Patchwork [RFA] Isolate erroneous paths optimization

login
register
mail settings
Submitter Jeff Law
Date Oct. 31, 2013, 6:11 a.m.
Message ID <5271F493.4020308@redhat.com>
Download mbox | patch
Permalink /patch/287400/
State New
Headers show

Comments

Jeff Law - Oct. 31, 2013, 6:11 a.m.
I've incorporated the various suggestions from Marc and Richi, except 
for Richi's to integrate this into jump threading.

I've also made the following changes since the last version:

   1. Added more testcases.

   2. Use infer_nonnull_range, moving it from tree-vrp.c
   into gimple.c.  Minor improvements to infer_nonnull_range
   to make it handle more cases we care about and avoid using
   unnecessary routines from tree-ssa.c (which can now be removed)

   3. Multiple undefined statements in a block are handled in the
   logical way.

Bootstrapped and regression tested on x86_64-unknown-linux-gnu.  OK for 
the trunk?

Thanks,
Jeff
* Makefile.in (OBJS): Add gimple-ssa-isolate-paths.o
	* common.opt (-fisolate-erroneous-paths): Add option and
	documentation.
	* gimple-ssa-isolate-paths.c: New file.
	* gimple.c (check_loadstore): New function.
	(infer_nonnull_range): Moved into gimple.c from tree-vrp.c
	Verify OP is in the argument list and the argument corresponding
	to OP is a pointer type.  Use operand_equal_p rather than
	pointer equality when testing if OP is on the nonnull list.
	Use check_loadstore rather than count_ptr_derefs.  Handle
	GIMPLE_RETURN statements.
	* tree-vrp.c (infer_nonnull_range): Remove.
	* gimple.h (infer_nonnull_range): Declare.
	(gsi_start_nondebug_after_labels): New function.
	* opts.c (default_options_table): Add OPT_fisolate_erroneous_paths.
	* passes.def: Add pass_isolate_erroneous_paths.
	* timevar.def (TV_ISOLATE_ERRONEOUS_PATHS): New timevar.
	* tree-pass.h (make_pass_isolate_erroneous_paths): Declare.
	* tree-ssa.c (struct count_ptr_d): Remove.
	(count_ptr_derefs, count_uses_and_derefs): Remove.
	* tree-ssa.h (count_uses_and_derefs): Remove.
	


	* gcc.dg/pr38984.c: Add -fno-isolate-erroneous-paths.
	* gcc.dg/tree-ssa/20030711-3.c: Update expected output.
	* gcc.dg/tree-ssa/isolate-1.c: New test.
	* gcc.dg/tree-ssa/isolate-2.c: New test.
	* gcc.dg/tree-ssa/isolate-3.c: New test.
	* gcc.dg/tree-ssa/isolate-4.c: New test.
Richard Guenther - Nov. 4, 2013, 1:19 p.m.
On Thu, Oct 31, 2013 at 7:11 AM, Jeff Law <law@redhat.com> wrote:
>
> I've incorporated the various suggestions from Marc and Richi, except for
> Richi's to integrate this into jump threading.
>
> I've also made the following changes since the last version:
>
>   1. Added more testcases.
>
>   2. Use infer_nonnull_range, moving it from tree-vrp.c
>   into gimple.c.  Minor improvements to infer_nonnull_range
>   to make it handle more cases we care about and avoid using
>   unnecessary routines from tree-ssa.c (which can now be removed)
>
>   3. Multiple undefined statements in a block are handled in the
>   logical way.
>
> Bootstrapped and regression tested on x86_64-unknown-linux-gnu.  OK for the
> trunk?

Comments inline

> Thanks,
> Jeff
>
>         * Makefile.in (OBJS): Add gimple-ssa-isolate-paths.o
>         * common.opt (-fisolate-erroneous-paths): Add option and
>         documentation.
>         * gimple-ssa-isolate-paths.c: New file.
>         * gimple.c (check_loadstore): New function.
>         (infer_nonnull_range): Moved into gimple.c from tree-vrp.c
>         Verify OP is in the argument list and the argument corresponding
>         to OP is a pointer type.  Use operand_equal_p rather than
>         pointer equality when testing if OP is on the nonnull list.
>         Use check_loadstore rather than count_ptr_derefs.  Handle
>         GIMPLE_RETURN statements.
>         * tree-vrp.c (infer_nonnull_range): Remove.
>         * gimple.h (infer_nonnull_range): Declare.
>         (gsi_start_nondebug_after_labels): New function.
>         * opts.c (default_options_table): Add OPT_fisolate_erroneous_paths.
>         * passes.def: Add pass_isolate_erroneous_paths.
>         * timevar.def (TV_ISOLATE_ERRONEOUS_PATHS): New timevar.
>         * tree-pass.h (make_pass_isolate_erroneous_paths): Declare.
>         * tree-ssa.c (struct count_ptr_d): Remove.
>         (count_ptr_derefs, count_uses_and_derefs): Remove.
>         * tree-ssa.h (count_uses_and_derefs): Remove.
>
>
>
>         * gcc.dg/pr38984.c: Add -fno-isolate-erroneous-paths.
>         * gcc.dg/tree-ssa/20030711-3.c: Update expected output.
>         * gcc.dg/tree-ssa/isolate-1.c: New test.
>         * gcc.dg/tree-ssa/isolate-2.c: New test.
>         * gcc.dg/tree-ssa/isolate-3.c: New test.
>         * gcc.dg/tree-ssa/isolate-4.c: New test.
>
>
>
> diff --git a/gcc/Makefile.in b/gcc/Makefile.in
> index 29609fd..7e9a702 100644
> --- a/gcc/Makefile.in
> +++ b/gcc/Makefile.in
> @@ -1233,6 +1233,7 @@ OBJS = \
>         gimple-fold.o \
>         gimple-low.o \
>         gimple-pretty-print.o \
> +       gimple-ssa-isolate-paths.o \
>         gimple-ssa-strength-reduction.o \
>         gimple-streamer-in.o \
>         gimple-streamer-out.o \
> diff --git a/gcc/common.opt b/gcc/common.opt
> index deeb3f2..6db9f56 100644
> --- a/gcc/common.opt
> +++ b/gcc/common.opt
> @@ -2104,6 +2104,12 @@ foptimize-strlen
>  Common Report Var(flag_optimize_strlen) Optimization
>  Enable string length optimizations on trees
>
> +fisolate-erroneous-paths
> +Common Report Var(flag_isolate_erroneous_paths) Init(1) Optimization

Drop Init(1) (see below)

> +Detect paths which trigger erroneous or undefined behaviour.  Isolate those
> +paths from the main control flow and turn the statement with erroneous or
> +undefined behaviour into a trap.
> +
>  ftree-loop-distribution
>  Common Report Var(flag_tree_loop_distribution) Optimization
>  Enable loop distribution on trees
> diff --git a/gcc/gimple-ssa-isolate-paths.c b/gcc/gimple-ssa-isolate-paths.c
> new file mode 100644
> index 0000000..aa526cc
> --- /dev/null
> +++ b/gcc/gimple-ssa-isolate-paths.c
> @@ -0,0 +1,332 @@
> +/* Detect paths through the CFG which can never be executed in a conforming
> +   program and isolate them.
> +
> +   Copyright (C) 2013
> +   Free Software Foundation, Inc.
> +
> +This file is part of GCC.
> +
> +GCC is free software; you can redistribute it and/or modify
> +it under the terms of the GNU General Public License as published by
> +the Free Software Foundation; either version 3, or (at your option)
> +any later version.
> +
> +GCC is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +GNU General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with GCC; see the file COPYING3.  If not see
> +<http://www.gnu.org/licenses/>.  */
> +
> +#include "config.h"
> +#include "system.h"
> +#include "coretypes.h"
> +#include "tree.h"
> +#include "flags.h"
> +#include "basic-block.h"
> +#include "gimple.h"
> +#include "tree-ssa.h"
> +#include "gimple-ssa.h"
> +#include "tree-ssa-operands.h"
> +#include "tree-phinodes.h"
> +#include "ssa-iterators.h"
> +#include "cfgloop.h"
> +#include "tree-pass.h"
> +
> +
> +static bool cfg_altered;
> +
> +/* BB when reached via incoming edge E will exhibit undefined behaviour
> +   at STMT.  Isolate and optimize the path which exhibits undefined
> +   behaviour.
> +
> +   Isolation is simple.  Duplicate BB and redirect E to BB'.
> +
> +   Optimization is simple as well.  Replace STMT in BB' with an
> +   unconditional trap and remove all outgoing edges from BB'.
> +
> +   DUPLICATE is a pre-existing duplicate, use it as BB' if it exists.
> +
> +   Return BB'.  */
> +
> +basic_block
> +isolate_path (basic_block bb, basic_block duplicate, edge e, gimple stmt)
> +{
> +  gimple_stmt_iterator si, si2;
> +  edge_iterator ei;
> +  edge e2;
> +
> +
> +  /* First duplicate BB if we have not done so already and remove all
> +     the duplicate's outgoing edges as duplicate is going to
> unconditionally
> +     trap.  Removing the outgoing edges is both an optimization and ensures
> +     we don't need to do any PHI node updates.  */
> +  if (!duplicate)
> +    {
> +      duplicate = duplicate_block (bb, NULL, NULL);
> +      for (ei = ei_start (duplicate->succs); (e2 = ei_safe_edge (ei)); )
> +       remove_edge (e2);
> +    }
> +
> +  /* Complete the isolation step by redirecting E to reach DUPLICATE.  */
> +  e2 = redirect_edge_and_branch (e, duplicate);
> +  if (e2)
> +    flush_pending_stmts (e2);
> +
> +
> +  /* There may be more than one statement in DUPLICATE which exhibits
> +     undefined behaviour.  Ultimately we want the first such statement in
> +     DUPLCIATE so that we're able to delete as much code as possible.
> +
> +     So each time we discover undefined behaviour in DUPLICATE, search for
> +     the statement which triggers undefined behaviour.  If found, then
> +     transform the statement into a trap and delete everything after the
> +     statement.  If not found, then this particular instance was subsumed
> by
> +     an earlier instance of undefined behaviour and there's nothing to do.
> +
> +     This is made more complicated by the fact that we have STMT, which is
> in
> +     BB rather than in DUPLICATE.  So we set up two iterators, one for each
> +     block and walk forward looking for STMT in BB, advancing each iterator
> at
> +     each step.
> +
> +     When we find STMT the second iterator should point to STMT's
> equivalent in
> +     duplicate.  If DUPLICATE ends before STMT is found in BB, then there's
> +     nothing to do.
> +
> +     Ignore labels and debug statements.  */
> +  si = gsi_start_nondebug_after_labels (bb);
> +  si2 = gsi_start_nondebug_after_labels (duplicate);
> +  while (!gsi_end_p (si) && !gsi_end_p (si2) && gsi_stmt (si) != stmt)
> +    {
> +      gsi_next_nondebug (&si);
> +      gsi_next_nondebug (&si2);
> +    }
> +
> +  /* This would be an indicator that we never found STMT in BB, which
> should
> +     never happen.  */
> +  gcc_assert (!gsi_end_p (si));
> +
> +  /* If we did not run to the end of DUPLICATE, then SI points to STMT and
> +     SI2 points to the duplicate of STMT in DUPLICATE.  */
> +  if (!gsi_end_p (si2))
> +    {
> +      /* SI2 is the iterator in the duplicate block and it now points
> +        to our victim statement.  */
> +      gimple_seq seq = NULL;
> +      gimple stmt
> +       = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
> +      gimple_seq_add_stmt (&seq, stmt);
> +      gsi_insert_before (&si2, seq, GSI_SAME_STMT);
> +      /* Now delete all remaining statements in this block.  */
> +      for (; !gsi_end_p (si2);)
> +       gsi_remove (&si2, true);

Please do

   stmt = gsi_stmt (si2);
   unlink_stmt_vdef (stmt);
   gsi_remove (&si2, true);
   release_defs (stmt);

to "completely" remove the stmts correctly (you've left SSA names
unreleased and virtual SSA form broken).

