[Bug c/114058] New: ICE: _BitInt + asan: tree check: expected ssa_name, have view_convert_expr in has_zero_uses, at ssa-iterators.h:389

[Bug c/114058] New: ICE: _BitInt + asan: tree check: expected ssa_name, have view_convert_expr in has_zero_uses, at ssa-iterators.h:389

[mjires at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114058

            Bug ID: 114058
           Summary: ICE: _BitInt + asan: tree check: expected ssa_name,
                    have view_convert_expr in has_zero_uses, at
                    ssa-iterators.h:389
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: mjires at gcc dot gnu.org
                CC: jakub at redhat dot com
  Target Milestone: ---

Compiling reduced testcase gcc.dg/torture/bitint-35.c results in ICE, since
_BitInt was introduced in r14-3751-g8c984a1c3693df.

$ cat bitint-35.c
_BitInt(129) foo() {
  _BitInt(129) r;
  &r;
}


$ gcc bitint-35.c -fsanitize=address -Og -fno-tree-dce
during GIMPLE pass: sanopt
bitint-35.c: In function ‘foo’:
bitint-35.c:1:14: internal compiler error: tree check: expected ssa_name, have
view_convert_expr in has_zero_uses, at ssa-iterators.h:389
    1 | _BitInt(129) foo() {
      |              ^~~
0x1ac77e1 tree_check_failed(tree_node const*, char const*, int, char const*,
...)
        /home/mjires/git/GCC/master/gcc/tree.cc:8955
0xd2f6f5 tree_check(tree_node const*, char const*, int, char const*, tree_code)
        /home/mjires/git/GCC/master/gcc/tree.h:3900
0xfa0dfd has_zero_uses(tree_node const*)
        /home/mjires/git/GCC/master/gcc/ssa-iterators.h:389
0x1714f27 asan_expand_poison_ifn(gimple_stmt_iterator*, bool*,
hash_map<tree_node*, tree_node*,
simple_hashmap_traits<default_hash_traits<tree_node*>, tree_node*> >&)
        /home/mjires/git/GCC/master/gcc/asan.cc:4104
0x172b021 execute
        /home/mjires/git/GCC/master/gcc/sanopt.cc:1382
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.


$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/home/mjires/built/master/libexec/gcc/x86_64-pc-linux-gnu/14.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /home/mjires/git/GCC/master/configure
--prefix=/home/mjires/built/master --disable-bootstrap
--enable-languages=c,c++,fortran,lto --disable-multilib --disable-libsanitizer
--enable-checking : (reconfigured) /home/mjires/git/GCC/master/configure
--prefix=/home/mjires/built/master --disable-bootstrap
--enable-languages=c,c++,fortran,lto --disable-multilib --disable-libsanitizer
--enable-checking
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.0.1 20240222 (experimental) (GCC)

[Bug c/114058] ICE: _BitInt + asan: tree check: expected ssa_name, have view_convert_expr in has_zero_uses, at ssa-iterators.h:389

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114058

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Better testcase which doesn't need special options, just -O2 -fsanitize=address
will do:
_BitInt(129)
foo (void)
{
  _BitInt(129) *p;
  {
    _BitInt(129) r = 42;
    p = &r;
  }
  return *p;
}

void
bar (void)
{
  _BitInt(129) *p;
  {
    _BitInt(129) r = 42;
    p = &r;
  }
  *p = 0;
}

With s/129/127/g, we get:
  r_5 = .ASAN_POISON (); [tail call]
  return r_5;
and
  r_5 = .ASAN_POISON ();
  .ASAN_POISON_USE (r_5); [tail call]
and sanopt turns that into:
  _6 = (unsigned long) &r;
  _7 = _6 >> 3;
  _8 = _7 + 2147450880;
  _9 = (signed char *) _8;
  MEM[(short int *)_9] = -1800;
  __builtin___asan_report_load16 (&r);
  return r_5(D);
and
  _6 = (unsigned long) &r;
  _7 = _6 >> 3;
  _8 = _7 + 2147450880;
  _9 = (signed char *) _8;
  MEM[(short int *)_9] = -1800;
  __builtin___asan_report_store16 (&r);

Currently bitint lowering for large/huge _BitInt rewrites this such that the
lhs of .ASAN_POISON () is typically a VIEW_CONVERT_EXPR of a VAR_DECL and ditto
for the .ASAN_POISON_USE arguments, that is something sanopt can't handle.
But we can't also easily just poison the underlying variable at .ASAN_POISON ()
call,
because the var can be reused later and we wouldn't know where to unpoison it.
We want the use after scope accesses reported by asan.
Perhaps turn the .ASAN_POISON call into .ASAN_POISON setting some other
SSA_NAME (say limb_type), replace .ASAN_POISON_USE argument with that new
SSA_NAME, keep the associated underlying VAR_DECL uninitialized and arrange the
other SSA_NAME to be somehow used whenever using the original SSA_NAME (say,
instead of actually reading from the VAR_DECL's limbs, read from the other
var).

[Bug c/114058] ICE: _BitInt + asan: tree check: expected ssa_name, have view_convert_expr in has_zero_uses, at ssa-iterators.h:389

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114058

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2024-02-22
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
.