This document lists the bugs found so far by Alive2 in LLVM & Z3. Please contact us or submit a PR if something is missing or inaccurate.
- Incorrect fold of 'x & (-1 >> y) s>= x' (https://llvm.org/PR39861)
- Incorrect instcombine fold for icmp sgt (https://llvm.org/PR42198)
- Instsimplify: uadd_overflow(X, undef) is not undef (https://llvm.org/PR42209)
- CVP: adding nuw flags not correct in the presence of undef (https://llvm.org/PR42618)
- DivRemPairs is incorrect in the presence of undef (https://llvm.org/PR42619)
- EmitGEPOffset() incorrectly adds NUW to multiplications (https://llvm.org/PR42699)
- Incorrect fold of uadd.with.overflow with undef (https://llvm.org/PR43188)
- Incorrect transformation of bitcast->gep inbounds (https://llvm.org/PR43501)
- globalopt leaves store to a constant global (https://llvm.org/PR43616)
- Incorrect fold of ashr+xor -> lshr w/ vectors (https://llvm.org/PR43665)
- Incorrect 'icmp sle' -> 'icmp slt' w/ vectors (https://llvm.org/PR43730)
- expandmemcmp generates loads with incorrect alignment (https://llvm.org/PR43880)
- Shuffle undef mask on vectors with poison elements (https://llvm.org/PR43958)
- Can't remove shufflevector if input might be poison (https://llvm.org/PR44185)
- Incorrect instcombine transform: urem -> icmp+zext with vectors (https://llvm.org/PR44186)
- InstCombine incorrectly shrinks the size of store (https://llvm.org/PR44306)
- InstCombine incorrectly folds 'gep(bitcast ptr), idx' into 'gep ptr, idx' (https://llvm.org/PR44321)
- Instcombine: incorrect transformation 'x > (x & undef)' -> 'x > undef' (https://llvm.org/PR44383)
- memcpyopt adds incorrect align to memset (https://llvm.org/PR44388)
- Folding 'gep p, (q - p)' to q should check it is never used for loads & stores (https://llvm.org/PR44403)
- StraightLineStrengthReduce can introduce UB when optimizing 2-dim array gep (https://llvm.org/PR44533)
- SLPVectorizer should drop nsw flags from add (https://llvm.org/PR44536)
- InstCombine doesn't propagate correct alignment (https://llvm.org/PR44543)
- DSE not checking decl of libcalls (https://github.com/llvm/llvm-project/commit/87407fc03c82d880cc42330a8e230e7a48174e3c & https://github.com/llvm/llvm-project/commit/7f903873b8a937acec2e2cc232e70cba53061352)
- InstCombine incorrectly rewrites indices of gep inbounds (https://llvm.org/PR44861)
- InstCombine incorrectly transforms store i64 -> store double (https://llvm.org/PR45152)
- Incorrect optimization of gep without inbounds + load -> icmp eq (https://llvm.org/PR45210)
- gep(ptr, undef) isn't undef (https://llvm.org/PR45445)
- Incorrect transformation: (undef u>> a) ^ -1 -> undef >> a, when a != 0 (https://llvm.org/PR45447)
- Invalid undef splat in instcombine (https://llvm.org/PR45455)
- Incorrect transformation of minnum with nnan (https://llvm.org/PR45478)
- Can't remove insertelement undef (https://llvm.org/PR45481)
- InstSimplify: fadd (nsz op), +0 incorrectly removed (https://llvm.org/PR45778)
- Incorrect instcombine fold of control-flow to umul.with.overflow (https://llvm.org/PR45952)
- Incorrect instcombine fold of vector ult -> sgt (https://llvm.org/PR45954)
- Jumpthreading introduces jump on poison (https://llvm.org/PR45956)
- X86InterleavedAccess introduces misaligned loads (https://llvm.org/PR45957)
- load-store-vectorizer vectorizes non consecutive loads (https://llvm.org/PR46591)
- Incorrect transformation: mul foo, undef -> shl foo, undef (https://llvm.org/PR47133)
- Incorrect transformation: (llvm.maximum undef, %x) -> undef (https://llvm.org/PR47567)
- LoopReroll incorrectly reorders stores across loads when they may alias (https://llvm.org/PR47658)
- InstCombine: incorrect select operand simplification with undef (https://llvm.org/PR47696)
- MemCpyOpt: uses sext instead of zext for memcpy/memset size subtraction (https://llvm.org/PR47697)
- SCEVExpander introduces branch on poison (https://llvm.org/PR47769)
- Incorrect transformation of fabs with nnan flag (https://llvm.org/PR47960)
- Loop peeling introduces OOB stores (https://llvm.org/PR48125)
- Loop vectorizer introduces gep inbounds with negative offset (https://llvm.org/PR48126)
- DSE incorrectly removes store in function that only triggers UB in one of the branches (https://llvm.org/PR48521)
- Incorrect swap of fptrunc with fast-math instructions (https://llvm.org/PR49080)
- Incorrect propagation of nsz from fneg to fdiv (https://llvm.org/PR49654)
- Incorrect offset calculation when adding align to load from assume (https://reviews.llvm.org/D98759)
- InstSimplify: incorrect fold of pointer comparison between globals (https://llvm.org/PR50208)
- ConstraintElimination: incorrect fold of pointer comparison (https://llvm.org/PR50280)
- InstCombine: incorrect select fast-math folds (https://llvm.org/PR50281)
- LoopIdiomRecognize: Overflow in ctlz shifting loop (https://llvm.org/PR51669)
- LoopUnroll: runtime check introduces branch on poison if fn call doesn't return (https://llvm.org/PR51670)
