This patch makes -fanalyzer make use of the function attribute
"alloc_size", allowing -fanalyzer to emit -Wanalyzer-allocation-size,
-Wanalyzer-out-of-bounds, and -Wanalyzer-tainted-allocation-size on
execution paths involving allocations using such functions.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r14-3001-g021077b94741c9.

gcc/analyzer/ChangeLog:
        PR analyzer/110426
        * bounds-checking.cc (region_model::check_region_bounds): Handle
        symbolic base regions.
        * call-details.cc: Include "stringpool.h" and "attribs.h".
        (call_details::lookup_function_attribute): New function.
        * call-details.h (call_details::lookup_function_attribute): New
        function decl.
        * region-model-manager.cc
        (region_model_manager::maybe_fold_binop): Add reference to
        PR analyzer/110902.
        * region-model-reachability.cc (reachable_regions::handle_sval):
        Add symbolic regions for pointers that are conjured svalues for
        the LHS of a stmt.
        * region-model.cc (region_model::canonicalize): Purge dynamic
        extents for regions that aren't referenced.
        (get_result_size_in_bytes): New function.
        (region_model::on_call_pre): Use get_result_size_in_bytes and
        potentially set the dynamic extents of the region pointed to by
        the return value.
        (region_model::deref_rvalue): Add param "add_nonnull_constraint"
        and use it to conditionalize adding the constraint.
        (pending_diagnostic_subclass::dubious_allocation_size): Add "stmt"
        param to both ctors and use it to initialize new "m_stmt" field.
        (pending_diagnostic_subclass::operator==): Use m_stmt; don't use
        m_lhs or m_rhs.
        (pending_diagnostic_subclass::m_stmt): New field.
        (region_model::check_region_size): Generalize to any kind of
        pointer svalue by using deref_rvalue rather than checking for
        region_svalue.  Pass stmt to dubious_allocation_size ctor.
        * region-model.h (region_model::deref_rvalue): Add param
        "add_nonnull_constraint".
        * svalue.cc (conjured_svalue::lhs_value_p): New function.
        * svalue.h (conjured_svalue::lhs_value_p): New decl.

gcc/testsuite/ChangeLog:
        PR analyzer/110426
        * gcc.dg/analyzer/allocation-size-1.c: Update expected message to
        reflect consolidation of size and assignment into a single event.
        * gcc.dg/analyzer/allocation-size-2.c: Likewise.
        * gcc.dg/analyzer/allocation-size-3.c: Likewise.
        * gcc.dg/analyzer/allocation-size-4.c: Likewise.
        * gcc.dg/analyzer/allocation-size-multiline-1.c: Likewise.
        * gcc.dg/analyzer/allocation-size-multiline-2.c: Likewise.
        * gcc.dg/analyzer/allocation-size-multiline-3.c: Likewise.
        * gcc.dg/analyzer/attr-alloc_size-1.c: New test.
        * gcc.dg/analyzer/attr-alloc_size-2.c: New test.
        * gcc.dg/analyzer/attr-alloc_size-3.c: New test.
        * gcc.dg/analyzer/explode-4.c: New test.
        * gcc.dg/analyzer/taint-size-1.c: Add test coverage for
        __attribute__ alloc_size.
---
 gcc/analyzer/bounds-checking.cc               |  12 +-
 gcc/analyzer/call-details.cc                  |  21 +++
 gcc/analyzer/call-details.h                   |   2 +
 gcc/analyzer/region-model-manager.cc          |   2 +
 gcc/analyzer/region-model-reachability.cc     |  21 +++
 gcc/analyzer/region-model.cc                  | 109 ++++++++++--
 gcc/analyzer/region-model.h                   |   3 +-
 gcc/analyzer/svalue.cc                        |  11 ++
 gcc/analyzer/svalue.h                         |   1 +
 .../gcc.dg/analyzer/allocation-size-1.c       |   3 +-
 .../gcc.dg/analyzer/allocation-size-2.c       |   3 +-
 .../gcc.dg/analyzer/allocation-size-3.c       |   9 +-
 .../gcc.dg/analyzer/allocation-size-4.c       |   6 +-
 .../analyzer/allocation-size-multiline-1.c    |  12 +-
 .../analyzer/allocation-size-multiline-2.c    |  15 +-
 .../analyzer/allocation-size-multiline-3.c    |  10 +-
 .../gcc.dg/analyzer/attr-alloc_size-1.c       |  81 +++++++++
 .../gcc.dg/analyzer/attr-alloc_size-2.c       |  19 +++
 .../gcc.dg/analyzer/attr-alloc_size-3.c       |  14 ++
 gcc/testsuite/gcc.dg/analyzer/explode-4.c     | 157 ++++++++++++++++++
 gcc/testsuite/gcc.dg/analyzer/taint-size-1.c  |  10 ++
 21 files changed, 458 insertions(+), 63 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-2.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-3.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/explode-4.c

