Extended Description

The OptimizeExtractBits() helper function in CodeGenPrepare.cpp is meant to replace certain uses of "lshr" and "ashr" instructions, then erase the original instruction if it is no longer used anywhere. It returns a flag indicating whether it made a change. However, it only sets that flag to "true" when it replaces an instruction. If it is passed an instruction that does not have any users to begin with, it will erase it and still return "false".

This behavior was previously harmless, but rL363511 changed OptimizeExtractBits()'s call site in CodeGenPrepare::optimizeInst() to allow processing of the instruction to continue if OptimizeExtractBits() returns false. The result is that CodeGenPrepare::optimizeInst() continues working on the instruction even though it has been freed. This can cause occasional, unpredictable crashes in normal builds, but it crashes reliably under ASAN.

I've prepared a test case and fix for this issue at https://reviews.llvm.org/D66330.