[clang] Crash in DAGCombiner::visitSTORE during X86 DAG->DAG Instruction Selection

[AbyssStaror]

Link for quick verification: https://godbolt.org/z/xTnxYv19r

I use the large bitfield size that may overflow.

#define N 10
typedef struct {
    unsigned long long f : 922337203685477580LL; 
} S;

S a[N][N]; 

int main() {
    for (long long i = 0; i < N; i++) { 
        a[i][i].f = 1;
    }
}

The stack dump:

0.	Program arguments: /opt/compiler-explorer/clang-trunk/bin/clang++ -g -o /app/output.s -mllvm --x86-asm-syntax=intel -fno-verbose-asm -S --gcc-toolchain=/opt/compiler-explorer/gcc-snapshot -fcolor-diagnostics -fno-crash-diagnostics <source>
1.	<eof> parser at end of file
2.	Code generation
3.	Running pass 'Function Pass Manager' on module '<source>'.
4.	Running pass 'X86 DAG->DAG Instruction Selection' on function '@main'
 #0 0x0000000003cab688 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3cab688)
 #1 0x0000000003ca905c llvm::sys::CleanupOnSignal(unsigned long) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3ca905c)
 #2 0x0000000003beef68 CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
 #3 0x000077c1a1242520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #4 0x0000000003bc8d6c llvm::APInt::setBitsSlowCase(unsigned int, unsigned int) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3bc8d6c)
 #5 0x000000000507c042 (anonymous namespace)::DAGCombiner::visitSTORE(llvm::SDNode*) DAGCombiner.cpp:0:0
 #6 0x0000000005083965 (anonymous namespace)::DAGCombiner::visit(llvm::SDNode*) DAGCombiner.cpp:0:0
 #7 0x0000000005085605 (anonymous namespace)::DAGCombiner::combine(llvm::SDNode*) DAGCombiner.cpp:0:0
 #8 0x0000000005086580 (anonymous namespace)::DAGCombiner::Run(llvm::CombineLevel) DAGCombiner.cpp:0:0
 #9 0x0000000005089714 llvm::SelectionDAG::Combine(llvm::CombineLevel, llvm::BatchAAResults*, llvm::CodeGenOptLevel) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x5089714)
#10 0x00000000051b2f10 llvm::SelectionDAGISel::CodeGenAndEmitDAG() (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51b2f10)
#11 0x00000000051b5651 llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51b5651)
#12 0x00000000051b7605 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51b7605)
#13 0x00000000051a6521 llvm::SelectionDAGISelLegacy::runOnMachineFunction(llvm::MachineFunction&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51a6521)
#14 0x00000000030c2bcd llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x30c2bcd)
#15 0x0000000003613aa2 llvm::FPPassManager::runOnFunction(llvm::Function&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3613aa2)
#16 0x0000000003613d31 llvm::FPPassManager::runOnModule(llvm::Module&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3613d31)
#17 0x00000000036155a7 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x36155a7)
#18 0x0000000003f3c520 clang::emitBackendOutput(clang::CompilerInstance&, clang::CodeGenOptions&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>, clang::BackendConsumer*) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3f3c520)
#19 0x00000000045690db clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x45690db)
#20 0x00000000061895cc clang::ParseAST(clang::Sema&, bool, bool) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x61895cc)
#21 0x0000000004569c35 clang::CodeGenAction::ExecuteAction() (/opt/compiler-explorer/clang-trunk/bin/clang+++0x4569c35)
#22 0x000000000486ce3a clang::FrontendAction::Execute() (/opt/compiler-explorer/clang-trunk/bin/clang+++0x486ce3a)
#23 0x00000000047ebc8b clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x47ebc8b)
#24 0x0000000004962feb clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x4962feb)
#25 0x0000000000dcd275 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/opt/compiler-explorer/clang-trunk/bin/clang+++0xdcd275)
#26 0x0000000000dc512b ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>) driver.cpp:0:0
#27 0x0000000000dc51cd int llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::callback_fn<clang_main(int, char**, llvm::ToolContext const&)::'lambda'(llvm::SmallVectorImpl<char const*>&)>(long, llvm::SmallVectorImpl<char const*>&) driver.cpp:0:0
#28 0x00000000045d6e69 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const::'lambda'()>(long) Job.cpp:0:0
#29 0x0000000003bef383 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3bef383)
#30 0x00000000045d7089 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (.part.0) Job.cpp:0:0
#31 0x0000000004599b12 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/opt/compiler-explorer/clang-trunk/bin/clang+++0x4599b12)
#32 0x000000000459a9f1 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (/opt/compiler-explorer/clang-trunk/bin/clang+++0x459a9f1)
#33 0x00000000045a376c clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x45a376c)
#34 0x0000000000dc9bf9 clang_main(int, char**, llvm::ToolContext const&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0xdc9bf9)
#35 0x0000000000c74454 main (/opt/compiler-explorer/clang-trunk/bin/clang+++0xc74454)
#36 0x000077c1a1229d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#37 0x000077c1a1229e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#38 0x0000000000dc4bc5 _start (/opt/compiler-explorer/clang-trunk/bin/clang+++0xdc4bc5)
clang++: error: clang frontend command failed with exit code 139 (use -v to see invocation)
Compiler returned: 139

