Extended Description

target datalayout = "e-p:64:64:64-S128-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f16:16:16-f32:32:32-f64:64:64-f128:128:128-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64"
target triple = "x86_64-redhat-linux"

define zeroext i8 @​_Z3BARv() unnamed_addr nounwind uwtable {
entry:
%r = alloca i8, align 1
%tmp = call zeroext i8 @​_Z3FOORb(i8* %r) nounwind
%tmp9 = and i8 %tmp, 1
%tmp1 = icmp eq i8 %tmp9, 0
br i1 %tmp1, label %"5", label %"3"

"3": ; preds = %entry
%tmp3 = load i8* %r, align 1, !range !​0
%tmp4 = icmp eq i8 %tmp3, 0
br i1 %tmp4, label %"5", label %"7"

"5": ; preds = %"3", %entry
br label %"7"

"7": ; preds = %"3", %"5"
%tmp6 = phi i8 [ 0, %"5" ], [ 1, %"3" ]
call void @​llvm.lifetime.end(i64 1, i8* %r)
ret i8 %tmp6
}

declare zeroext i8 @​_Z3FOORb(i8*)

declare void @​llvm.lifetime.end(i64, i8* nocapture) nounwind

!​0 = metadata !{i8 0, i8 2}

;========

With -simplifycfg -instcombine,

entry:
%r = alloca i8, align 1
%tmp = call zeroext i8 @​_Z3FOORb(i8* %r) nounwind
%tmp9 = and i8 %tmp, 1
%tmp3 = load i8* %r, align 1, !range !​0
%0 = xor i8 %tmp9, 1
%1 = xor i8 %tmp3, 1
%2 = or i8 %0, %1
%tmp6 = xor i8 %2, 1
call void @​llvm.lifetime.end(i64 1, i8* %r)
ret i8 %tmp6

;====

0. "load i8 %r" is undef if %tmp is false.
1. "load i8 %r" should not be executed when %tmp is false.
2. "load i8 %r" affects the result even when "load i8 %r" might be out of [0,2).
3. It would not be miscompiled when !range is removed.

FYI, this issue was found on gcc47 with dragonegg.

// r is not updated (undef) when return value is false.
// Simplified from clang/lib/Sema/SemaExpr.cpp EvaluatesAsTrue()
extern bool FOO(bool& r);

bool BAR() {
bool r;
return FOO(r) && r;
}