From da4992bf8ddb1586268c1aea8dbc6caa81b95030 Mon Sep 17 00:00:00 2001
From: Simon Pilgrim
Date: Thu, 21 Mar 2019 14:07:18 +0000
Subject: [PATCH] [DAGCombine] SimplifySelectCC - call FoldSetCC with the setcc result type

We were calling FoldSetCC with the compare operand type instead of the result type.

Found by OSS-Fuzz #13838 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13838)

llvm-svn: 356667
---
 llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp | 5 +++--
 llvm/test/CodeGen/X86/sse-minmax.ll | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp b/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
index 5862936a9e81..093da6f6e40f 100644
--- a/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
+++ b/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
@@ -18948,13 +18948,14 @@ SDValue DAGCombiner::SimplifySelectCC(const SDLoc &DL, SDValue N0, SDValue N1,
 if (N2 == N3) return N2;
 EVT CmpOpVT = N0.getValueType();
+ EVT CmpResVT = getSetCCResultType(CmpOpVT);
 EVT VT = N2.getValueType();
 auto *N1C = dyn_cast(N1.getNode());
 auto *N2C = dyn_cast(N2.getNode());
 auto *N3C = dyn_cast(N3.getNode());
 // Determine if the condition we're dealing with is constant.
- if (SDValue SCC = DAG.FoldSetCC(VT, N0, N1, CC, DL)) {
+ if (SDValue SCC = DAG.FoldSetCC(CmpResVT, N0, N1, CC, DL)) {
 AddToWorklist(SCC.getNode());
 if (auto *SCCC = dyn_cast(SCC)) {
 // fold select_cc true, x, y -> x
@@ -19021,7 +19022,7 @@ SDValue DAGCombiner::SimplifySelectCC(const SDLoc &DL, SDValue N0, SDValue N1,
 SDValue Temp, SCC;
 // zext (setcc n0, n1)
 if (LegalTypes) {
- SCC = DAG.getSetCC(DL, getSetCCResultType(CmpOpVT), N0, N1, CC);
+ SCC = DAG.getSetCC(DL, CmpResVT, N0, N1, CC);
 if (VT.bitsLT(SCC.getValueType()))
 Temp = DAG.getZeroExtendInReg(SCC, SDLoc(N2), VT);
 else
diff --git a/llvm/test/CodeGen/X86/sse-minmax.ll b/llvm/test/CodeGen/X86/sse-minmax.ll
index f79749169c0a..178a74ba546d 100644
--- a/llvm/test/CodeGen/X86/sse-minmax.ll
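Review bot: The new `CmpResVT` declaration in the first hunk carries no comment, and the function now has three similarly named types in scope (`CmpOpVT`, `CmpResVT`, `VT`); the removed line shows the mix-up this invites, since it passed `VT`, the type of the selected value `N2`, to `FoldSetCC`. A one-line comment at the declaration would state the contract, for example `// Result type of the setcc on N0/N1; pass this, not VT, to FoldSetCC/getSetCC.` The regression test in this patch selects between float values, so presumably the old call requested a non-boolean setcc result, which a build without assertions may not trap. The second hunk reuses the same variable in the `LegalTypes` branch and needs nothing further; the body of SimplifySelectCC starts and ends outside both hunks.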
+++ b/llvm/test/CodeGen/X86/sse-minmax.ll
@@ -1345,3 +1345,19 @@ define <3 x float> @test_minps_illegal_v3f32(<3 x float> %x, <3 x float> %y) {
 ret <3 x float> %min
 }
+; OSS-Fuzz #13838
+; https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13838
+define float @ossfuzz13838(float %x) {
+; ALL-LABEL: ossfuzz13838:
+; ALL: # %bb.0: # %bb
+; ALL-NEXT: movss {{.*#+}} xmm0 = mem[0],zero,zero,zero
+; ALL-NEXT: retq
+bb:
+ %cmp2 = fcmp fast olt float %x, 2.550000e+02
+ %B1 = urem i1 %cmp2, %cmp2
+ %min = select i1 %B1, float %x, float 2.550000e+02
+ %B = frem float %min, 0x47EFFFFFE0000000
+ %cmp1 = fcmp fast olt float %B, 1.000000e+00
+ %r = select i1 %cmp1, float 1.000000e+00, float %min
+ ret float %r
+}
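Review bot: The comments above `@ossfuzz13838` identify the test only by an issue number and a tracker URL, so the property it guards cannot be read from the file if that link is unavailable. Add one line stating it, such as `; SimplifySelectCC must fold the compare using the setcc result type, not the float select type.` The `ALL` check lines pin only the folded output, and whether the pre-fix failure was an assertion or a miscompile is not visible in this hunk, so the comment should stay at that level of detail.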