Prevent nullptr dereference in GenerateBlockMemOpsPass

smilczek · igcbot · commit ae235f00f44d · 2025-02-06T11:55:38.000+01:00
GenerateBlockMemOpsPass::checkGep() assumes that if there's a phi value,
the instruction belongs to a loop. While it is a common use for phi
instructions, the spirv spec doesn't disallow their use outside of
loops. This commit adds a null check.
diff --git a/IGC/Compiler/CISACodeGen/GenerateBlockMemOpsPass.cpp b/IGC/Compiler/CISACodeGen/GenerateBlockMemOpsPass.cpp
@@ -726,23 +726,20 @@ Value *GenerateBlockMemOpsPass::checkGep(Instruction *PtrInstr) {
     if (!PtrInstr)
         return nullptr;
 
-    PHINode *Phi = dyn_cast<PHINode>(PtrInstr);
     GetElementPtrInst *Gep = nullptr;
-    if (Phi) {
+    if (PHINode *Phi = dyn_cast<PHINode>(PtrInstr)) {
         unsigned NumIncomingValues = Phi->getNumIncomingValues();
-        if (NumIncomingValues != 2)
+        if (NumIncomingValues != 2) {
             return nullptr;
+        }
 
         BasicBlock *BB = PtrInstr->getParent();
-        Loop *L = LI->getLoopFor(BB);
-        BasicBlock *Preheader = L->getLoopPreheader();
-
-        Value *IncomingVal1 = Phi->getIncomingValueForBlock(Preheader);
-
-        Gep = dyn_cast<GetElementPtrInst>(IncomingVal1);
-
-        if (!Gep)
-            return nullptr;
+        // If this is not a loop, we can't be sure of the flow. Better do nothing.
+        if (Loop *L = LI->getLoopFor(BB)) {
+            BasicBlock *Preheader = L->getLoopPreheader();
+            Value *IncomingVal1 = Phi->getIncomingValueForBlock(Preheader);
+            Gep = dyn_cast<GetElementPtrInst>(IncomingVal1);
+        }
     } else {
         Gep = dyn_cast<GetElementPtrInst>(PtrInstr);
     }
diff --git a/IGC/Compiler/tests/GenerateBlockMemOpsPass/phi_outside_loop_no_crash-typed-pointers.ll b/IGC/Compiler/tests/GenerateBlockMemOpsPass/phi_outside_loop_no_crash-typed-pointers.ll
@@ -0,0 +1,49 @@
+;=========================== begin_copyright_notice ============================
+;
+; Copyright (C) 2025 Intel Corporation
+;
+; SPDX-License-Identifier: MIT
+;
+;============================ end_copyright_notice =============================
+
+; Check that we don't dereference nullptr
+
+; REQUIRES: llvm-14-plus
+; RUN: igc_opt %s -S -o - -generate-block-mem-ops -platformpvc | FileCheck %s
+
+
+define spir_kernel void @test() {
+; CHECK: @test() {
+entry:
+  %alloc = alloca i32
+  br i1 true, label %BB0, label %BB1
+
+BB0:
+  %gep0 = getelementptr i32, i32* %alloc, i32 0
+  br label %store_BB
+
+BB1:
+  %gep1 = getelementptr i32, i32* %alloc, i32 0
+  br label %store_BB
+
+store_BB:
+  %store_addr = phi i32* [%gep0, %BB0], [%gep1, %BB1]
+  store i32 1, i32* %store_addr
+  ret void
+}
+
+!igc.functions = !{!0}
+!IGCMetadata = !{!3}
+
+!0 = !{void ()* @test, !1}
+!1 = !{!2, !11}
+!2 = !{!"function_type", i32 0}
+!3 = !{!"ModuleMD", !4}
+!4 = !{!"FuncMD", !5, !6}
+!5 = !{!"FuncMDMap[0]", void ()* @test}
+!6 = !{!"FuncMDValue[0]", !7}
+!7 = !{!"workGroupWalkOrder", !8, !9, !10}
+!8 = !{!"dim0", i32 0}
+!9 = !{!"dim1", i32 1}
+!10 = !{!"dim2", i32 2}
+!11 = !{!"thread_group_size", i32 32, i32 32, i32 32}
diff --git a/IGC/Compiler/tests/GenerateBlockMemOpsPass/phi_outside_loop_no_crash.ll b/IGC/Compiler/tests/GenerateBlockMemOpsPass/phi_outside_loop_no_crash.ll
@@ -0,0 +1,49 @@
+;=========================== begin_copyright_notice ============================
+;
+; Copyright (C) 2025 Intel Corporation
+;
+; SPDX-License-Identifier: MIT
+;
+;============================ end_copyright_notice =============================
+
+; Check that we don't dereference nullptr
+
+; REQUIRES: llvm-14-plus
+; RUN: igc_opt --opaque-pointers %s -S -o - -generate-block-mem-ops -platformpvc | FileCheck %s
+
+
+define spir_kernel void @test() {
+; CHECK: @test() {
+entry:
+  %alloc = alloca i32, align 4
+  br i1 true, label %BB0, label %BB1
+
+BB0:                                              ; preds = %entry
+  %gep0 = getelementptr i32, ptr %alloc, i32 0
+  br label %store_BB
+
+BB1:                                              ; preds = %entry
+  %gep1 = getelementptr i32, ptr %alloc, i32 0
+  br label %store_BB
+
+store_BB:                                         ; preds = %BB1, %BB0
+  %store_addr = phi ptr [ %gep0, %BB0 ], [ %gep1, %BB1 ]
+  store i32 1, ptr %store_addr, align 4
+  ret void
+}
+
+!igc.functions = !{!0}
+!IGCMetadata = !{!4}
+
+!0 = !{ptr @test, !1}
+!1 = !{!2, !3}
+!2 = !{!"function_type", i32 0}
+!3 = !{!"thread_group_size", i32 32, i32 32, i32 32}
+!4 = !{!"ModuleMD", !5}
+!5 = !{!"FuncMD", !6, !7}
+!6 = !{!"FuncMDMap[0]", ptr @test}
+!7 = !{!"FuncMDValue[0]", !8}
+!8 = !{!"workGroupWalkOrder", !9, !10, !11}
+!9 = !{!"dim0", i32 0}
+!10 = !{!"dim1", i32 1}
+!11 = !{!"dim2", i32 2}