> +    }
> +
> +  return duplicate;
> +}
> +
> +/* Search the function for statements which, if executed, would cause
> +   the program to fault such as a dereference of a NULL pointer.
> +
> +   Such a program can't be valid if such a statement was to execute
> +   according to ISO standards.
> +
> +   We detect explicit NULL pointer dereferences as well as those implied
> +   by a PHI argument having a NULL value which unconditionally flows into
> +   a dereference in the same block as the PHI.
> +
> +   In the former case we replace the offending statement with an
> +   unconditional trap and eliminate the outgoing edges from the statement's
> +   basic block.  This may expose secondary optimization opportunities.
> +
> +   In the latter case, we isolate the path(s) with the NULL PHI
> +   feeding the dereference.  We can then replace the offending statement
> +   and eliminate the outgoing edges in the duplicate.  Again, this may
> +   expose secondary optimization opportunities.
> +
> +   A warning for both cases may be advisable as well.
> +
> +   Other statically detectable violations of the ISO standard could be
> +   handled in a similar way, such as out-of-bounds array indexing.  */
> +
> +static unsigned int
> +gimple_ssa_isolate_erroneous_paths (void)
> +{
> +  basic_block bb;
> +
> +  initialize_original_copy_tables ();
> +
> +  /* Search all the blocks for edges which, if traversed, will
> +     result in undefined behaviour.  */
> +  cfg_altered = false;
> +  FOR_EACH_BB (bb)
> +    {
> +      gimple_stmt_iterator si;
> +
> +      /* First look for a PHI which sets a pointer to NULL and which
> +        is then dereferenced within BB.  This is somewhat overly
> +        conservative, but probably catches most of the interesting
> +        cases.   */
> +      for (si = gsi_start_phis (bb); !gsi_end_p (si); gsi_next (&si))
> +       {
> +         gimple phi = gsi_stmt (si);
> +         tree lhs = gimple_phi_result (phi);
> +
> +         /* If the result is not a pointer, then there is no need to
> +            examine the arguments.  */
> +         if (!POINTER_TYPE_P (TREE_TYPE (lhs)))
> +           continue;
> +
> +         /* PHI produces a pointer result.  See if any of the PHI's
> +            arguments are NULL.
> +
> +            When we remove an edge, we want to reprocess the current
> +            index, hence the ugly way we update I for each iteration.  */
> +         basic_block duplicate = NULL;
> +         for (unsigned i = 0, next_i = 0;
> +              i < gimple_phi_num_args (phi);
> +              i = next_i)
> +           {
> +             tree op = gimple_phi_arg_def (phi, i);
> +
> +             next_i = i + 1;
> +             if (integer_zerop (op))
> +               {

I always prefer

                   if (!integer_zerop (op))
                     continue;

to reduce indentation of following code (but that's personal
preference).

> +                 edge e = gimple_phi_arg_edge (phi, i);
> +                 imm_use_iterator iter;
> +                 gimple use_stmt;
> +
> +                 /* We've got a NULL PHI argument.  Now see if the
> +                    PHI's result is dereferenced within BB.  */
> +                 FOR_EACH_IMM_USE_STMT (use_stmt, iter, lhs)
> +                   {
> +                     /* We only care about uses in BB which are
> assignements
> +                        with memory operands.
> +
> +                        We could see if any uses are as function arguments
> +                        when the callee has marked the argument as being
> +                        non-null.  */
> +                     if (gimple_bb (use_stmt) != bb
> +                         || (!is_gimple_assign (use_stmt)
> +                             && !is_gimple_call (use_stmt)
> +                             && gimple_code (use_stmt) != GIMPLE_RETURN))

any reason for this restrictions on use_stmt?

> +                       continue;
> +
> +                     if (infer_nonnull_range (use_stmt, lhs))
> +                       {
> +                         duplicate = isolate_path (bb, duplicate,
> +                                                   e, use_stmt);
> +
> +                         /* When we remove an incoming edge, we need to
> +                            reprocess the Ith element.  */
> +                         next_i = i;
> +                         cfg_altered = true;
> +                       }
> +                   }
> +               }
> +           }
> +       }
> +
> +      /* Now look at the statements in the block and see if any of
> +        them explicitly dereference a NULL pointer.  Believe it or
> +        not, this does happen from time to time.  */

"happens because of constant propagation."

> +      for (si = gsi_start_bb (bb); !gsi_end_p (si); gsi_next (&si))
> +       {
> +         gimple stmt = gsi_stmt (si);
> +
> +

extra vertical space

> +         /* By passing null_pointer_node, we can use infer_nonnull_range
> +            to detect explicit NULL pointer dereferences and other uses
> +            where a non-NULL value is required.  */
> +         if (infer_nonnull_range (stmt, null_pointer_node))
> +           {
> +             /* First insert a TRAP before this statement.  */
> +             gimple_seq seq = NULL;
> +             tree t
> +               = build_call_expr_loc (0,

Use the location of 'stmt'?

> +                                      builtin_decl_explicit
> (BUILT_IN_TRAP),
> +                                      0);
> +             gimplify_and_add (t, &seq);
> +             gsi_insert_before (&si, seq, GSI_SAME_STMT);

and please build GIMPLE directly here as well.

> +             /* Now delete all remaining statements in this block.  */
> +             for (gimple_stmt_iterator si2 = si; !gsi_end_p (si2);)
> +               gsi_remove (&si2, true);

See above.

Maybe you can split this common functionality out into a helper.

> +             /* And finally, remove all outgoing edges from BB.  */
> +             edge e;
> +             for (edge_iterator ei = ei_start (bb->succs);
> +                  (e = ei_safe_edge (ei)); )
> +               remove_edge (e);
> +
> +             /* Ignore any more operands on this statement and
> +                continue the statement iterator (which should
> +                terminate its loop immediately.  */
> +             cfg_altered = true;
> +             break;
> +           }
> +       }
> +    }
> +  free_original_copy_tables ();
> +
> +  /* We scramble the CFG and loop structures a bit, clean up
> +     appropriately.  We really should incrementally update the
> +     loop structures, in theory it shouldn't be that hard.  */
> +  if (cfg_altered)
> +    {
> +      free_dominance_info (CDI_DOMINATORS);
> +      free_dominance_info (CDI_POST_DOMINATORS);
> +      loops_state_set (LOOPS_NEED_FIXUP);
> +      return TODO_cleanup_cfg | TODO_update_ssa;
> +    }
> +  return 0;
> +}
> +
> +static bool
> +gate_isolate_erroneous_paths (void)
> +{
> +  /* If we do not have a suitable builtin function for the trap statement,
> +     then do not perform the optimization.  */
> +  return (flag_isolate_erroneous_paths != 0
> +         && builtin_decl_explicit (BUILT_IN_TRAP) != NULL);

I don't think this can happen.

> +}
> +
> +namespace {
> +const pass_data pass_data_isolate_erroneous_paths =
> +{
> +  GIMPLE_PASS, /* type */
> +  "isolate-paths", /* name */
> +  OPTGROUP_NONE, /* optinfo_flags */
> +  true, /* has_gate */
> +  true, /* has_execute */
> +  TV_ISOLATE_ERRONEOUS_PATHS, /* tv_id */
> +  ( PROP_cfg | PROP_ssa ), /* properties_required */
> +  0, /* properties_provided */
> +  0, /* properties_destroyed */
> +  0, /* todo_flags_start */
> +  TODO_verify_ssa, /* todo_flags_finish */
> +};
> +
> +class pass_isolate_erroneous_paths : public gimple_opt_pass
> +{
> +public:
> +  pass_isolate_erroneous_paths (gcc::context *ctxt)
> +    : gimple_opt_pass (pass_data_isolate_erroneous_paths, ctxt)
> +  {}
> +
> +  /* opt_pass methods: */
> +  opt_pass * clone () { return new pass_isolate_erroneous_paths (m_ctxt); }
> +  bool gate () { return gate_isolate_erroneous_paths (); }
> +  unsigned int execute () { return gimple_ssa_isolate_erroneous_paths (); }
> +
> +}; // class pass_uncprop
> +}
> +
> +gimple_opt_pass *
> +make_pass_isolate_erroneous_paths (gcc::context *ctxt)
> +{
> +  return new pass_isolate_erroneous_paths (ctxt);
> +}
> diff --git a/gcc/gimple.c b/gcc/gimple.c
> index 3ddceb9..fbb1393 100644
> --- a/gcc/gimple.c
> +++ b/gcc/gimple.c
> @@ -4083,6 +4083,87 @@ nonfreeing_call_p (gimple call)
>    return false;
>  }
>
> +/* Callback for walk_stmt_load_store_ops.
> +
> +   Return TRUE if OP will dereference the tree stored in DATA, FALSE
> +   otherwise.
> +
> +   This routine only makes a superficial check for a dereference.  Thus
> +   it must only be used if it is safe to return a false negative.  */
> +static bool
> +check_loadstore (gimple stmt ATTRIBUTE_UNUSED, tree op, void *data)
> +{
> +  if ((TREE_CODE (op) == MEM_REF || TREE_CODE (op) == TARGET_MEM_REF)
> +      && operand_equal_p (TREE_OPERAND (op, 0), (tree)data, 0))

As you are interested in pointer dereferences and we are in SSA form
you can use pointer equality:

           && TREE_OPERAND (op, 0) == (tree) data

note that this should also work for memory inputs/outputs of ASMs
and for dereferences in calls (happens for aggregate arguments
and return values).  So in theory it should work for all kind of stmts
(or walk_stmt_load_store_addr_ops would have a bug).

