Calling BasicBlock::getFirstNonPHIOrDbgOrAlloca on a catchswitch block yields an invalid (end) iterator. #136048
Description
When calling BasicBlock::getFirstNonPHIOrDbgOrAlloca() on a basic block like the following:
catch.dispatch: ; preds = %init.attempt.i664
%0 = catchswitch within none [label %catch] unwind to callerInstead of yielding an iterator to %0, we get the end iterator. This is because getFirstNonPHIOrDbgOrAlloca() tries to skip over EHPad instructions (like catchswitch) but doesn't account for the fact that catchswitch is both an EHPad instruction and a terminator.
This was found when testing builds with assertions/sentinel-tracking enabled: with certain input IRs, a crash in SLPVectorizer occurs, as the iterator from getFirstNonPHIOrDbgOrAlloca() gets dereferenced unconditionally without checking if it is the end iterator (see SLPVectorizer.cpp:14128). But logically, it shouldn't have to do so; calling this method on a non-empty block with a terminator should always yield a valid iterator (besides, a catchswitch instruction is a valid non-PHI or dbg or alloca instruction). This is supported by its use throughout LLVM: a simple search of the codebase shows that most of the time this method is called, the resulting iterator is unconditionally dereferenced.
Example failing test (reduced from Boost 1.75.0 sources):
; REQUIRES: asserts
; RUN: opt -passes=slp-vectorizer < %s -disable-output
target datalayout = "e-m:w-p270:32:32-p271:32:32-p272:64:64-i64:64-i128:128-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-windows-msvc19.40.33811"
%"class.boost::execution_exception" = type { i32, %"class.boost::unit_test::basic_cstring", %"struct.boost::execution_exception::location" }
%"class.boost::unit_test::basic_cstring" = type { ptr, ptr }
%"struct.boost::execution_exception::location" = type { %"class.boost::unit_test::basic_cstring", i64, %"class.boost::unit_test::basic_cstring" }
define void @"?run@framework@unit_test@boost@@YAXK_N@Z"() personality ptr null {
entry:
br label %for.cond109
for.cond109: ; preds = %if.end153, %entry
%setup_error.sroa.0.1 = phi ptr [ null, %entry ], [ null, %if.end153 ]
%setup_error.sroa.6.1 = phi ptr [ null, %entry ], [ null, %if.end153 ]
br label %init.attempt.i664
init.attempt.i664: ; preds = %for.cond109
%call.i666 = invoke ptr null(ptr null)
to label %invoke.cont.i668 unwind label %catch.dispatch
invoke.cont.i668: ; preds = %init.attempt.i664
ret void
catch.dispatch: ; preds = %init.attempt.i664
%0 = catchswitch within none [label %catch] unwind to caller
catch: ; preds = %catch.dispatch
%1 = catchpad within %0 [ptr null, i32 0, ptr null]
br i1 false, label %if.end153, label %invoke.cont149
invoke.cont149: ; preds = %catch
%m_begin2.i.i = getelementptr %"class.boost::execution_exception", ptr null, i64 0, i32 1, i32 0
%2 = load ptr, ptr %m_begin2.i.i, align 8
%3 = load ptr, ptr null, align 8
br label %if.end153
if.end153: ; preds = %invoke.cont149, %catch
%setup_error.sroa.0.2 = phi ptr [ %setup_error.sroa.0.1, %catch ], [ %2, %invoke.cont149 ]
%setup_error.sroa.6.2 = phi ptr [ %setup_error.sroa.6.1, %catch ], [ %3, %invoke.cont149 ]
catchret from %1 to label %for.cond109
}