clang crashes at -O1 and above on x86_64-linux-gnu: Assertion `hiBit <= BitWidth && "hiBit out of range"' failed

[zhendongsu]

It appears to be a regression from 12.0., and affects 13.0 and later.

Compiler Explorer: https://godbolt.org/z/1qsqxarcW

% clangtk -v
clang version 15.0.0 (https://github.com/llvm/llvm-project.git 011d2bf86487520c3515f16e0b1d32994bf2b48f)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/opfuzz/bin
Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/10
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/11
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6.5.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.5.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/11
Candidate multilib: .;@m64
Selected multilib: .;@m64
% 
% clangtk -O0 small.c; ./a.out
% 
% clangtk -O1 small.c
clang-15: /local/suz-local/software/clangbuild/llvm-project/llvm/include/llvm/ADT/APInt.h:1318: void llvm::APInt::setBits(unsigned int, unsigned int): Assertion `hiBit <= BitWidth && "hiBit out of range"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /local/suz-local/software/local/clang-trunk/bin/clang-15 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj --mrelax-relocations -disable-free -clear-ast-before-backend -main-file-name small.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -mllvm -treat-scalable-fixed-error-as-warning -debugger-tuning=gdb -fcoverage-compilation-dir=/local/suz-local/software/emitesting/bugs/20220707-clangtk-m64-O3-mllvm-opaque-pointers-mllvm-enable-constraint-elimination-build-134208/delta -resource-dir /local/suz-local/software/local/clang-trunk/lib/clang/15.0.0 -I /usr/local/include/csmith -I /local/suz-local/software/local/include -internal-isystem /local/suz-local/software/local/clang-trunk/lib/clang/15.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/11/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O1 -fdebug-compilation-dir=/local/suz-local/software/emitesting/bugs/20220707-clangtk-m64-O3-mllvm-opaque-pointers-mllvm-enable-constraint-elimination-build-134208/delta -ferror-limit 19 -fgnuc-version=4.2.1 -fcolor-diagnostics -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/small-e57b3e.o -x c small.c
1.	<eof> parser at end of file
2.	Optimizer
 #0 0x0000555f13e0fcc1 PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
 #1 0x0000555f13e0d334 SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f6317ef4980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #3 0x00007f6316b21e87 raise /build/glibc-CVJwZb/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
 #4 0x00007f6316b237f1 abort /build/glibc-CVJwZb/glibc-2.27/stdlib/abort.c:81:0
 #5 0x00007f6316b133fa __assert_fail_base /build/glibc-CVJwZb/glibc-2.27/assert/assert.c:89:0
 #6 0x00007f6316b13472 (/lib/x86_64-linux-gnu/libc.so.6+0x30472)
 #7 0x0000555f11b93968 (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x1b44968)
 #8 0x0000555f137aa047 llvm::InstCombinerImpl::visitAnd(llvm::BinaryOperator&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x375b047)
 #9 0x0000555f1376a900 llvm::InstCombinerImpl::run() (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x371b900)
#10 0x0000555f1376c7dc combineInstructionsOverFunction(llvm::Function&, llvm::InstructionWorklist&, llvm::AAResults*, llvm::AssumptionCache&, llvm::TargetLibraryInfo&, llvm::TargetTransformInfo&, llvm::DominatorTree&, llvm::OptimizationRemarkEmitter&, llvm::BlockFrequencyInfo*, llvm::ProfileSummaryInfo*, unsigned int, llvm::LoopInfo*) InstructionCombining.cpp:0:0
#11 0x0000555f1376d3f7 llvm::InstCombinePass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x371e3f7)
#12 0x0000555f150ebcc2 llvm::detail::PassModel<llvm::Function, llvm::InstCombinePass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x509ccc2)
#13 0x0000555f134bde0f llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function>>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x346ee0f)
#14 0x0000555f115fcbe2 llvm::detail::PassModel<llvm::Function, llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function>>, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x15adbe2)
#15 0x0000555f134bca3e llvm::ModuleToFunctionPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x346da3e)
#16 0x0000555f115fd4c2 llvm::detail::PassModel<llvm::Module, llvm::ModuleToFunctionPassAdaptor, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x15ae4c2)
#17 0x0000555f134ba9eb llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x346b9eb)
#18 0x0000555f141c6655 (anonymous namespace)::EmitAssemblyHelper::RunOptimizationPipeline(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>&, std::unique_ptr<llvm::ToolOutputFile, std::default_delete<llvm::ToolOutputFile>>&) (.constprop.0) BackendUtil.cpp:0:0
#19 0x0000555f141c9034 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x417a034)
#20 0x0000555f1507bf52 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x502cf52)
#21 0x0000555f15cab3d9 clang::ParseAST(clang::Sema&, bool, bool) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x5c5c3d9)
#22 0x0000555f1493b811 clang::FrontendAction::Execute() (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x48ec811)
#23 0x0000555f148c6016 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x4877016)
#24 0x0000555f149feaa8 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x49afaa8)
#25 0x0000555f112d856b cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x128956b)
#26 0x0000555f112d1d63 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) driver.cpp:0:0
#27 0x0000555f112d4bc6 clang_main(int, char**) (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x1285bc6)
#28 0x00007f6316b04c87 __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:344:0
#29 0x0000555f112d12ba _start (/local/suz-local/software/local/clang-trunk/bin/clang-15+0x12822ba)
clang-15: error: unable to execute command: Aborted
clang-15: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 15.0.0 (https://github.com/llvm/llvm-project.git 011d2bf86487520c3515f16e0b1d32994bf2b48f)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/opfuzz/bin
clang-15: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-15: note: diagnostic msg: /tmp/small-6eed91.c
clang-15: note: diagnostic msg: /tmp/small-6eed91.sh
clang-15: note: diagnostic msg: 

********************
% 
% cat small.c
int a, b, c;
unsigned long d;
int main() {
  long e = 1, f = 0;
  int g = 2;
  b = (a || e++) * -g;
  if (a)
    f = d % (g % a) | a >> b;
  c = -81 & f;
  return 0;
}

@fhahn

[BertalanD]

Reduced IR:

define dso_local i64 @test(i1, i32, i64) {
entry:
  br i1 %0, label %if.then, label %if.end

if.then:                                          ; preds = %entry
  %shr = ashr i32 %1, -2
  %conv4 = sext i32 %shr to i64
  br label %if.end

if.end:                                           ; preds = %if.then, %entry
  %f.0 = phi i64 [ %conv4, %if.then ], [ 0, %entry ]
  %and = and i64 -81, %f.0
  ret i64 %and
}

This case invokes an undefined right shift by a negative value if %0 is true, or if a is non-zero in the C code. Obviously we shouldn't crash even on invalid input.

Mind if I try to make a patch?

[zhendongsu]

@BertalanD: thanks for looking into this. Note though that the original C source is valid and doesn't have any UBs.

[fhahn]

Mind if I try to make a patch?

That would be great!

[fhahn]

Patch: https://reviews.llvm.org/D129306