> +    return true;
> +  return false;
> +}
> +
> +/* If OP can be inferred to be non-zero after STMT executes, return true.
> */
> +
> +bool
> +infer_nonnull_range (gimple stmt, tree op)
> +{
> +  /* We can only assume that a pointer dereference will yield
> +     non-NULL if -fdelete-null-pointer-checks is enabled.  */
> +  if (!flag_delete_null_pointer_checks
> +      || !POINTER_TYPE_P (TREE_TYPE (op))
> +      || gimple_code (stmt) == GIMPLE_ASM)
> +    return false;
> +
> +  if (walk_stmt_load_store_ops (stmt, (void *)op,
> +                               check_loadstore, check_loadstore))
> +    return true;
> +
> +  if (is_gimple_call (stmt) && !gimple_call_internal_p (stmt))
> +    {
> +      tree fntype = gimple_call_fntype (stmt);
> +      tree attrs = TYPE_ATTRIBUTES (fntype);
> +      for (; attrs; attrs = TREE_CHAIN (attrs))
> +       {
> +         attrs = lookup_attribute ("nonnull", attrs);
> +
> +         /* If "nonnull" wasn't specified, we know nothing about
> +            the argument.  */
> +         if (attrs == NULL_TREE)
> +           return false;
> +
> +         /* If "nonnull" applies to all the arguments, then ARG
> +            is non-null if it's in the argument list.  */
> +         if (TREE_VALUE (attrs) == NULL_TREE)
> +           {
> +             for (unsigned int i = 0; i < gimple_call_num_args (stmt); i++)
> +               {
> +                 if (operand_equal_p (op, gimple_call_arg (stmt, i), 0)

See above (pointer comparison).

> +                     && POINTER_TYPE_P (TREE_TYPE (gimple_call_arg (stmt,
> i))))
> +                   return true;
> +               }
> +             return false;
> +           }
> +
> +         /* Now see if op appears in the nonnull list.  */
> +         for (tree t = TREE_VALUE (attrs); t; t = TREE_CHAIN (t))
> +           {
> +             int idx = TREE_INT_CST_LOW (TREE_VALUE (t)) - 1;
> +             tree arg = gimple_call_arg (stmt, idx);
> +             if (operand_equal_p (op, arg, 0))

See above.

> +               return true;
> +           }
> +       }
> +    }
> +
> +  /* If this function is marked as returning non-null, then we can
> +     infer OP is non-null if it is used in the return statement.  */
> +  if (gimple_code (stmt) == GIMPLE_RETURN
> +      && gimple_return_retval (stmt)
> +      && operand_equal_p (gimple_return_retval (stmt), op, 0)

See above.

> +      && lookup_attribute ("returns_nonnull",
> +                          TYPE_ATTRIBUTES (TREE_TYPE
> (current_function_decl))))
> +    return true;
> +
> +  return false;
> +}
> +
>  /* Create a new VAR_DECL and copy information from VAR to it.  */
>
>  tree
> diff --git a/gcc/gimple.h b/gcc/gimple.h
> index e34411d..4d00493 100644
> --- a/gcc/gimple.h
> +++ b/gcc/gimple.h
> @@ -1088,6 +1088,7 @@ extern void dump_decl_set (FILE *, bitmap);
>  extern bool gimple_can_coalesce_p (tree, tree);
>  extern bool nonfreeing_call_p (gimple);
>  extern tree copy_var_decl (tree, tree, tree);
> +extern bool infer_nonnull_range (gimple, tree);
>
>  /* In trans-mem.c.  */
>  extern void diagnose_tm_safe_errors (tree);
> @@ -5533,6 +5534,20 @@ gsi_start_nondebug_bb (basic_block bb)
>    return i;
>  }
>
> +/* Return a new iterator pointing to the first non-debug, non-label
> statement
> +   in basic block BB.  */
> +
> +static inline gimple_stmt_iterator
> +gsi_start_nondebug_after_labels (basic_block bb)
> +{
> +  gimple_stmt_iterator gsi = gsi_start_nondebug_bb (bb);
> +
> +  while (!gsi_end_p (gsi) && gimple_code (gsi_stmt (gsi)) == GIMPLE_LABEL)
> +    gsi_next_nondebug (&gsi);
> +
> +  return gsi;
> +}
> +
>  /* Return a new iterator pointing to the last non-debug statement in
>     basic block BB.  */
>
> diff --git a/gcc/opts.c b/gcc/opts.c
> index 728d36d..e1e09c7 100644
> --- a/gcc/opts.c
> +++ b/gcc/opts.c
> @@ -453,6 +453,7 @@ static const struct default_options
> default_options_table[] =
>      { OPT_LEVELS_1_PLUS, OPT_ftree_ch, NULL, 1 },
>      { OPT_LEVELS_1_PLUS, OPT_fcombine_stack_adjustments, NULL, 1 },
>      { OPT_LEVELS_1_PLUS, OPT_fcompare_elim, NULL, 1 },
> +    { OPT_LEVELS_1_PLUS, OPT_fisolate_erroneous_paths, NULL, 1 },

Why enable this at -O1?  We have -fno-strict-overflow, -fno-strict-aliasing
at -O1 so I'd rather defer this to -O2 and above (including -Os).

Otherwise the patch looks ok to me.

Thanks,
Richard.

