clang crashes on valid code at -O{s,2,3} on x86_64-linux-gnu: Segmentation fault (core dumped) #126305

@zhendongsu

It appears to be a regression from 13.0.0 and affects 14.0.0 and later.

Compiler Explorer: https://godbolt.org/z/M1991hr37

[509] % clangtk -v
clang version 21.0.0git (https://github.com/llvm/llvm-project.git 4d7192a5ecabb36263a2cacd4e9243b958424805)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/software/local/clang-trunk/bin
Build config: +assertions
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/10
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/11
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/11
Candidate multilib: .;@m64
Selected multilib: .;@m64
[510] % 
[510] % clangtk -O3 small.c
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /local/suz-local/software/local/clang-trunk/bin/clang-21 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -dumpdir a- -disable-free -clear-ast-before-backend -main-file-name small.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/local/suz-local/software/emitesting/bugs/20250207-clangtk-m64-O3-build-172826/delta -fcoverage-compilation-dir=/local/suz-local/software/emitesting/bugs/20250207-clangtk-m64-O3-build-172826/delta -resource-dir /local/suz-local/software/local/clang-trunk/lib/clang/21 -I /usr/local/include -I /local/suz-local/software/local/include -internal-isystem /local/suz-local/software/local/clang-trunk/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/11/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -ferror-limit 19 -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fcolor-diagnostics -vectorize-loops -vectorize-slp -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/small-f51eec.o -x c small.c
1.	<eof> parser at end of file
2.	Optimizer
3.	Running pass "require<globals-aa>,function(invalidate<aa>),require<profile-summary>,cgscc(devirt<4>(inline,function-attrs<skip-non-recursive-function-attrs>,argpromotion,openmp-opt-cgscc,function<eager-inv;no-rerun>(sroa<modify-cfg>,early-cse<memssa>,speculative-execution<only-if-divergent-target>,jump-threading,correlated-propagation,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,aggressive-instcombine,libcalls-shrinkwrap,tailcallelim,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,reassociate,constraint-elimination,loop-mssa(loop-instsimplify,loop-simplifycfg,licm<no-allowspeculation>,loop-rotate<header-duplication;no-prepare-for-lto>,licm<allowspeculation>,simple-loop-unswitch<nontrivial;trivial>),simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,loop(loop-idiom,indvars,extra-simple-loop-unswitch-passes,loop-deletion,loop-unroll-full),sroa<modify-cfg>,vector-combine,mldst-motion<no-split-footer-bb>,gvn<>,sccp,bdce,instcombine<max-iterations=1;no-verify-fixpoint>,jump-threading,correlated-propagation,adce,memcpyopt,dse,move-auto-init,loop-mssa(licm<allowspeculation>),coro-elide,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;hoist-common-insts;no-hoist-loads-stores-with-cond-fau
lting;sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>),function-attrs,function(require<should-not-run-function-passes>),coro-split,coro-annotation-elide)),function(invalidate<should-not-run-function-passes>),cgscc(devirt<4>())" on module "small.c"
4.	Running pass "cgscc(devirt<4>(inline,function-attrs<skip-non-recursive-function-attrs>,argpromotion,openmp-opt-cgscc,function<eager-inv;no-rerun>(sroa<modify-cfg>,early-cse<memssa>,speculative-execution<only-if-divergent-target>,jump-threading,correlated-propagation,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,aggressive-instcombine,libcalls-shrinkwrap,tailcallelim,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,reassociate,constraint-elimination,loop-mssa(loop-instsimplify,loop-simplifycfg,licm<no-allowspeculation>,loop-rotate<header-duplication;no-prepare-for-lto>,licm<allowspeculation>,simple-loop-unswitch<nontrivial;trivial>),simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;no-hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;no-sink-common-insts;speculate-blocks;simplify-cond-branch;no-speculate-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>,loop(loop-idiom,indvars,extra-simple-loop-unswitch-passes,loop-deletion,loop-unroll-full),sroa<modify-cfg>,vector-combine,mldst-motion<no-split-footer-bb>,gvn<>,sccp,bdce,instcombine<max-iterations=1;no-verify-fixpoint>,jump-threading,correlated-propagation,adce,memcpyopt,dse,move-auto-init,loop-mssa(licm<allowspeculation>),coro-elide,simplifycfg<bonus-inst-threshold=1;no-forward-switch-cond;switch-range-to-icmp;no-switch-to-lookup;keep-loops;hoist-common-insts;no-hoist-loads-stores-with-cond-faulting;sink-common-insts;speculate-blocks;simplify-cond-branch;no-specu
