https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631
--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
While playing with the test case I added to pr97631 I noticed that when I change the type of len to int, the warning disappears for the call to strcpy (where it's intended) but the false positive stays for the call to memcpy. When I change the type to unsigned int, the warning then moves to strcpy and disappears for memcpy. This should get cleaned up too.

$ (set -x && cat xxx.c && gcc -DINT=int -O2 -S -Wall xxx.c && gcc -DINT=unsigned -O2 -S -Wall xxx.c)
+ cat xxx.c
char* f (char *s)
{
  INT n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_strcpy (d, s); // -Wstringop-overflow (good)
  return d;
}

char* g (char *s)
{
  INT n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_memcpy (d, s, n); // bogus overflow warning
  return d;
}
+ gcc -DINT=int -O2 -S -Wall xxx.c
xxx.c: In function ‘g’:
xxx.c:19:3: warning: ‘__builtin_memcpy’ writing one too many bytes into a region of a size that depends on ‘strlen’ [-Wstringop-overflow=]
   19 |   __builtin_memcpy (d, s, n); // bogus overflow warning
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~
xxx.c:18:13: note: at offset 0 to an object with size between 1 and 18446744073709551615 allocated by ‘__builtin_malloc’ here
   18 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~
+ gcc -DINT=unsigned -O2 -S -Wall xxx.c
xxx.c: In function ‘f’:
xxx.c:8:3: warning: ‘__builtin_strcpy’ writing one too many bytes into a region of a size that depends on ‘strlen’ [-Wstringop-overflow=]
    8 |   __builtin_strcpy (d, s); // -Wstringop-overflow (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~
xxx.c:7:13: note: at offset 0 to an object with size at most 4294967295 allocated by ‘__builtin_malloc’ here
    7 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~