https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79547
--- Comment #6 from rguenther at suse dot de <rguenther at suse dot de> --- On Thu, 16 Feb 2017, jakub at gcc dot gnu.org wrote: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79547 > > --- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> --- > Actually the last 4 not, they return addresses into it. > But also strspn and strcspn? Yeah, and __builtin_object_size (which is pure, not const - huh). and __builtin_constant_p. Then there's bcmp. Just looking at the list of BT_FN_{INT,SIZE}_ in builtins.def. Note that other functions like popcount can cause similar leakage, say for foo (popcountl ((uintptr_t)s)); but as they do return some property of the pointer value I'm nervous that a combination of such info can be used to restore the actual pointer value (which is the only reason we track pointers through integers - and floats!). Richard.