tree-optimization/109170 - bogus use-after-free with __builtin_expect

The following generalizes the range-op for __builtin_expect
by using the fnspec machinery.

	PR tree-optimization/109170
	* gimple-range-op.cc (gimple_range_op_handler::maybe_builtin_call):
	Handle __builtin_expect and similar via cfn_pass_through_arg1
	and inspecting the calls fnspec.
	* builtins.cc (builtin_fnspec): Handle BUILT_IN_EXPECT
	and BUILT_IN_EXPECT_WITH_PROBABILITY.

2 files changed, 13 insertions, 8 deletions

diff --git a/gcc/builtins.cc b/gcc/builtins.cc
index 878596c..bd07873 100644
--- a/gcc/builtins.cc
+++ b/gcc/builtins.cc
@@ -11718,6 +11718,8 @@ builtin_fnspec (tree callee)
       case BUILT_IN_RETURN_ADDRESS:
 	return ".c";
       case BUILT_IN_ASSUME_ALIGNED:
+      case BUILT_IN_EXPECT:
+      case BUILT_IN_EXPECT_WITH_PROBABILITY:
 	return "1cX ";
       /* But posix_memalign stores a pointer into the memory pointed to
 	 by its first argument.  */
diff --git a/gcc/gimple-range-op.cc b/gcc/gimple-range-op.cc
index f7409e3..04e27d6 100644
--- a/gcc/gimple-range-op.cc
+++ b/gcc/gimple-range-op.cc
@@ -43,6 +43,7 @@ along with GCC; see the file COPYING3.  If not see
 #include "range.h"
 #include "value-query.h"
 #include "gimple-range.h"
+#include "attr-fnspec.h"
 
 // Given stmt S, fill VEC, up to VEC_SIZE elements, with relevant ssa-names
 // on the statement.  For efficiency, it is an error to not pass in enough
@@ -984,14 +985,16 @@ gimple_range_op_handler::maybe_builtin_call ()
       m_int = &op_cfn_parity;
       break;
 
-    case CFN_BUILT_IN_EXPECT:
-    case CFN_BUILT_IN_EXPECT_WITH_PROBABILITY:
-      m_valid = true;
-      m_op1 = gimple_call_arg (call, 0);
-      m_int = &op_cfn_pass_through_arg1;
-      break;
-
     default:
-      break;
+      {
+	unsigned arg;
+	if (gimple_call_fnspec (call).returns_arg (&arg) && arg == 0)
+	  {
+	    m_valid = true;
+	    m_op1 = gimple_call_arg (call, 0);
+	    m_int = &op_cfn_pass_through_arg1;
+	  }
+	break;
+      }
     }
 }