>      { OPT_LEVELS_1_PLUS, OPT_ftree_slsr, NULL, 1 },
>
>      /* -O2 optimizations.  */
> diff --git a/gcc/passes.def b/gcc/passes.def
> index 404b790..1607b59 100644
> --- a/gcc/passes.def
> +++ b/gcc/passes.def
> @@ -166,9 +166,16 @@ along with GCC; see the file COPYING3.  If not see
>          is removed, and this place fits nicely.  Remember this when
>          trying to move or duplicate pass_dominator somewhere earlier.  */
>        NEXT_PASS (pass_dominator);
> +      /* At this point the majority of const/copy propagations
> +        are exposed.  Go ahead and identify paths that should never
> +        be executed in a conforming program and isolate those paths.
> +
> +        This will expose more degenerate PHIs in the main path and
> +        expose more PRE/DOM optimization opportunities.  */
> +      NEXT_PASS (pass_isolate_erroneous_paths);
>        /* The only const/copy propagation opportunities left after
> -        DOM should be due to degenerate PHI nodes.  So rather than
> -        run the full propagators, run a specialized pass which
> +        DOM and erroneous path isolation should be due to degenerate PHI
> nodes.
> +        So rather than run the full propagators, run a specialized pass
> which
>          only examines PHIs to discover const/copy propagation
>          opportunities.  */
>        NEXT_PASS (pass_phi_only_cprop);
> diff --git a/gcc/testsuite/gcc.dg/pr38984.c b/gcc/testsuite/gcc.dg/pr38984.c
> index 11f1e7f..0c03180 100644
> --- a/gcc/testsuite/gcc.dg/pr38984.c
> +++ b/gcc/testsuite/gcc.dg/pr38984.c
> @@ -1,5 +1,5 @@
>  /* { dg-do compile } */
> -/* { dg-options "-O2 -fno-delete-null-pointer-checks -fdump-tree-optimized"
> }
> +/* { dg-options "-O2 -fno-delete-null-pointer-checks -fdump-tree-optimized
> -fno-isolate-erroneous-paths" }
>   * */
>
>  int f(int *p)
> diff --git a/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c
> b/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c
> index ec04e17..bcd5681 100644
> --- a/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c
> +++ b/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c
> @@ -52,10 +52,10 @@ get_alias_set (t)
>  /* There should be one load of decl.rtl.  */
>  /* { dg-final { scan-tree-dump-times "decl\\.rtl" 1 "dom2"} } */
>
> -/* There should be two loads of rtmem.  */
> -/* { dg-final { scan-tree-dump-times "rtmem" 2 "dom2"} } */
> +/* There should be one load of rtmem.  */
> +/* { dg-final { scan-tree-dump-times "rtmem" 1 "dom2"} } */
>
> -/* There should be one load of alias.  */
> -/* { dg-final { scan-tree-dump-times "->alias" 1 "dom2"} } */
> +/* There should be no load of alias.  */
> +/* { dg-final { scan-tree-dump-not "->alias" "dom2"} } */
>
>  /* { dg-final { cleanup-tree-dump "dom2" } } */
> diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-1.c
> b/gcc/testsuite/gcc.dg/tree-ssa/isolate-1.c
> new file mode 100644
> index 0000000..6b779b4
> --- /dev/null
> +++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-1.c
> @@ -0,0 +1,58 @@
> +
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fdump-tree-isolate-paths" } */
> +
> +
> +struct demangle_component
> +{
> +
> +  int type;
> +  int zzz;
> +
> +};
> +
> +
> +struct d_info
> +{
> +  struct demangle_component *comps;
> +  int next_comp;
> +  int num_comps;
> +};
> +
> +
> +static struct demangle_component *
> +d_make_empty (struct d_info *di)
> +{
> +  struct demangle_component *p;
> +
> +  if (di->next_comp >= di->num_comps)
> +    return ((void *)0);
> +  p = &di->comps[di->next_comp];
> +  return p;
> +}
> +
> +
> +
> +struct demangle_component *
> +d_type (struct d_info *di)
> +{
> +   struct demangle_component *ret;
> +   ret = d_make_empty (di);
> +   ret->type = 42;
> +   ret->zzz = -1;
> +   return ret;
> +}
> +
> +/* We're testing two aspects of isolation here.  First that isolation
> +   occurs, second that if we have two null dereferences in a block that
> +   that we delete everything from the first dereferece to the end of the
> +   block, regardless of which comes first in the immediate use iterator.
> */
> +/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "isolate-paths"} }
> */
> +/* { dg-final { scan-tree-dump-times "->type" 1 "isolate-paths"} } */
> +/* { dg-final { scan-tree-dump-times "->zzz" 1 "isolate-paths"} } */
> +/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
> +
> +
> +
> +
> +
> diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-2.c
> b/gcc/testsuite/gcc.dg/tree-ssa/isolate-2.c
> new file mode 100644
> index 0000000..290b44c
> --- /dev/null
> +++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-2.c
> @@ -0,0 +1,43 @@
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fdump-tree-isolate-paths -fdump-tree-phicprop1" } */
> +
> +
> +int z;
> +int y;
> +
> +int * foo(int a) __attribute__((returns_nonnull));
> +int * bar(void) __attribute__((returns_nonnull));
> +
> +int *
> +foo(int a)
> +
> +{
> +  switch (a)
> +    {
> +      case 0:
> +        return &z;
> +      default:
> +        return (int *)0;
> +    }
> +}
> +
> +
> +int *
> +bar (void)
> +{
> +  return 0;
> +}
> +
> +/* We testing that the path isolation code can take advantage of the
> +   returns non-null attribute to isolate a path where NULL flows into
> +   a return statement.  We test this twice, once where the NULL flows
> +   from a PHI, the second with an explicit return 0 in the IL.
> +
> +   We also verify that after isolation phi-cprop simplifies the
> +   return statement so that it returns &z directly.
> +/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "isolate-paths"} }
> */
> +/* { dg-final { scan-tree-dump-times "return &z;" 1 "phicprop1"} } */
> +/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
> +/* { dg-final { cleanup-tree-dump "phicprop1" } } */
> +
> +
> diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-3.c
> b/gcc/testsuite/gcc.dg/tree-ssa/isolate-3.c
> new file mode 100644
> index 0000000..7dddd80
> --- /dev/null
> +++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-3.c
> @@ -0,0 +1,65 @@
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fdump-tree-isolate-paths" } */
> +
> +
> +typedef long unsigned int size_t;
> +extern void *memset (void *__s, int __c, size_t __n)
> +  __attribute__ ((__nothrow__, __leaf__)) __attribute__ ((__nonnull__
> (1)));
> +struct rtx_def;
> +typedef struct rtx_def *rtx;
> +typedef struct VEC_rtx_base
> +
> +{
> +  unsigned num;
> +  unsigned alloc;
> +  rtx vec[1];
> +} VEC_rtx_base;
> +static __inline__ rtx *
> +VEC_rtx_base_address (VEC_rtx_base * vec_)
> +{
> +  return vec_ ? vec_->vec : 0;
> +}
> +typedef struct VEC_rtx_gc
> +{
> +  VEC_rtx_base base;
> +} VEC_rtx_gc;
> +
> +static __inline__ void
> +VEC_rtx_gc_safe_grow (VEC_rtx_gc ** vec_, int size_, const char *file_,
> +                      unsigned line_, const char *function_)
> +{
> +  ((*vec_) ? &(*vec_)->base : 0)->num = size_;
> +}
> +
> +static __inline__ void
> +VEC_rtx_gc_safe_grow_cleared (VEC_rtx_gc ** vec_, int size_,
> +                              const char *file_, unsigned line_,
> +                              const char *function_, int oldsize)
> +{
> +  VEC_rtx_gc_safe_grow (vec_, size_, file_, line_, function_);
> +  memset (&(VEC_rtx_base_address ((*vec_) ? &(*vec_)->base : 0))[oldsize],
> 0,
> +          sizeof (rtx) * (size_ - oldsize));
> +}
> +
> +static VEC_rtx_gc *reg_base_value;
> +void
> +init_alias_analysis (void)
> +{
> +  unsigned int maxreg = max_reg_num ();
> +  (VEC_rtx_gc_safe_grow_cleared
> +   (&(reg_base_value), maxreg, "../../../gcc-4.6.0/gcc/alias.c", 2755,
> +    __FUNCTION__, arf ()));
> +}
> +
> +
> +
> +/* This is an example of how a NULL pointer dereference can show up
> +   without a PHI.  Note VEC_rtx_gcc_safe_grow.  If an earlier pass
> +   (such as VRP) isolates the NULL path for some reason or another
> +   we end up with an explicit NULL dereference in the IL.  Yes, it
> +   started with a PHI, but by the time the path isolation code runs
> +   its explicit in the IL.  */
> +/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "isolate-paths"} }
> */
> +/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
> +
> +
> diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-4.c
> b/gcc/testsuite/gcc.dg/tree-ssa/isolate-4.c
> new file mode 100644
> index 0000000..6937d25
> --- /dev/null
> +++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-4.c
> @@ -0,0 +1,32 @@
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -fdump-tree-isolate-paths -fdump-tree-phicprop1" } */
