https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105022
Bug ID: 105022
Summary: -Wanalyzer-tainted-allocation-size doesn't warn for custom allocators marked with "malloc" attribute
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---

Given:

    typedef __SIZE_TYPE__ size_t;

    void *custom_alloc (size_t sz)
      __attribute__((malloc (__builtin_free)));

    void * __attribute__ ((tainted_args))
    test_ (size_t sz)
    {
      return custom_alloc (sz);
    }

and compiling with:

    -fanalyzer -fanalyzer-checker=taint

there is no output.

Ideally the analyzer should complain with -Wanalyzer-tainted-allocation-size that "sz" is attacker-controlled.

https://godbolt.org/z/oohh39Gjj
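
An added example, not part of the original report or of GCC: the report's pattern next to a variant that range-checks the size before it reaches the custom allocator, which is the manual mitigation while the analyzer stays silent for such wrappers. MAX_ALLOC_SIZE, unchecked_alloc, checked_alloc and the malloc-backed body of custom_alloc are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Attribute spellings taken from the report; guarded so that
   compilers without them still build the example. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
#  define ATTR_ALLOC   __attribute__((malloc (__builtin_free)))
#  define ATTR_TAINTED __attribute__((tainted_args))
#else
#  define ATTR_ALLOC
#  define ATTR_TAINTED
#endif

/* Hypothetical policy limit chosen for this example. */
#define MAX_ALLOC_SIZE ((size_t)1 << 20)

/* Declaration as in the report; the body is an assumed stand-in
   so the example links and runs. */
void *custom_alloc (size_t sz) ATTR_ALLOC;
void *custom_alloc (size_t sz) { return malloc (sz); }

/* Same shape as the report's test_: the caller-supplied size goes
   to the allocator without any range check. */
void * ATTR_TAINTED
unchecked_alloc (size_t sz)
{
  return custom_alloc (sz);
}

/* Rejects zero and anything above the policy limit, so the size
   is bounded on both sides before the allocation happens. */
void * ATTR_TAINTED
checked_alloc (size_t sz)
{
  if (sz == 0 || sz > MAX_ALLOC_SIZE)
    return NULL;
  return custom_alloc (sz);
}

int main (void)
{
  void *ok = checked_alloc (64);
  void *too_big = checked_alloc (MAX_ALLOC_SIZE + 1);
  printf ("64 bytes: %s, over limit: %s\n",
          ok ? "allocated" : "rejected",
          too_big ? "allocated" : "rejected");
  free (ok);
  return 0;
}
```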