1  // TODO: remove need for this option
       2  /* { dg-additional-options "-fanalyzer-checker=taint" } */
       3  
       4  #include "analyzer-decls.h"
       5  
       6  struct foo
       7  {
       8    int num;
       9  };
      10  
      11  /* malloc with tainted size from a field.  */
      12  
      13  void * __attribute__ ((tainted_args))
      14  test_1 (struct foo f)
      15  {
      16    __analyzer_dump_state ("taint", f.num); /* { dg-warning "state: 'tainted'" } */
      17    __analyzer_dump_state ("taint", f.num * 16); /* { dg-warning "state: 'tainted'" } */
      18  
      19    return __builtin_malloc (f.num * 16); /* { dg-warning "use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
      20    /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target *-*-* } .-1 } */
      21  }