[Bug tree-optimization/97631] [10/11 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

msebor at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Thu Oct 29 16:25:01 GMT 2020


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
While playing with the test case I added to pr97631 I noticed that when I
change the type of len to int, the warning disappears for the call to strcpy
(where it's intended) but the false positive stays for the call to memcpy. 
When I change the type to unsigned int, the warning then moves to strcpy and
disappears for memcpy.  This should get cleaned up too.

$ (set -x && cat xxx.c && gcc -DINT=int -O2 -S -Wall xxx.c && gcc
-DINT=unsigned -O2 -S -Wall xxx.c)
+ cat xxx.c
char* f (char *s)
{
  INT n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_strcpy (d, s);       // -Wstringop-overflow (good)
  return d;
}

char* g (char *s)
{
  INT n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_memcpy (d, s, n);    // bogus overflow warning
  return d;
}

+ gcc -DINT=int -O2 -S -Wall xxx.c
xxx.c: In function ‘g’:
xxx.c:19:3: warning: ‘__builtin_memcpy’ writing one too many bytes into a
region of a size that depends on ‘strlen’ [-Wstringop-overflow=]
   19 |   __builtin_memcpy (d, s, n);    // bogus overflow warning
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~
xxx.c:18:13: note: at offset 0 to an object with size between 1 and
18446744073709551615 allocated by ‘__builtin_malloc’ here
   18 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~
+ gcc -DINT=unsigned -O2 -S -Wall xxx.c
xxx.c: In function ‘f’:
xxx.c:8:3: warning: ‘__builtin_strcpy’ writing one too many bytes into a region
of a size that depends on ‘strlen’ [-Wstringop-overflow=]
    8 |   __builtin_strcpy (d, s);       // -Wstringop-overflow (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~
xxx.c:7:13: note: at offset 0 to an object with size at most 4294967295
allocated by ‘__builtin_malloc’ here
    7 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~
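The same two allocation patterns, as an added example that is not part of Martin Sebor's comment or the GCC test case: the number of bytes each call writes is made explicit so the one-byte heap overflow in f (and its absence in g) can be seen without the compiler diagnostic, and f is shown with the allocation corrected. Function names are mine.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the bug report. Bytes a strcpy (d, s) writes:
   every character of s plus the terminating NUL. */
size_t strcpy_bytes_written(const char *s)
{
    return strlen(s) + 1;
}

/* Bytes a memcpy (d, s, n) with n == strlen (s) writes: no terminator. */
size_t memcpy_bytes_written(const char *s)
{
    return strlen(s);
}

/* Mirrors f in the report: malloc (n) followed by strcpy. The copy writes
   n + 1 bytes into n bytes, a one-byte heap overflow, so the warning for f
   is correct. Returns 1 if the copy would overflow, without performing it. */
int f_would_overflow(const char *s)
{
    size_t allocated = strlen(s);              /* malloc (n) */
    return strcpy_bytes_written(s) > allocated;
}

/* Mirrors g in the report: malloc (n) followed by memcpy of exactly n bytes.
   Nothing is written past the allocation, so the warning for g is a false
   positive (the result is not NUL-terminated, but it does not overflow). */
int g_would_overflow(const char *s)
{
    size_t allocated = strlen(s);              /* malloc (n) */
    return memcpy_bytes_written(s) > allocated;
}

/* Corrected f: allocate n + 1 bytes so the terminator fits, and copy a
   known byte count instead of relying on strcpy to stop at the NUL. */
char *f_fixed(const char *s)
{
    size_t n = strlen(s);
    if (n == 0)
        return NULL;
    char *d = malloc(n + 1);
    if (d == NULL)
        return NULL;
    memcpy(d, s, n + 1);                       /* includes the NUL */
    return d;
}
```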