On Fri, May 23, 2025 at 01:31:00PM +0100, David Laight wrote: > > The compiler (or headers files) can also allow strcpy() of constant > length strings into arrays (known size). Erroring requests that are too long. > The strcpy() is then converted to a memcpy() which can then be optimised > into writes of constants. > > So using strcpy() under those conditions 'isn't all bad' and can generate > better (and less bug prone) code than trying to hand-optimise it. > > So even through strcpy() is usually a bad idea, there is not need to > remove the calls that the compiler can validate as safe. I assume that what the hardening folks want to do is to assert that strcpy is always evil(tm) so they can detect potential security bugs by doing "git grep strcpy". - Ted
