
[Bug tree-optimization/85785] New: missing warning on strcat overflow after strcpy


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85785

            Bug ID: 85785
           Summary: missing warning on strcat overflow after strcpy
           Product: gcc
           Version: 8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

In the test case below, GCC correctly detects and diagnoses the buffer overflow
in f() (although it issues -Warray-bounds when the more suitable warning would
be -Wstringop-overflow) but it fails to detect the same overflow in the
equivalent g(). As the optimized dump shows, both functions are lowered to the
same pair of __builtin_memcpy calls; the only difference is that in g() the
destination of the second call is derived from the return value of the first
(_1 + 4) rather than directly from &d.

$ cat u.c && gcc -O2 -S -Wall -fdump-tree-optimized=/dev/stdout u.c
#include <string.h>

/* Drop any macro wrappers <string.h> may define for these names so the
   calls in g() below reach the plain (builtin) functions that GCC folds.  */
#undef strcpy
#undef strcat

/* Destination object.  Both f() and g() below write 9 bytes into it
   (4 + 4 + the terminating NUL), i.e. 3 bytes past its end -- the
   overflow is deliberate; it is what the test case is about.  */
char d[6];

/* The overflow spelled directly with memcpy.  The second call writes
   5 bytes ("5678" plus its NUL) starting at d + 4, i.e. d[4..8], but d
   is only 6 bytes long, so d[6], d[7] and d[8] lie past the end of the
   object.  GCC 8 diagnoses this, but as -Warray-bounds rather than
   -Wstringop-overflow (see the compiler output below).  This is
   undefined behaviour and is present on purpose as the reproducer.  */
void f (void)
{
  __builtin_memcpy (d, "1234", 4);
  __builtin_memcpy (d + 4, "5678", 5);   // warning (good)
}

/* The same overflow spelled with the string functions: strcpy returns d,
   so strcat appends "5678" and a NUL at d + 4, again writing d[4..8].
   At -O2 GCC folds both calls into the same two memcpy calls as in f()
   (see the optimized dump), but the destination of the second memcpy is
   computed from the first memcpy's return value (_1 + 4) rather than
   from &d, and no warning is issued.  Practical caveat: a clean -Wall
   build is therefore not evidence that such an overflow is absent;
   pair static warnings with runtime checks (e.g. _FORTIFY_SOURCE or
   AddressSanitizer) for code that handles untrusted lengths.  */
void g (void)
{
  strcat (strcpy (d, "1234"), "5678");   // missing warning
}
u.c: In function ‘f’:
u.c:11:3: warning: ‘__builtin_memcpy’ forming offset [7, 9] is out of the
bounds [0, 6] of object ‘d’ with type ‘char[6]’ [-Warray-bounds]
   __builtin_memcpy (d + 4, "5678", 5);   // warning (good)
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
u.c:6:6: note: ‘d’ declared here
 char d[6];
      ^

;; Function f (f, funcdef_no=4, decl_uid=2193, cgraph_uid=4, symbol_order=5)

f ()
{
  <bb 2> [local count: 1073741825]:
  __builtin_memcpy (&d, "1234", 4);
  __builtin_memcpy (&MEM[(void *)&d + 4B], "5678", 5); [tail call]
  return;

}



;; Function g (g, funcdef_no=5, decl_uid=2196, cgraph_uid=5, symbol_order=6)

g ()
{
  char * _1;
  char * _5;

  <bb 2> [local count: 1073741825]:
  _1 = __builtin_memcpy (&d, "1234", 4);
  _5 = _1 + 4;
  __builtin_memcpy (_5, "5678", 5); [tail call]
  return;

}