late-unpredictables>,instcombine<max-iterations=1;no-verify-fixpoint>),function-attrs,function(require<should-not-run-function-passes>),coro-split,coro-annotation-elide))" on module "small.c"
5.	Running pass "loop(loop-idiom,indvars,extra-simple-loop-unswitch-passes,loop-deletion,loop-unroll-full)" on function "main"
  #0 0x000055ac714688af llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x45368af)
  #1 0x000055ac71466084 SignalHandler(int) Signals.cpp:0:0
  #2 0x00007f08737cc420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
  #3 0x000055ac7043514e llvm::ScalarEvolution::getConstantMultipleImpl(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350314e)
  #4 0x000055ac7043486b llvm::ScalarEvolution::getConstantMultiple(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350286b)
  #5 0x000055ac70434bbb llvm::ScalarEvolution::getMinTrailingZeros(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x3502bbb)
  #6 0x000055ac7043553d llvm::ScalarEvolution::getConstantMultipleImpl(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350353d)
  #7 0x000055ac7043486b llvm::ScalarEvolution::getConstantMultiple(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350286b)
  #8 0x000055ac70434bbb llvm::ScalarEvolution::getMinTrailingZeros(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x3502bbb)
  #9 0x000055ac704355f8 llvm::ScalarEvolution::getConstantMultipleImpl(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x35035f8)
 #10 0x000055ac7043486b llvm::ScalarEvolution::getConstantMultiple(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350286b)
 #11 0x000055ac70434bbb llvm::ScalarEvolution::getMinTrailingZeros(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x3502bbb)
 #12 0x000055ac7043d90b llvm::ScalarEvolution::getRangeRef(llvm::SCEV const*, llvm::ScalarEvolution::RangeSignHint, unsigned int) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350b90b)
 #13 0x000055ac704400f6 llvm::ScalarEvolution::isKnownNonNegative(llvm::SCEV const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350e0f6)
 #14 0x000055ac70459ae6 llvm::ScalarEvolution::getGEPExpr(llvm::GEPOperator*, llvm::SmallVectorImpl<llvm::SCEV const*> const&) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x3527ae6)
 #15 0x000055ac70459d01 llvm::ScalarEvolution::createNodeForGEP(llvm::GEPOperator*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x3527d01)
 #16 0x000055ac7043b994 llvm::ScalarEvolution::createSCEV(llvm::Value*) (.part.0) ScalarEvolution.cpp:0:0
 #17 0x000055ac7043c4f1 llvm::ScalarEvolution::createSCEVIter(llvm::Value*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x350a4f1)
 #18 0x000055ac70465de4 llvm::ScalarEvolution::computeSCEVAtScope(llvm::SCEV const*, llvm::Loop const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x3533de4)
 #19 0x000055ac704665ba llvm::ScalarEvolution::getSCEVAtScope(llvm::SCEV const*, llvm::Loop const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x35345ba)
 #20 0x000055ac70465df7 llvm::ScalarEvolution::computeSCEVAtScope(llvm::SCEV const*, llvm::Loop const*) (/local/suz-local/software/local/clang-trunk/bin/clang-21+0x3533df7)
...
clangtk: error: unable to execute command: Segmentation fault
clangtk: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 21.0.0git (https://github.com/llvm/llvm-project.git 4d7192a5ecabb36263a2cacd4e9243b958424805)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/software/local/clang-trunk/bin
Build config: +assertions
clangtk: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clangtk: note: diagnostic msg: /tmp/small-072923.c
clangtk: note: diagnostic msg: /tmp/small-072923.sh
clangtk: note: diagnostic msg: 

********************
[511] % 
[511] % cat small.c
int a[1], b, c, d, e, f, g, h, i;
int main() {
  if (b) {
    for (c = 0; c - 20; --c)
      if (i)
        i = 0;
    for (; g; g++)
      for (d = 0; d < 8; d++)
        for (h = 0; h < 7; h++)
          for (e = 0; e < 9; e++)
            for (f = 0; f < 4; f++) {
              b = a[b];
              b = a[b];
              b = a[b & 5];
            }
  }
}

Labels: crash (Prefer [crash-on-valid] or [crash-on-invalid]), llvm:SCEV (Scalar Evolution), regression:14 (Regression in 14 release)
