llvm / llvm-project

DAGCombiner crashes in SelectionDAG::ReplaceAllUsesWith (segfault) #55737

Open AnFunctionArray opened 2 years ago

AnFunctionArray commented 2 years ago

And similar story when I tried compiling the driver: (linked to this one https://github.com/llvm/llvm-project/issues/55736)

```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.  Program arguments: /usr/local/bin/llc -filetype=obj -o ./func.o ./driver.pp.ll
1.  Running pass 'Function Pass Manager' on module './driver.pp.ll'.
2.  Running pass 'AArch64 Instruction Selection' on function '@init'
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0  llc                      0x0000000104437db4 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 56
1  llc                      0x0000000104436f58 llvm::sys::RunSignalHandlers() + 112
2  llc                      0x00000001044383fc SignalHandler(int) + 304
3  libsystem_platform.dylib 0x0000000181ca74a4 _sigtramp + 56
4  llc                      0x00000001042e1428 llvm::SelectionDAG::ReplaceAllUsesWith(llvm::SDNode*, llvm::SDValue const*) + 304
5  llc                      0x00000001041638d0 (anonymous namespace)::DAGCombiner::CombineTo(llvm::SDNode*, llvm::SDValue const*, unsigned int, bool) + 84
6  llc                      0x000000010419568c (anonymous namespace)::DAGCombiner::visitLOAD(llvm::SDNode*) + 1428
7  llc                      0x00000001041670ac (anonymous namespace)::DAGCombiner::visit(llvm::SDNode*) + 5820
8  llc                      0x0000000104164ff0 (anonymous namespace)::DAGCombiner::combine(llvm::SDNode*) + 192
9  llc                      0x0000000104164554 llvm::SelectionDAG::Combine(llvm::CombineLevel, llvm::AAResults*, llvm::CodeGenOpt::Level) + 1516
10 llc                      0x00000001042f467c llvm::SelectionDAGISel::CodeGenAndEmitDAG() + 132
11 llc                      0x00000001042f4094 llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) + 4436
12 llc                      0x00000001042f2494 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) + 2308
13 llc                      0x0000000103b26ca8 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) + 304
14 llc                      0x0000000103e82fa8 llvm::FPPassManager::runOnFunction(llvm::Function&) + 672
15 llc                      0x0000000103e88560 llvm::FPPassManager::runOnModule(llvm::Module&) + 60
16 llc                      0x0000000103e834b8 llvm::legacy::PassManagerImpl::run(llvm::Module&) + 840
17 llc                      0x00000001029fe500 main + 6992
18 dyld                     0x00000001088e908c start + 520
zsh: segmentation fault  /usr/local/bin/llc -filetype=obj -o ./func.o ./driver.pp.ll
```

driver.pp.ll.log

/usr/local/bin/llc -filetype=obj -o ./func.o ./driver.pp.ll.log

RKSimon commented 2 years ago

bugpoint reduced:

```llvm
; ModuleID = 'bugpoint-reduced-simplified.bc'
source_filename = "driver.pp"
target triple = "x86_64-unknown-linux-gnu"

@arr_32 = external global [16 x [10 x [24 x [10 x [14 x i32]]]]]

define void @init() {
bb:
  br label %bb1

bb1:                                              ; preds = %bb1, %bb
  br i1 undef, label %bb1, label %.critedge

.critedge:                                        ; preds = %bb2, %bb1
  %i = trunc i32 undef to i1
  br i1 %i, label %bb2, label %bb12

bb2:                                              ; preds = %bb4, %.critedge
  %i3 = trunc i32 undef to i1
  br i1 %i3, label %bb4, label %.critedge

bb4:                                              ; preds = %bb6, %bb2
  %i5 = trunc i32 undef to i1
  br i1 %i5, label %bb6, label %bb2

bb6:                                              ; preds = %bb8, %bb4
  %i7 = trunc i32 undef to i1
  br i1 %i7, label %bb8, label %bb4

bb8:                                              ; preds = %bb10, %bb6
  %i9 = trunc i32 undef to i1
  br i1 %i9, label %bb10, label %bb6

bb10:                                             ; preds = %bb8
  %i11 = load [16 x [10 x [24 x [10 x [14 x i32]]]]], ptr @arr_32, align 4
  br label %bb8

bb12:                                             ; preds = %.critedge
  br i1 undef, label %.critedge42, label %.critedge106

.critedge42:                                      ; preds = %.critedge42, %bb12
  br i1 undef, label %.critedge42, label %.critedge106

.critedge106:                                     ; preds = %.critedge42, %bb12
  ret void
}
```

fzhinkin commented 1 year ago

The crash seems to be induced by the creation of an SDNode with NumOperands/NumValues exceeding 65535 (it is 537600); in that case NumValues/NumOperands overflows. With assertions enabled, llc crashes with the following stack trace:

```
llc: /home/filipp/Development/llvm-project/llvm/include/llvm/CodeGen/SelectionDAGNodes.h:1090: llvm::SDNode::SDNode(unsigned int, unsigned int, llvm::DebugLoc, llvm::SDVTList): Assertion `NumValues == VTs.NumVTs && "NumValues wasn't wide enough for its operands!"' failed.
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace.
Stack dump:
0.  Program arguments: /home/filipp/Development/llvm-project/build/bin/llc -filetype=obj crash.ll
1.  Running pass 'Function Pass Manager' on module 'crash.ll'.
2.  Running pass 'X86 DAG->DAG Instruction Selection' on function '@init'
 #0 0x00000000048152da llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/filipp/Development/llvm-project/llvm/lib/Support/Unix/Signals.inc:567:11
 #1 0x000000000481548b PrintStackTraceSignalHandler(void*) /home/filipp/Development/llvm-project/llvm/lib/Support/Unix/Signals.inc:641:1
 #2 0x0000000004813ae6 llvm::sys::RunSignalHandlers() /home/filipp/Development/llvm-project/llvm/lib/Support/Signals.cpp:104:5
 #3 0x0000000004815bb5 SignalHandler(int) /home/filipp/Development/llvm-project/llvm/lib/Support/Unix/Signals.inc:412:1
 #4 0x00007f88d0933420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #5 0x00007f88d038e00b raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #6 0x00007f88d036d859 abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:81:7
 #7 0x00007f88d036d729 get_sysdep_segment_value /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:509:8
 #8 0x00007f88d036d729 _nl_load_domain /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:970:34
 #9 0x00007f88d037efd6 (/lib/x86_64-linux-gnu/libc.so.6+0x33fd6)
#10 0x0000000001a7df4d llvm::SDNode::SDNode(unsigned int, unsigned int, llvm::DebugLoc, llvm::SDVTList) /home/filipp/Development/llvm-project/llvm/include/llvm/CodeGen/SelectionDAGNodes.h:1091:3
#11 0x000000000454bd24 llvm::SDNode* llvm::SelectionDAG::newSDNode<llvm::SDNode, unsigned int&, unsigned int, llvm::DebugLoc const&, llvm::SDVTList&>(unsigned int&, unsigned int&&, llvm::DebugLoc const&, llvm::SDVTList&) /home/filipp/Development/llvm-project/llvm/include/llvm/CodeGen/SelectionDAG.h:402:5
#12 0x00000000045353dd llvm::SelectionDAG::getNode(unsigned int, llvm::SDLoc const&, llvm::SDVTList, llvm::ArrayRef<llvm::SDValue>, llvm::SDNodeFlags) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:9302:9
#13 0x0000000004526d5d llvm::SelectionDAG::getNode(unsigned int, llvm::SDLoc const&, llvm::SDVTList, llvm::ArrayRef<llvm::SDValue>) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:9193:10
#14 0x00000000044849f8 llvm::SelectionDAGBuilder::visitLoad(llvm::LoadInst const&) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:4194:20
#15 0x000000000447ea07 llvm::SelectionDAGBuilder::visit(unsigned int, llvm::User const&) /home/filipp/Development/llvm-project/llvm/include/llvm/IR/Instruction.def:172:1
#16 0x000000000447dd9f llvm::SelectionDAGBuilder::visit(llvm::Instruction const&) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:1156:8
#17 0x0000000004574158 llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, bool&) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:679:3
#18 0x0000000004573c9b llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1604:11
#19 0x0000000004571246 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:468:3
#20 0x000000000264890a (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /home/filipp/Development/llvm-project/llvm/lib/Target/X86/X86ISelDAGToDAG.cpp:191:7
#21 0x00000000035ba245 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /home/filipp/Development/llvm-project/llvm/lib/CodeGen/MachineFunctionPass.cpp:91:8
#22 0x0000000003caa716 llvm::FPPassManager::runOnFunction(llvm::Function&) /home/filipp/Development/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1430:23
#23 0x0000000003caf542 llvm::FPPassManager::runOnModule(llvm::Module&) /home/filipp/Development/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1476:16
#24 0x0000000003caafe9 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/filipp/Development/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1545:23
#25 0x0000000003caab5d llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/filipp/Development/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:535:16
#26 0x0000000003caf821 llvm::legacy::PassManager::run(llvm::Module&) /home/filipp/Development/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1672:3
#27 0x0000000000d0a02c compileModule(char**, llvm::LLVMContext&) /home/filipp/Development/llvm-project/llvm/tools/llc/llc.cpp:736:41
...
```

The issue was previously reported as https://github.com/llvm/llvm-project/issues/7622

This particular crash could be fixed by changing the type of SDNode::NumValues and SDNode::NumOperands to unsigned; by reordering some of SDValue's fields, its size could be preserved on 64-bit platforms after that change: https://reviews.llvm.org/D140114 (not sure if the problem with extremely large inputs/values count should be fixed this way though; with widened fields llc will crash on another assertion while processing the file from the linked issue).

coolreader18 commented 5 months ago

From the rust issue - a very concise repro:

```llvm
define void @crash([65536 x i8] %foo, ptr %_0) {
  store [65536 x i8] %foo, ptr %_0, align 1
  ret void
}
```

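
The 16-bit truncation discussed in the comments above, as an added example (not code from LLVM or from any commenter): a simplified C++ model that counts the scalar leaves of the array types in the two reproducers and shows what a 16-bit count field retains. `scalarLeaves`, `storeIn16Bits` and `Narrowed` are hypothetical names; the model assumes one SDNode value per scalar leaf and the 16-bit field width implied by the 65535 limit.

```cpp
// Added illustration: a simplified model, not LLVM source code.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Scalar leaf count of a nested LLVM array type such as "[16 x [10 x i32]]".
// Returns false for malformed text, non-array aggregates, or 64-bit overflow.
bool scalarLeaves(const std::string &ty, uint64_t &out) {
  uint64_t total = 1;
  size_t i = 0, depth = 0;
  while (i < ty.size() && ty[i] == '[') {
    ++i, ++depth;
    uint64_t n = 0;
    size_t start = i;
    while (i < ty.size() && std::isdigit(static_cast<unsigned char>(ty[i]))) {
      if (n > (UINT64_MAX - 9) / 10) return false;  // element count overflow
      n = n * 10 + static_cast<uint64_t>(ty[i++] - '0');
    }
    if (i == start || ty.compare(i, 3, " x ") != 0) return false;
    i += 3;
    if (n != 0 && total > UINT64_MAX / n) return false;  // product overflow
    total *= n;
  }
  size_t end = ty.size();
  if (end - i <= depth) return false;  // no room for an element type
  for (size_t k = 0; k < depth; ++k)
    if (ty[end - 1 - k] != ']') return false;
  if (ty.substr(i, end - depth - i).find_first_of("[]{}<> ") != std::string::npos)
    return false;  // only scalar element types are modelled
  out = total;
  return true;
}

// What a 16-bit count field keeps of n, and whether n survived intact
// (the property the assertion quoted in the thread checks for NumValues).
struct Narrowed { uint16_t stored; bool intact; };
Narrowed storeIn16Bits(uint64_t n) {
  uint16_t s = static_cast<uint16_t>(n);
  return {s, s == n};
}

int main() {
  // Types taken from the two reproducers, plus the largest count that fits.
  for (const char *ty : {"[16 x [10 x [24 x [10 x [14 x i32]]]]]", "[65536 x i8]", "[65535 x i8]"}) {
    uint64_t n = 0;
    if (!scalarLeaves(ty, n)) continue;
    Narrowed r = storeIn16Bits(n);
    std::printf("%-40s leaves=%llu stored=%u %s\n", ty, (unsigned long long)n,
                (unsigned)r.stored, r.intact ? "ok" : "TRUNCATED");
  }
}
```

A check like `storeIn16Bits(n).intact` over the aggregate types in a module can be used to triage IR inputs that would hit this limit before handing them to the backend.
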
llvmbot commented 5 months ago

@llvm/issue-subscribers-backend-aarch64

Author: None (AnFunctionArray)

tgross35 commented 5 months ago

@EugeneZelenko I don't think this is aarch64-specific, @coolreader18's repro happens on x86 too https://llvm.godbolt.org/z/cWThs4dTb