https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105329

--- Comment #5 from Andrew Macleod <amacleod at redhat dot com> ---

Before inlining, the general code sees:
  if (_27 <= __s_53(D))
    goto <bb 36>; [INV]
  else
    goto <bb 40>; [INV]

<bb40>
  _34 = _27 - __s_53(D);
  __nleft_64 = (const size_type) _34

The branch now registers the relation that __s_53 < _27, and this allows us to
now determine that _34 and __nleft_64 are [1, 0x7FFFFFFF].


Then we inline this code, and by the time we get to the restrict code, we have
the following IL:
 <bb 9> [local count: 89889908]:
  if (_22 >= &MEM <const char[2]> [(void *)"5" + 1B])
    goto <bb 10>; [50.00%]
  else
    goto <bb 11>; [50.00%]

<..>

 <bb 11> [local count: 44944954]:
  if (_22 <= "5")
    goto <bb 12>; [50.00%]
  else
    goto <bb 13>; [50.00%]

<...>

<bb 13> [local count: 22472477]:
  _48 = _22 - "5";
  if (_48 == 1)
    goto <bb 14>; [34.00%]
  else
    goto <bb 15>; [66.00%]

<bb 14> [local count: 7640642]:
  MEM[(char_type &)_22] = 53;
  pretmp_64 = MEM[(const struct basic_string *)s_2(D)]._M_dataplus._M_p;
  goto <bb 19>;

<bb15>
  __nleft_49 = (const size_type) _48;
  __builtin_memcpy (_22, "5", __nleft_49);
  _28 = 1 - __nleft_49;
  _29 = _22 + 1;
  _140 = _22 + __nleft_49;
  __builtin_memcpy (_140, _29, _28);


Our problem seems rooted in the calculation of _28. 

Ranger has figured out via feeding calculations based on the comparisons that
__nleft_49 cannot be 0 or 1 either, and therefore must be [2, 0x7FFFFFFF].

But it means that 
  _28 = 1 - __nleft_49;
becomes a calculated range of [9223372036854775810, +INF].
And that makes the warning code very unhappy when it is used as the number of
bytes in the second memcpy. Previously, we hadn't made some of these
conclusions, so we were looking at VARYING, so the warning code presumably
ignored it.

This code is actually dead, but it's not being figured out.

The pointer tracking does not recognize that if this branch is NOT taken:
  if (_22 >= &MEM <const char[2]> [(void *)"5" + 1B])

then we follow the following sequence:

  <bb 11> [local count: 44944954]:
  if (_22 <= "5")
    goto <bb 12>; [50.00%]
  else
    goto <bb 13>; [50.00%]

  <bb 12> [local count: 22472477]:
  _42 = "5" - _22;
  _43 = (long unsigned int) _42;
  __poff_45 = _43 + 1;
  _46 = _22 + __poff_45;
  _47 = MEM[(const char_type &)_46];
  MEM[(char_type &)_22] = _47;
  pretmp_83 = MEM[(const struct basic_string *)s_2(D)]._M_dataplus._M_p;
  goto <bb 19>; [100.00%]

  <bb 13> [local count: 22472477]:
  _48 = _22 - "5";
  if (_48 == 1)

I believe the very first if can never take the edge 11->13... and thus the rest
of that code should go.

For the general case, the tracking of _22 needs to recognize that when we get
to bb12 the expression "5" - _22, and in bb13 _22 - "5", have very strict
ranges. In fact, they are [0,0] in this case, I think.

That is certainly beyond ranger's current capabilities. I thought that the
reference tracking used by the warning system tried to do that. Regardless,
when we introduce prange (pointer ranges) next cycle perhaps there is something
we can do to track the base and offsets based on the conditions.
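
The range arithmetic behind `_28 = 1 - __nleft_49`, as an added example that is not part of the original comment and is not GCC's ranger code: a simplified unsigned-interval model showing why a VARYING operand stays quiet while a narrowed one produces a memcpy size that is provably too large. The names `urange`, `const_minus` and `size_certainly_too_large` are hypothetical, and the model assumes a 64-bit size_type with upper bound 0x7FFFFFFFFFFFFFFF, the value for which the subtraction yields the lower bound quoted in the comment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an unsigned 64-bit value range [lo, hi].
   [0, UINT64_MAX] stands for VARYING (nothing known). */
typedef struct { uint64_t lo, hi; } urange;

static const urange VARYING = { 0, UINT64_MAX };

/* Assumption: objects cannot exceed PTRDIFF_MAX bytes on an LP64 target. */
#define MAX_OBJECT_SIZE ((uint64_t)INT64_MAX)

bool is_varying(urange r) { return r.lo == 0 && r.hi == UINT64_MAX; }

/* Range of (c - x) for x in r, computed modulo 2^64 as for size_type. */
urange const_minus(uint64_t c, urange r)
{
    if (is_varying(r))
        return VARYING;
    bool lo_wraps = r.hi > c;   /* c - r.hi underflows */
    bool hi_wraps = r.lo > c;   /* c - r.lo underflows */
    /* Only one end wrapping means the result straddles 0 and is not a
       single interval; this model widens that to VARYING. */
    if (lo_wraps != hi_wraps)
        return VARYING;
    return (urange){ c - r.hi, c - r.lo };
}

/* A byte count whose minimum already exceeds any object is provably bad. */
bool size_certainly_too_large(urange n) { return n.lo > MAX_OBJECT_SIZE; }

int main(void)
{
    /* Constructed inputs: nleft with 1 still possible, then with 0 and 1 excluded. */
    urange cases[] = { VARYING, { 1, INT64_MAX }, { 2, INT64_MAX } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        urange n = const_minus(1, cases[i]);   /* _28 = 1 - __nleft_49 */
        printf("nleft=[%llu, %llu] -> _28=[%llu, %llu] %s\n",
               (unsigned long long)cases[i].lo, (unsigned long long)cases[i].hi,
               (unsigned long long)n.lo, (unsigned long long)n.hi,
               size_certainly_too_large(n) ? "WARN" : "quiet");
    }
    return 0;
}
```

Only the last case, where both 0 and 1 have been excluded, yields a single interval whose minimum is above the maximum object size.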
