https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90905
--- Comment #6 from Martin Sebor <msebor at gcc dot gnu.org> --- With str being a local (non-reference) variable this should be diagnosed because of the str.D.28972._M_local_buf(12): # _47 = PHI <_59(9), &str.D.28972._M_local_buf(12), _59(8)> str ={v} {CLOBBER}; return _47; In your example a is a reference argument but in this modified version: struct A { char *p; char c[13]; }; void* f (struct A a, _Bool b) { a.p = b ? a.c : (char*)__builtin_malloc (13); __builtin_memcpy (a.p, "hello world!", 12); a.p[12] = 0; return a.p; } and the IL: <bb 3> [local count: 354334802]: iftmp.0_7 = __builtin_malloc (13); <bb 4> [local count: 1073741824]: # iftmp.0_2 = PHI <iftmp.0_7(3), &a.c(2)> a.p = iftmp.0_2; __builtin_memcpy (iftmp.0_2, "hello world!", 12); _1 = a.p; MEM[(char *)_1 + 12B] = 0; return _1; the only challenge with detecting the bug that I see is making a record of the rhs of the assignment to _1 = a.p (and others like that) and then checking the prior assignment to a.p (et al.). With that in place the "may return" warning will trigger.