https://gcc.gnu.org/bugzilla/show_bug.cgi?id=125244
Bug ID: 125244
Summary: [14/15 regression] -fanalyzer blows the stack with C++ infinite loop
Product: gcc
Version: 16.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: sjames at gcc dot gnu.org
Target Milestone: ---
With `g++-13 p.cxx -fanalyzer -Og -std=gnu++23 -c`, the compiler segfaults on this reduced test case (the innermost frames of the backtrace follow it):
```
// Reduced test case: `c` only declares a destructor; no definition appears
// in this listing, so the destructor is user-declared and non-trivial.
struct c {
~c();
};
// Aggregate with a single `c` member; because `c` has a user-declared
// destructor, destroying an `a` requires a call to `c::~c()`.
struct a {
c b;
};
// Hand-written replacement for std::initializer_list, declared directly in
// namespace std instead of including <initializer_list>. The template
// parameter is unnamed and unused: the pointer member is always `a *`.
namespace std {
template <class> struct initializer_list {
// Pointer member, read as `k.d` by the constructor of `l`.
a *d;
// Second member; nothing in this listing reads it.
unsigned long g;
};
} // namespace std
// `l` has a two-argument template constructor (defined out of line below)
// and an initializer_list constructor that delegates to it.
struct l {
template <typename f> l(f, f);
// Delegates with the pointer pair (k.d, k.d + 1), so the two arguments are
// distinct pointers whenever k.d is valid. NOTE(review): `k.d + 1` is
// presumably the POINTER_PLUS_EXPR seen in the backtrace; confirm.
l(std::initializer_list<a> k) : l(k.d, k.d + 1) {}
};
// Out-of-line definition of the two-argument constructor. The loop has an
// empty body and no increment, so neither `k` nor `e` ever changes: it
// terminates only if `k == e` on entry and otherwise spins forever (the
// "C++ infinite loop" of the bug summary).
// NOTE(review): the `k != e` test is presumably the condition being
// evaluated by ana::constraint_manager::eval_condition in the backtrace;
// confirm.
template <typename f> l::l(f k, f e) {
for (; k != e;)
;
}
// `h` forwards its initializer_list argument unchanged to the member `j`,
// which reaches the delegating constructor of `l`. The namespace-scope
// object `i` is brace-initialized with `{{}}`, so this constructor chain is
// what the analyzer has to model for the translation unit.
struct h {
l j;
h(std::initializer_list<a> k) : j(k) {}
} i{{}};
```
```
#0 0x000055555693e713 in wide_int_binop (res=..., code=code@entry=PLUS_EXPR,
arg1=..., arg2=..., sign=sign@entry=UNSIGNED,
overflow=overflow@entry=0x7ffffbfff42c)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/fold-const.cc:1138
#1 0x000055555693e2f4 in poly_int_binop (res=..., code=PLUS_EXPR,
arg1=arg1@entry=0x7ffff7221378, arg2=arg2@entry=0x7ffff7203660,
sign=sign@entry=UNSIGNED, overflow=overflow@entry=0x7ffffbfff42c)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/fold-const.cc:1250
#2 0x000055555693e0c1 in int_const_binop (code=<optimized out>,
arg1=0x7ffff7221378, arg2=0x7ffff7203660, overflowable=1) at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/fold-const.cc:1328
#3 0x00005555569c20b8 in fold_binary_loc (loc=0, code=POINTER_PLUS_EXPR,
type=0x7ffff72297e0, op0=0x7ffff7221378, op1=0x7ffff7203660)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/fold-const.cc:10998
#4 0x000055555636a0fd in ana::region_model_manager::maybe_fold_binop
(this=this@entry=0x7fffffff8b18, type=type@entry=0x7ffff72297e0,
op=op@entry=POINTER_PLUS_EXPR, arg0=arg0@entry=0x555557fd5510,
arg1=arg1@entry=0x555557ffc4d0) at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/region-model-manager.cc:676
#5 0x000055555636a9c9 in ana::region_model_manager::get_or_create_binop
(this=this@entry=0x7fffffff8b18, type=0x7ffff72297e0,
op=op@entry=POINTER_PLUS_EXPR, arg0=<optimized out>,
arg1=arg1@entry=0x555557ffc4d0)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/region-model-manager.cc:939
#6 0x000055555636a860 in ana::region_model_manager::maybe_fold_binop
(this=this@entry=0x7fffffff8b18, type=type@entry=0x7ffff73bde70,
op=op@entry=POINTER_PLUS_EXPR, arg0=arg0@entry=0x555557fddd20,
arg1=arg1@entry=0x555557ffc4d0) at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/svalue.h:857
#7 0x000055555636a9c9 in ana::region_model_manager::get_or_create_binop
(this=0x7fffffff8b18, type=0x7ffff73bde70, op=POINTER_PLUS_EXPR,
arg0=<optimized out>, arg1=<optimized out>)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/region-model-manager.cc:939
#8 0x00005555568978e1 in
ana::constraint_manager::impossible_derived_conditions_p
(this=this@entry=0x555558086180, lhs=lhs@entry=0x555557ff3b00,
rhs=rhs@entry=0x555557fddd20)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/svalue.h:96
#9 0x0000555556897384 in ana::constraint_manager::eval_condition
(this=this@entry=0x555558086180, lhs=0x555557ff3b00, op=op@entry=EQ_EXPR,
rhs=rhs@entry=0x555557fddd20)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/constraint-manager.cc:2812
#10 0x00005555568978f4 in
ana::constraint_manager::impossible_derived_conditions_p
(this=this@entry=0x555558086180, lhs=lhs@entry=0x555557fca680,
rhs=rhs@entry=0x555557ffc500)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/constraint-manager.cc:2746
#11 0x0000555556897384 in ana::constraint_manager::eval_condition
(this=this@entry=0x555558086180, lhs=0x555557fca680, op=op@entry=EQ_EXPR,
rhs=rhs@entry=0x555557ffc500)
at
/usr/src/debug/sys-devel/gcc-15.2.1_p20260214/gcc-15-20260214/gcc/analyzer/constraint-manager.cc:2812
```
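Frames #8–#11 of the backtrace alternate between `ana::constraint_manager::impossible_derived_conditions_p` and `ana::constraint_manager::eval_condition`, which is consistent with the unbounded recursion that the summary describes as blowing the stack. I also see it with this compiler (`gcc -v` output):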
```
Using built-in specs.
COLLECT_GCC=gcc-15
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/15/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-pc-linux-gnu
Configured with:
/var/tmp/portage.notmp/portage/sys-devel/gcc-15.2.1_p20260501/work/gcc-15-20260501/configure
--host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr
--bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/15
--includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/15/include
--datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/15
--mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/15/man
--infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/15/info
--with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/15/include/g++-v15
--disable-silent-rules --disable-dependency-tracking
--with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/15/python
--enable-libphobos --enable-objc-gc
--enable-languages=c,c++,d,go,objc,obj-c++,fortran,ada,cobol,m2,rust,jit
--enable-obsolete --enable-secureplt --disable-werror --with-system-zlib
--disable-nls --disable-libunwind-exceptions --enable-checking=yes,extra,rtl
--with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened
15.2.1_p20260501 p7' --with-gcc-major-version-only --enable-libstdcxx-time
--enable-lto --disable-libstdcxx-pch --enable-linker-build-id --enable-libada
--enable-shared --enable-threads=posix --enable-__cxa_atexit
--enable-clocale=gnu --enable-multilib --with-multilib-list=m32,mx32,m64
--disable-fixed-point --with-abi=m64 --enable-targets=all
--enable-offload-defaulted --enable-offload-targets=nvptx-none --enable-libgomp
--disable-libssp --disable-cet --enable-systemtap --enable-valgrind-annotations
--disable-vtable-verify --disable-libvtv --with-zstd --with-isl
--disable-isl-version-check --enable-default-pie --enable-host-pie
--enable-host-bind-now --enable-default-ssp --disable-fixincludes
--with-gxx-libcxx-include-dir=/usr/include/c++/v1 --enable-host-shared
--enable-libgdiagnostics --with-build-config='bootstrap-O3 bootstrap-lto-lean'
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 15.2.1 20260501 (Gentoo Hardened 15.2.1_p20260501 p7)
```