The clang version:

clang version 21.1.4 (https://github.com/llvm/llvm-project.git 222fc11f2b8f25f6a0f4976272ef1bb7bf49521d)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /workspace/install/llvm/build_21.1.4/bin
Build config: +assertions
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/13
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/13
Candidate multilib: .;@m64
Selected multilib: .;@m64

[llvmbot]

@llvm/issue-subscribers-backend-x86

Author: None (AbyssStaror)

### Link for quick verification: https://godbolt.org/z/xTnxYv19r I use the large bitfield size that may overflow. ```c #define N 10 typedef struct { unsigned long long f : 922337203685477580LL; } S;

S a[N][N];

int main() {
for (long long i = 0; i < N; i++) {
a[i][i].f = 1;
}
}

## The stack dump:

0. Program arguments: /opt/compiler-explorer/clang-trunk/bin/clang++ -g -o /app/output.s -mllvm --x86-asm-syntax=intel -fno-verbose-asm -S --gcc-toolchain=/opt/compiler-explorer/gcc-snapshot -fcolor-diagnostics -fno-crash-diagnostics <source>
1. <eof> parser at end of file
2. Code generation
3. Running pass 'Function Pass Manager' on module '<source>'.
4. Running pass 'X86 DAG->DAG Instruction Selection' on function '@main'
   #0 0x0000000003cab688 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3cab688)
   #1 0x0000000003ca905c llvm::sys::CleanupOnSignal(unsigned long) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3ca905c)
   #2 0x0000000003beef68 CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
   #3 0x000077c1a1242520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
   #4 0x0000000003bc8d6c llvm::APInt::setBitsSlowCase(unsigned int, unsigned int) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3bc8d6c)
   #5 0x000000000507c042 (anonymous namespace)::DAGCombiner::visitSTORE(llvm::SDNode*) DAGCombiner.cpp:0:0
   #6 0x0000000005083965 (anonymous namespace)::DAGCombiner::visit(llvm::SDNode*) DAGCombiner.cpp:0:0
   #7 0x0000000005085605 (anonymous namespace)::DAGCombiner::combine(llvm::SDNode*) DAGCombiner.cpp:0:0
   #8 0x0000000005086580 (anonymous namespace)::DAGCombiner::Run(llvm::CombineLevel) DAGCombiner.cpp:0:0
   #9 0x0000000005089714 llvm::SelectionDAG::Combine(llvm::CombineLevel, llvm::BatchAAResults*, llvm::CodeGenOptLevel) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x5089714)
   #10 0x00000000051b2f10 llvm::SelectionDAGISel::CodeGenAndEmitDAG() (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51b2f10)
   #11 0x00000000051b5651 llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51b5651)
   #12 0x00000000051b7605 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51b7605)
   #13 0x00000000051a6521 llvm::SelectionDAGISelLegacy::runOnMachineFunction(llvm::MachineFunction&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x51a6521)
   #14 0x00000000030c2bcd llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x30c2bcd)
   #15 0x0000000003613aa2 llvm::FPPassManager::runOnFunction(llvm::Function&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3613aa2)
   #16 0x0000000003613d31 llvm::FPPassManager::runOnModule(llvm::Module&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3613d31)
   #17 0x00000000036155a7 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x36155a7)
   #18 0x0000000003f3c520 clang::emitBackendOutput(clang::CompilerInstance&, clang::CodeGenOptions&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>, clang::BackendConsumer*) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3f3c520)
