https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120213
--- Comment #8 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
I'm not sure I fully grok the example code, but FWIW the analyzer doesn't yet "know" about the behavior of strnlen and so conservatively assumes any possible size_t value as the output. There are also limitations in the current internal representation that prevent various useful reasoning about string operations, so it might be running into that.