diff --git a/gcc/analyzer/bounds-checking.cc b/gcc/analyzer/bounds-checking.cc
index 5e8de9a7aa5..f49cf7cf2af 100644
--- a/gcc/analyzer/bounds-checking.cc
+++ b/gcc/analyzer/bounds-checking.cc
@@ -981,12 +981,6 @@ region_model::check_region_bounds (const region *reg,
   region_offset reg_offset = reg->get_offset (m_mgr);
   const region *base_reg = reg_offset.get_base_region ();
 
-  /* Bail out on symbolic regions.
-     (e.g. because the analyzer did not see previous offsets on the latter,
-     it might think that a negative access is before the buffer).  */
-  if (base_reg->symbolic_p ())
-         return true;
-
   /* Find out how many bytes were accessed.  */
   const svalue *num_bytes_sval = reg->get_byte_size_sval (m_mgr);
   tree num_bytes_tree = maybe_get_integer_cst_tree (num_bytes_sval);
@@ -1010,9 +1004,9 @@ region_model::check_region_bounds (const region *reg,
     offset = wi::sext (reg_offset.get_bit_offset () >> LOG2_BITS_PER_UNIT,
                       TYPE_PRECISION (size_type_node));
 
-  /* If either the offset or the number of bytes accessed are symbolic,
-     we have to reason about symbolic values.  */
-  if (reg_offset.symbolic_p () || !num_bytes_tree)
+  /* If any of the base region, the offset, or the number of bytes accessed
+     are symbolic, we have to reason about symbolic values.  */
+  if (base_reg->symbolic_p () || reg_offset.symbolic_p () || !num_bytes_tree)
     {
       const svalue* byte_offset_sval;
       if (!reg_offset.symbolic_p ())
diff --git a/gcc/analyzer/call-details.cc b/gcc/analyzer/call-details.cc
index 17edaf26276..793317eaa02 100644
--- a/gcc/analyzer/call-details.cc
+++ b/gcc/analyzer/call-details.cc
@@ -34,6 +34,8 @@ along with GCC; see the file COPYING3.  If not see
 #include "gimple-pretty-print.h"
 #include "analyzer/region-model.h"
 #include "analyzer/call-details.h"
+#include "stringpool.h"
+#include "attribs.h"
 
 #if ENABLE_ANALYZER
 
@@ -226,6 +228,25 @@ call_details::get_or_create_conjured_svalue (const region 
*reg) const
                                             conjured_purge (m_model, m_ctxt));
 }
 
+/* Look for a function attribute with name ATTR_NAME on the called
+   function (or on its type).
+   Return the attribute if one is found, otherwise return NULL_TREE.  */
+
+tree
+call_details::lookup_function_attribute (const char *attr_name) const
+{
+  tree allocfntype;
+  if (tree fndecl = get_fndecl_for_call ())
+    allocfntype = TREE_TYPE (fndecl);
+  else
+    allocfntype = gimple_call_fntype (m_call);
+
+  if (!allocfntype)
+    return NULL_TREE;
+
+  return lookup_attribute (attr_name, TYPE_ATTRIBUTES (allocfntype));
+}
+
 } // namespace ana
 
 #endif /* #if ENABLE_ANALYZER */
diff --git a/gcc/analyzer/call-details.h b/gcc/analyzer/call-details.h
index 14a206ff5d6..25ea5546182 100644
--- a/gcc/analyzer/call-details.h
+++ b/gcc/analyzer/call-details.h
@@ -64,6 +64,8 @@ public:
 
   const svalue *get_or_create_conjured_svalue (const region *) const;
 