   #19 0x00000000045690db clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x45690db)
   #20 0x00000000061895cc clang::ParseAST(clang::Sema&, bool, bool) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x61895cc)
   #21 0x0000000004569c35 clang::CodeGenAction::ExecuteAction() (/opt/compiler-explorer/clang-trunk/bin/clang+++0x4569c35)
   #22 0x000000000486ce3a clang::FrontendAction::Execute() (/opt/compiler-explorer/clang-trunk/bin/clang+++0x486ce3a)
   #23 0x00000000047ebc8b clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x47ebc8b)
   #24 0x0000000004962feb clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x4962feb)
   #25 0x0000000000dcd275 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/opt/compiler-explorer/clang-trunk/bin/clang+++0xdcd275)
   #26 0x0000000000dc512b ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>) driver.cpp:0:0
   #27 0x0000000000dc51cd int llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::callback_fn<clang_main(int, char**, llvm::ToolContext const&)::'lambda'(llvm::SmallVectorImpl<char const*>&)>(long, llvm::SmallVectorImpl<char const*>&) driver.cpp:0:0
   #28 0x00000000045d6e69 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool) const::'lambda'()>(long) Job.cpp:0:0
   #29 0x0000000003bef383 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x3bef383)
   #30 0x00000000045d7089 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool) const (.part.0) Job.cpp:0:0
   #31 0x0000000004599b12 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/opt/compiler-explorer/clang-trunk/bin/clang+++0x4599b12)
   #32 0x000000000459a9f1 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (/opt/compiler-explorer/clang-trunk/bin/clang+++0x459a9f1)
   #33 0x00000000045a376c clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0x45a376c)
   #34 0x0000000000dc9bf9 clang_main(int, char**, llvm::ToolContext const&) (/opt/compiler-explorer/clang-trunk/bin/clang+++0xdc9bf9)
   #35 0x0000000000c74454 main (/opt/compiler-explorer/clang-trunk/bin/clang+++0xc74454)
   #36 0x000077c1a1229d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
   #37 0x000077c1a1229e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
   #38 0x0000000000dc4bc5 _start (/opt/compiler-explorer/clang-trunk/bin/clang+++0xdc4bc5)
   clang++: error: clang frontend command failed with exit code 139 (use -v to see invocation)
   Compiler returned: 139

## The clang version:

clang version 21.1.4 (https://github.com/llvm/llvm-project.git 222fc11)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /workspace/install/llvm/build_21.1.4/bin
Build config: +assertions
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/13
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/13
Candidate multilib: .;@m64
Selected multilib: .;@m64

</details>

[RKSimon]

That bitfield length is "exotic", and clang does warn about it - is this from real world code or from a fuzz test?

[AbyssStaror]

That bitfield length is "exotic", and clang does warn about it - is this from real world code or from a fuzz test?

yes , it is from a fuzz test.

[AbyssStaror]

That bitfield length is "exotic", and clang does warn about it - is this from real world code or from a fuzz test?

More precisely, it is generated by a tool similar to fuzzing, which leverages a large language model.