https://gcc.gnu.org/bugzilla/show_bug.cgi?id=125946

            Bug ID: 125946
           Summary: ICE: output_operand: invalid expression as operand
           Product: gcc
           Version: 16.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: captainnemo9292 at gmail dot com
  Target Milestone: ---

Created attachment 64829
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=64829&action=edit
preprocessed source

**System type**: x86_64-pc-linux-gnu
**Configured with**: /root/compilers/gcc-project-release/configure
--prefix=/root/objects/gcc-project-release.obj/install --enable-languages=c,c++
--disable-bootstrap --disable-multilib
**Compilation flags**: -O0

## `gcc -v` output

```
Using built-in specs.
COLLECT_GCC=/root/objects/gcc-project-release.obj/install/bin/gcc
COLLECT_LTO_WRAPPER=/root/objects/gcc-project-release.obj/install/libexec/gcc/x86_64-pc-linux-gnu/16.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /root/compilers/gcc-project-release/configure
--prefix=/root/objects/gcc-project-release.obj/install --enable-languages=c,c++
--disable-bootstrap --disable-multilib
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 16.1.0 (GCC)
```

## What steps will reproduce the problem?

Save the following to `test.c` and run:

```sh
gcc -O0 test.c -o /dev/null
```

**Source file** (`test.c`):

```c
/* Pointer-sized unsigned integer, taken from the compiler's predefined
   __UINTPTR_TYPE__ macro so the test case needs no header. */
typedef __UINTPTR_TYPE__ uintptr_t;
/*
 * Reproducer function 1 of 3 (fuzzer-generated; keep the expression shape
 * exactly as is when reducing or re-testing).
 *
 * The static initializer is built from `&&label` operands (GNU
 * labels-as-values extension) of labels in this function. The report's
 * backtrace shows the ICE raised while a static variable's initializer is
 * being emitted (assemble_variable -> output_addr_const); the report does
 * not say which of the three functions is responsible.
 */
int test(void)
{
    /* Shape: (l3 - l2) + l1 - l2, i.e. a label difference added to a label
       address, with a second label address then subtracted. */
    static uintptr_t a =  ((char *)&&l3-(char *)&&l2)+(char *)&&l1-(char
*)&&l2;
/* l1, l2 and l3 are adjacent labels with no statement between them. */
l1:
l2:
l3:
    /* The uintptr_t value is implicitly converted to the int return type. */
    return a;
}
/*
 * Reproducer function 2 of 3 (fuzzer-generated).
 *
 * Static initializer of the form (l1 - l2) - 1: a single difference of two
 * `&&label` addresses (GNU labels-as-values extension) minus a constant.
 * NOTE(review): the report does not say whether this function alone
 * triggers the ICE; confirm by compiling it in isolation.
 */
int test1(void)
{
    static uintptr_t a =  ((char *)&&l1-(char *)&&l2)-1;
/* l1 and l2 are adjacent labels with no statement between them. */
l1:
l2:
    /* The uintptr_t value is implicitly converted to the int return type. */
    return a;
}
/*
 * Reproducer function 3 of 3 (fuzzer-generated).
 *
 * Static initializer of the form (l2 - l3) + (l1 - l2): the sum of two
 * differences of `&&label` addresses (GNU labels-as-values extension).
 * NOTE(review): the diagnostic in the report points at the closing brace on
 * line 24, which is the end of the file; the report does not say whether
 * this function's initializer is the one that fails.
 */
int test2(void)
{
    static uintptr_t a =  ((char *)&&l2-(char *)&&l3)+((char *)&&l1-(char
*)&&l2);
/* l1, l2 and l3 are adjacent labels with no statement between them. */
l1:
l2:
l3:
    /* The uintptr_t value is implicitly converted to the int return type. */
    return a;
}
```

## Crash Output

```
/root/outputs/experiments-on-metamut/surfuzz,gcc,3/TTtfjYZEmkrg_surfuzz_28.c:24:1:
internal compiler error: output_operand: invalid expression as operand
   24 | }
      | ^
0x2022d9b internal_error(char const*, ...)
       
/root/compilers/gcc-project-release/gcc/diagnostic-global-context.cc:787
0xa43564 output_operand_lossage(char const*, ...)
        /root/compilers/gcc-project-release/gcc/final.cc:3206
0xa43f0a output_addr_const(_IO_FILE*, rtx_def*)
        /root/compilers/gcc-project-release/gcc/final.cc:3802
0xa440a5 output_addr_const(_IO_FILE*, rtx_def*)
        /root/compilers/gcc-project-release/gcc/final.cc:3778
0x11b2ac1 assemble_integer_with_op(char const*, rtx_def*)
        /root/compilers/gcc-project-release/gcc/varasm.cc:3125
0x11b2ac1 default_assemble_integer(rtx_def*, unsigned int, int)
        /root/compilers/gcc-project-release/gcc/varasm.cc:3141
0x11b2b50 assemble_integer(rtx_def*, unsigned int, unsigned int, int)
        /root/compilers/gcc-project-release/gcc/varasm.cc:3157
0x11bad71 output_constant
        /root/compilers/gcc-project-release/gcc/varasm.cc:5583
0x11bcb82 assemble_variable_contents
        /root/compilers/gcc-project-release/gcc/varasm.cc:2473
0x11c1597 assemble_variable(tree_node*, int, int, int)
        /root/compilers/gcc-project-release/gcc/varasm.cc:2665
0x11c46e2 varpool_node::assemble_decl()
        /root/compilers/gcc-project-release/gcc/varpool.cc:596
0x11c46e2 varpool_node::assemble_decl()
        /root/compilers/gcc-project-release/gcc/varpool.cc:564
0x95621a output_in_order
        /root/compilers/gcc-project-release/gcc/cgraphunit.cc:2225
0x95621a symbol_table::compile()
        /root/compilers/gcc-project-release/gcc/cgraphunit.cc:2432
0x9589b6 symbol_table::compile()
        /root/compilers/gcc-project-release/gcc/cgraphunit.cc:2345
0x9589b6 symbol_table::finalize_compilation_unit()
        /root/compilers/gcc-project-release/gcc/cgraphunit.cc:2626
/root/objects/gcc-project-release.obj/install/libexec/gcc/x86_64-pc-linux-gnu/16.1.0/cc1
-quiet -imultiarch x86_64-linux-gnu
/root/outputs/experiments-on-metamut/surfuzz,gcc,3/TTtfjYZEmkrg_surfuzz_28.c
-quiet -dumpdir a- -dumpbase TTtfjYZEmkrg_surfuzz_28.c -dumpbase-ext .c
-mtune=generic -march=x86-64 -O0 -o /tmp/ccKx2ISI.s
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
EXIT_CODE: 1
```

## Preprocessed Source

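Generated with `gcc -save-temps -O0 test.c`. The line markers in the output below still carry the original fuzzer-generated file name rather than `test.c`.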

```c
# 0
"/root/outputs/experiments-on-metamut/surfuzz,gcc,3/TTtfjYZEmkrg_surfuzz_28.c"
# 0 "<built-in>"
# 0 "<command-line>"
# 1 "/usr/include/stdc-predef.h" 1 3
# 0 "<command-line>" 2
# 1
"/root/outputs/experiments-on-metamut/surfuzz,gcc,3/TTtfjYZEmkrg_surfuzz_28.c"
typedef long unsigned int uintptr_t;
int test(void)
{
    static uintptr_t a = ((char *)&&l3-(char *)&&l2)+(char *)&&l1-(char *)&&l2;
l1:
l2:
l3:
    return a;
}
int test1(void)
{
    static uintptr_t a = ((char *)&&l1-(char *)&&l2)-1;
l1:
l2:
    return a;
}
int test2(void)
{
    static uintptr_t a = ((char *)&&l2-(char *)&&l3)+((char *)&&l1-(char
*)&&l2);
l1:
l2:
l3:
    return a;
}
```

* found via a fuzzer