https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90752

            Bug ID: 90752
           Summary: missing -Warray-bounds accessing the result of string
                    functions
           Product: gcc
           Version: 9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

GCC doesn't diagnose any of the out-of-bounds accesses in the functions below
or any others like them that involve string built-ins.  The VRP pass has
sufficient information to issue -Warray-bounds; it simply doesn't consider
these cases.  They can be easily detected by extending
vrp_prop::check_mem_ref() to consider the first argument of each built-in
call.  (For bounded functions like stpncpy that return a pointer to the last
copied character, it should also consider the bound.)

extern char a[4];

int f (const void *s, unsigned n)
{
  char *p = __builtin_memcpy (a, s, n);
  return p[-1];   // missing -Warray-bounds
}

int g (const char *s)
{
  char *p = __builtin_stpcpy (a, s);
  return p[-5];   // missing -Warray-bounds
}

int h (const char *s)
{
  char *p = __builtin_strcpy (a, s);
  return p[4];    // missing -Warray-bounds
}
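
The check the report proposes can be modelled as interval arithmetic on the offset of the pointer a built-in returns. The C example below is added here and is not GCC code or part of the report; `ret_kind`, `result_range` and `access_is_oob` are hypothetical names, and it assumes the call itself stays within the destination array.

```c
/* Added example: interval model of the proposed check. Hypothetical names,
   not GCC internals. Assumes the call itself stays within the destination. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum ret_kind {
    RET_DEST,        /* memcpy, strcpy: result is the first argument */
    RET_DEST_END,    /* stpcpy: result is dest + strlen (src) */
    RET_DEST_BOUND   /* stpncpy: result is dest + at most the bound */
};

/* Offsets [lo, hi] from the start of dest that the result can have. */
static void result_range(enum ret_kind k, long size, long bound,
                         long *lo, long *hi)
{
    *lo = 0;
    switch (k) {
    case RET_DEST:       *hi = 0; break;
    case RET_DEST_END:   *hi = size > 0 ? size - 1 : 0; break; /* the NUL */
    case RET_DEST_BOUND: *hi = bound < size ? bound : size; break;
    default:             *hi = size; break;  /* unknown: be conservative */
    }
}

/* True only when p[idx] is out of bounds for every possible result p,
   which is the case that justifies a warning. */
bool access_is_oob(enum ret_kind k, long size, long bound, long idx)
{
    long lo, hi;
    result_range(k, size, bound, &lo, &hi);
    return hi + idx < 0 || lo + idx >= size;
}

int main(void)
{
    /* The three functions from the report, with a[4]. */
    printf("f: memcpy p[-1] -> %d\n", access_is_oob(RET_DEST, 4, 0, -1));
    printf("g: stpcpy p[-5] -> %d\n", access_is_oob(RET_DEST_END, 4, 0, -5));
    printf("h: strcpy p[4]  -> %d\n", access_is_oob(RET_DEST, 4, 0, 4));
    /* Possibly valid, so not flagged: stpcpy result may be &a[1..3]. */
    printf("stpcpy p[-1]    -> %d\n", access_is_oob(RET_DEST_END, 4, 0, -1));
    return 0;
}
```

All three accesses from the report are out of bounds for every possible result pointer, while `p[-1]` after stpcpy is not, because the result may point past the first element.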