https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105329
--- Comment #5 from Andrew Macleod <amacleod at redhat dot com> ---
Before inlining, the general code sees:

  if (_27 <= __s_53(D))
    goto <bb 36>; [INV]
  else
    goto <bb 40>; [INV]

  <bb40>
  _34 = _27 - __s_53(D);
  __nleft_64 = (const size_type) _34

The branch now registers the relation that __s_53 < _27, and this allows us to now determine that _34 and _nleft_64 are [1, 0x7FFFFFFF]

Then we inline this code, and by the time we get to the restrict code, we have the following IL:

  <bb 9> [local count: 89889908]:
  if (_22 >= &MEM <const char[2]> [(void *)"5" + 1B])
    goto <bb 10>; [50.00%]
  else
    goto <bb 11>; [50.00%]

  <..>

  <bb 11> [local count: 44944954]:
  if (_22 <= "5")
    goto <bb 12>; [50.00%]
  else
    goto <bb 13>; [50.00%]

  <...>

  <bb 13> [local count: 22472477]:
  _48 = _22 - "5";
  if (_48 == 1)
    goto <bb 14>; [34.00%]
  else
    goto <bb 15>; [66.00%]

  <bb 14> [local count: 7640642]:
  MEM[(char_type &)_22] = 53;
  pretmp_64 = MEM[(const struct basic_string *)s_2(D)]._M_dataplus._M_p;
  goto <bb 19>;

  <bb15>
  __nleft_49 = (const size_type) _48;
  __builtin_memcpy (_22, "5", __nleft_49);
  _28 = 1 - __nleft_49;
  _29 = _22 + 1;
  _140 = _22 + __nleft_49;
  __builtin_memcpy (_140, _29, _28);

Our problem seems rooted in the calculation of _28. Ranger has figured out via feeding calculations based on the comparisons that nleft_49 cannot be 0 or 1 either, and therefore must be [2, 0x7FFFFFFF]

But it means that

  _28 = 1 - __nleft_49;

becomes a calculated range of [9223372036854775810, +INF]

And that makes the warning code very unhappy when it is used as the number of bytes in the second memcpy.

Previously, we hadn't made some of these conclusions, so we were looking at VARYING, so the warning code presumably ignored it.

This code is actually dead, but it's not being figured out. The pointer tracking does not recognize that if this branch is NOT taken:

  if (_22 >= &MEM <const char[2]> [(void *)"5" + 1B])

then we follow the following sequence:

  <bb 11> [local count: 44944954]:
  if (_22 <= "5")
    goto <bb 12>; [50.00%]
  else
    goto <bb 13>; [50.00%]

  <bb 12> [local count: 22472477]:
  _42 = "5" - _22;
  _43 = (long unsigned int) _42;
  __poff_45 = _43 + 1;
  _46 = _22 + __poff_45;
  _47 = MEM[(const char_type &)_46];
  MEM[(char_type &)_22] = _47;
  pretmp_83 = MEM[(const struct basic_string *)s_2(D)]._M_dataplus._M_p;
  goto <bb 19>; [100.00%]

  <bb 13> [local count: 22472477]:
  _48 = _22 - "5";
  if (_48 == 1)

I believe the very first if can never take the edge 11->13... and thus the rest of that code should go.

For the general case, the tracking of _22 needs to recognize that when we get to bb12 the expression "5" - 22 and in bb13 _22 - "5" have very strict ranges. In fact, they are [0,0] in this case I think.

That is certainly beyond ranger's current capabilities. I thought that the reference tracking used by the warning system tried to do that.

Regardless, when we introduce prange (pointer ranges) next cycle perhaps there is something we can do to track the base and offsets based on the conditions.
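
The range arithmetic described in the comment above, as an added example that is not part of the original comment and is not GCC's ranger code. It is a simplified interval model with hypothetical names (urange, exclude, const_minus, size_can_be_valid), and it assumes a 64-bit size_type whose upper bound is the signed 64-bit maximum, the value that reproduces the lower bound 9223372036854775810 quoted for _28.

```c
#include <stdint.h>
#include <stdio.h>

/* Closed interval of unsigned 64-bit values with lo <= hi.
   Hypothetical model type, not GCC's own range class. */
struct urange { uint64_t lo, hi; };

/* False edge of "x == v": drop v when it sits on an endpoint. */
static struct urange exclude(struct urange r, uint64_t v)
{
    if (r.lo < r.hi && r.lo == v) r.lo++;
    else if (r.lo < r.hi && r.hi == v) r.hi--;
    return r;
}

/* Range of (c - x) modulo 2^64 for x in r.  Subtracting from a constant
   reverses the order, so the bounds swap.  If r straddles c, only part of
   the results wrap and the model gives up (VARYING). */
static struct urange const_minus(uint64_t c, struct urange r)
{
    struct urange varying = { 0, UINT64_MAX };
    struct urange out = { c - r.hi, c - r.lo };
    return (r.lo <= c && c < r.hi) ? varying : out;
}

/* A byte count is plausible only if some value in the range fits in an
   object, i.e. does not exceed the signed 64-bit maximum. */
static int size_can_be_valid(struct urange r)
{
    return r.lo <= (uint64_t)INT64_MAX;
}

/* Range of _28 = 1 - __nleft_49 as described in the comment. */
static struct urange second_memcpy_len(void)
{
    /* Assumed: [1, INT64_MAX] on the else edge of "_22 <= "5"". */
    struct urange nleft = { 1, (uint64_t)INT64_MAX };
    nleft = exclude(nleft, 1);          /* false edge of "_48 == 1" */
    return const_minus(1, nleft);
}

int main(void)
{
    struct urange r = second_memcpy_len();
    printf("_28 in [%llu, %llu], plausible size: %d\n",
           (unsigned long long)r.lo, (unsigned long long)r.hi,
           size_can_be_valid(r));
    return 0;
}
```

With a VARYING input the same model returns VARYING, which still contains plausible sizes; only the narrowed input pushes every value of the length past what any object can hold.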