> +
> +
> +extern void foo(void *) __attribute__ ((__nonnull__ (1)));
> +
> +int z;
> +
> +void
> +com (int a)
> +{
> +    foo (a == 42 ? &z  : (void *) 0);
> +}
> +
> +void
> +bar (void)
> +{
> +  foo ((void *)0);
> +}
> +
> +/* We testing that the path isolation code can take advantage of the
> +   returns non-null attribute to isolate a path where NULL flows into
> +   a return statement.
> +
> +   We also verify that after isolation phi-cprop simplifies the
> +   return statement so that it returns &z directly.
> +/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "isolate-paths"} }
> */
> +/* { dg-final { scan-tree-dump-times "foo .&z.;" 1 "phicprop1"} } */
> +/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
> +/* { dg-final { cleanup-tree-dump "phicprop1" } } */
> +
> +
> diff --git a/gcc/timevar.def b/gcc/timevar.def
> index 5a880a8..4c11511 100644
> --- a/gcc/timevar.def
> +++ b/gcc/timevar.def
> @@ -144,6 +144,7 @@ DEFTIMEVAR (TV_TREE_SSA_INCREMENTAL  , "tree SSA
> incremental")
>  DEFTIMEVAR (TV_TREE_OPS                     , "tree operand scan")
>  DEFTIMEVAR (TV_TREE_SSA_DOMINATOR_OPTS   , "dominator optimization")
>  DEFTIMEVAR (TV_TREE_SRA              , "tree SRA")
> +DEFTIMEVAR (TV_ISOLATE_ERRONEOUS_PATHS    , "isolate eroneous paths")
>  DEFTIMEVAR (TV_TREE_CCP                     , "tree CCP")
>  DEFTIMEVAR (TV_TREE_PHI_CPROP       , "tree PHI const/copy prop")
>  DEFTIMEVAR (TV_TREE_SPLIT_EDGES      , "tree split crit edges")
> diff --git a/gcc/tree-pass.h b/gcc/tree-pass.h
> index 5237438..3f251b6 100644
> --- a/gcc/tree-pass.h
> +++ b/gcc/tree-pass.h
> @@ -425,6 +425,7 @@ extern gimple_opt_pass *make_pass_sink_code
> (gcc::context *ctxt);
>  extern gimple_opt_pass *make_pass_fre (gcc::context *ctxt);
>  extern gimple_opt_pass *make_pass_check_data_deps (gcc::context *ctxt);
>  extern gimple_opt_pass *make_pass_copy_prop (gcc::context *ctxt);
> +extern gimple_opt_pass *make_pass_isolate_erroneous_paths (gcc::context
> *ctxt);
>  extern gimple_opt_pass *make_pass_vrp (gcc::context *ctxt);
>  extern gimple_opt_pass *make_pass_uncprop (gcc::context *ctxt);
>  extern gimple_opt_pass *make_pass_return_slot (gcc::context *ctxt);
> diff --git a/gcc/tree-ssa.c b/gcc/tree-ssa.c
> index 0b743d1..ba8045d 100644
> --- a/gcc/tree-ssa.c
> +++ b/gcc/tree-ssa.c
> @@ -236,100 +236,6 @@ flush_pending_stmts (edge e)
>    redirect_edge_var_map_clear (e);
>  }
>
> -
> -/* Data structure used to count the number of dereferences to PTR
> -   inside an expression.  */
> -struct count_ptr_d
> -{
> -  tree ptr;
> -  unsigned num_stores;
> -  unsigned num_loads;
> -};
> -
> -
> -/* Helper for count_uses_and_derefs.  Called by walk_tree to look for
> -   (ALIGN/MISALIGNED_)INDIRECT_REF nodes for the pointer passed in DATA.
> */
> -
> -static tree
> -count_ptr_derefs (tree *tp, int *walk_subtrees, void *data)
> -{
> -  struct walk_stmt_info *wi_p = (struct walk_stmt_info *) data;
> -  struct count_ptr_d *count_p = (struct count_ptr_d *) wi_p->info;
> -
> -  /* Do not walk inside ADDR_EXPR nodes.  In the expression &ptr->fld,
> -     pointer 'ptr' is *not* dereferenced, it is simply used to compute
> -     the address of 'fld' as 'ptr + offsetof(fld)'.  */
> -  if (TREE_CODE (*tp) == ADDR_EXPR)
> -    {
> -      *walk_subtrees = 0;
> -      return NULL_TREE;
> -    }
> -
> -  if (TREE_CODE (*tp) == MEM_REF && TREE_OPERAND (*tp, 0) == count_p->ptr)
> -    {
> -      if (wi_p->is_lhs)
> -       count_p->num_stores++;
> -      else
> -       count_p->num_loads++;
> -    }
> -
> -  return NULL_TREE;
> -}
> -
> -
> -/* Count the number of direct and indirect uses for pointer PTR in
> -   statement STMT.  The number of direct uses is stored in
> -   *NUM_USES_P.  Indirect references are counted separately depending
> -   on whether they are store or load operations.  The counts are
> -   stored in *NUM_STORES_P and *NUM_LOADS_P.  */
> -
> -void
> -count_uses_and_derefs (tree ptr, gimple stmt, unsigned *num_uses_p,
> -                      unsigned *num_loads_p, unsigned *num_stores_p)
> -{
> -  ssa_op_iter i;
> -  tree use;
> -
> -  *num_uses_p = 0;
> -  *num_loads_p = 0;
> -  *num_stores_p = 0;
> -
> -  /* Find out the total number of uses of PTR in STMT.  */
> -  FOR_EACH_SSA_TREE_OPERAND (use, stmt, i, SSA_OP_USE)
> -    if (use == ptr)
> -      (*num_uses_p)++;
> -
> -  /* Now count the number of indirect references to PTR.  This is
> -     truly awful, but we don't have much choice.  There are no parent
> -     pointers inside INDIRECT_REFs, so an expression like
> -     '*x_1 = foo (x_1, *x_1)' needs to be traversed piece by piece to
> -     find all the indirect and direct uses of x_1 inside.  The only
> -     shortcut we can take is the fact that GIMPLE only allows
> -     INDIRECT_REFs inside the expressions below.  */
> -  if (is_gimple_assign (stmt)
> -      || gimple_code (stmt) == GIMPLE_RETURN
> -      || gimple_code (stmt) == GIMPLE_ASM
> -      || is_gimple_call (stmt))
> -    {
> -      struct walk_stmt_info wi;
> -      struct count_ptr_d count;
> -
> -      count.ptr = ptr;
> -      count.num_stores = 0;
> -      count.num_loads = 0;
> -
> -      memset (&wi, 0, sizeof (wi));
> -      wi.info = &count;
> -      walk_gimple_op (stmt, count_ptr_derefs, &wi);
> -
> -      *num_stores_p = count.num_stores;
> -      *num_loads_p = count.num_loads;
> -    }
> -
> -  gcc_assert (*num_uses_p >= *num_loads_p + *num_stores_p);
> -}
> -
> -
>  /* Replace the LHS of STMT, an assignment, either a GIMPLE_ASSIGN or a
>     GIMPLE_CALL, with NLHS, in preparation for modifying the RHS to an
>     expression with a different value.
> diff --git a/gcc/tree-ssa.h b/gcc/tree-ssa.h
> index ab1c920..89ea5c6 100644
> --- a/gcc/tree-ssa.h
> +++ b/gcc/tree-ssa.h
> @@ -39,8 +39,6 @@ extern edge_var_map_vector *redirect_edge_var_map_vector
> (edge);
>  extern void redirect_edge_var_map_destroy (void);
>  extern edge ssa_redirect_edge (edge, basic_block);
>  extern void flush_pending_stmts (edge);
> -extern void count_uses_and_derefs (tree, gimple, unsigned *, unsigned *,
> -                                  unsigned *);
>  extern void gimple_replace_ssa_lhs (gimple, tree);
>  extern tree target_for_debug_bind (tree);
>  extern void insert_debug_temp_for_var_def (gimple_stmt_iterator *, tree);
> diff --git a/gcc/tree-vrp.c b/gcc/tree-vrp.c
> index d3a07f3..a98ce25 100644
> --- a/gcc/tree-vrp.c
> +++ b/gcc/tree-vrp.c
> @@ -4476,57 +4476,6 @@ fp_predicate (gimple stmt)
>    return FLOAT_TYPE_P (TREE_TYPE (gimple_cond_lhs (stmt)));
>  }
>
> -
> -/* If OP can be inferred to be non-zero after STMT executes, return true.
> */
> -
> -static bool
> -infer_nonnull_range (gimple stmt, tree op)
> -{
> -  /* We can only assume that a pointer dereference will yield
> -     non-NULL if -fdelete-null-pointer-checks is enabled.  */
> -  if (!flag_delete_null_pointer_checks
> -      || !POINTER_TYPE_P (TREE_TYPE (op))
> -      || gimple_code (stmt) == GIMPLE_ASM)
> -    return false;
> -
> -  unsigned num_uses, num_loads, num_stores;
> -
> -  count_uses_and_derefs (op, stmt, &num_uses, &num_loads, &num_stores);
> -  if (num_loads + num_stores > 0)
> -    return true;
> -
> -  if (is_gimple_call (stmt) && !gimple_call_internal_p (stmt))
> -    {
> -      tree fntype = gimple_call_fntype (stmt);
> -      tree attrs = TYPE_ATTRIBUTES (fntype);
> -      for (; attrs; attrs = TREE_CHAIN (attrs))
> -       {
> -         attrs = lookup_attribute ("nonnull", attrs);
> -
> -         /* If "nonnull" wasn't specified, we know nothing about
> -            the argument.  */
> -         if (attrs == NULL_TREE)
> -           return false;
> -
> -         /* If "nonnull" applies to all the arguments, then ARG
> -            is non-null.  */
> -         if (TREE_VALUE (attrs) == NULL_TREE)
> -           return true;
> -
> -         /* Now see if op appears in the nonnull list.  */
> -         for (tree t = TREE_VALUE (attrs); t; t = TREE_CHAIN (t))
> -           {
> -             int idx = TREE_INT_CST_LOW (TREE_VALUE (t)) - 1;
> -             tree arg = gimple_call_arg (stmt, idx);
> -             if (op == arg)
> -               return true;
> -           }
> -       }
> -    }
> -
> -  return false;
> -}
> -
>  /* If the range of values taken by OP can be inferred after STMT executes,
>     return the comparison code (COMP_CODE_P) and value (VAL_P) that
>     describes the inferred range.  Return true if a range could be
>

