[llvm-bugs] [Bug 180463] mlir-opt crash: Segmentation fault in arith.uitofp folding with $i0$ (zero-bit) integer types

Sun, 08 Feb 2026 19:52:08 -0800

Issue 180463
Summary mlir-opt crash: Segmentation fault in arith.uitofp folding with $i0$ (zero-bit) integer types
Labels new issue
Assignees
Reporter compilerStudyer 
    Mlir-opt Version: 22.1.0-rc1

Bug Op: arith.uitofp

Bug Pass: --canonicalize

Detailed Description:The mlir-opt tool crashes during canonicalization when trying to constant-fold an arith.uitofp operation whose input is a vector of zero-bit integers (vector<nx i0>).The folding logic for arith.uitofp eventually calls llvm::APInt::tcMSB, which expects the integer to have at least one bit to determine the Most Significant Bit. When provided with a bit-width of $0$, the logic performs an out-of-bounds memory access or invalid arithmetic in the IEEEFloat conversion component, leading to a crash.

```mlir
module {
  func.func @main() {
    %1 = vector.constant_mask [1] : vector<1xi1>
 %2 = arith.trunci %1 : vector<1xi1> to vector<1xi0>
    %3 = arith.uitofp %2 : vector<1xi0> to vector<1xf32>
    %4 = vector.transpose %3, [0] : vector<1xf32> to vector<1xf32>
    return
  }
}
```
```
mlir-opt --canonicalize test.mlir
```
```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace and instructions to reproduce the bug.
Stack dump:
0.      Program arguments: mlir-opt --canonicalize test.mlir
 #0 0x00005e3b37149e32 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (mlir-opt+0x252fe32)
 #1 0x00005e3b371465af llvm::sys::RunSignalHandlers() (mlir-opt+0x252c5af)
 #2 0x00005e3b371466fc SignalHandler(int, siginfo_t*, void*) Signals.cpp:0:0
 #3 0x00007b8afea45330 (/lib/x86_64-linux-gnu/libc.so.6+0x45330)
 #4 0x00005e3b371e723b llvm::APInt::tcMSB(unsigned long const*, unsigned int) (mlir-opt+0x25cd23b)
 #5 0x00005e3b371cbbd5 llvm::detail::IEEEFloat::convertFromUnsignedParts(unsigned long const*, unsigned int, llvm::RoundingMode) (mlir-opt+0x25b1bd5)
 #6 0x00005e3b371cbd60 llvm::detail::IEEEFloat::convertFromAPInt(llvm::APInt const&, bool, llvm::RoundingMode) (mlir-opt+0x25b1d60)
 #7 0x00005e3b3e8014be mlir::Attribute mlir::constFoldCastOp<mlir::IntegerAttr, mlir::FloatAttr, llvm::APInt, llvm::APFloat, mlir::ub::PoisonAttr, mlir::arith::UIToFPOp::fold(mlir::arith::UIToFPOpGenericAdaptor<llvm::ArrayRef<mlir::Attribute>>)::'lambda'(llvm::APInt const&, bool&)>(llvm::ArrayRef<mlir::Attribute>, mlir::Type, mlir::arith::UIToFPOp::fold(mlir::arith::UIToFPOpGenericAdaptor<llvm::ArrayRef<mlir::Attribute>>)::'lambda'(llvm::APInt const&, bool&)&&) ArithOps.cpp:0:0
 #8 0x00005e3b3e801713 mlir::arith::UIToFPOp::fold(mlir::arith::UIToFPOpGenericAdaptor<llvm::ArrayRef<mlir::Attribute>>) (mlir-opt+0x9be7713)
 #9 0x00005e3b3e854f44 llvm::LogicalResult llvm::detail::UniqueFunctionBase<llvm::LogicalResult, mlir::Operation*, llvm::ArrayRef<mlir::Attribute>, llvm::SmallVectorImpl<mlir::OpFoldResult>&>::CallImpl<mlir::Op<mlir::arith::UIToFPOp, mlir::OpTrait::ZeroRegions, mlir::OpTrait::OneResult, mlir::OpTrait::OneTypedResult<mlir::Type>::Impl, mlir::OpTrait::ZeroSuccessors, mlir::OpTrait::OneOperand, mlir::OpTrait::OpInvariants, mlir::ConditionallySpeculatable::Trait, mlir::OpTrait::AlwaysSpeculatableImplTrait, mlir::MemoryEffectOpInterface::Trait, mlir::OpTrait::SameOperandsAndResultShape, mlir::CastOpInterface::Trait, mlir::VectorUnrollOpInterface::Trait, mlir::OpTrait::Elementwise, mlir::OpTrait::Scalarizable, mlir::OpTrait::Vectorizable, mlir::OpTrait::Tensorizable>::getFoldHookFn()::'lambda'(mlir::Operation*, llvm::ArrayRef<mlir::Attribute>, llvm::SmallVectorImpl<mlir::OpFoldResult>&) const>(void*, mlir::Operation*, llvm::ArrayRef<mlir::Attribute>, llvm::SmallVectorImpl<mlir::OpFoldResult>&) (mlir-opt+0x9c3af44)
