https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104964
--- Comment #13 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---

It's not really a regression AFAICT, it's only more visible with __bdos because non-constant offsets don't stop it. Also, the problem is only with subobjects (hence limited to _FORTIFY_SOURCE > 1 for strcpy), where the block in addr_object_size that is supposed to deal with flex arrays at the end doesn't quite do its job with nested structs. The same reproducer, tweaked a bit, will crash even for __builtin_object_size:

/* Zero-length array (GNU extension) at the end of a struct that is itself
   nested at the end of string_obj.  */
struct __string_ext { char s_str[0]; };
typedef struct { int o_prefix; struct __string_ext i; } string_obj;

#define SUFFIX ".suffix"

/* glibc's fortified strcpy; declared here because no header is included.  */
extern char *__strcpy_chk (char *, const char *, __SIZE_TYPE__);

string_obj *
__acl_to_any_text (unsigned long n)
{
  unsigned long off = 0;
  unsigned long size = sizeof SUFFIX;
  string_obj *obj = __builtin_malloc (sizeof (string_obj) + size);

  /* Deliberate: prune the n == 0 path to keep the reproducer small.  */
  if (n == 0)
    __builtin_unreachable ();

  while (n-- != 0)
    {
      /* Grow the buffer whenever there is no room for one more byte plus
         the trailing suffix.  */
      if (off + 1 > size - sizeof SUFFIX)
        {
          size <<= 1;
          string_obj *tmp = __builtin_realloc (obj, sizeof (string_obj) + size);
          /* Deliberate: prune the allocation-failure path as well.  */
          if (!tmp)
            __builtin_unreachable ();
          obj = tmp;
        }
      obj->i.s_str[off++] = 'A';
    }

  /* t points at the nested flex array; __builtin_object_size (t, 1)
     should not be able to claim its size is 0.  */
  char *t = obj->i.s_str;
  __strcpy_chk (t, SUFFIX, __builtin_object_size (t, 1));
  return obj;
}

int
main ()
{
  string_obj *s = __acl_to_any_text (32);
  __builtin_printf ("%zu: %s\n", __builtin_strlen (s->i.s_str), s->i.s_str);
  return 0;
}

$ gcc/cc1 -g -o test.s -quiet -Wall -O3 fs3.c
fs3.c: In function ‘__acl_to_any_text’:
fs3.c:40:3: warning: ‘__builtin___memcpy_chk’ writing 8 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   40 |   __strcpy_chk (t, SUFFIX, __builtin_object_size (t, 1));
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
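The following is an added example, not part of the bug report above and not GCC or glibc code. The reproducer's string_obj keeps no record of its own capacity, so the only bound __strcpy_chk can enforce is whatever __builtin_object_size recovers statically, and for a flexible array nested inside another struct that recovery is exactly what the bug breaks. Storing the capacity in the object lets the append and suffix operations be checked at runtime regardless of the compiler's estimate. Every name here (sized_string, sstr_new, sstr_reserve, sstr_push, sstr_add_suffix, build_text) is this example's own, and the struct layout mirrors the report's nested zero-length array on purpose.

```c
/* Added example (not from the bug report): a nested flex-array string object
   that carries its own capacity so bounds are checked at runtime rather than
   relying on __builtin_object_size.  All sstr_* names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same GNU zero-length array shape as the report's struct __string_ext. */
struct sstr_ext { char s_str[0]; };

typedef struct {
  size_t capacity;      /* bytes available in i.s_str, including the NUL */
  size_t length;        /* bytes in use, excluding the NUL */
  struct sstr_ext i;    /* nested struct ending in a flexible array */
} sized_string;

#define SSTR_SUFFIX ".suffix"

sized_string *sstr_new (size_t capacity)
{
  if (capacity == 0)
    capacity = 1;                       /* always room for the NUL */
  sized_string *s = malloc (sizeof *s + capacity);
  if (!s)
    return NULL;
  s->capacity = capacity;
  s->length = 0;
  s->i.s_str[0] = '\0';
  return s;
}

/* Ensure at least `need` bytes (including the NUL) fit.  Returns 0 and may
   move *sp, or returns -1 and leaves *sp untouched on failure. */
static int sstr_reserve (sized_string **sp, size_t need)
{
  sized_string *s = *sp;
  if (need <= s->capacity)
    return 0;
  size_t cap = s->capacity;
  while (cap < need)
    {
      if (cap > SIZE_MAX / 2)           /* refuse to wrap the size */
        return -1;
      cap <<= 1;
    }
  sized_string *tmp = realloc (s, sizeof *s + cap);
  if (!tmp)
    return -1;
  tmp->capacity = cap;
  *sp = tmp;
  return 0;
}

/* Append one byte, growing as needed; returns 0 or -1. */
int sstr_push (sized_string **sp, char c)
{
  if (sstr_reserve (sp, (*sp)->length + 2) != 0)
    return -1;
  sized_string *s = *sp;
  s->i.s_str[s->length++] = c;
  s->i.s_str[s->length] = '\0';
  return 0;
}

/* Runtime-checked counterpart of the report's __strcpy_chk call: the bound
   is the tracked capacity, not __builtin_object_size (t, 1). */
int sstr_add_suffix (sized_string **sp, const char *suffix)
{
  size_t slen = strlen (suffix);
  if (sstr_reserve (sp, (*sp)->length + slen + 1) != 0)
    return -1;
  sized_string *s = *sp;
  /* Explicit bound check, the same comparison a fortified strcpy makes
     when it is handed a correct destination size. */
  if (slen + 1 > s->capacity - s->length)
    {
      errno = EOVERFLOW;
      return -1;
    }
  memcpy (s->i.s_str + s->length, suffix, slen + 1);
  s->length += slen;
  return 0;
}

/* Mirrors __acl_to_any_text from the report: n 'A's followed by the suffix. */
sized_string *build_text (unsigned long n)
{
  sized_string *s = sstr_new (sizeof SSTR_SUFFIX);
  if (!s)
    return NULL;
  while (n-- != 0)
    if (sstr_push (&s, 'A') != 0)
      { free (s); return NULL; }
  if (sstr_add_suffix (&s, SSTR_SUFFIX) != 0)
    { free (s); return NULL; }
  return s;
}

int main (void)
{
  sized_string *s = build_text (32);
  if (!s)
    return 1;
  printf ("%zu: %s\n", s->length, s->i.s_str);   /* 39: AAAA...A.suffix */
  free (s);
  return 0;
}
```

The growth policy matches the reproducer's doubling, so the object ends up with the same allocation sizes; the difference is that the copy of the suffix is checked against a value the program itself maintains, which a fortification pass cannot mis-estimate.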