Patch

diff --git a/gcc/Makefile.in b/gcc/Makefile.in
index 29609fd..7e9a702 100644
--- a/gcc/Makefile.in
+++ b/gcc/Makefile.in
@@ -1233,6 +1233,7 @@  OBJS = \
 	gimple-fold.o \
 	gimple-low.o \
 	gimple-pretty-print.o \
+	gimple-ssa-isolate-paths.o \
 	gimple-ssa-strength-reduction.o \
 	gimple-streamer-in.o \
 	gimple-streamer-out.o \
diff --git a/gcc/common.opt b/gcc/common.opt
index deeb3f2..6db9f56 100644
--- a/gcc/common.opt
+++ b/gcc/common.opt
@@ -2104,6 +2104,12 @@  foptimize-strlen
 Common Report Var(flag_optimize_strlen) Optimization
 Enable string length optimizations on trees
 
+fisolate-erroneous-paths
+Common Report Var(flag_isolate_erroneous_paths) Init(1) Optimization
+Detect paths which trigger erroneous or undefined behaviour.  Isolate those
+paths from the main control flow and turn the statement with erroneous or
+undefined behaviour into a trap.
+
 ftree-loop-distribution
 Common Report Var(flag_tree_loop_distribution) Optimization
 Enable loop distribution on trees
diff --git a/gcc/gimple-ssa-isolate-paths.c b/gcc/gimple-ssa-isolate-paths.c
new file mode 100644
index 0000000..aa526cc
--- /dev/null
+++ b/gcc/gimple-ssa-isolate-paths.c
@@ -0,0 +1,332 @@ 
+/* Detect paths through the CFG which can never be executed in a conforming
+   program and isolate them.
+
+   Copyright (C) 2013
+   Free Software Foundation, Inc.
+
+This file is part of GCC.
+
+GCC is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3, or (at your option)
+any later version.
+
+GCC is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GCC; see the file COPYING3.  If not see
+<http://www.gnu.org/licenses/>.  */
+
+#include "config.h"
+#include "system.h"
+#include "coretypes.h"
+#include "tree.h"
+#include "flags.h"
+#include "basic-block.h"
+#include "gimple.h"
+#include "tree-ssa.h"
+#include "gimple-ssa.h"
+#include "tree-ssa-operands.h"
+#include "tree-phinodes.h"
+#include "ssa-iterators.h"
+#include "cfgloop.h"
+#include "tree-pass.h"
+
+
+static bool cfg_altered;
+
+/* BB when reached via incoming edge E will exhibit undefined behaviour
+   at STMT.  Isolate and optimize the path which exhibits undefined
+   behaviour.
+
+   Isolation is simple.  Duplicate BB and redirect E to BB'.
+
+   Optimization is simple as well.  Replace STMT in BB' with an
+   unconditional trap and remove all outgoing edges from BB'.
+
+   DUPLICATE is a pre-existing duplicate, use it as BB' if it exists.
+
+   Return BB'.  */
+
+basic_block
+isolate_path (basic_block bb, basic_block duplicate, edge e, gimple stmt)
+{
+  gimple_stmt_iterator si, si2;
+  edge_iterator ei;
+  edge e2;
+  
+
+  /* First duplicate BB if we have not done so already and remove all
+     the duplicate's outgoing edges as duplicate is going to unconditionally
+     trap.  Removing the outgoing edges is both an optimization and ensures
+     we don't need to do any PHI node updates.  */
+  if (!duplicate)
+    {
+      duplicate = duplicate_block (bb, NULL, NULL);
+      for (ei = ei_start (duplicate->succs); (e2 = ei_safe_edge (ei)); )
+	remove_edge (e2);
+    }
+
+  /* Complete the isolation step by redirecting E to reach DUPLICATE.  */
+  e2 = redirect_edge_and_branch (e, duplicate);
+  if (e2)
+    flush_pending_stmts (e2);
+
+
+  /* There may be more than one statement in DUPLICATE which exhibits
+     undefined behaviour.  Ultimately we want the first such statement in
+     DUPLCIATE so that we're able to delete as much code as possible.
+
+     So each time we discover undefined behaviour in DUPLICATE, search for
+     the statement which triggers undefined behaviour.  If found, then
+     transform the statement into a trap and delete everything after the
+     statement.  If not found, then this particular instance was subsumed by
+     an earlier instance of undefined behaviour and there's nothing to do. 
+
+     This is made more complicated by the fact that we have STMT, which is in
+     BB rather than in DUPLICATE.  So we set up two iterators, one for each
+     block and walk forward looking for STMT in BB, advancing each iterator at
+     each step.
+
+     When we find STMT the second iterator should point to STMT's equivalent in
+     duplicate.  If DUPLICATE ends before STMT is found in BB, then there's
+     nothing to do. 
+
+     Ignore labels and debug statements.  */
+  si = gsi_start_nondebug_after_labels (bb);
+  si2 = gsi_start_nondebug_after_labels (duplicate);
+  while (!gsi_end_p (si) && !gsi_end_p (si2) && gsi_stmt (si) != stmt)
+    {
+      gsi_next_nondebug (&si);
+      gsi_next_nondebug (&si2);
+    }
+
+  /* This would be an indicator that we never found STMT in BB, which should
+     never happen.  */
+  gcc_assert (!gsi_end_p (si));
+
+  /* If we did not run to the end of DUPLICATE, then SI points to STMT and
+     SI2 points to the duplicate of STMT in DUPLICATE.  */
+  if (!gsi_end_p (si2))
+    {
+      /* SI2 is the iterator in the duplicate block and it now points
+	 to our victim statement.  */
+      gimple_seq seq = NULL;
+      gimple stmt
+	= gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
+      gimple_seq_add_stmt (&seq, stmt);
+      gsi_insert_before (&si2, seq, GSI_SAME_STMT);
+
+      /* Now delete all remaining statements in this block.  */
+      for (; !gsi_end_p (si2);)
+	gsi_remove (&si2, true);
+    }
+
+  return duplicate;
+}
+
+/* Search the function for statements which, if executed, would cause
+   the program to fault such as a dereference of a NULL pointer.
+
+   Such a program can't be valid if such a statement was to execute
+   according to ISO standards.
+
+   We detect explicit NULL pointer dereferences as well as those implied
+   by a PHI argument having a NULL value which unconditionally flows into
+   a dereference in the same block as the PHI.
+
+   In the former case we replace the offending statement with an
+   unconditional trap and eliminate the outgoing edges from the statement's
+   basic block.  This may expose secondary optimization opportunities.
+
+   In the latter case, we isolate the path(s) with the NULL PHI 
+   feeding the dereference.  We can then replace the offending statement
+   and eliminate the outgoing edges in the duplicate.  Again, this may
+   expose secondary optimization opportunities.
+
+   A warning for both cases may be advisable as well.
+
+   Other statically detectable violations of the ISO standard could be
+   handled in a similar way, such as out-of-bounds array indexing.  */
+
+static unsigned int
+gimple_ssa_isolate_erroneous_paths (void)
+{
+  basic_block bb;
+
+  initialize_original_copy_tables ();
+
+  /* Search all the blocks for edges which, if traversed, will
+     result in undefined behaviour.  */
+  cfg_altered = false;
+  FOR_EACH_BB (bb)
+    {
+      gimple_stmt_iterator si;
+
+      /* First look for a PHI which sets a pointer to NULL and which
+ 	 is then dereferenced within BB.  This is somewhat overly
+	 conservative, but probably catches most of the interesting
+	 cases.   */
+      for (si = gsi_start_phis (bb); !gsi_end_p (si); gsi_next (&si))
+	{
+	  gimple phi = gsi_stmt (si);
+	  tree lhs = gimple_phi_result (phi);
+
+	  /* If the result is not a pointer, then there is no need to
+ 	     examine the arguments.  */
+	  if (!POINTER_TYPE_P (TREE_TYPE (lhs)))
+	    continue;
+
+	  /* PHI produces a pointer result.  See if any of the PHI's
+	     arguments are NULL. 
+
+	     When we remove an edge, we want to reprocess the current
+	     index, hence the ugly way we update I for each iteration.  */
+	  basic_block duplicate = NULL;
+	  for (unsigned i = 0, next_i = 0;
+	       i < gimple_phi_num_args (phi);
+	       i = next_i)
+	    {
+	      tree op = gimple_phi_arg_def (phi, i);
+
+	      next_i = i + 1;
+	      if (integer_zerop (op))
+		{
+		  edge e = gimple_phi_arg_edge (phi, i);
+		  imm_use_iterator iter;
+		  gimple use_stmt;
+
+		  /* We've got a NULL PHI argument.  Now see if the
+ 		     PHI's result is dereferenced within BB.  */
+		  FOR_EACH_IMM_USE_STMT (use_stmt, iter, lhs)
+		    {
+		      /* We only care about uses in BB which are assignements
+ 			 with memory operands. 
+
+			 We could see if any uses are as function arguments
+			 when the callee has marked the argument as being
+			 non-null.  */
+		      if (gimple_bb (use_stmt) != bb
+			  || (!is_gimple_assign (use_stmt)
+			      && !is_gimple_call (use_stmt)
+			      && gimple_code (use_stmt) != GIMPLE_RETURN))
+			continue;
+
+		      if (infer_nonnull_range (use_stmt, lhs))
+			{
+			  duplicate = isolate_path (bb, duplicate,
+						    e, use_stmt);
+
+			  /* When we remove an incoming edge, we need to
+			     reprocess the Ith element.  */
+			  next_i = i;
+			  cfg_altered = true;
+			}
+		    }
+		}
+	    }
+	}
+
+      /* Now look at the statements in the block and see if any of
+	 them explicitly dereference a NULL pointer.  Believe it or
+	 not, this does happen from time to time.  */
+      for (si = gsi_start_bb (bb); !gsi_end_p (si); gsi_next (&si))
+	{
+	  gimple stmt = gsi_stmt (si);
+
+
+	  /* By passing null_pointer_node, we can use infer_nonnull_range
+	     to detect explicit NULL pointer dereferences and other uses
+	     where a non-NULL value is required.  */
+	  if (infer_nonnull_range (stmt, null_pointer_node))
+	    {
+	      /* First insert a TRAP before this statement.  */
+	      gimple_seq seq = NULL;
+     	      tree t
+		= build_call_expr_loc (0,
+				       builtin_decl_explicit (BUILT_IN_TRAP),
+				       0);
+	      gimplify_and_add (t, &seq);
+	      gsi_insert_before (&si, seq, GSI_SAME_STMT);
+
+	      /* Now delete all remaining statements in this block.  */
+	      for (gimple_stmt_iterator si2 = si; !gsi_end_p (si2);)
+		gsi_remove (&si2, true);
+
+	      /* And finally, remove all outgoing edges from BB.  */
+	      edge e;
+	      for (edge_iterator ei = ei_start (bb->succs);
+		   (e = ei_safe_edge (ei)); )
+		remove_edge (e);
+
+	      /* Ignore any more operands on this statement and
+		 continue the statement iterator (which should
+		 terminate its loop immediately.  */
+	      cfg_altered = true;
+	      break;
+	    }
+	}
+    }
+  free_original_copy_tables ();
+
+  /* We scramble the CFG and loop structures a bit, clean up 
+     appropriately.  We really should incrementally update the
+     loop structures, in theory it shouldn't be that hard.  */
+  if (cfg_altered)
+    {
+      free_dominance_info (CDI_DOMINATORS);
+      free_dominance_info (CDI_POST_DOMINATORS);
+      loops_state_set (LOOPS_NEED_FIXUP);
+      return TODO_cleanup_cfg | TODO_update_ssa;
+    }
+  return 0;
+}
+
+static bool
+gate_isolate_erroneous_paths (void)
+{
+  /* If we do not have a suitable builtin function for the trap statement,
+     then do not perform the optimization.  */
+  return (flag_isolate_erroneous_paths != 0
+	  && builtin_decl_explicit (BUILT_IN_TRAP) != NULL);
+}
+
+namespace {
+const pass_data pass_data_isolate_erroneous_paths =
+{
+  GIMPLE_PASS, /* type */
+  "isolate-paths", /* name */
+  OPTGROUP_NONE, /* optinfo_flags */
+  true, /* has_gate */
+  true, /* has_execute */
+  TV_ISOLATE_ERRONEOUS_PATHS, /* tv_id */
+  ( PROP_cfg | PROP_ssa ), /* properties_required */
+  0, /* properties_provided */
+  0, /* properties_destroyed */
+  0, /* todo_flags_start */
+  TODO_verify_ssa, /* todo_flags_finish */
+};
+
+class pass_isolate_erroneous_paths : public gimple_opt_pass
+{
+public:
+  pass_isolate_erroneous_paths (gcc::context *ctxt)
+    : gimple_opt_pass (pass_data_isolate_erroneous_paths, ctxt)
+  {}
+
+  /* opt_pass methods: */
+  opt_pass * clone () { return new pass_isolate_erroneous_paths (m_ctxt); }
+  bool gate () { return gate_isolate_erroneous_paths (); }
+  unsigned int execute () { return gimple_ssa_isolate_erroneous_paths (); }
+
+}; // class pass_uncprop
+}
+
+gimple_opt_pass *
+make_pass_isolate_erroneous_paths (gcc::context *ctxt)
+{
+  return new pass_isolate_erroneous_paths (ctxt);
+}
diff --git a/gcc/gimple.c b/gcc/gimple.c
index 3ddceb9..fbb1393 100644
--- a/gcc/gimple.c
+++ b/gcc/gimple.c
@@ -4083,6 +4083,87 @@  nonfreeing_call_p (gimple call)
   return false;
 }
 
+/* Callback for walk_stmt_load_store_ops.
+ 
+   Return TRUE if OP will dereference the tree stored in DATA, FALSE
+   otherwise.
+
+   This routine only makes a superficial check for a dereference.  Thus
+   it must only be used if it is safe to return a false negative.  */
+static bool
+check_loadstore (gimple stmt ATTRIBUTE_UNUSED, tree op, void *data)
+{
+  if ((TREE_CODE (op) == MEM_REF || TREE_CODE (op) == TARGET_MEM_REF)
+      && operand_equal_p (TREE_OPERAND (op, 0), (tree)data, 0))
+    return true;
+  return false;
+}
+
+/* If OP can be inferred to be non-zero after STMT executes, return true.  */
+
+bool
+infer_nonnull_range (gimple stmt, tree op)
+{
+  /* We can only assume that a pointer dereference will yield
+     non-NULL if -fdelete-null-pointer-checks is enabled.  */
+  if (!flag_delete_null_pointer_checks
+      || !POINTER_TYPE_P (TREE_TYPE (op))
+      || gimple_code (stmt) == GIMPLE_ASM)
+    return false;
+
+  if (walk_stmt_load_store_ops (stmt, (void *)op,
+				check_loadstore, check_loadstore))
+    return true;
+
+  if (is_gimple_call (stmt) && !gimple_call_internal_p (stmt))
+    {
+      tree fntype = gimple_call_fntype (stmt);
+      tree attrs = TYPE_ATTRIBUTES (fntype);
+      for (; attrs; attrs = TREE_CHAIN (attrs))
+	{
+	  attrs = lookup_attribute ("nonnull", attrs);
+
+	  /* If "nonnull" wasn't specified, we know nothing about
+	     the argument.  */
+	  if (attrs == NULL_TREE)
+	    return false;
+
+	  /* If "nonnull" applies to all the arguments, then ARG
+	     is non-null if it's in the argument list.  */
+	  if (TREE_VALUE (attrs) == NULL_TREE)
+	    {
+	      for (unsigned int i = 0; i < gimple_call_num_args (stmt); i++)
+		{
+		  if (operand_equal_p (op, gimple_call_arg (stmt, i), 0)
+		      && POINTER_TYPE_P (TREE_TYPE (gimple_call_arg (stmt, i))))
+		    return true;
+		}
+	      return false;
+	    }
+
+	  /* Now see if op appears in the nonnull list.  */
+	  for (tree t = TREE_VALUE (attrs); t; t = TREE_CHAIN (t))
+	    {
+	      int idx = TREE_INT_CST_LOW (TREE_VALUE (t)) - 1;
+	      tree arg = gimple_call_arg (stmt, idx);
+	      if (operand_equal_p (op, arg, 0))
+		return true;
+	    }
+	}
+    }
+
+  /* If this function is marked as returning non-null, then we can
+     infer OP is non-null if it is used in the return statement.  */
+  if (gimple_code (stmt) == GIMPLE_RETURN
+      && gimple_return_retval (stmt)
+      && operand_equal_p (gimple_return_retval (stmt), op, 0)
+      && lookup_attribute ("returns_nonnull",
+			   TYPE_ATTRIBUTES (TREE_TYPE (current_function_decl))))
+    return true;
+
+  return false;
+}
+
 /* Create a new VAR_DECL and copy information from VAR to it.  */
 
 tree
diff --git a/gcc/gimple.h b/gcc/gimple.h
index e34411d..4d00493 100644
--- a/gcc/gimple.h
+++ b/gcc/gimple.h
@@ -1088,6 +1088,7 @@  extern void dump_decl_set (FILE *, bitmap);
 extern bool gimple_can_coalesce_p (tree, tree);
 extern bool nonfreeing_call_p (gimple);
 extern tree copy_var_decl (tree, tree, tree);
+extern bool infer_nonnull_range (gimple, tree);
 
