From 4935faa4ee36a744cf167388894e60c0c448090e Mon Sep 17 00:00:00 2001
From: Owen Anderson
Date: Tue, 10 Mar 2015 05:58:21 +0000
Subject: [PATCH] Fix an issue in the verifier where we could try to read information out of a malformed statepoint intrinsic.

In this situation we would always have already flagged an error on the statepoint intrinsic, but then we carry on to parse other, related GC intrinsics, and could end up crashing during that verification when they try to access data from the malformed statepoint.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@231759 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/IR/Verifier.cpp | 6 +++++-
 test/Verifier/invalid-statepoint.ll | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 test/Verifier/invalid-statepoint.ll

diff --git a/lib/IR/Verifier.cpp b/lib/IR/Verifier.cpp
index 06104d54cba..10f934bedac 100644
--- a/lib/IR/Verifier.cpp
+++ b/lib/IR/Verifier.cpp
@@ -2969,8 +2969,12 @@ void Verifier::visitIntrinsicFunctionCall(Intrinsic::ID ID, CallInst &CI) {
 // Check that BaseIndex and DerivedIndex fall within the 'gc parameters'
 // section of the statepoint's argument
- const int NumCallArgs =
+ Assert(StatepointCS.arg_size() > 0, "gc.statepoint: insufficient arguments");
+ const unsigned NumCallArgs = cast(StatepointCS.getArgument(1))->getZExtValue();
+ Assert(StatepointCS.arg_size() > NumCallArgs+3, "gc.statepoint: mismatch in number of call arguments");
 const int NumDeoptArgs = cast(StatepointCS.getArgument(NumCallArgs + 3))->getZExtValue();
 const int GCParamArgsStart = NumCallArgs + NumDeoptArgs + 4;
diff --git a/test/Verifier/invalid-statepoint.ll b/test/Verifier/invalid-statepoint.ll
new file mode 100644
index 00000000000..7000973289e
--- /dev/null
+++ b/test/Verifier/invalid-statepoint.ll
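Review bot: The first guard, `Assert(StatepointCS.arg_size() > 0, ...)`, is one operand short of what the very next statement reads: `getArgument(1)` is the second operand, so a statepoint with exactly one argument passes the guard and still indexes past the end; it should be `Assert(StatepointCS.arg_size() > 1, "gc.statepoint: insufficient arguments");`. The second guard evaluates `NumCallArgs+3` in `unsigned` after `getZExtValue()` has been narrowed from 64 bits, so an IR-supplied count near `UINT_MAX` (or above 2^32) wraps to a small value and satisfies `arg_size() > NumCallArgs+3` even though the count is nonsense; keeping the count wide, `const uint64_t NumCallArgs = ...;` with `Assert(StatepointCS.arg_size() > NumCallArgs + 3, ...)`, rejects it — whether the wrapped value can reach an out-of-range read depends on the GCParamArgsStart checks below the hunk, which are not visible here. The `cast(...)` of operands 1 and NumCallArgs+3 (presumably `cast<ConstantInt>`, the template argument looks stripped in this rendering) still aborts rather than reports when the operand is not a constant, which is exactly the kind of malformed statepoint this commit says it wants to keep on the diagnostic path; a `dyn_cast` followed by an `Assert` would do that. visitIntrinsicFunctionCall continues outside the hunk.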
@@ -0,0 +1,20 @@
+; RUN: not opt -verify 2>&1 < %s | FileCheck %s
+
+; CHECK: gc.statepoint: mismatch in number of call arguments
+
+declare zeroext i1 @return0i1()
+
+; Function Attrs: nounwind
+declare i32 @llvm.experimental.gc.statepoint.p0f0i1f(i1 ()*, i32, i32, ...) #0
+
+; Function Attrs: nounwind
+declare i32 addrspace(1)* @llvm.experimental.gc.relocate.p1i32(i32, i32, i32) #0
+
+define i32 addrspace(1)* @0(i32 addrspace(1)* %dparam) {
+ %a00 = load i32, i32 addrspace(1)* %dparam
+ %to0 = call i32 (i1 ()*, i32, i32, ...)* @llvm.experimental.gc.statepoint.p0f0i1f(i1 ()* @return0i1, i32 9, i32 0, i2 0, i32 addrspace(1)* %dparam)
+ %relocate = call i32 addrspace(1)* @llvm.experimental.gc.relocate.p1i32(i32 %to0, i32 0, i32 4)
+ ret i32 addrspace(1)* %relocate
+}
+
+attributes #0 = { nounwind }
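Review bot: Only the `mismatch in number of call arguments` diagnostic is exercised; the other guard this commit adds to Verifier.cpp, `gc.statepoint: insufficient arguments`, has no input here. If a statepoint call with too few operands is expressible against this declaration, a second function with a matching `; CHECK:` would pin it, and if the three fixed parameters of `@llvm.experimental.gc.statepoint.p0f0i1f` make that unreachable, a one-line comment saying so would stop the next reader from hunting for the missing case. The test's intent is also implicit: a comment such as `; NumCallArgs (i32 9) claims nine call arguments but only two operands follow, so the verifier must report rather than read past the end` on the `%to0` line would make the deliberate defect obvious, and the `i2 0` operand in the varargs tail should be confirmed as intentional rather than a typo for `i32 0`.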