#10 0x00005e3b3e8582d1 mlir::RegisteredOperationName::Model<mlir::arith::UIToFPOp>::foldHook(mlir::Operation*, llvm::ArrayRef<mlir::Attribute>, llvm::SmallVectorImpl<mlir::OpFoldResult>&) (mlir-opt+0x9c3e2d1)
#11 0x00005e3b3ed5f074 mlir::Operation::fold(llvm::ArrayRef<mlir::Attribute>, llvm::SmallVectorImpl<mlir::OpFoldResult>&) (mlir-opt+0xa145074)
#12 0x00005e3b3ed5f4e3 mlir::Operation::fold(llvm::SmallVectorImpl<mlir::OpFoldResult>&) (mlir-opt+0xa1454e3)
#13 0x00005e3b3e93b603 (anonymous namespace)::GreedyPatternRewriteDriver::processWorklist() GreedyPatternRewriteDriver.cpp:0:0
#14 0x00005e3b3e940060 mlir::applyPatternsGreedily(mlir::Region&, mlir::FrozenRewritePatternSet const&, mlir::GreedyRewriteConfig, bool*) (mlir-opt+0x9d26060)
#15 0x00005e3b3e88bac3 (anonymous namespace)::Canonicalizer::runOnOperation() Canonicalizer.cpp:0:0
#16 0x00005e3b3e9e9756 mlir::detail::OpToOpPassAdaptor::run(mlir::Pass*, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int) (mlir-opt+0x9dcf756)
#17 0x00005e3b3e9e9a8e mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor*, mlir::PassInstrumentation::PipelineParentInfo const*) (mlir-opt+0x9dcfa8e)
#18 0x00005e3b3e9ea1e2 mlir::PassManager::runPasses(mlir::Operation*, mlir::AnalysisManager) (mlir-opt+0x9dd01e2)
#19 0x00005e3b3e9eb400 mlir::PassManager::run(mlir::Operation*) (mlir-opt+0x9dd1400)
#20 0x00005e3b37210767 performActions(llvm::raw_ostream&, std::shared_ptr<llvm::SourceMgr> const&, mlir::MLIRContext*, mlir::MlirOptMainConfig const&) MlirOptMain.cpp:0:0
#21 0x00005e3b372114ea llvm::LogicalResult llvm::function_ref<llvm::LogicalResult (std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>, llvm::MemoryBufferRef const&, llvm::raw_ostream&)>::callback_fn<mlir::MlirOptMain(llvm::raw_ostream&, std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>, mlir::DialectRegistry&, mlir::MlirOptMainConfig const&)::'lambda'(std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>, llvm::MemoryBufferRef, llvm::raw_ostream&)>(long, std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>, llvm::MemoryBufferRef const&, llvm::raw_ostream&) MlirOptMain.cpp:0:0
#22 0x00005e3b3edb9731 mlir::splitAndProcessBuffer(std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<llvm::LogicalResult (std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>, llvm::MemoryBufferRef const&, llvm::raw_ostream&)>, llvm::raw_ostream&, llvm::StringRef, llvm::StringRef) (mlir-opt+0xa19f731)
#23 0x00005e3b372088d0 mlir::MlirOptMain(llvm::raw_ostream&, std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>, mlir::DialectRegistry&, mlir::MlirOptMainConfig const&) (.part.0) MlirOptMain.cpp:0:0
#24 0x00005e3b37211b70 mlir::MlirOptMain(int, char**, llvm::StringRef, llvm::StringRef, mlir::DialectRegistry&) (mlir-opt+0x25f7b70)
#25 0x00005e3b37211da9 mlir::MlirOptMain(int, char**, llvm::StringRef, mlir::DialectRegistry&) (mlir-opt+0x25f7da9)
#26 0x00005e3b37043023 main (mlir-opt+0x2429023)
#27 0x00007b8afea2a1ca __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#28 0x00007b8afea2a28b call_init ./csu/../csu/libc-start.c:128:20
#29 0x00007b8afea2a28b __libc_start_main ./csu/../csu/libc-start.c:347:5
#30 0x00005e3b37128405 _start (mlir-opt+0x250e405)
Segmentation fault (core dumped)
```

_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs

Reply via email to