condition-phi-unreachable-default.ll b/llvm/test/Transforms/LowerSwitch/condition-phi-unreachable-default.ll
new file mode 100644
index 000000000000..c53602bcd27a
--- /dev/null
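Review bot: The added comment says "removing predecessors" without naming `removePredecessor()` as the call that can erase the PHI, and the function still carries a raw `Value *` across that call, so the hazard is easy to reintroduce. I would word the comment as `// removePredecessor() can fold a PHI left with one incoming value and erase it; re-read the condition instead of reusing the pointer taken earlier.` The reload covers `Val` only on the fall-through path. processSwitchInst starts and ends outside the hunk, so whether anything else derived from the old condition is still used below this point cannot be confirmed from here and is worth checking.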
+++ b/llvm/test/Transforms/LowerSwitch/condition-phi-unreachable-default.ll
@@ -0,0 +1,36 @@
+; RUN: opt < %s -lowerswitch -S | FileCheck %s
+
+; This test verifies -lowerswitch does not crash when an removing an
+; unreachable default branch causes a PHI node used as the switch
+; condition to be erased.
+
+define void @f() local_unnamed_addr {
+entry:
+ br label %sw.epilog
+
+sw.epilog: ; preds = %sw.epilog.outer, %for.body
+ %i = phi i32 [ undef, %for.body ], [ 0, %entry ]
+ br i1 undef, label %for.body, label %for.end
+
+for.body: ; preds = %sw.epilog
+ switch i32 %i, label %sw.epilog [
+ i32 0, label %sw.epilog.outer.backedge.loopexit
+ i32 1, label %sw.epilog.outer.backedge
+ ]
+
+sw.epilog.outer.backedge.loopexit: ; preds = %for.body
+ br label %for.end
+
+sw.epilog.outer.backedge: ; preds = %for.body
+ unreachable
+
+for.end: ; preds = %sw.epilog
+ ret void
+}
+
+; The phi and the switch should both be eliminated.
+; CHECK: @f()
+; CHECK: sw.epilog:
+; CHECK-NOT: phi
+; CHECK: for.body:
+; CHECK-NOT: switch
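Review bot: The CHECK lines only assert that `phi` and `switch` are absent, so the test would still pass if the lowered code in `for.body` compared against a wrong operand, provided opt did not crash. A positive check after `; CHECK: for.body:` on the instruction that replaces the switch would pin the value the fix re-reads; the exact text depends on the pass output, which is not shown on this page. Separately, the header comment reads `when an removing` where `when removing` is meant, and the `; preds = %sw.epilog.outer, %for.body` annotation on `sw.epilog` names a block that does not exist in `@f`.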