+  tree lookup_function_attribute (const char *attr_name) const;
+
 private:
   const gcall *m_call;
   region_model *m_model;
diff --git a/gcc/analyzer/region-model-manager.cc 
b/gcc/analyzer/region-model-manager.cc
index 46d271a295c..65b719056c8 100644
--- a/gcc/analyzer/region-model-manager.cc
+++ b/gcc/analyzer/region-model-manager.cc
@@ -654,6 +654,8 @@ region_model_manager::maybe_fold_binop (tree type, enum 
tree_code op,
        return get_or_create_constant_svalue (build_int_cst (type, 0));
       /* (VAL * 1) -> VAL.  */
       if (cst1 && integer_onep (cst1))
+       /* TODO: we ought to have a cast to TYPE here, but doing so introduces
+          regressions; see PR analyzer/110902.  */
        return arg0;
       break;
     case BIT_AND_EXPR:
diff --git a/gcc/analyzer/region-model-reachability.cc 
b/gcc/analyzer/region-model-reachability.cc
index a5c12f49346..1c747e14eab 100644
--- a/gcc/analyzer/region-model-reachability.cc
+++ b/gcc/analyzer/region-model-reachability.cc
@@ -184,6 +184,27 @@ reachable_regions::handle_sval (const svalue *sval)
        }
       add (pointee, ptr_is_mutable);
     }
+  else if (sval->get_type ()
+          && TREE_CODE (sval->get_type ()) == POINTER_TYPE
+          && sval->get_kind () == SK_CONJURED)
+    {
+      /* Also add symbolic regions for pointers, but only for conjured svalues
+        for the LHS of a stmt.  Doing it for more leads to state explosions
+        on chains of calls to external functions, due to each conjured svalue
+        potentially being modified at each successive call, recursively.  */
+      const conjured_svalue *conjured_sval = (const conjured_svalue *)sval;
+      if (conjured_sval->lhs_value_p ())
+       {
+         const region *pointee
+           = m_model->get_manager ()->get_symbolic_region (sval);
+         /* Use const-ness of pointer type to affect mutability.  */
+         bool ptr_is_mutable = true;
+         if (TYPE_READONLY (TREE_TYPE (sval->get_type ())))
+           ptr_is_mutable = false;
+         add (pointee, ptr_is_mutable);
+       }
+    }
+
   /* Treat all svalues within a compound_svalue as reachable.  */
   if (const compound_svalue *compound_sval
       = sval->dyn_cast_compound_svalue ())
diff --git a/gcc/analyzer/region-model.cc b/gcc/analyzer/region-model.cc
index 5ed735dc2a2..e92b3f7b074 100644
--- a/gcc/analyzer/region-model.cc
+++ b/gcc/analyzer/region-model.cc
@@ -441,6 +441,29 @@ region_model::canonicalize ()
 {
   m_store.canonicalize (m_mgr->get_store_manager ());
   m_constraints->canonicalize ();
+
+  if (!m_dynamic_extents.is_empty ())
+    {
+      /* Purge any dynamic extents for regions that aren't referenced.
+        Normally these are eliminated when leaks are detected, but we
+        can also gain stray heap_allocated_regions that aren't seen
+        by the leak-detection code.  This happens when
+        region_model::on_call_pre provides a default result for a
+        function with both attributes "malloc" and "alloc_size" that
+        also has a known_function implementation.
+        Purge dynamic extent information for such regions.  */
+      auto_bitmap referenced_base_region_ids;
+      get_referenced_base_regions (referenced_base_region_ids);
+      auto_vec<const region *> purgable_dyn_extents;
+      for (auto iter : m_dynamic_extents)
+       {
+         const region *reg = iter.first;
+         if (!bitmap_bit_p (referenced_base_region_ids, reg->get_id ()))
+           purgable_dyn_extents.safe_push (reg);
+       }
+      for (auto reg : purgable_dyn_extents)
+       m_dynamic_extents.remove (reg);
+    }
 }
 
 /* Return true if this region_model is in canonical form.  */
@@ -1462,6 +1485,48 @@ region_model::get_known_function (enum internal_fn ifn) 
const
   return known_fn_mgr->get_internal_fn (ifn);
 }
 
