Confirmed and I guess mine.

Reduced test-case:

typedef int a;
enum b : a;
class c {
public:
  enum { d };
  virtual b e(int *, int, const int *) = 0;
};
class f : c {
  b e(int *, int, const int *);
  b g();
};
b f::e(int *h, int i, const int *j) {
  if (i == d)
    return g();
  for (;;)
    e(h, i, j);
}
int k;
c *l;
void m() { l->e(&k, c::d, nullptr); }

The problem here is that IPA-CP clones node cgraph_edge Notify/1680
which has a speculative self-recursive edge.  Because it now needs to
make sure that eventually clones of such edges call the node clone and
not the original node (while the original edge is not redirected and
still leads to the original node), it takes such edges out of
redirect_callers and stores in a vector to deal with post-cloning.

Normally, after create_virtual_clone returns, it walks this vector,
finds clones of these self-recursive edges in array next_edge_clone
because that is where they are linked by ipcp_edge_duplication_hook,
and redirects the clone.

However, in this case, before create_virtual_clone returns
ipa_fn_summary_t::duplicate is invoked and it re-evaluates edge
predicates, during which it decides the edge is impossible, which
leads to speculation resolution removing the new edge, clone,
ipcp_edge_removal_hook being invoked which deletes it from the linked
list of edge clones and subsequently ipa-cp code not finding it there.



Breakpoint 6, ipcp_edge_removal_hook (cs=<cgraph_edge Notify.constprop/7327 -> Notify/1680>)
    at /home/mjambor/gcc/icln/src/gcc/ipa-cp.c:3435
3435      grow_edge_clone_vectors ();
(gdb) bt
#0  ipcp_edge_removal_hook (cs=<cgraph_edge Notify.constprop/7327 -> Notify/1680>)
    at /home/mjambor/gcc/icln/src/gcc/ipa-cp.c:3435
#1  0x0000000000be7669 in symbol_table::call_edge_removal_hooks (this=0x7ffff67aa100, 
    e=<cgraph_edge Notify.constprop/7327 -> Notify/1680>) at /home/mjambor/gcc/icln/src/gcc/cgraph.c:329
#2  0x0000000000be8e66 in cgraph_edge::remove (this=<cgraph_edge Notify.constprop/7327 -> Notify/1680>)
    at /home/mjambor/gcc/icln/src/gcc/cgraph.c:1028
#3  0x0000000000be94c0 in cgraph_edge::resolve_speculation (
    this=<cgraph_edge Notify.constprop/7327 -> Notify/1680>, 
    callee_decl=<function_decl 0x7ffff68a2900 __builtin_unreachable>)
    at /home/mjambor/gcc/icln/src/gcc/cgraph.c:1200
#4  0x0000000000eb8f97 in redirect_to_unreachable (e=<cgraph_edge Notify.constprop/7327 -> Notify/1680>)
    at /home/mjambor/gcc/icln/src/gcc/ipa-fnsummary.c:239
#5  0x0000000000eb90a0 in edge_set_predicate (e=<cgraph_edge Notify.constprop/7327 -> Notify/1680>, 
    predicate=0x7fffffffd680) at /home/mjambor/gcc/icln/src/gcc/ipa-fnsummary.c:267
#6  0x0000000000eba5ef in ipa_fn_summary_t::duplicate (this=0x7fffe7c702a0, 
    src=<symtab_function 0x7fffec0cb170 Notify/1680>, 
    dst=<symtab_function 0x7ffff519c5c0 Notify.constprop/7327>, info=0x7fffe7c54e70)
    at /home/mjambor/gcc/icln/src/gcc/ipa-fnsummary.c:714
#7  0x0000000000ec7339 in function_summary<ipa_fn_summary*>::symtab_duplication (
    node=<symtab_function 0x7fffec0cb170 Notify/1680>, 
    node2=<symtab_function 0x7ffff519c5c0 Notify.constprop/7327>, data=0x7fffe7c702a0)
    at /home/mjambor/gcc/icln/src/gcc/symbol-summary.h:189
#8  0x0000000000be7b2c in symbol_table::call_cgraph_duplication_hooks (this=0x7ffff67aa100, 
    node=<symtab_function 0x7fffec0cb170 Notify/1680>, 
    node2=<symtab_function 0x7ffff519c5c0 Notify.constprop/7327>)
    at /home/mjambor/gcc/icln/src/gcc/cgraph.c:495
#9  0x0000000000c04800 in cgraph_node::create_virtual_clone (
    this=<symtab_function 0x7fffec0cb170 Notify/1680>, redirect_callers=..., tree_map=0x7fffee721370, 
    args_to_skip=0x7fffef8570c0, suffix=0x24396e0 "constprop")
    at /home/mjambor/gcc/icln/src/gcc/cgraphclones.c:618
#10 0x0000000001bf5341 in create_specialized_node (node=<symtab_function 0x7fffec0cb170 Notify/1680>, 
    known_csts=..., known_contexts=..., aggvals=0x0, callers=...)
    at /home/mjambor/gcc/icln/src/gcc/ipa-cp.c:3863

I guess the best fix is to move the clone-redirecting logic to cgraph::create_clone.

Created attachment 43979 [details]
Untested WIP fix

I have to leave office for a few hours, I'm attaching an untested fix I have so far.  I will continue with it after I try to reproduce PR 85449 (which on the face of it looks more sinister).

Created attachment 43981 [details]
Fix undergoing testing

The previous patch was missing one hunk.  This is what I am currently testing.

Thinking about this a bit more, there can be cases where only a subset (potentially empty) of clones of self-recursive edges of the cloned edges are to be redirected... I will adjust the patch accordingly.

Created attachment 43989 [details]
Fix undergoing testing

This version of the fix replaces a bool parameter with a hash_set, which actually corresponds to what I intended to do in the first place.  It also contains a testcase that was miscompiled with the previous version.

Eventually, we have decided to go for a more limited fix which I have posted to the mailing list: https://gcc.gnu.org/ml/gcc-patches/2018-04/msg00995.html

I forgot to put letters "PR" to the bug reference, anyway fixed with:

Author: jamborm
Date: Fri Apr 20 09:19:39 2018
New Revision: 259517

URL: https://gcc.gnu.org/viewcvs?rev=259517&root=gcc&view=rev
Log:
Check that clones of edges exist during IPA-CP

2018-04-20  Martin Jambor  <mjambor@suse.cz>

	ipa/85447
	* ipa-cp.c (create_specialized_node): Check that clones of
	self-recursive edges exist during IPA-CP.

testsuite/
	* g++.dg/ipa/pr85447.C: New file.
	* gcc.dg/ipa/ipcp-self-recursion-1.c: Likewise.


Added:
    trunk/gcc/testsuite/g++.dg/ipa/pr85447.C
    trunk/gcc/testsuite/gcc.dg/ipa/ipcp-self-recursion-1.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/ipa-cp.c
    trunk/gcc/testsuite/ChangeLog