-rw-r--r--llvm/lib/Transforms/InstCombine/InstCombinePHI.cpp5
-rw-r--r--llvm/test/Transforms/InstCombine/phi-shifts.ll26
2 files changed, 31 insertions, 0 deletions
diff --git a/llvm/lib/Transforms/InstCombine/InstCombinePHI.cpp b/llvm/lib/Transforms/InstCombine/InstCombinePHI.cpp
index e217adec7ed..5820ab72663 100644
--- a/llvm/lib/Transforms/InstCombine/InstCombinePHI.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombinePHI.cpp
@@ -1004,6 +1004,11 @@ Instruction *InstCombiner::SliceUpIllegalIntegerPHI(PHINode &FirstPhi) {
!isa<ConstantInt>(UserI->getOperand(1)))
return nullptr;
+ // Bail on out of range shifts.
+ unsigned SizeInBits = UserI->getType()->getScalarSizeInBits();
+ if (cast<ConstantInt>(UserI->getOperand(1))->getValue().uge(SizeInBits))
+ return nullptr;
+
unsigned Shift = cast<ConstantInt>(UserI->getOperand(1))->getZExtValue();
PHIUsers.push_back(PHIUsageRecord(PHIId, Shift, UserI->user_back()));
}
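Review bot: The guard added above `unsigned Shift = ...` does not say what it protects. `getZExtValue()` on the following line asserts when the constant needs more than 64 bits, and in a build without assertions it returns only the low word, so an oversized shift amount would presumably become a wrong `Shift` rather than a crash. I would extend the comment to `// Bail on out-of-range shifts: getZExtValue() below requires the amount to fit in 64 bits.` and bind the constant once with `auto *ShAmt = cast<ConstantInt>(UserI->getOperand(1));`, so the range check and the read go through the same pointer instead of casting twice. The enclosing loop of SliceUpIllegalIntegerPHI starts outside the hunk.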
diff --git a/llvm/test/Transforms/InstCombine/phi-shifts.ll b/llvm/test/Transforms/InstCombine/phi-shifts.ll
new file mode 100644
index 00000000000..cc36c9d9e25
--- /dev/null
+++ b/llvm/test/Transforms/InstCombine/phi-shifts.ll
@@ -0,0 +1,26 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
+; RUN: opt < %s -S -instcombine | FileCheck %s
+
+; OSS Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15217
+define i64 @fuzz15217(i1 %cond, i8* %Ptr, i64 %Val) {
+; CHECK-LABEL: @fuzz15217(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: br i1 [[COND:%.*]], label [[END:%.*]], label [[TWO:%.*]]
+; CHECK: two:
+; CHECK-NEXT: br label [[END]]
+; CHECK: end:
+; CHECK-NEXT: ret i64 0
+;
+entry:
+ br i1 %cond, label %end, label %two
+
+two:
+ br label %end
+
+end:
+ %tmp869.0 = phi i128 [ 0, %entry ], [ 18446744073709551616, %two ]
+ %tmp29 = lshr i128 %tmp869.0, 64
+ %B1 = lshr i128 %tmp29, 170141183460469231731687303715884105727
+ %tmp30 = trunc i128 %B1 to i64
+ ret i64 %tmp30
+}
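Review bot: The regression test pins only the fuzzer's input, a shift amount of 2^127-1 in `%B1`, so it would still pass if the new check were written with `ugt` instead of `uge`. A second function whose shift amount is exactly the type width (`lshr i128 %x, 128`) would cover the boundary the guard is defined on. It is also not evident from the test alone which of the two `lshr` instructions reaches the patched code, so a one-line comment above `%B1` such as `; Shift amount exceeds the i128 bit width and does not fit in 64 bits.` would help the next reader.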