+/* Look for attribute "alloc_size" on the called function and, if found,
+   return a symbolic value of type size_type_node for the allocation size
+   based on the call's parameters.
+   Otherwise, return null.  */
+
+static const svalue *
+get_result_size_in_bytes (const call_details &cd)
+{
+  const tree attr = cd.lookup_function_attribute ("alloc_size");
+  if (!attr)
+    return nullptr;
+
+  const tree atval_1 = TREE_VALUE (attr);
+  if (!atval_1)
+    return nullptr;
+
+  unsigned argidx1 = TREE_INT_CST_LOW (TREE_VALUE (atval_1)) - 1;
+  if (cd.num_args () <= argidx1)
+    return nullptr;
+
+  const svalue *sval_arg1 = cd.get_arg_svalue (argidx1);
+
+  if (const tree atval_2 = TREE_CHAIN (atval_1))
+    {
+      /* Two arguments.  */
+      unsigned argidx2 = TREE_INT_CST_LOW (TREE_VALUE (atval_2)) - 1;
+      if (cd.num_args () <= argidx2)
+       return nullptr;
+      const svalue *sval_arg2 = cd.get_arg_svalue (argidx2);
+      /* TODO: ideally we shouldn't need this cast here;
+        see PR analyzer/110902.  */
+      return cd.get_manager ()->get_or_create_cast
+       (size_type_node,
+        cd.get_manager ()->get_or_create_binop (size_type_node,
+                                                MULT_EXPR,
+                                                sval_arg1, sval_arg2));
+    }
+  else
+    /* Single argument.  */
+    return cd.get_manager ()->get_or_create_cast (size_type_node, sval_arg1);
+}
+
 /* Update this model for the CALL stmt, using CTXT to report any
    diagnostics - the first half.
 
@@ -1522,6 +1587,11 @@ region_model::on_call_pre (const gcall *call, 
region_model_context *ctxt)
                                                         lhs_region,
                                                         conjured_purge (this,
                                                                         ctxt));
+         if (const svalue *size_in_bytes = get_result_size_in_bytes (cd))
+           {
+             const region *reg = deref_rvalue (sval, NULL_TREE, ctxt, false);
+             set_dynamic_extents (reg, size_in_bytes, ctxt);
+           }
        }
       set_value (lhs_region, sval, ctxt);
     }
@@ -2461,7 +2531,8 @@ region_model::region_exists_p (const region *reg) const
 
 const region *
 region_model::deref_rvalue (const svalue *ptr_sval, tree ptr_tree,
-                           region_model_context *ctxt) const
+                           region_model_context *ctxt,
+                           bool add_nonnull_constraint) const
 {
   gcc_assert (ptr_sval);
   gcc_assert (POINTER_TYPE_P (ptr_sval->get_type ()));
@@ -2471,9 +2542,13 @@ region_model::deref_rvalue (const svalue *ptr_sval, tree 
ptr_tree,
      -Wanalyzer-null-dereference for the case where we later have an
      if (PTR_SVAL) that would occur if we considered the false branch
      and transitioned the malloc state machine from start->null.  */
-  tree null_ptr_cst = build_int_cst (ptr_sval->get_type (), 0);
-  const svalue *null_ptr = m_mgr->get_or_create_constant_svalue (null_ptr_cst);
-  m_constraints->add_constraint (ptr_sval, NE_EXPR, null_ptr);
+  if (add_nonnull_constraint)
+    {
+      tree null_ptr_cst = build_int_cst (ptr_sval->get_type (), 0);
+      const svalue *null_ptr
+       = m_mgr->get_or_create_constant_svalue (null_ptr_cst);
+      m_constraints->add_constraint (ptr_sval, NE_EXPR, null_ptr);
+    }
 
   switch (ptr_sval->get_kind ())
     {
@@ -2851,14 +2926,15 @@ class dubious_allocation_size
 : public pending_diagnostic_subclass<dubious_allocation_size>
 {
 public:
-  dubious_allocation_size (const region *lhs, const region *rhs)
-  : m_lhs (lhs), m_rhs (rhs), m_expr (NULL_TREE),
+  dubious_allocation_size (const region *lhs, const region *rhs,
+                          const gimple *stmt)
+  : m_lhs (lhs), m_rhs (rhs), m_expr (NULL_TREE), m_stmt (stmt),
     m_has_allocation_event (false)
   {}
 
   dubious_allocation_size (const region *lhs, const region *rhs,
-                          tree expr)
-  : m_lhs (lhs), m_rhs (rhs), m_expr (expr),
+                          tree expr, const gimple *stmt)
+  : m_lhs (lhs), m_rhs (rhs), m_expr (expr), m_stmt (stmt),
     m_has_allocation_event (false)
   {}
 
