From 1b3b8e5be8a8ec1b5f207c57b7a0b301f7f6a220 Mon Sep 17 00:00:00 2001
From: Owen Anderson <resistor@mac.com>
Date: Wed, 11 Mar 2015 06:57:30 +0000
Subject: [PATCH] Fix another verifier crash where a GC intrinsic would look at
 the internals of another intrinsic in order to verify itself.

This causes a crash if the referenced intrinsic was malformed.  In this case, we
would already have reported an error on the referenced intrinsic, but then
crashed on the second one when it tried to introspect the first without
error checking.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@231910 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/IR/Verifier.cpp                  |  5 +++++
 test/Verifier/invalid-statepoint2.ll | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 test/Verifier/invalid-statepoint2.ll

diff --git a/lib/IR/Verifier.cpp b/lib/IR/Verifier.cpp
index 10f934bedac..eaad5fb1b98 100644
--- a/lib/IR/Verifier.cpp
+++ b/lib/IR/Verifier.cpp
@@ -2971,10 +2971,15 @@ void Verifier::visitIntrinsicFunctionCall(Intrinsic::ID ID, CallInst &CI) {
     // section of the statepoint's argument
     Assert(StatepointCS.arg_size() > 0,
            "gc.statepoint: insufficient arguments");
+    Assert(isa<ConstantInt>(StatepointCS.getArgument(1)),
+           "gc.statement: number of call arguments must be constant integer");
     const unsigned NumCallArgs =
       cast<ConstantInt>(StatepointCS.getArgument(1))->getZExtValue();
     Assert(StatepointCS.arg_size() > NumCallArgs+3,
            "gc.statepoint: mismatch in number of call arguments");
+    Assert(isa<ConstantInt>(StatepointCS.getArgument(NumCallArgs+3)),
+           "gc.statepoint: number of deoptimization arguments must be "
+           "a constant integer");
     const int NumDeoptArgs =
       cast<ConstantInt>(StatepointCS.getArgument(NumCallArgs + 3))->getZExtValue();
     const int GCParamArgsStart = NumCallArgs + NumDeoptArgs + 4;
diff --git a/test/Verifier/invalid-statepoint2.ll b/test/Verifier/invalid-statepoint2.ll
new file mode 100644
index 00000000000..0d8b2a8cbe3
--- /dev/null
+++ b/test/Verifier/invalid-statepoint2.ll
@@ -0,0 +1,19 @@
+; RUN: not opt -S < %s -verify 2>&1 | FileCheck %s
+
+; CHECK: gc.statepoint: number of deoptimization arguments must be a constant integer
+
+declare void @use(...)
+declare i8 addrspace(1)* @llvm.experimental.gc.relocate.p1i8(i32, i32, i32)
+declare i64 addrspace(1)* @llvm.experimental.gc.relocate.p1i64(i32, i32, i32)
+declare i32 @llvm.experimental.gc.statepoint.p0f_isVoidf(void ()*, i32, i32, ...)
+declare i32 @"personality_function"()
+
+;; Basic usage
+define i64 addrspace(1)* @test1(i8 addrspace(1)* %arg, i32 %val) gc "statepoint-example" {
+entry:
+  %cast = bitcast i8 addrspace(1)* %arg to i64 addrspace(1)*
+  %safepoint_token = call i32 (void ()*, i32, i32, ...)* @llvm.experimental.gc.statepoint.p0f_isVoidf(void ()* undef, i32 0, i32 0, i32 %val, i32 0, i32 0, i32 0, i32 10, i32 0, i8 addrspace(1)* %arg, i64 addrspace(1)* %cast, i8 addrspace(1)* %arg, i8 addrspace(1)* %arg)
+  %reloc = call i64 addrspace(1)* @llvm.experimental.gc.relocate.p1i64(i32 %safepoint_token, i32 9, i32 10)
+  ret i64 addrspace(1)* %reloc
+}
+