[Bug c/106764] New: ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[Bug c/106764] New: ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[k.even-mendoza at imperial dot ac.uk]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

            Bug ID: 106764
           Summary: ICE on invalid code in tree check: expected
                    function_type or method_type, have error_mark in
                    gimplify_call_expr, at gimplify.cc
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: k.even-mendoza at imperial dot ac.uk
  Target Milestone: ---

This code leads to ICE in GCC-12 and 13:
===
(*a)();
b(){a()} a;
===

We are doing a study about compiler fuzzers. We got this from one of the tools.
I wonder if such a bug is interesting even if the program is chopped in the
middle?

1/1934d6e2aee70d21f4a7d16c0d1ff2867764c085.c: In function 'b':
1/1934d6e2aee70d21f4a7d16c0d1ff2867764c085.c:2:5: internal compiler error: tree
check: expected function_type or method_type, have error_mark in
gimplify_call_expr, at gimplify.cc:3681
    2 | b(){a()} a;
      |     ^~~
0x7ee3f2 tree_check_failed(tree_node const*, char const*, int, char const*,
...)
        .././../gcc-source/gcc/tree.cc:8817
0x72df76 tree_check2(tree_node*, char const*, int, char const*, tree_code,
tree_code)
        .././../gcc-source/gcc/tree.h:3527
0x72df76 gimplify_call_expr
        .././../gcc-source/gcc/gimplify.cc:3681
0xc3efa5 gimplify_expr(tree_node**, gimple**, gimple**, bool (*)(tree_node*),
int)
        .././../gcc-source/gcc/gimplify.cc:15178
0xc426e6 gimplify_stmt(tree_node**, gimple**)
        .././../gcc-source/gcc/gimplify.cc:7153
0xc42ea5 gimplify_bind_expr
        .././../gcc-source/gcc/gimplify.cc:1434
0xc3f176 gimplify_expr(tree_node**, gimple**, gimple**, bool (*)(tree_node*),
int)
        .././../gcc-source/gcc/gimplify.cc:15407
0xc50fbf gimplify_stmt(tree_node**, gimple**)
        .././../gcc-source/gcc/gimplify.cc:7153
0xc50fbf gimplify_body(tree_node*, bool)
        .././../gcc-source/gcc/gimplify.cc:16463
0xc5140b gimplify_function_tree(tree_node*)
        .././../gcc-source/gcc/gimplify.cc:16662
0xa7d1b7 cgraph_node::analyze()
        .././../gcc-source/gcc/cgraphunit.cc:676
0xa7fc87 analyze_functions
        .././../gcc-source/gcc/cgraphunit.cc:1240
0xa8095d symbol_table::finalize_compilation_unit()
        .././../gcc-source/gcc/cgraphunit.cc:2500
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
user42@srg01:~/git/directed-compiler-fuzzing-code/scripts/8-crash-testing/reduce$
more 1/1934d6e2aee70d21f4a7d16c0d1ff2867764c085.c

[Bug c/106764] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |trivial

[Bug c/106764] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
fuzzing source is going to turn up a lot of error-recovery cases - while
somewhat interesting they will inevitably be very low priority since GCC has
mechanisms to present the user with a nicer error message in such case for
production builds.

So yes, they are interesting - they would be even more interesting if you
provide fixes alongside with the bugreports ;)

(you can search bugzilla for ice-on-invalid-code + error-recovery)

More interesting are ICEs that do not report an error before.

[Bug c/106764] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marxin at gcc dot gnu.org,
                   |                            |roger at nextmovesoftware dot com
   Last reconfirmed|                            |2022-08-29
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with r12-3278-g823685221de986af.

