https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94187

--- Comment #11 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <ja...@gcc.gnu.org>:

https://gcc.gnu.org/g:741ff2a263fe0ddc343288331c0047c1a32af8b2

commit r10-7207-g741ff2a263fe0ddc343288331c0047c1a32af8b2
Author: Jakub Jelinek <ja...@redhat.com>
Date:   Tue Mar 17 10:43:46 2020 +0100

    strlen: Punt on UB reads past end of string literal [PR94187]

    The gcc.dg/pr68785.c test which contains:
    int
    foo (void)
    {
      return *(int *) "";
    }
    has UB in the program if it is ever called, but causes UB in the compiler
    as well as at least in theory non-reproducible code generation.
    The problem is that nbytes is in this case 4, prep is the
    TREE_STRING_POINTER of a "" string literal with TREE_STRING_LENGTH of 1 and
    we do:
    4890              for (const char *p = prep; p != prep + nbytes; ++p)
    4891                if (*p)
    4892                  {
    4893                    *allnul = false;
    4894                    break;
    4895                  }
    and so read the bytes after the STRING_CST payload, which can be random.
    I think we should just punt in this case.

    2020-03-17  Jakub Jelinek  <ja...@redhat.com>

            PR tree-optimization/94187
            * tree-ssa-strlen.c (count_nonzero_bytes): Punt if
            nchars - offset < nbytes.
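As an added illustration, not GCC's own code (the `string_cst` struct and the `allnul_*` function names are made up here), the unchecked loop quoted in the commit beside the punt the ChangeLog entry describes. The `""` literal is embedded in arrays this file controls, so the "random bytes after the payload" can be shown without the example itself reading out of bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a STRING_CST: payload bytes including the trailing NUL, and
   their count (TREE_STRING_LENGTH).  Added illustration, not GCC's own type. */
struct string_cst {
  const char *payload;  /* what TREE_STRING_POINTER returns */
  size_t nchars;        /* TREE_STRING_LENGTH, counts the trailing NUL */
};

/* Pre-fix shape of the loop quoted in the commit: nbytes is trusted, never
   compared with the payload length.  The payloads below sit inside larger
   arrays, so the "bytes after the literal" are controlled here, not real UB. */
static bool allnul_unchecked(const struct string_cst *s, size_t offset,
                             size_t nbytes)
{
  const char *prep = s->payload + offset;
  for (const char *p = prep; p != prep + nbytes; ++p)
    if (*p)
      return false;
  return true;
}

/* Post-fix shape: punt when nchars - offset < nbytes, as in the ChangeLog.
   Returns -1 for punt, 0 for "some byte is nonzero", 1 for "all NUL". */
static int allnul_checked(const struct string_cst *s, size_t offset,
                          size_t nbytes)
{
  if (offset > s->nchars || s->nchars - offset < nbytes)
    return -1;
  return allnul_unchecked(s, offset, nbytes) ? 1 : 0;
}

/* "" (nchars == 1) in two surroundings: byte 0 is the literal, bytes 1..3
   model whatever happens to follow it in memory (constructed values). */
static const char zero_tail[4] = { 0, 0, 0, 0 };
static const char junk_tail[4] = { 0, 'j', 'u', 'n' };
static const struct string_cst empty_zero = { zero_tail, 1 };
static const struct string_cst empty_junk = { junk_tail, 1 };
static const struct string_cst ab = { "a\0b", 4 };  /* 'a', NUL, 'b', NUL */

int main(void)
{
  printf("unchecked: %d %d\n", allnul_unchecked(&empty_zero, 0, 4),
         allnul_unchecked(&empty_junk, 0, 4));
  printf("checked: %d %d %d %d\n", allnul_checked(&empty_zero, 0, 4),
         allnul_checked(&empty_junk, 0, 4), allnul_checked(&ab, 1, 1),
         allnul_checked(&ab, 0, 2));
  return 0;
}
```

The unchecked loop answers `1` for one copy of `""` and `0` for the other, which is the non-reproducible result the commit message warns about; the checked variant punts (`-1`) on both and still answers queries that stay inside the literal.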
