https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84298
Bug ID: 84298
Summary: Shared TYPE_SIZE_UNIT ends up with freed SSA names
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: rsandifo at gcc dot gnu.org
Target Milestone: ---

The testcase:

int res, a, b;
void *foo;

static void
f2 (int arg)
{
  res = ((int (*)[arg][b]) foo)[0][0][0];
}

void
f1 (void)
{
  f2 (a);
}

when compiled at -O or above causes:

0xff3baf crash_signal
        /work/richards/shoji/oban/src/gcc/gcc/toplev.c:325
0x12f1b0a make_ssa_name_fn(function*, tree_node*, gimple*, unsigned int)
        /work/richards/shoji/oban/src/gcc/gcc/tree-ssanames.c:266
0x10a4d68 make_ssa_name
        /work/richards/shoji/oban/src/gcc/gcc/tree-ssanames.h:115
0x10a5ed7 remap_ssa_name
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:241
0x10aa672 copy_tree_body_r(tree_node**, int*, void*)
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:1091
0x13d2b8f walk_tree_1(tree_node**, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*, tree_node* (*)(tree_node**, int*, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*))
        /work/richards/shoji/oban/src/gcc/gcc/tree.c:11390
0x13d41b4 walk_tree_1(tree_node**, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*, tree_node* (*)(tree_node**, int*, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*))
        /work/richards/shoji/oban/src/gcc/gcc/tree.c:11706
0x13d41b4 walk_tree_1(tree_node**, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*, tree_node* (*)(tree_node**, int*, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*))
        /work/richards/shoji/oban/src/gcc/gcc/tree.c:11706
0x10a8760 remap_type_1
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:575
0x10a8818 remap_type(tree_node*, copy_body_data*)
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:603

The problem is that the TYPE_SIZE_UNIT of the outer [arg][b] array includes a MULT_EXPR that is shared with the pointer calculation. The pointer calculation is gimplified and eventually the original SSA names are freed, but the gimplified MULT_EXPR is still in TYPE_SIZE_UNIT and still refers to the freed SSA names.
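
The sharing hazard described in the report, as a toy model added here for illustration. This is not GCC code and not part of the original report: the node layout and all function names are hypothetical, a `released` flag stands in for a freed SSA name, and the copy-before-lowering branch is an assumed contrast case, not a fix taken from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Toy expression nodes; every name here is hypothetical, not GCC's. */
typedef struct Node Node;
struct Node {
    enum { DECL, SSA_NAME, MULT } kind;
    bool released;   /* set once an SSA name has been freed */
    Node *op[2];     /* operands, used by MULT only */
};
static Node pool[8];
static size_t used;
static Node *new_node(int kind, Node *a, Node *b) {
    Node *n = &pool[used++];
    n->kind = kind; n->released = false; n->op[0] = a; n->op[1] = b;
    return n;
}
/* Lowering rewrites the operands in place to fresh SSA names. */
static void lower_in_place(Node *mult) {
    for (int i = 0; i < 2; i++)
        if (mult->op[i]->kind == DECL)
            mult->op[i] = new_node(SSA_NAME, NULL, NULL);
}
/* The statement using the names goes away, so the names are freed. */
static void release_operands(Node *mult) {
    for (int i = 0; i < 2; i++)
        if (mult->op[i]->kind == SSA_NAME)
            mult->op[i]->released = true;
}
/* Does the size expression still point at a freed SSA name? */
static bool refers_to_released(const Node *size) {
    return size->op[0]->released || size->op[1]->released;
}
/* Returns true when the type's size expression is left dangling. */
bool type_size_dangles(bool copy_before_lowering) {
    used = 0;
    Node *arg = new_node(DECL, NULL, NULL), *b = new_node(DECL, NULL, NULL);
    Node *type_size = new_node(MULT, arg, b);  /* plays TYPE_SIZE_UNIT */
    Node *ptr_calc = copy_before_lowering
        ? new_node(MULT, arg, b)   /* private copy for the pointer maths */
        : type_size;               /* same node shared, as in the report */
    lower_in_place(ptr_calc);
    release_operands(ptr_calc);
    return refers_to_released(type_size);
}
int main(void) {
    printf("shared: %d, copied: %d\n", type_size_dangles(false), type_size_dangles(true));
    return 0;
}
```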