https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85785
Bug ID: 85785
Summary: missing warning on strcat overflow after strcpy
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---

In the test case below, GCC correctly detects and diagnoses the buffer overflow in f() (although it issues a -Warray-bounds when the more suitable warning is -Wstringop-overflow) but it fails to detect the same overflow in the equivalent g().

$ cat u.c && gcc -O2 -S -Wall -fdump-tree-optimized=/dev/stdout u.c
#include <string.h>

#undef strcpy
#undef strcat

char d[6];

void f (void)
{
  __builtin_memcpy (d, "1234", 4);
  __builtin_memcpy (d + 4, "5678", 5);   // warning (good)
}

void g (void)
{
  strcat (strcpy (d, "1234"), "5678");   // missing warning
}

u.c: In function ‘f’:
u.c:11:3: warning: ‘__builtin_memcpy’ forming offset [7, 9] is out of the bounds [0, 6] of object ‘d’ with type ‘char[6]’ [-Warray-bounds]
   __builtin_memcpy (d + 4, "5678", 5);   // warning (good)
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
u.c:6:6: note: ‘d’ declared here
 char d[6];
      ^

;; Function f (f, funcdef_no=4, decl_uid=2193, cgraph_uid=4, symbol_order=5)

f ()
{
  <bb 2> [local count: 1073741825]:
  __builtin_memcpy (&d, "1234", 4);
  __builtin_memcpy (&MEM[(void *)&d + 4B], "5678", 5); [tail call]
  return;

}

;; Function g (g, funcdef_no=5, decl_uid=2196, cgraph_uid=5, symbol_order=6)

g ()
{
  char * _1;
  char * _5;

  <bb 2> [local count: 1073741825]:
  _1 = __builtin_memcpy (&d, "1234", 4);
  _5 = _1 + 4;
  __builtin_memcpy (_5, "5678", 5); [tail call]
  return;

}
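Because the strcat-after-strcpy overflow in g() gets no diagnostic, code cannot rely on the compiler to catch it; the added example below (not part of the report or of GCC) shows a bounded replacement for that pattern that refuses the copy when the result would not fit, reproducing the report's sizes (char d[6], "1234" and "5678"). The function name bounded_concat and the helper report_case_fits are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Bounded replacement for the strcat(strcpy(d, a), b) pattern from the
 * report: copies a then b into dst only if both fit, including the
 * terminating NUL. Returns 1 on success; returns 0 and leaves dst as an
 * empty string if the concatenation would overflow dst_size bytes. */
int bounded_concat(char *dst, size_t dst_size, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);

    if (dst_size == 0)
        return 0;
    dst[0] = '\0';

    /* Require la + lb + 1 <= dst_size, written so that the subtraction
     * cannot wrap around when la is already too large. */
    if (la >= dst_size || lb >= dst_size - la)
        return 0;

    memcpy(dst, a, la);
    memcpy(dst + la, b, lb + 1);   /* +1 copies b's terminating NUL */
    return 1;
}

/* The report's case: 8 characters plus NUL into a 6-byte buffer.
 * Returns 0 because the write is rejected instead of overflowing d. */
int report_case_fits(void)
{
    char d[6];   /* constructed to match `char d[6]` in the report */
    return bounded_concat(d, sizeof d, "1234", "5678");
}

int main(void)
{
    return report_case_fits() ? 1 : 0;   /* exit 0: overflow was refused */
}
```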