 /* In trans-mem.c.  */
 extern void diagnose_tm_safe_errors (tree);
@@ -5533,6 +5534,20 @@  gsi_start_nondebug_bb (basic_block bb)
   return i;
 }
 
+/* Return a new iterator pointing to the first non-debug, non-label statement
+   in basic block BB.  */
+
+static inline gimple_stmt_iterator
+gsi_start_nondebug_after_labels (basic_block bb)
+{
+  gimple_stmt_iterator gsi = gsi_start_nondebug_bb (bb);
+
+  while (!gsi_end_p (gsi) && gimple_code (gsi_stmt (gsi)) == GIMPLE_LABEL)
+    gsi_next_nondebug (&gsi);
+
+  return gsi;
+}
+
 /* Return a new iterator pointing to the last non-debug statement in
    basic block BB.  */
 
diff --git a/gcc/opts.c b/gcc/opts.c
index 728d36d..e1e09c7 100644
--- a/gcc/opts.c
+++ b/gcc/opts.c
@@ -453,6 +453,7 @@  static const struct default_options default_options_table[] =
     { OPT_LEVELS_1_PLUS, OPT_ftree_ch, NULL, 1 },
     { OPT_LEVELS_1_PLUS, OPT_fcombine_stack_adjustments, NULL, 1 },
     { OPT_LEVELS_1_PLUS, OPT_fcompare_elim, NULL, 1 },
+    { OPT_LEVELS_1_PLUS, OPT_fisolate_erroneous_paths, NULL, 1 },
     { OPT_LEVELS_1_PLUS, OPT_ftree_slsr, NULL, 1 },
 
     /* -O2 optimizations.  */
diff --git a/gcc/passes.def b/gcc/passes.def
index 404b790..1607b59 100644
--- a/gcc/passes.def
+++ b/gcc/passes.def
@@ -166,9 +166,16 @@  along with GCC; see the file COPYING3.  If not see
 	 is removed, and this place fits nicely.  Remember this when
 	 trying to move or duplicate pass_dominator somewhere earlier.  */
       NEXT_PASS (pass_dominator);
+      /* At this point the majority of const/copy propagations
+	 are exposed.  Go ahead and identify paths that should never
+	 be executed in a conforming program and isolate those paths.
+
+	 This will expose more degenerate PHIs in the main path and
+	 expose more PRE/DOM optimization opportunities.  */
+      NEXT_PASS (pass_isolate_erroneous_paths);
       /* The only const/copy propagation opportunities left after
-	 DOM should be due to degenerate PHI nodes.  So rather than
-	 run the full propagators, run a specialized pass which
+	 DOM and erroneous path isolation should be due to degenerate PHI nodes.
+	 So rather than run the full propagators, run a specialized pass which
 	 only examines PHIs to discover const/copy propagation
 	 opportunities.  */
       NEXT_PASS (pass_phi_only_cprop);
diff --git a/gcc/testsuite/gcc.dg/pr38984.c b/gcc/testsuite/gcc.dg/pr38984.c
index 11f1e7f..0c03180 100644
--- a/gcc/testsuite/gcc.dg/pr38984.c
+++ b/gcc/testsuite/gcc.dg/pr38984.c
@@ -1,5 +1,5 @@ 
 /* { dg-do compile } */
-/* { dg-options "-O2 -fno-delete-null-pointer-checks -fdump-tree-optimized" }
+/* { dg-options "-O2 -fno-delete-null-pointer-checks -fdump-tree-optimized -fno-isolate-erroneous-paths" }
  * */
 
 int f(int *p)
diff --git a/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c b/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c
index ec04e17..bcd5681 100644
--- a/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c
+++ b/gcc/testsuite/gcc.dg/tree-ssa/20030711-3.c
@@ -52,10 +52,10 @@  get_alias_set (t)
 /* There should be one load of decl.rtl.  */
 /* { dg-final { scan-tree-dump-times "decl\\.rtl" 1 "dom2"} } */
   
-/* There should be two loads of rtmem.  */
-/* { dg-final { scan-tree-dump-times "rtmem" 2 "dom2"} } */
+/* There should be one load of rtmem.  */
+/* { dg-final { scan-tree-dump-times "rtmem" 1 "dom2"} } */
 
-/* There should be one load of alias.  */
-/* { dg-final { scan-tree-dump-times "->alias" 1 "dom2"} } */
+/* There should be no load of alias.  */
+/* { dg-final { scan-tree-dump-not "->alias" "dom2"} } */
 
 /* { dg-final { cleanup-tree-dump "dom2" } } */
diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-1.c b/gcc/testsuite/gcc.dg/tree-ssa/isolate-1.c
new file mode 100644
index 0000000..6b779b4
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-1.c
@@ -0,0 +1,58 @@ 
+
+/* { dg-do compile } */ 
+/* { dg-options "-O2 -fdump-tree-isolate-paths" } */
+
+
+struct demangle_component
+{
+
+  int type;
+  int zzz;
+
+};
+
+
+struct d_info
+{
+  struct demangle_component *comps;
+  int next_comp;
+  int num_comps;
+};
+
+
+static struct demangle_component *
+d_make_empty (struct d_info *di)
+{
+  struct demangle_component *p;
+
+  if (di->next_comp >= di->num_comps)
+    return ((void *)0);
+  p = &di->comps[di->next_comp];
+  return p;
+}
+
+
+
+struct demangle_component *
+d_type (struct d_info *di)
+{
+   struct demangle_component *ret;
+   ret = d_make_empty (di);
+   ret->type = 42;
+   ret->zzz = -1;
+   return ret;
+}
+
+/* We're testing two aspects of isolation here.  First that isolation
+   occurs, second that if we have two null dereferences in a block that
+   that we delete everything from the first dereferece to the end of the
+   block, regardless of which comes first in the immediate use iterator.  */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "isolate-paths"} } */
+/* { dg-final { scan-tree-dump-times "->type" 1 "isolate-paths"} } */
+/* { dg-final { scan-tree-dump-times "->zzz" 1 "isolate-paths"} } */
+/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
+
+
+
+
+
diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-2.c b/gcc/testsuite/gcc.dg/tree-ssa/isolate-2.c
new file mode 100644
index 0000000..290b44c
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-2.c
@@ -0,0 +1,43 @@ 
+/* { dg-do compile } */ 
+/* { dg-options "-O2 -fdump-tree-isolate-paths -fdump-tree-phicprop1" } */
+
+
+int z;
+int y;
+
+int * foo(int a) __attribute__((returns_nonnull));
+int * bar(void) __attribute__((returns_nonnull));
+
+int *
+foo(int a)
+
+{
+  switch (a)
+    {
+      case 0:
+        return &z;
+      default:
+        return (int *)0;
+    }
+}
+
+
+int *
+bar (void)
+{
+  return 0;
+}
+
+/* We testing that the path isolation code can take advantage of the
+   returns non-null attribute to isolate a path where NULL flows into
+   a return statement.  We test this twice, once where the NULL flows
+   from a PHI, the second with an explicit return 0 in the IL.
+
+   We also verify that after isolation phi-cprop simplifies the
+   return statement so that it returns &z directly.
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "isolate-paths"} } */
+/* { dg-final { scan-tree-dump-times "return &z;" 1 "phicprop1"} } */
+/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
+/* { dg-final { cleanup-tree-dump "phicprop1" } } */
+
+
diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-3.c b/gcc/testsuite/gcc.dg/tree-ssa/isolate-3.c
new file mode 100644
index 0000000..7dddd80
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-3.c
@@ -0,0 +1,65 @@ 
+/* { dg-do compile } */ 
+/* { dg-options "-O2 -fdump-tree-isolate-paths" } */
+
+
+typedef long unsigned int size_t;
+extern void *memset (void *__s, int __c, size_t __n)
+  __attribute__ ((__nothrow__, __leaf__)) __attribute__ ((__nonnull__ (1)));
+struct rtx_def;
+typedef struct rtx_def *rtx;
+typedef struct VEC_rtx_base
+
+{
+  unsigned num;
+  unsigned alloc;
+  rtx vec[1];
+} VEC_rtx_base;
+static __inline__ rtx *
+VEC_rtx_base_address (VEC_rtx_base * vec_)
+{
+  return vec_ ? vec_->vec : 0;
+}
+typedef struct VEC_rtx_gc
+{
+  VEC_rtx_base base;
+} VEC_rtx_gc;
+
+static __inline__ void
+VEC_rtx_gc_safe_grow (VEC_rtx_gc ** vec_, int size_, const char *file_,
+                      unsigned line_, const char *function_)
+{
+  ((*vec_) ? &(*vec_)->base : 0)->num = size_;
+} 
+
+static __inline__ void
+VEC_rtx_gc_safe_grow_cleared (VEC_rtx_gc ** vec_, int size_,
+                              const char *file_, unsigned line_,
+                              const char *function_, int oldsize)
+{
+  VEC_rtx_gc_safe_grow (vec_, size_, file_, line_, function_);
+  memset (&(VEC_rtx_base_address ((*vec_) ? &(*vec_)->base : 0))[oldsize], 0,
+          sizeof (rtx) * (size_ - oldsize));
+}
+
+static VEC_rtx_gc *reg_base_value;
+void
+init_alias_analysis (void)
+{
+  unsigned int maxreg = max_reg_num ();
+  (VEC_rtx_gc_safe_grow_cleared
+   (&(reg_base_value), maxreg, "../../../gcc-4.6.0/gcc/alias.c", 2755,
+    __FUNCTION__, arf ()));
+}
+
+
+
+/* This is an example of how a NULL pointer dereference can show up
+   without a PHI.  Note VEC_rtx_gcc_safe_grow.  If an earlier pass
+   (such as VRP) isolates the NULL path for some reason or another
+   we end up with an explicit NULL dereference in the IL.  Yes, it
+   started with a PHI, but by the time the path isolation code runs
+   its explicit in the IL.  */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "isolate-paths"} } */
+/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
+
+
diff --git a/gcc/testsuite/gcc.dg/tree-ssa/isolate-4.c b/gcc/testsuite/gcc.dg/tree-ssa/isolate-4.c
new file mode 100644
index 0000000..6937d25
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/tree-ssa/isolate-4.c
@@ -0,0 +1,32 @@ 
+/* { dg-do compile } */ 
+/* { dg-options "-O2 -fdump-tree-isolate-paths -fdump-tree-phicprop1" } */
+
+
+extern void foo(void *) __attribute__ ((__nonnull__ (1)));
+
+int z;
+
+void
+com (int a)
+{
+    foo (a == 42 ? &z  : (void *) 0);
+}
+
+void
+bar (void)
+{
+  foo ((void *)0);
+}
+
+/* We testing that the path isolation code can take advantage of the
+   returns non-null attribute to isolate a path where NULL flows into
+   a return statement.
+
+   We also verify that after isolation phi-cprop simplifies the
+   return statement so that it returns &z directly.
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "isolate-paths"} } */
+/* { dg-final { scan-tree-dump-times "foo .&z.;" 1 "phicprop1"} } */
+/* { dg-final { cleanup-tree-dump "isolate-paths" } } */
+/* { dg-final { cleanup-tree-dump "phicprop1" } } */
+
+
diff --git a/gcc/timevar.def b/gcc/timevar.def
index 5a880a8..4c11511 100644
--- a/gcc/timevar.def
+++ b/gcc/timevar.def
@@ -144,6 +144,7 @@  DEFTIMEVAR (TV_TREE_SSA_INCREMENTAL  , "tree SSA incremental")
 DEFTIMEVAR (TV_TREE_OPS	             , "tree operand scan")
 DEFTIMEVAR (TV_TREE_SSA_DOMINATOR_OPTS   , "dominator optimization")
 DEFTIMEVAR (TV_TREE_SRA              , "tree SRA")
+DEFTIMEVAR (TV_ISOLATE_ERRONEOUS_PATHS    , "isolate eroneous paths")
 DEFTIMEVAR (TV_TREE_CCP		     , "tree CCP")
 DEFTIMEVAR (TV_TREE_PHI_CPROP	     , "tree PHI const/copy prop")
 DEFTIMEVAR (TV_TREE_SPLIT_EDGES      , "tree split crit edges")
diff --git a/gcc/tree-pass.h b/gcc/tree-pass.h
index 5237438..3f251b6 100644
--- a/gcc/tree-pass.h
+++ b/gcc/tree-pass.h
@@ -425,6 +425,7 @@  extern gimple_opt_pass *make_pass_sink_code (gcc::context *ctxt);
 extern gimple_opt_pass *make_pass_fre (gcc::context *ctxt);
 extern gimple_opt_pass *make_pass_check_data_deps (gcc::context *ctxt);
 extern gimple_opt_pass *make_pass_copy_prop (gcc::context *ctxt);
+extern gimple_opt_pass *make_pass_isolate_erroneous_paths (gcc::context *ctxt);
 extern gimple_opt_pass *make_pass_vrp (gcc::context *ctxt);
 extern gimple_opt_pass *make_pass_uncprop (gcc::context *ctxt);
 extern gimple_opt_pass *make_pass_return_slot (gcc::context *ctxt);
diff --git a/gcc/tree-ssa.c b/gcc/tree-ssa.c
index 0b743d1..ba8045d 100644
--- a/gcc/tree-ssa.c
+++ b/gcc/tree-ssa.c
@@ -236,100 +236,6 @@  flush_pending_stmts (edge e)
   redirect_edge_var_map_clear (e);
 }
 
