https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97609
--- Comment #2 from Aldy Hernandez <aldyh at gcc dot gnu.org> --- tl;dr: substitute_and_fold_engine::replace_uses_in() creates invalid gimple, so when its loop goes on to request a range (value_of_expr), the ranger may see invalid IL and die an ungraceful death. The long story: We are calling substitute_and_fold_engine::replace_uses_in() on the following statement: <bb 3> : SR.2_9 = &__to_destroy._M_head; SR.1_10 = SR.2_9; __pos$_M_node_6 = SR.1_10; _11 = __pos$_M_node_6; _11->_M_next = __keep_12(D); <-- HERE HERE For _11, the call to value_of_expr() in replace_uses_in() returns: &__to_destroy._M_head; which is propagated with propagate_value() and creates invalid gimple in the process: __to_destroy._M_head._M_next = __keep_12(D); The next time in the loop in replace_uses_in, we ask for value_of_expr(__keep_12(D)), which dies deep in the call chain, because the IL borked.
