https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97047

            Bug ID: 97047
           Summary: missing warning reading past the end of a constant string
                    returned from a function
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

The first call to memcpy below triggers a warning for reading past the end of
the string returned from f(), but the second call doesn't.

$ cat x.c && gcc -O2 -S -Wall -fdump-tree-optimized=/dev/stdout x.c
const char* f (void) { return "123"; }

char a[32];

void g (void)
{
  __builtin_memcpy (a, "123", sizeof a);   // warning (good)
}

void h (void)
{
  __builtin_memcpy (a, f (), sizeof a);   // missing warning (bug)
}

;; Function f (f, funcdef_no=0, decl_uid=1931, cgraph_uid=1, symbol_order=0)

f ()
{
  <bb 2> [local count: 1073741824]:
  return "123";

}


x.c: In function ‘g’:
x.c:7:3: warning: ‘__builtin_memcpy’ forming offset [4, 31] is out of the bounds [0, 4] [-Warray-bounds]
    7 |   __builtin_memcpy (a, "123", sizeof a);   // warning (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

;; Function g (g, funcdef_no=1, decl_uid=1935, cgraph_uid=2, symbol_order=2)

g ()
{
  <bb 2> [local count: 1073741824]:
  __builtin_memcpy (&a, "123", 32); [tail call]
  return;

}


;; Function h (h, funcdef_no=2, decl_uid=1938, cgraph_uid=3, symbol_order=3)

h ()
{
  <bb 2> [local count: 1073741824]:
  MEM <unsigned char[32]> [(char * {ref-all})&a] = MEM <unsigned char[32]> [(char * {ref-all})"123"];
  return;

}