-
-/* Data structure used to count the number of dereferences to PTR
-   inside an expression.  */
-struct count_ptr_d
-{
-  tree ptr;
-  unsigned num_stores;
-  unsigned num_loads;
-};
-
-
-/* Helper for count_uses_and_derefs.  Called by walk_tree to look for
-   (ALIGN/MISALIGNED_)INDIRECT_REF nodes for the pointer passed in DATA.  */
-
-static tree
-count_ptr_derefs (tree *tp, int *walk_subtrees, void *data)
-{
-  struct walk_stmt_info *wi_p = (struct walk_stmt_info *) data;
-  struct count_ptr_d *count_p = (struct count_ptr_d *) wi_p->info;
-
-  /* Do not walk inside ADDR_EXPR nodes.  In the expression &ptr->fld,
-     pointer 'ptr' is *not* dereferenced, it is simply used to compute
-     the address of 'fld' as 'ptr + offsetof(fld)'.  */
-  if (TREE_CODE (*tp) == ADDR_EXPR)
-    {
-      *walk_subtrees = 0;
-      return NULL_TREE;
-    }
-
-  if (TREE_CODE (*tp) == MEM_REF && TREE_OPERAND (*tp, 0) == count_p->ptr)
-    {
-      if (wi_p->is_lhs)
-	count_p->num_stores++;
-      else
-	count_p->num_loads++;
-    }
-
-  return NULL_TREE;
-}
-
-
-/* Count the number of direct and indirect uses for pointer PTR in
-   statement STMT.  The number of direct uses is stored in
-   *NUM_USES_P.  Indirect references are counted separately depending
-   on whether they are store or load operations.  The counts are
-   stored in *NUM_STORES_P and *NUM_LOADS_P.  */
-
-void
-count_uses_and_derefs (tree ptr, gimple stmt, unsigned *num_uses_p,
-		       unsigned *num_loads_p, unsigned *num_stores_p)
-{
-  ssa_op_iter i;
-  tree use;
-
-  *num_uses_p = 0;
-  *num_loads_p = 0;
-  *num_stores_p = 0;
-
-  /* Find out the total number of uses of PTR in STMT.  */
-  FOR_EACH_SSA_TREE_OPERAND (use, stmt, i, SSA_OP_USE)
-    if (use == ptr)
-      (*num_uses_p)++;
-
-  /* Now count the number of indirect references to PTR.  This is
-     truly awful, but we don't have much choice.  There are no parent
-     pointers inside INDIRECT_REFs, so an expression like
-     '*x_1 = foo (x_1, *x_1)' needs to be traversed piece by piece to
-     find all the indirect and direct uses of x_1 inside.  The only
-     shortcut we can take is the fact that GIMPLE only allows
-     INDIRECT_REFs inside the expressions below.  */
-  if (is_gimple_assign (stmt)
-      || gimple_code (stmt) == GIMPLE_RETURN
-      || gimple_code (stmt) == GIMPLE_ASM
-      || is_gimple_call (stmt))
-    {
-      struct walk_stmt_info wi;
-      struct count_ptr_d count;
-
-      count.ptr = ptr;
-      count.num_stores = 0;
-      count.num_loads = 0;
-
-      memset (&wi, 0, sizeof (wi));
-      wi.info = &count;
-      walk_gimple_op (stmt, count_ptr_derefs, &wi);
-
-      *num_stores_p = count.num_stores;
-      *num_loads_p = count.num_loads;
-    }
-
-  gcc_assert (*num_uses_p >= *num_loads_p + *num_stores_p);
-}
-
-
 /* Replace the LHS of STMT, an assignment, either a GIMPLE_ASSIGN or a
    GIMPLE_CALL, with NLHS, in preparation for modifying the RHS to an
    expression with a different value.
diff --git a/gcc/tree-ssa.h b/gcc/tree-ssa.h
index ab1c920..89ea5c6 100644
--- a/gcc/tree-ssa.h
+++ b/gcc/tree-ssa.h
@@ -39,8 +39,6 @@  extern edge_var_map_vector *redirect_edge_var_map_vector (edge);
 extern void redirect_edge_var_map_destroy (void);
 extern edge ssa_redirect_edge (edge, basic_block);
 extern void flush_pending_stmts (edge);
-extern void count_uses_and_derefs (tree, gimple, unsigned *, unsigned *,
-				   unsigned *);
 extern void gimple_replace_ssa_lhs (gimple, tree);
 extern tree target_for_debug_bind (tree);
 extern void insert_debug_temp_for_var_def (gimple_stmt_iterator *, tree);
diff --git a/gcc/tree-vrp.c b/gcc/tree-vrp.c
index d3a07f3..a98ce25 100644
--- a/gcc/tree-vrp.c
+++ b/gcc/tree-vrp.c
@@ -4476,57 +4476,6 @@  fp_predicate (gimple stmt)
   return FLOAT_TYPE_P (TREE_TYPE (gimple_cond_lhs (stmt)));
 }
 
-
-/* If OP can be inferred to be non-zero after STMT executes, return true.  */
-
-static bool
-infer_nonnull_range (gimple stmt, tree op)
-{
-  /* We can only assume that a pointer dereference will yield
-     non-NULL if -fdelete-null-pointer-checks is enabled.  */
-  if (!flag_delete_null_pointer_checks
-      || !POINTER_TYPE_P (TREE_TYPE (op))
-      || gimple_code (stmt) == GIMPLE_ASM)
-    return false;
-
-  unsigned num_uses, num_loads, num_stores;
-
-  count_uses_and_derefs (op, stmt, &num_uses, &num_loads, &num_stores);
-  if (num_loads + num_stores > 0)
-    return true;
-
-  if (is_gimple_call (stmt) && !gimple_call_internal_p (stmt))
-    {
-      tree fntype = gimple_call_fntype (stmt);
-      tree attrs = TYPE_ATTRIBUTES (fntype);
-      for (; attrs; attrs = TREE_CHAIN (attrs))
-	{
-	  attrs = lookup_attribute ("nonnull", attrs);
-
-	  /* If "nonnull" wasn't specified, we know nothing about
-	     the argument.  */
-	  if (attrs == NULL_TREE)
-	    return false;
-
-	  /* If "nonnull" applies to all the arguments, then ARG
-	     is non-null.  */
-	  if (TREE_VALUE (attrs) == NULL_TREE)
-	    return true;
-
-	  /* Now see if op appears in the nonnull list.  */
-	  for (tree t = TREE_VALUE (attrs); t; t = TREE_CHAIN (t))
-	    {
-	      int idx = TREE_INT_CST_LOW (TREE_VALUE (t)) - 1;
-	      tree arg = gimple_call_arg (stmt, idx);
-	      if (op == arg)
-		return true;
-	    }
-	}
-    }
-
-  return false;
-}
-
 /* If the range of values taken by OP can be inferred after STMT executes,
    return the comparison code (COMP_CODE_P) and value (VAL_P) that
    describes the inferred range.  Return true if a range could be