- MergeICmps reorders comparisons and introduces UB (https://llvm.org/PR51845)
- Sink: moves calls that may not return (https://llvm.org/PR51846)
- LLVM introduces load in writeonly function (https://llvm.org/PR51906)
- InstSimplify incorrectly folds signed comparisons of 'gep inbounds' (https://llvm.org/PR52429)
- LoadStoreVectorizer assumes non-willreturn calls always return (https://llvm.org/PR52950)
- SROA sub-vector memcpy w/subsequent load loses the store (https://llvm.org/PR52971)
- NewGVN miscompiles with equal instructions modulo attributes (https://llvm.org/PR53218)
- InstCombine miscompiles combination of signed comparisons (https://llvm.org/PR53252)
- InstCombine propagates nsz flag from select to fneg incorrectly (https://llvm.org/PR54077)
- SLPVectorizer replaces add nsw undef with add poison (https://llvm.org/PR55653)
- InstCombine swaps inbounds geps originating OOB pointer (https://llvm.org/PR55722)
- SLP vectorizer's reduce_and formation introduces poison (https://llvm.org/PR55734)
- IRCE introduces UB by changing order of condition checks (https://llvm.org/PR57523)
- LoopIdiomRecognizer creates memset_pattern16 with incorrect size type with custom dl (https://llvm.org/PR57679)
- InstSimplify: xor pattern miscompiles undef lane (https://llvm.org/PR58977)
- llvm.canonicalize() folding incorrect for denormals (https://llvm.org/PR59245)
- InstCombine: incorrect fabs formation (https://llvm.org/PR59279)
- InstCombine: incorrect select + fast-math swap (https://llvm.org/PR59451)
- SCEV expander introduces poison when hoisting IV (https://llvm.org/PR59777)
- InstCombine: incorrect overflow check simplification (https://llvm.org/PR59836)
- Loop reroll creates incorrect IV increment (https://llvm.org/PR59841)
- InstCombine: incorrect transformation of smul_overflow with i1 (https://llvm.org/PR59876)
- CVP: incorrect transformation of abs (https://llvm.org/PR59887)
- InstCombine generates incorrect range metadata for ctpop (https://llvm.org/PR59888)
- InstCombine introduces UB when moving rem instructions (https://llvm.org/PR60906)
- SimpleLoopUnswitch reverses branch condition incorrectly (https://llvm.org/PR63962)
- Vectorization of loop reduction introduces an aligned store incorrectly (https://llvm.org/PR65212)
- InstCombine: incorrect sink of FP math through select changes NaN payload (https://llvm.org/PR74297)
- InstCombine: fold of shuffle into fadd changes NaN payload (https://llvm.org/PR74326)
- Attributor & Function-attrs mark function as noundef incorrectly due to return value not in range (https://llvm.org/PR88026)
- InstCombine: incorrect vector fshr->shl transformation (https://llvm.org/PR89338)
- VectorCombine: shufflevector reorder leads to srem by poison (https://llvm.org/PR89390)
- InstCombine: incorrect srem rewrite (https://llvm.org/PR89516)
- InstCombine: incorrect swap of select vector operands (https://llvm.org/PR89669)
- SimplifyCFG: coalesced store retains the wrong alignment (https://llvm.org/PR89672)
- LoopVectorize introduces division by zero (https://llvm.org/PR89958)
- InstCombine: align attribute doesn't dereferenceability (https://llvm.org/PR90446)
- Reassociate: invalid propagation of overflow attributes at low bit-width (https://llvm.org/PR91417)
- InstCombine: removes a select, making the code more poisonous (https://llvm.org/PR91691)
- DSE removes store before free() incorrectly (https://llvm.org/PR97956)
- GlobalOpt breaks !callees metadata (https://llvm.org/PR121265)
- Incorrect bitblast for fprem (Z3Prover/z3#2369)
- Bug in FPA w/ quantifiers (Z3Prover/z3#2596)
- Bug in FPA w/ quantifiers (Z3Prover/z3#2631)
- Crash in partial model mode (Z3Prover/z3#2652)
- Crash when printing multi-precision integer (Z3Prover/z3#2761)
- Bug with lambdas and quantified variables (Z3Prover/z3#2792)
- Bug in MBQI (Z3Prover/z3#2822)
- Bug with equality of arrays w/ lambdas (https://github.com/Z3Prover/z3/commit/0b14f1b6f6bb33b555bace93d644163987b0c54f)
- Crash in FPA model construction (Z3Prover/z3#2865)
- Crash in BV theory assertion (Z3Prover/z3#2878)
- Assertion violation in SMT equality propagation (Z3Prover/z3#2879)
- Assertion violation in qe_lite (https://github.com/Z3Prover/z3/commit/bb5edb7c653f9351fe674630d63cdd2b10338277)
- SMT internalize doesn't respect the timeout (Z3Prover/z3#4192)
- Unsoundness with smt.bv.size_reduce=true (Z3Prover/z3#6314)
- Incorrect sort after lambda rewrite (Z3Prover/z3#6340)
- Incorrect BV rewrite (Z3Prover/z3#6426)
- Crash with FP<->BV conversions (Z3Prover/z3#6460)
- Integer overflow (https://github.com/Z3Prover/z3/commit/a96f5a9b425b6f5ba7e8ce1c1a75db6683c4bdc9)
- Memory leak with arrays on timeout (https://github.com/Z3Prover/z3/commit/dda0c8ff4200faa6a441855716b47ec7f93e026e)
- Unsoundness in elim-uncnstr2 (Z3Prover/z3#6488)
- Unsoundness in elim-uncnstr2 (Z3Prover/z3#6506)
- Unsound NaN encoding (Z3Prover/z3#6972)
- fp.roundToIntegral gives invalid zero_extend application (Z3Prover/z3#7056)