https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104715
Jakub Jelinek <jakub at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jakub at gcc dot gnu.org --- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> --- Other tests: char * foo (char *p) { { char q[61] = "012345678901234567890123456789012345678901234567890123456789"; char *r = q; p = __builtin_strcat (p, r); } return p; } char * bar (char *p) { { char q[] = "0123456789"; char *r = q; p = __builtin_strstr (p, r); } return p; } char * baz (char *p) { { char q[] = "0123456789"; char *r = q; p = __builtin_strpbrk (p, r); } return p; } unsigned long qux (char *p) { unsigned long s; { char q[] = "0123456789"; char *r = q; s = __builtin_strspn (p, r); } return s; } There is false positive warning on foo and bar and not on baz/qux. Using q directly in the builtin calls doesn't result in a warning though. I wanted to suggest that pass_waccess::check_call_dangling would add support for ERF_RETURNS_ARG functions (ignore all arguments but the one that is returned) and similarly handle various builtins that guarnatee certain arguments don't really escape like in addition to those ERF_RETURNS_ARG ones mempcpy, strcat, strncat, strpbrk, strstr, strspn, strcspn for which only something based on the first argument can be returned (for strspn/strcspn based on no argument). But apparently that function doesn't do anything on these testcases because &q isn't passed to it.