@@ -2869,8 +2945,8 @@ public:
 
   bool operator== (const dubious_allocation_size &other) const
   {
-    return m_lhs == other.m_lhs && m_rhs == other.m_rhs
-          && pending_diagnostic::same_tree_p (m_expr, other.m_expr);
+    return (m_stmt == other.m_stmt
+           && pending_diagnostic::same_tree_p (m_expr, other.m_expr));
   }
 
   int get_controlling_option () const final override
@@ -2940,6 +3016,7 @@ private:
   const region *m_lhs;
   const region *m_rhs;
   const tree m_expr;
+  const gimple *m_stmt;
   bool m_has_allocation_event;
 };
 
@@ -3139,10 +3216,6 @@ region_model::check_region_size (const region *lhs_reg, 
const svalue *rhs_sval,
   if (!is_any_cast_p (ctxt->get_stmt ()))
     return;
 
-  const region_svalue *reg_sval = dyn_cast <const region_svalue *> (rhs_sval);
-  if (!reg_sval)
-    return;
-
   tree pointer_type = lhs_reg->get_type ();
   if (pointer_type == NULL_TREE || !POINTER_TYPE_P (pointer_type))
     return;
@@ -3167,7 +3240,7 @@ region_model::check_region_size (const region *lhs_reg, 
const svalue *rhs_sval,
       || integer_onep (pointee_size_tree))
     return;
 
-  const region *rhs_reg = reg_sval->get_pointee ();
+  const region *rhs_reg = deref_rvalue (rhs_sval, NULL_TREE, ctxt, false);
   const svalue *capacity = get_capacity (rhs_reg);
   switch (capacity->get_kind ())
     {
@@ -3180,7 +3253,8 @@ region_model::check_region_size (const region *lhs_reg, 
const svalue *rhs_sval,
            && !capacity_compatible_with_type (cst_cap, pointee_size_tree,
                                               is_struct))
          ctxt->warn (make_unique <dubious_allocation_size> (lhs_reg, rhs_reg,
-                                                            cst_cap));
+                                                            cst_cap,
+                                                            ctxt->get_stmt 
()));
       }
       break;
     default:
@@ -3193,7 +3267,8 @@ region_model::check_region_size (const region *lhs_reg, 
const svalue *rhs_sval,
                tree expr = get_representative_tree (capacity);
                ctxt->warn (make_unique <dubious_allocation_size> (lhs_reg,
                                                                   rhs_reg,
-                                                                  expr));
+                                                                  expr,
+                                                                  
ctxt->get_stmt ()));
              }
          }
       break;
diff --git a/gcc/analyzer/region-model.h b/gcc/analyzer/region-model.h
index d6d9615490c..0cf38714c96 100644
--- a/gcc/analyzer/region-model.h
+++ b/gcc/analyzer/region-model.h
@@ -352,7 +352,8 @@ class region_model
   const svalue *get_rvalue (tree expr, region_model_context *ctxt) const;
 
   const region *deref_rvalue (const svalue *ptr_sval, tree ptr_tree,
-                              region_model_context *ctxt) const;
+                             region_model_context *ctxt,
+                             bool add_nonnull_constraint = true) const;
 
   const svalue *get_rvalue_for_bits (tree type,
                                     const region *reg,
diff --git a/gcc/analyzer/svalue.cc b/gcc/analyzer/svalue.cc
index 5d5c80f88c6..064627f3dcc 100644
--- a/gcc/analyzer/svalue.cc
+++ b/gcc/analyzer/svalue.cc
@@ -1940,6 +1940,17 @@ conjured_svalue::accept (visitor *v) const
   v->visit_conjured_svalue (this);
 }
 
+/* Return true iff this conjured_svalue is for the LHS of the
+   stmt that conjured it.  */
+
+bool
+conjured_svalue::lhs_value_p () const
+{
+  if (tree decl = m_id_reg->maybe_get_decl ())
+    return decl == gimple_get_lhs (m_stmt);
+  return false;
+}
+
 /* class asm_output_svalue : public svalue.  */
 
