[Bug tree-optimization/98597] [11 Regression] ICE in print_mem_ref since r11-6508-gabb1b6058c09a7c0
slyfox at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Mon Jan 11 23:29:08 GMT 2021
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98597
--- Comment #1 from Sergei Trofimovich <slyfox at gcc dot gnu.org> ---
I also found a similar crash (from `RTL pass: expand` for some reason) in
print_mem_ref:
```c++
// Reduced from Qt's QQmlRefCount: a polymorphic base whose release()
// (defined out of line below) deletes the object it is called on.
struct QQmlRefCount {
    void release() const;
    virtual ~QQmlRefCount();
};
// Out-of-line, empty virtual destructor; the ICE backtrace below points at this line.
QQmlRefCount::~QQmlRefCount() {}
// Self-deletion through the virtual destructor: the object must have been
// heap-allocated and must not be touched after this call.
void QQmlRefCount::release() const { delete this; }
// First (polymorphic) base of QQmlBoundSignalExpression; only declared, never defined here.
struct QQmlJavaScriptExpression {
    virtual int sourceLocation();
};
// Multiple inheritance: QQmlRefCount is the second base, so release() is
// invoked on a base subobject that does not start at offset 0.
struct QQmlBoundSignalExpression : QQmlJavaScriptExpression, QQmlRefCount {};
// Holder for the RangeType enum used by QQmlProfiler::RefLocation.
struct QQmlProfilerDefinitions {
    enum RangeType { HandlingSignal };
};
struct QQmlProfiler : QQmlProfilerDefinitions {
    struct RefLocation {
        // Deliberately broken reduced testcase: both members are read before
        // anything initializes them. The switch has no braces; its whole body
        // is the single labeled statement.
        RefLocation() {
            switch (locationType)        // uninitialized read (UB)
            case HandlingSignal:
                boundSignal->release();  // uninitialized pointer, then `delete this` on it
        }
        RangeType locationType;            // never initialized
        QQmlBoundSignalExpression *boundSignal;  // never initialized
    };
    // Constructs and immediately destroys a RefLocation temporary.
    void startCompiling() { RefLocation(); }
};
struct QQmlCompilingProfiler {
    QQmlProfiler QQmlCompilingProfiler_profiler;
    // The int* parameter is unused; the constructor only forwards to startCompiling().
    QQmlCompilingProfiler(int *) {
        QQmlCompilingProfiler_profiler.startCompiling();
    }
};
// Global whose address is handed to QQmlCompilingProfiler's constructor below.
int notifyComplete_blob;
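// Entry point of the reproducer (the function named in the ICE message).
// The archive rendered "&not" as "¬" here; the original source takes the
// address of the global declared above.
void QQmlDataBlobnotifyComplete() {
    QQmlCompilingProfiler prof(&notifyComplete_blob);
}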
```
```
$ x86_64-pc-linux-gnu-g++ -O2 -std=c++1z -c a.cpp.cpp
during RTL pass: expand
In function 'void QQmlDataBlobnotifyComplete()':
Segmentation fault
5 | QQmlRefCount::~QQmlRefCount() {}
| ^
0x120986f crash_signal
../../gcc/gcc/toplev.c:327
0x7fbb6ee06b6f ???
/usr/src/debug/sys-libs/glibc-2.32-r7/glibc-2.32/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
0x9122bb print_mem_ref
../../gcc/gcc/c-family/c-pretty-print.c:1851
0x912c07 c_pretty_printer::unary_expression(tree_node*)
../../gcc/gcc/c-family/c-pretty-print.c:2005
0x596063 dump_expr
../../gcc/gcc/cp/error.c:2421
...
```
I poked slightly at the crash in gdb:
print_mem_ref():
https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/c-family/c-pretty-print.c#l1812
(gdb) call debug_generic_expr(e)
MEM[(struct QQmlBoundSignalExpression * *)&D.2397 + 8B]
(gdb) call debug_generic_expr(arg)
D.2397
1836 const bool addr = TREE_CODE (arg) == ADDR_EXPR;
1837 if (addr)
1838 {
1839 arg = TREE_OPERAND (arg, 0);
1840 if (byte_off == 0)
1841 {
1842 pp->expression (arg);
1843 return;
1844 }
1845 }
Does not match as an address and falls through (should it?).
1847 tree access_type = TREE_TYPE (e);
1848 if (TREE_CODE (access_type) == ARRAY_TYPE)
1849 access_type = TREE_TYPE (access_type);
1850 tree arg_type = TREE_TYPE (TREE_TYPE (arg));
1851 if (TREE_CODE (arg_type) == ARRAY_TYPE)
1852 arg_type = TREE_TYPE (arg_type);
(gdb) call debug_generic_expr(access_type)
struct QQmlBoundSignalExpression *
(gdb) call TREE_CODE (access_type)
$1 = POINTER_TYPE
(gdb) call debug_generic_expr(TREE_TYPE (arg))
struct RefLocation
(gdb) call TREE_TYPE (TREE_TYPE (arg))
$3 = (tree) 0x0
Null deref at '1851 if (TREE_CODE (arg_type) == ARRAY_TYPE)'.