[Bug c/106764] [12/13 Regression] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |12.3
            Summary|ICE on invalid code in tree |[12/13 Regression] ICE on
                   |check: expected             |invalid code in tree check:
                   |function_type or            |expected function_type or
                   |method_type, have           |method_type, have
                   |error_mark in               |error_mark in
                   |gimplify_call_expr, at      |gimplify_call_expr, at
                   |gimplify.cc                 |gimplify.cc

[Bug c/106764] [12/13 Regression] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at gcc dot gnu.org      |pinskia at gcc dot gnu.org
             Status|NEW                         |ASSIGNED

[Bug c/106764] [12/13 Regression] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
At the point where the CALL_EXPR is built:
Breakpoint 5, build_function_call_vec (loc=258624, arg_loc=...,
function=<var_decl 0x7ffff7251cf0 a>, params=0x0, origtypes=0x0,
orig_fundecl=<tree 0x0>) at
/home/apinski/src/upstream-gcc/gcc/gcc/c/c-typeck.cc:3250
3250      fntype = TREE_TYPE (function);

function is:
(gdb) p debug_tree(function)
 <var_decl 0x7ffff7251cf0 a
    type <pointer_type 0x7ffff73e5930
        type <function_type 0x7ffff726e9d8 type <integer_type 0x7ffff72615e8
int>
            QI
            size <integer_cst 0x7ffff7242e88 constant 8>
            unit-size <integer_cst 0x7ffff7242ea0 constant 1>
            align:8 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7ffff726e9d8
            pointer_to_this <pointer_type 0x7ffff73e5930>>
        unsigned DI
        size <integer_cst 0x7ffff7242d98 constant 64>
        unit-size <integer_cst 0x7ffff7242db0 constant 8>
        align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7ffff73e5930>
    used public static unsigned read DI defer-output t.c:1:3 size <integer_cst
0x7ffff7242d98 64> unit-size <integer_cst 0x7ffff7242db0 8>
    align:64 warn_if_not_align:0>

And the type is fine.
And then the code in duplicate_decls goes and replaces the type to be
error_mark_node.
And then we don't check for error_mark_node later on during gimplification.

Trying to figure out the best place to put the check for error_mark_node now.


Note while looking into the gimplification code, I found some odd looking code
dealing with the location so I filed PR 107737.

[Bug c/106764] [12/13 Regression] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Actually the fix is just check the return value of gimplify_expr to make sure
it was not GS_ERROR.


diff --git a/gcc/gimplify.cc b/gcc/gimplify.cc
index f06ce3cc77a..9b74f957308 100644
--- a/gcc/gimplify.cc
+++ b/gcc/gimplify.cc
@@ -3709,6 +3709,9 @@ gimplify_call_expr (tree *expr_p, gimple_seq *pre_p, bool
want_value)
   ret = gimplify_expr (&CALL_EXPR_FN (*expr_p), pre_p, NULL,
                       is_gimple_call_addr, fb_rvalue);

+  if (ret == GS_ERROR)
+    return GS_ERROR;
+
   nargs = call_expr_nargs (*expr_p);

   /* Get argument types for verification.  */

[Bug c/106764] [12/13 Regression] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The trunk branch has been updated by Andrew Pinski <pinskia@gcc.gnu.org>:

https://gcc.gnu.org/g:bd0c9d9e706adaeea0d96152daade0a6819a8715

commit r13-4143-gbd0c9d9e706adaeea0d96152daade0a6819a8715
Author: Andrew Pinski <apinski@marvell.com>
Date:   Thu Nov 17 22:08:07 2022 +0000

    Fix PRs 106764, 106765, and 107307, all ICE after invalid re-declaration

    The problem here is the gimplifier returns GS_ERROR but
    in some cases we don't check that soon enough and try
    to do other work which could crash.
    So the fix in these two cases is to return GS_ERROR
    early if the gimplify_* functions had return GS_ERROR.

    OK? Bootstrapped and tested on x86_64-linux-gnu with no regressions.

    Thanks,
    Andrew Pinski

    gcc/ChangeLog:

            PR c/106764
            PR c/106765
            PR c/107307
            * gimplify.cc (gimplify_compound_lval): Return GS_ERROR
            if gimplify_expr had return GS_ERROR.
            (gimplify_call_expr): Likewise.

    gcc/testsuite/ChangeLog:

            PR c/106764
            PR c/106765
            PR c/107307
            * gcc.dg/redecl-19.c: New test.
            * gcc.dg/redecl-20.c: New test.
            * gcc.dg/redecl-21.c: New test.

[Bug c/106764] [12/13 Regression] ICE on invalid code in tree check: expected function_type or method_type, have error_mark in gimplify_call_expr, at gimplify.cc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106764

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|12.3                        |13.0

--- Comment #6 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Fixed for GCC 13. Since this is an ICE after error, no reason to backport it.