 /* Implementation of svalue::dump_to_pp vfunc for asm_output_svalue.  */
diff --git a/gcc/analyzer/svalue.h b/gcc/analyzer/svalue.h
index fbb10187677..5492b1e0b7c 100644
--- a/gcc/analyzer/svalue.h
+++ b/gcc/analyzer/svalue.h
@@ -1411,6 +1411,7 @@ public:
 
   const gimple *get_stmt () const { return m_stmt; }
   const region *get_id_region () const { return m_id_reg; }
+  bool lhs_value_p () const;
 
  private:
   const gimple *m_stmt;
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-1.c 
b/gcc/testsuite/gcc.dg/analyzer/allocation-size-1.c
index 003914ed96c..dcffc1175cf 100644
--- a/gcc/testsuite/gcc.dg/analyzer/allocation-size-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-1.c
@@ -16,8 +16,7 @@ void test_2 (void)
   free (ptr);
 
   /* { dg-warning "allocated buffer size is not a multiple of the pointee's 
size \\\[CWE-131\\\]" "warning" { target *-*-* } malloc2 } */
-  /* { dg-message "42 bytes" "note" { target *-*-* } malloc2 } */
-  /* { dg-message "'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 
'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' is '4'" "note" { target *-*-* 
} malloc2 } */
+  /* { dg-message "allocated 42 bytes and assigned to 'int32_t \\*' (\\\{aka 
'(long )?int \\*'\\\})? here; 'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' 
is '4'" "note" { target *-*-* } malloc2 } */
 }
 
 void test_3 (void)
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-2.c 
b/gcc/testsuite/gcc.dg/analyzer/allocation-size-2.c
index eb770f73d4a..d26c2672531 100644
--- a/gcc/testsuite/gcc.dg/analyzer/allocation-size-2.c
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-2.c
@@ -19,8 +19,7 @@ void test_2 (int32_t n)
   free (ptr);
 
   /* { dg-warning "allocated buffer size is not a multiple of the pointee's 
size \\\[CWE-131\\\]" "warning" { target *-*-* } malloc2 } */
-  /* { dg-message "'\[a-z0-9\\*\\(\\)\\s\]*' bytes" "note" { target *-*-* } 
malloc2 } */
-  /* { dg-message "'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 
'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' is '4" "note" { target *-*-* 
} malloc2 } */
+  /* { dg-message "allocated '\[a-z0-9\\*\\(\\)\\s\]*' bytes and assigned to 
'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 'sizeof \\(int32_t 
(\\\{aka (long )?int\\\})?\\)' is '4" "note" { target *-*-* } malloc2 } */
 }
 
 void test_3 (int32_t n)
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-3.c 
b/gcc/testsuite/gcc.dg/analyzer/allocation-size-3.c
index 6751441dd18..6b753073008 100644
--- a/gcc/testsuite/gcc.dg/analyzer/allocation-size-3.c
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-3.c
@@ -20,8 +20,7 @@ void test_1 (void)
   free (id_sequence);
 
   /* { dg-warning "allocated buffer size is not a multiple of the pointee's 
size \\\[CWE-131\\\]" "warning" { target *-*-* } malloc1 } */
-  /* { dg-message "3 bytes" "note" { target *-*-* } malloc1 } */
-  /* { dg-message "'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 
'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' is '4'" "note" { target *-*-* 
} malloc1 } */
+  /* { dg-message "allocated 3 bytes and assigned to 'int32_t \\*' (\\\{aka 
'(long )?int \\*'\\\})? here; 'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' 
is '4'" "note" { target *-*-* } malloc1 } */
 }
 
 void test_2 (void)
@@ -30,8 +29,7 @@ void test_2 (void)
   free (ptr);
 
   /* { dg-warning "allocated buffer size is not a multiple of the pointee's 
size \\\[CWE-131\\\]" "warning" { target *-*-* } malloc2 } */
-  /* { dg-message "14 bytes" "note" { target *-*-* } malloc2 } */
-  /* { dg-message "'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 
'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' is '4'" "note" { target *-*-* 
} malloc2 } */
+  /* { dg-message "allocated 14 bytes and assigned to 'int32_t \\*' (\\\{aka 
'(long )?int \\*'\\\})? here; 'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' 
is '4'" "note" { target *-*-* } malloc2 } */
 }
 
 void test_3 (int32_t n)
@@ -40,8 +38,7 @@ void test_3 (int32_t n)
   free (ptr);
 
