1  /* { dg-additional-options "-fanalyzer-checker=taint" } */
       2  
       3  typedef __SIZE_TYPE__ size_t;
       4  
       5  int idx;
       6  void *fp;
       7  
       8  size_t
       9  fread (void *, size_t, size_t, void *);
      10  
      11  void
      12  ql (void)
      13  {
      14    int n1[1];
      15  
      16    fread (n1, sizeof (n1[0]), 1, fp); /* { dg-message "'n1' gets an unchecked value here" "" { xfail *-*-* } } */
      17    idx = n1[0]; /* { dg-message "'idx' has an unchecked value here \\\(from 'n1'\\\)" "" { xfail *-*-* } } */
      18  }
      19  
      20  int arr[10];
      21  	
      22  int
      23  pl (void)
      24  {
      25    ql ();
      26    return arr[idx]; /* { dg-warning "use of attacker-controlled value 'idx' in array lookup without bounds checking" "" { xfail *-*-* } } */
      27  }