tree-optimization/109170 - bogus use-after-free with __builtin_expect

The following generalizes the range-op for __builtin_expect
by using the fnspec machinery.

	PR tree-optimization/109170
	* gimple-range-op.cc (gimple_range_op_handler::maybe_builtin_call):
	Handle __builtin_expect and similar via cfn_pass_through_arg1
	and inspecting the calls fnspec.
	* builtins.cc (builtin_fnspec): Handle BUILT_IN_EXPECT
	and BUILT_IN_EXPECT_WITH_PROBABILITY.

diff --git a/gcc/builtins.cc b/gcc/builtins.cc
index 878596c240a9e43a0d823178534beddbec694dfe..bd07873a80e1723b5f7a61f60e47d6d90ac0942a 100644 (file)
--- a/gcc/builtins.cc
+++ b/gcc/builtins.cc
@@ -11718,6 +11718,8 @@ builtin_fnspec (tree callee)
       case BUILT_IN_RETURN_ADDRESS:
        return ".c";
       case BUILT_IN_ASSUME_ALIGNED:
+      case BUILT_IN_EXPECT:
+      case BUILT_IN_EXPECT_WITH_PROBABILITY:
        return "1cX ";
       /* But posix_memalign stores a pointer into the memory pointed to
         by its first argument.  */

diff --git a/gcc/gimple-range-op.cc b/gcc/gimple-range-op.cc
index f7409e35a992b7bec3f3ba056338850b50f01906..04e27d6aa054a34ef46659a92b5a3d8306eca27c 100644 (file)
--- a/gcc/gimple-range-op.cc
+++ b/gcc/gimple-range-op.cc
@@ -43,6 +43,7 @@ along with GCC; see the file COPYING3.  If not see
 #include "range.h"
 #include "value-query.h"
 #include "gimple-range.h"
+#include "attr-fnspec.h"
 
 // Given stmt S, fill VEC, up to VEC_SIZE elements, with relevant ssa-names
 // on the statement.  For efficiency, it is an error to not pass in enough
@@ -984,14 +985,16 @@ gimple_range_op_handler::maybe_builtin_call ()
       m_int = &op_cfn_parity;
       break;
 
-    case CFN_BUILT_IN_EXPECT:
-    case CFN_BUILT_IN_EXPECT_WITH_PROBABILITY:
-      m_valid = true;
-      m_op1 = gimple_call_arg (call, 0);
-      m_int = &op_cfn_pass_through_arg1;
-      break;
-
     default:
-      break;
+      {
+       unsigned arg;
+       if (gimple_call_fnspec (call).returns_arg (&arg) && arg == 0)
+         {
+           m_valid = true;
+           m_op1 = gimple_call_arg (call, 0);
+           m_int = &op_cfn_pass_through_arg1;
+         }
+       break;
+      }
     }
 }