   /* { dg-warning "allocated buffer size is not a multiple of the pointee's 
size \\\[CWE-131\\\]" "warning" { target *-*-* } malloc3 } */
-  /* { dg-message "'\[a-z0-9\\+\\(\\)\\s\]*' bytes" "note" { target *-*-* } 
malloc3 } */
-  /* { dg-message "'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 
'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' is '4'" "note" { target *-*-* 
} malloc3 } */
+  /* { dg-message "allocated '\[a-z0-9\\+\\(\\)\\s\]*' bytes and assigned to 
'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 'sizeof \\(int32_t 
(\\\{aka (long )?int\\\})?\\)' is '4'" "note" { target *-*-* } malloc3 } */
 }
 
 void test_4 (int32_t n, int32_t m)
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-4.c 
b/gcc/testsuite/gcc.dg/analyzer/allocation-size-4.c
index a56b25b4374..642e8f5f496 100644
--- a/gcc/testsuite/gcc.dg/analyzer/allocation-size-4.c
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-4.c
@@ -30,8 +30,7 @@ void test_2 (void)
   free (ptr);
 
   /* { dg-warning "allocated buffer size is not a multiple of the pointee's 
size \\\[CWE-131\\\]" "warning" { target *-*-* } malloc2 } */
-  /* { dg-message "\\d+ bytes" "note" { target *-*-* } malloc2 } */
-  /* { dg-message "'int32_t \\*' (\\\{aka '(long )?int \\*'\\\})? here; 
'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' is '4'" "note" { target *-*-* 
} malloc2 } */
+  /* { dg-message "allocated \\d+ bytes and assigned to 'int32_t \\*' (\\\{aka 
'(long )?int \\*'\\\})? here; 'sizeof \\(int32_t (\\\{aka (long )?int\\\})?\\)' 
is '4'" "note" { target *-*-* } malloc2 } */
 }
 
 void test_3 (void)
@@ -56,6 +55,5 @@ void test_5 (void)
   free (ptr);
 
   /* { dg-warning "allocated buffer size is not a multiple of the pointee's 
size \\\[CWE-131\\\]" "warning" { target *-*-* } malloc5 } */
-  /* { dg-message "allocated 1 byte here" "note" { target *-*-* } malloc5 } */
-  /* { dg-message "'struct base \\*' here; 'sizeof \\(struct base\\)' is 
'\\d+'" "note" { target *-*-* } malloc5 } */
+  /* { dg-message "allocated 1 bytes and assigned to 'struct base \\*' here; 
'sizeof \\(struct base\\)' is '\\d+'" "note" { target *-*-* } malloc5 } */
 }
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-1.c 
b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-1.c
index 7251665105d..9938ba237a0 100644
--- a/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-1.c
@@ -11,13 +11,12 @@ void test_constant_1 (void)
 /* { dg-begin-multiline-output "" }
    int32_t *ptr = __builtin_malloc (1);
                   ^~~~~~~~~~~~~~~~~~~~
-  'test_constant_1': events 1-2
+  'test_constant_1': event 1
     |
     |   int32_t *ptr = __builtin_malloc (1);
     |                  ^~~~~~~~~~~~~~~~~~~~
     |                  |
-    |                  (1) allocated 1 byte here
-    |                  (2) assigned to 'int32_t *'
+    |                  (1) allocated 1 bytes and assigned to 'int32_t *' {aka 
'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
 
@@ -30,13 +29,12 @@ void test_constant_2 (void)
 /* { dg-begin-multiline-output "" }
    int32_t *ptr = __builtin_malloc (2);
                   ^~~~~~~~~~~~~~~~~~~~
-  'test_constant_2': events 1-2
+  'test_constant_2': event 1
     |
     |   int32_t *ptr = __builtin_malloc (2);
     |                  ^~~~~~~~~~~~~~~~~~~~
     |                  |
-    |                  (1) allocated 2 bytes here
-    |                  (2) assigned to 'int32_t *'
+    |                  (1) allocated 2 bytes and assigned to 'int32_t *' {aka 
'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
 
