https://gcc.gnu.org/g:fb22d7f3b665555cfb55673ca2b954f860d28b50
commit r16-5506-gfb22d7f3b665555cfb55673ca2b954f860d28b50 Author: Jakub Jelinek <[email protected]> Date: Sat Nov 22 12:24:35 2025 +0100 c++: Readd type checks for cp_fold -ffold-simple-inlines foldings [PR122185] In GCC15, cp_fold -ffold-simple-inlines code contained if (INDIRECT_TYPE_P (TREE_TYPE (x)) && INDIRECT_TYPE_P (TREE_TYPE (r))) check around the optimization, but as std::to_underlying has been added to the set, it got removed. Now, the check isn't needed when using correct libstdc++-v3 headers, because the function template types ensure the converted types are sane (so for most of them both are some kind of REFERENCE_TYPEs, for addressof one REFERENCE_TYPE and one POINTER_TYPE, for to_underlying one ENUMERAL_TYPE and one INTEGRAL_TYPE_P). But when some fuzzer or user attempts to implement one or more of those std:: functions and does it wrong (sure, such code is invalid), we can ICE because build_nop certainly doesn't handle all possible type conversions. So, the following patch readds the INDIRECT_REF_P && INDIRECT_REF_P check for everything but to_underlying, for which it checks ENUMERAL_TYPE to INTEGRAL_TYPE_P. That way we don't ICE on bogus code. Though, I wonder about 2 things, whether the CALL_EXPR_ARG in there shouldn't be also guarded just in case somebody tries to compile namespace std { int to_underlying (); }; int a = std::to_underlying (); and also whether this to_underlying folding doesn't behave differently from the libstdc++-v3 implementation if the enum is enum A : bool { B, C }; I think -fno-fold-simple-inlines will compile it as != 0, while the -ffold-simple-inlines code just as a cast. Sure, enum with underlying bool can't contain enumerators with values other than 0 and 1, but it is still 8-bit at least and so what happens with other values? 2025-11-22 Jakub Jelinek <[email protected]> PR c++/122185 * cp-gimplify.cc (cp_fold) <case CALL_EXPR>: For -ffold-simple-inlines restore check that both types are INDIRECT_TYPE_P, except for "to_underlying" check that r has ENUMERAL_TYPE and x has INTEGRAL_TYPE_P. * g++.dg/cpp1z/pr122185.C: New test. Diff: --- gcc/cp/cp-gimplify.cc | 14 ++++++++-- gcc/testsuite/g++.dg/cpp1z/pr122185.C | 49 +++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 2 deletions(-) diff --git a/gcc/cp/cp-gimplify.cc b/gcc/cp/cp-gimplify.cc index 1662336e165c..994d4deb0f12 100644 --- a/gcc/cp/cp-gimplify.cc +++ b/gcc/cp/cp-gimplify.cc @@ -3447,8 +3447,18 @@ cp_fold (tree x, fold_flags_t flags) || id_equal (DECL_NAME (callee), "as_const"))) { r = CALL_EXPR_ARG (x, 0); - r = build_nop (TREE_TYPE (x), r); - x = cp_fold (r, flags); + /* These type-checks must be performed here, because invalid + definitions of these functions could fail to ensure those and + build_nop could misbehave. See PR122185. */ + if (id_equal (DECL_NAME (callee), "to_underlying") + ? TREE_CODE (TREE_TYPE (r)) == ENUMERAL_TYPE + && INTEGRAL_TYPE_P (TREE_TYPE (x)) + : INDIRECT_TYPE_P (TREE_TYPE (x)) + && INDIRECT_TYPE_P (TREE_TYPE (r))) + { + r = build_nop (TREE_TYPE (x), r); + x = cp_fold (r, flags); + } break; } diff --git a/gcc/testsuite/g++.dg/cpp1z/pr122185.C b/gcc/testsuite/g++.dg/cpp1z/pr122185.C new file mode 100644 index 000000000000..73cba761b011 --- /dev/null +++ b/gcc/testsuite/g++.dg/cpp1z/pr122185.C @@ -0,0 +1,49 @@ +// PR c++/122185 +// { dg-do compile { target c++17 } } +// { dg-options "-w -O2" } + +namespace std { +template <typename _Tp> struct remove_reference { + using type = __remove_reference(_Tp); +}; +template <typename _Tp> _Tp forward(typename remove_reference<_Tp>::type); +} +template <typename T> struct static_const { + static constexpr T value{}; +}; +template <typename, typename> struct adl_serializer; +template <template <typename, typename> class = adl_serializer> +class basic_json; +struct from_json_fn { + template <typename BasicJsonType, typename T> + void operator()(BasicJsonType, T) const; +}; +template <typename, typename> struct adl_serializer { + template <typename BasicJsonType, typename TargetType> + static void from_json(BasicJsonType &&j, TargetType val) { + static_const<from_json_fn>::value(std::forward<BasicJsonType>(j), val); + } +}; +struct iter_impl { + basic_json<> operator*(); + void operator++(); + bool operator!=(iter_impl); +}; +template <template <typename, typename = void> class JSONSerializer> +struct basic_json { + template <typename> using iter_impl = iter_impl; + using iterator = iter_impl<basic_json>; + template <typename> void get_impl(int) { + auto ret = int(); + JSONSerializer<int>::from_json(*this, ret); + } + template <typename> void get() { get_impl<int>({}); } + iterator begin(); + iterator end(); + char type_name; +}; +void _ValidateSignatureFile() { + basic_json signatures; + for (auto signature : signatures) + signature.get<int>(); +}
