https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
Bug ID: 111266 Summary: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite. Product: gcc Version: 14.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: vultkayn at gcc dot gnu.org Target Milestone: --- Hi, The analyzer do not emit the expected "heap-based write overflow" in the reproducer below. #include <stdint.h> void *malloc (__SIZE_TYPE__); void free (void *); void test_binop2 () { char *p = (char *) malloc (4); int32_t *i = (int32_t *) (p + 3); *i = 20042; /* { dg-warning "heap-based buffer overflow" "" { xfail *-*-* } } */ free (p); } A quick investigation showed that on *i = 20042, check_region_bounds had the following: reg is an offset_region(heap_allocated(12), 'int32_', 3) as expected base_reg is heap_allocated(12) base_reg's capacity is correct too, and reg_offset *is* 3 bytes, as it should. The issue comes from num_bytes_sval, which corresponds to the number of bytes accessed. It should be a constant_svalue of value 4, but is instead of value 1. Therefore the "read_bytes" byte_range do not overflow the buffer, as we get (offset) 3 + (accessed bytes) 1 = 4, which is not an overflow (3 + 4 expected)