From 65369ab62cee68eb7f6ef65e3d12d1969a9e20ee Mon Sep 17 00:00:00 2001
From: Richard Biener
Date: Fri, 17 Mar 2023 13:14:49 +0100
Subject: tree-optimization/109170 - bogus use-after-free with __builtin_expect

The following generalizes the range-op for __builtin_expect by using the fnspec machinery.

PR tree-optimization/109170
* gimple-range-op.cc (gimple_range_op_handler::maybe_builtin_call): Handle __builtin_expect and similar via cfn_pass_through_arg1 and inspecting the calls fnspec.
* builtins.cc (builtin_fnspec): Handle BUILT_IN_EXPECT and BUILT_IN_EXPECT_WITH_PROBABILITY.
---
 gcc/gimple-range-op.cc | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
(limited to 'gcc/gimple-range-op.cc')
diff --git a/gcc/gimple-range-op.cc b/gcc/gimple-range-op.cc
index f7409e3..04e27d6 100644
--- a/gcc/gimple-range-op.cc
+++ b/gcc/gimple-range-op.cc
@@ -43,6 +43,7 @@ along with GCC; see the file COPYING3. If not see
 #include "range.h"
 #include "value-query.h"
 #include "gimple-range.h"
+#include "attr-fnspec.h"

 // Given stmt S, fill VEC, up to VEC_SIZE elements, with relevant ssa-names
 // on the statement. For efficiency, it is an error to not pass in enough
@@ -984,14 +985,16 @@ gimple_range_op_handler::maybe_builtin_call ()
 m_int = &op_cfn_parity;
 break;

- case CFN_BUILT_IN_EXPECT:
- case CFN_BUILT_IN_EXPECT_WITH_PROBABILITY:
- m_valid = true;
- m_op1 = gimple_call_arg (call, 0);
- m_int = &op_cfn_pass_through_arg1;
- break;
-
 default:
- break;
+ {
+ unsigned arg;
+ if (gimple_call_fnspec (call).returns_arg (&arg) && arg == 0)
+ {
+ m_valid = true;
+ m_op1 = gimple_call_arg (call, 0);
+ m_int = &op_cfn_pass_through_arg1;
+ }
+ break;
+ }
 }
 }
--
cgit v1.1
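Review bot: The new `default:` branch in the second hunk (`maybe_builtin_call`) carries no comment, although it now applies to every call whose fnspec reports that it returns its first argument, not only the two `__builtin_expect` variants that the removed case labels named. I would add a comment above the block, for example `// Any call whose fnspec says it returns argument 0 (e.g. __builtin_expect) passes that argument's range through.`, so the link to the fnspec entries mentioned in the commit message for builtins.cc stays discoverable from this file. Because the set of matching calls is now open-ended, it is also worth confirming that the type of the call result and the type of `gimple_call_arg (call, 0)` are always suitable for `op_cfn_pass_through_arg1`. The earlier part of the function that would establish this lies outside the hunk, so this is a question rather than a confirmed defect.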