[Bug c++/97419] New: crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[Bug c++/97419] New: crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

            Bug ID: 97419
           Summary: crash in decl_as_string(TFF_DECL_SPECIFIERS |
                    TFF_CHASE_TYPEDEF) from plugin using std::declval()
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sphink at gmail dot com
  Target Milestone: ---

Created attachment 49368
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49368&action=edit
gcc -v -save-temps output

I cannot trigger this crash without a plugin, but the plugin in this case is
merely calling 
decl_as_string(decl, TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF). Removing either
of the TFF_ parameters makes it go away.

Given that this requires a plugin to trigger, I'm going to try to give as much
detail as I can here. (I have an rr recording of this crash, fwiw.)

More specifically, finish_decltype_type() in cp/semantics.c is calling:

          type = unlowered_expr_type (expr);
          gcc_assert (!TYPE_REF_P (type));

unlowered_expr_type has:

  tree etype = TREE_TYPE (exp);

  type = is_bitfield_expr_with_lowered_type (exp);
  if (type)
    type = cp_build_qualified_type (type, cp_type_quals (etype));
  else
    type = etype;

TREE_CODE(exp) is INDIRECT_REF. TREE_TYPE(exp) is NULL_TREE, so this returns
NULL_TREE and crashes when it attempts to dereference for TYPE_REF_P (type).

I'm attaching a minimal C++ test case that only #includes <utility> (for
std::declval()). The files I'm attaching are for gcc 9.1.0, but the same thing
happens on gcc 9.3.0. The crash occurs when decl_as_string is called on the
`get` decl, which is:

 <function_decl 0x7fdbbf74bb00 get
    type <method_type 0x7fdbbf74d1f8
        type <reference_type 0x7fdbbf74d9d8 Elem type <record_type
0x7fdbc9faf9d8 UniquePtr>
            asm_written unsigned DI
            size <integer_cst 0x7fdbdfab4e28 constant 64>
            unit-size <integer_cst 0x7fdbdfab4e40 constant 8>
            align:64 warn_if_not_align:0 symtab:-1082851088 alias-set -1
canonical-type 0x7fdbc9fafa80>
        QI
        size <integer_cst 0x7fdbdfab4f18 constant 8>
        unit-size <integer_cst 0x7fdbdfab4f30 constant 1>
        align:8 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7fdbbf74d2a0 method basetype <record_type 0x7fdbbf714348 ContainerIter>
        arg-types <tree_list 0x7fdbc5e49550 value <pointer_type 0x7fdbbf74ddc8>
            chain <tree_list 0x7fdbdfac8848 value <void_type 0x7fdbdfad2f18
void>>>
        pointer_to_this <pointer_type 0x7fdbbf74ed20>>
    addressable used public external autoinline QI defer-output
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5939:8 align:16 warn_if_not_align:0
context <record_type 0x7fdbbf714348 ContainerIter>
    full-name "ContainerIter<Container>::Elem ContainerIter<Container>::get()
const [with Container = mozilla::Vector<mozilla::UniquePtr<js::gc::SweepAction,
JS::DeletePolicy<js::gc::SweepAction> >, 0, js::SystemAllocPolicy>;
ContainerIter<Container>::Elem = const mozilla::UniquePtr<js::gc::SweepAction,
JS::DeletePolicy<js::gc::SweepAction> >&; ContainerIter<Container>::Iter =
const mozilla::UniquePtr<js::gc::SweepAction,
JS::DeletePolicy<js::gc::SweepAction> >*]"
    not-really-extern template-info 0x7fdbbf749e60 chain <function_decl
0x7fdbbf74bc00 next>>

----

The INDIRECT_REF tree is:

 <indirect_ref 0x7fdbba0da6e0
    arg:0 <call_expr 0x7fdbba0d9300
        fn <template_id_expr 0x7fdbba0dd168 type <lang_type 0x7fdbdfc09d20
unknown type>

            arg:0 <overload 0x7fdbd7992e40 type <lang_type 0x7fdbdfc09d20
unknown type>
                function <template_decl 0x7fdbd799c580 declval>>
            arg:1 <tree_vec 0x7fdbba0da6c0 length:1 elt:0 <decltype_type
0x7fdbbf6e70a8>>
            /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:31 start:
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:26 finish:
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:43>
        /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:44 start:
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:26 finish:
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:45>
    /home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:25 start:
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:25 finish:
/home/sfink/src/mozilla3/js/src/gc/GC.cpp:5928:45>

[Bug c++/97419] crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

--- Comment #1 from Steve Fink <sphink at gmail dot com> ---
Created attachment 49369
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49369&action=edit
minimized C++ source

C++ source that only includes <utility>.

[Bug c++/97419] crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

--- Comment #2 from Steve Fink <sphink at gmail dot com> ---
Created attachment 49370
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49370&action=edit
Preprocessed source

[Bug c++/97419] crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

--- Comment #3 from Steve Fink <sphink at gmail dot com> ---
This invokes decl_as_string(decl, TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF)

TREE_CODE(decl) is FUNCTION_DECL.

dump_function_decl(decl) is attempting to render the return type of the
function. It's in a local variable `ret` from

      ret = fndecl_declared_return_type (t);

TREE_CODE(ret) is DECLTYPE_TYPE.

dump_type(ret) checks typedef_variant(p), which is true, and TFF_CHASE_TYPEDEF
was given, so it calls strip_typedefs(ret).

strip_typedefs recurses through many layers, though I think that's for other
parts of the type. gdb gets a little confused stepping through this stuff, so
it's hard for me to tell. The final crash stack makes it seem like it's all in
the finish_decltype_type() of the INDIRECT_REF in the DECLTYPE_TYPE return
value, though.

Oh, shoot. I still haven't attached the most important thing, the crash stack.

[Bug c++/97419] crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

--- Comment #4 from Steve Fink <sphink at gmail dot com> ---
Created attachment 49371
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49371&action=edit
crash stack

[Bug c++/97419] crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

--- Comment #5 from Steve Fink <sphink at gmail dot com> ---
Created attachment 49372
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49372&action=edit
backtrace of crash

Note that the invalid_nonstatic_memfn_p in the attached crash stack seems
bogus. Here's a backtrace from rr.

[Bug c++/97419] crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

--- Comment #6 from Steve Fink <sphink at gmail dot com> ---
The crash still happens with gcc 10.2.0.

[Bug c++/97419] crash in decl_as_string(TFF_DECL_SPECIFIERS | TFF_CHASE_TYPEDEF) from plugin using std::declval()

[sphink at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97419

--- Comment #7 from Steve Fink <sphink at gmail dot com> ---
I can workaround the bug by avoiding declval:

-   using Iter = decltype(std::declval<const Container>().begin());
-   using Elem = decltype(*std::declval<Iter>());
+   using Iter = decltype(static_cast<const Container*>(nullptr)->begin());
+   using Elem = decltype(*static_cast<const Container*>(nullptr)->begin());

fixes it in my original code. In the minimized testcase, it would be the more
pedestrian

-   using Iter = typename Container::ValueType*;
-   using Elem = decltype(*std::declval<Iter>());
+   using Iter = typename Container::ValueType*;
+   using Elem = typename Container::ValueType;