From 993f3c61b31d3917e0809bf1925c97fc0a61ce90 Mon Sep 17 00:00:00 2001
From: Simon Pilgrim <llvm-dev@redking.me.uk>
Date: Sat, 25 Sep 2021 10:50:54 +0100
Subject: [PATCH] [TTI] getUserCost - Ensure a vector insert/extract index is
 in unsigned 32-bit range

Otherwise fallback to the generic 'unknown index' path

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29050
---
 .../llvm/Analysis/TargetTransformInfoImpl.h   | 20 +++++++++----------
 llvm/test/Transforms/LICM/crash.ll            | 12 +++++++++++
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h b/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
index 6e432053c4f8..07344fc05036 100644
--- a/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
+++ b/llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
@@ -1068,8 +1068,10 @@ public:
       auto *IE = dyn_cast<InsertElementInst>(U);
       if (!IE)
         return TTI::TCC_Basic; // FIXME
-      auto *CI = dyn_cast<ConstantInt>(IE->getOperand(2));
-      unsigned Idx = CI ? CI->getZExtValue() : -1;
+      unsigned Idx = -1;
+      if (auto *CI = dyn_cast<ConstantInt>(IE->getOperand(2)))
+        if (CI->getValue().getActiveBits() <= 32)
+          Idx = CI->getZExtValue();
       return TargetTTI->getVectorInstrCost(Opcode, Ty, Idx);
     }
     case Instruction::ShuffleVector: {
@@ -1132,17 +1134,15 @@ public:
                                        Shuffle->getShuffleMask(), 0, nullptr);
     }
     case Instruction::ExtractElement: {
-      unsigned Idx = -1;
       auto *EEI = dyn_cast<ExtractElementInst>(U);
       if (!EEI)
         return TTI::TCC_Basic; // FIXME
-
-      auto *CI = dyn_cast<ConstantInt>(EEI->getOperand(1));
-      if (CI)
-        Idx = CI->getZExtValue();
-
-      return TargetTTI->getVectorInstrCost(Opcode, U->getOperand(0)->getType(),
-                                           Idx);
+      unsigned Idx = -1;
+      if (auto *CI = dyn_cast<ConstantInt>(EEI->getOperand(1)))
+        if (CI->getValue().getActiveBits() <= 32)
+          Idx = CI->getZExtValue();
+      Type *DstTy = U->getOperand(0)->getType();
+      return TargetTTI->getVectorInstrCost(Opcode, DstTy, Idx);
     }
     }
     // By default, just classify everything as 'basic'.
diff --git a/llvm/test/Transforms/LICM/crash.ll b/llvm/test/Transforms/LICM/crash.ll
index 6a740219133f..607449b821ad 100644
--- a/llvm/test/Transforms/LICM/crash.ll
+++ b/llvm/test/Transforms/LICM/crash.ll
@@ -73,3 +73,15 @@ define void @test4() noreturn nounwind {
   store i32 undef, i32* @g_47, align 4
   br label %1
 }
+
+; OSS-Fuzz #29050
+; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29050
+define <2 x i177> @ossfuzz_29050(<2 x i177> %X) {
+bb:
+  br label %BB
+BB:
+  %I3 = insertelement <2 x i177> undef, i177 95780971304118053647396689196894323976171195136475135, i177 95780971304118053647396689196894323976171195136475135
+  br i1 true, label %BB, label %BB1
+BB1:
+  ret <2 x i177> %I3
+}