The fix for pr103215 is too conservative and causes false negatives for past-the-end accesses to array elements like in gcc.dg/warn-strnlen-no-nul.c. A simple test case that shows the problem is below. The dump shows that both strcpy calls are plainly out of bounds and both could and should be diagnosed.

$ cat y.c && gcc -O2 -S -Wall -fdump-tree-optimized=/dev/stdout y.c
extern int x;

extern char b[5][7];

void f (const char *s)
{
  __builtin_strncpy (b[3], s, 9);   // warning (good)
}

void g (int i, const char *s)
{
  char *d = i ? b[3] : b[4];
  __builtin_strncpy (d, s, 9);      // warning in GCC 11, missing in 12
}

;; Function f (f, funcdef_no=0, decl_uid=1980, cgraph_uid=1, symbol_order=0)

void f (const char * s)
{
  <bb 2> [local count: 1073741824]:
  __builtin_strncpy (&b[3], s_2(D), 9); [tail call]
  return;

}

y.c: In function ‘f’:
y.c:7:3: warning: ‘__builtin_strncpy’ writing 9 bytes into a region of size 7 overflows the destination [-Wstringop-overflow=]
    7 |   __builtin_strncpy (b[3], s, 9);   // warning (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
y.c:3:13: note: at offset 21 into destination object ‘b’ of size 28
    3 | extern char b[5][7];
      |             ^

;; Function g (g, funcdef_no=1, decl_uid=1984, cgraph_uid=2, symbol_order=1)

Removing basic block 3
void g (int i, const char * s)
{
  char * iftmp.0_1;

  <bb 2> [local count: 1073741824]:
  if (i_2(D) != 0)
    goto <bb 4>; [50.00%]
  else
    goto <bb 3>; [50.00%]

  <bb 3> [local count: 536870912]:

  <bb 4> [local count: 1073741824]:
  # iftmp.0_1 = PHI <&b[3](2), &b[4](3)>
  __builtin_strncpy (iftmp.0_1, s_4(D), 9); [tail call]
  return;

}
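As an added illustration (not code from the report or from GCC), the bound that -Wstringop-overflow applies to each PHI argument in g(), modelled in plain C: a write to a row of b[5][7] must fit in that row, and an overrun that stays inside b is still past the end of the element. The array b is the report's; ROWS, COLS, classify_row_write and strncpy_row are this example's own names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the report's destination: extern char b[5][7]. */
enum { ROWS = 5, COLS = 7 };
static char b[ROWS][COLS];

enum access_kind {
    IN_BOUNDS,     /* n fits in the row */
    PAST_ELEMENT,  /* overruns the row but stays inside b (b[3], 9 bytes) */
    PAST_OBJECT    /* overruns the whole array b (b[4], 9 bytes) */
};

/* Classify a write of n bytes starting at &b[row][0], the check the
   warning performs per PHI argument (constructed model, not GCC code). */
enum access_kind classify_row_write(size_t row, size_t n)
{
    size_t offset = row * COLS;        /* byte offset of the row within b */
    if (n <= COLS)
        return IN_BOUNDS;
    if (offset + n <= sizeof b)        /* past the row, still inside b */
        return PAST_ELEMENT;
    return PAST_OBJECT;
}

/* Bounded replacement for the strncpy in g(): refuses any write that
   classify_row_write rejects. Returns 1 on success, 0 on refusal. */
int strncpy_row(size_t row, const char *s, size_t n)
{
    if (row >= ROWS || classify_row_write(row, n) != IN_BOUNDS)
        return 0;
    strncpy(b[row], s, n);
    return 1;
}

int main(void)
{
    /* Both PHI arguments from the report are out of bounds, for
       different reasons; a 7-byte write into b[3] is fine. */
    printf("b[3], 9 bytes -> kind %d\n", classify_row_write(3, 9)); /* 1 */
    printf("b[4], 9 bytes -> kind %d\n", classify_row_write(4, 9)); /* 2 */
    printf("b[3], 7 bytes -> kind %d\n", classify_row_write(3, 7)); /* 0 */
    return 0;
}
```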
GCC 12.1 is being released, retargeting bugs to GCC 12.2.
GCC 12.2 is being released, retargeting bugs to GCC 12.3.
Confirmed on trunk.
GCC 12.3 is being released, retargeting bugs to GCC 12.4.
GCC 12.4 is being released, retargeting bugs to GCC 12.5.