SelectionDAG::getNode may fold UNDEF to POISON #141034
Description
When for example doing
U = DAG.getUNDEF(...);
V = DAG.getNode(ISD::INSERT_VECTOR_ELT, DL, VT, N1, N2, N3)
SelectionDAG::getNode will just return N1 if N2.isUndef.().
The code in SelectionDAG::getNode looks like this
case ISD::INSERT_VECTOR_ELT: {
...
// If the inserted element is an UNDEF, just use the input vector.
if (N2.isUndef())
return N1;
But the source element in N1 may be POISON, and we can't just fold UNDEF into POISON (otherwise SelectionDAG::getUNDEF could just return ISD::POISON as well).
I think that piece of code need to be more careful checking that the overwritten element from the source vector N1 is guaranteed not to be poison when doing that fold.
Same kind of problem seem to exist for ISD::INSERT_SUBVECTOR:
// If this is an insert of an extracted vector into an undef vector, we
// can just use the input to the extract.
if (N1.isUndef() && N2.getOpcode() == ISD::EXTRACT_SUBVECTOR &&
N2.getOperand(1) == N3 && N2.getOperand(0).getValueType() == VT)
return N2.getOperand(0);
The above feels like a footgun to me.