gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c - gcc - Git at Google

 // TODO: remove need for this option
 /* { dg-additional-options "-fanalyzer-checker=taint" } */

 #include "analyzer-decls.h"

 struct foo
 {
   int num;
 };

 /* malloc with tainted size from a field.  */

 void * __attribute__ ((tainted_args))
 test_1 (struct foo f)
 {
   __analyzer_dump_state ("taint", f.num); /* { dg-warning "state: 'tainted'" } */
   __analyzer_dump_state ("taint", f.num * 16); /* { dg-warning "state: 'tainted'" } */

   return __builtin_malloc (f.num * 16); /* { dg-warning "use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
   /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target *-*-* } .-1 } */
 }
	// TODO: remove need for this option
	/* { dg-additional-options "-fanalyzer-checker=taint" } */

	#include "analyzer-decls.h"

	struct foo
	{
	int num;
	};

	/* malloc with tainted size from a field. */

	void * __attribute__ ((tainted_args))
	test_1 (struct foo f)
	{
	__analyzer_dump_state ("taint", f.num); /* { dg-warning "state: 'tainted'" } */
	__analyzer_dump_state ("taint", f.num * 16); /* { dg-warning "state: 'tainted'" } */

	return __builtin_malloc (f.num * 16); /* { dg-warning "use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
	/* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target --* } .-1 } */
	}