Even though the lengths of the strings in the test case below are unknown it is possible to determine that the strcpy() call overflows the destination because it writes one more byte into the region than have been allocated for it. This type of an error can be detected in the strlen() pass by looking at the size of the destination of a call like strcpy or memcpy and comparing it to the length of the source string. Even if neither is constant, if the length of the source is greater than the size of the destination (or very likely greater, ignoring unsigned integer wrapping), diagnosing it would catch the error. $ cat c.c && gcc -O2 -S -Wall -fdump-tree-strlen=/dev/stdout c.c char* f (const char *s) { __SIZE_TYPE__ n = __builtin_strlen (s); char *p = __builtin_malloc (n); __builtin_strcpy (p, s); return p; } ;; Function f (f, funcdef_no=0, decl_uid=1898, cgraph_uid=1, symbol_order=0) f (const char * s) { char * p; long unsigned int n; long unsigned int _8; <bb 2> [local count: 1073741825]: n_3 = __builtin_strlen (s_2(D)); p_5 = __builtin_malloc (n_3); _8 = n_3 + 1; __builtin_memcpy (p_5, s_2(D), _8); return p_5; }
Done in GCC 10: $ gcc -O2 -S -Wall -Wextra pr86349.c pr86349.c: In function ‘f’: pr86349.c:5:3: warning: ‘__builtin_strcpy’ writing one too many bytes into a region of a size that depends on ‘strlen’ [-Wstringop-overflow=] 5 | __builtin_strcpy (p, s); | ^~~~~~~~~~~~~~~~~~~~~~~ pr86349.c:4:13: note: at offset 0 to an object allocated by ‘__builtin_malloc’ here 4 | char *p = __builtin_malloc (n); | ^~~~~~~~~~~~~~~~~~~~