https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98599
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> --- As far as I can tell, there are two invocations of lto1: wpa, then ltrans. The analyzer is run in the first invocation. The analyzer updates the gimple stmt uids; if I disable this updating the crash doesn't happen. The crash happens in the 2nd invocation of lto1 at: 1200 for (cedge = node->indirect_calls; cedge; cedge = cedge->next_callee) 1201 { 1202 if (STMT_UID_NOT_IN_RANGE (cedge->lto_stmt_uid)) 1203 fatal_error (input_location, 1204 "Cgraph edge statement index out of range"); I haven't managed to fully debug this yet, but it looks like the stmt uids are stored into the callgraph edge's lto_stmt_uid, and somewhere between the cgraph and LTO infrastructure it doesn't expect an IPA pass (the analyzer) to change the uids in the stmts from under it, even though gimple.h has this for the stmt field: /* UID of this statement. This is used by passes that want to assign IDs to statements. It must be assigned and used by each pass. By default it should be assumed to contain garbage. */ unsigned uid; and gimple_set_uid has: Please note that this UID property is supposed to be undefined at pass boundaries. This means that a given pass should not assume it contains any useful value when the pass starts and thus can set it to any value it sees fit.