@@ -54,6 +52,6 @@ void test_symbolic (int n)
     |   int32_t *ptr = __builtin_malloc (n * 2);
     |                  ^~~~~~~~~~~~~~~~~~~~~~~~
     |                  |
-    |                  (1) allocated 'n * 2' bytes and assigned to 'int32_t *'
+    |                  (1) allocated 'n * 2' bytes and assigned to 'int32_t *' 
{aka 'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-2.c 
b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-2.c
index 7cadbb74751..9e1269cbb7a 100644
--- a/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-2.c
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-2.c
@@ -11,13 +11,12 @@ void test_constant_1 (void)
 /* { dg-begin-multiline-output "" }
    int32_t *ptr = __builtin_alloca (1);
                   ^~~~~~~~~~~~~~~~~~~~
-  'test_constant_1': events 1-2
+  'test_constant_1': event 1
     |
     |   int32_t *ptr = __builtin_alloca (1);
     |                  ^~~~~~~~~~~~~~~~~~~~
     |                  |
-    |                  (1) allocated 1 byte here
-    |                  (2) assigned to 'int32_t *'
+    |                  (1) allocated 1 bytes and assigned to 'int32_t *' {aka 
'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
 
@@ -29,13 +28,12 @@ void test_constant_2 (void)
 /* { dg-begin-multiline-output "" }
    int32_t *ptr = __builtin_alloca (2);
                   ^~~~~~~~~~~~~~~~~~~~
-  'test_constant_2': events 1-2
+  'test_constant_2': event 1
     |
     |   int32_t *ptr = __builtin_alloca (2);
     |                  ^~~~~~~~~~~~~~~~~~~~
     |                  |
-    |                  (1) allocated 2 bytes here
-    |                  (2) assigned to 'int32_t *'
+    |                  (1) allocated 2 bytes and assigned to 'int32_t *' {aka 
'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
 
@@ -47,13 +45,12 @@ void test_symbolic (int n)
 /* { dg-begin-multiline-output "" }
    int32_t *ptr = __builtin_alloca (n * 2);
                   ^~~~~~~~~~~~~~~~~~~~~~~~
-  'test_symbolic': events 1-2
+  'test_symbolic': event 1
     |
     |   int32_t *ptr = __builtin_alloca (n * 2);
     |                  ^~~~~~~~~~~~~~~~~~~~~~~~
     |                  |
-    |                  (1) allocated 'n * 2' bytes here
-    |                  (2) assigned to 'int32_t *'
+    |                  (1) allocated 'n * 2' bytes and assigned to 'int32_t *' 
{aka 'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
 
diff --git a/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-3.c 
b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-3.c
index b3de582368f..71790d91753 100644
--- a/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-3.c
+++ b/gcc/testsuite/gcc.dg/analyzer/allocation-size-multiline-3.c
@@ -15,13 +15,12 @@ void test_constant_99 (void)
 /* { dg-begin-multiline-output "" }
    int32_t *ptr = alloca (99);
                   ^~~~~~
-  'test_constant_99': events 1-2
+  'test_constant_99': event 1
     |
     |   int32_t *ptr = alloca (99);
     |                  ^~~~~~
     |                  |
-    |                  (1) allocated 99 bytes here
-    |                  (2) assigned to 'int32_t *' {aka '{re:long :re?}int *'} 
here; 'sizeof (int32_t {aka {re:long :re?}int})' is '4'
+    |                  (1) allocated 99 bytes and assigned to 'int32_t *' {aka 
'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
 
@@ -33,12 +32,11 @@ void test_symbolic (int n)
 /* { dg-begin-multiline-output "" }
    int32_t *ptr = alloca (n * 2);
                   ^~~~~~
-  'test_symbolic': events 1-2
+  'test_symbolic': event 1
     |
     |   int32_t *ptr = alloca (n * 2);
     |                  ^~~~~~
     |                  |
-    |                  (1) allocated 'n * 2' bytes here
-    |                  (2) assigned to 'int32_t *' {aka '{re:long :re?}int *'} 
here; 'sizeof (int32_t {aka {re:long :re?}int})' is '4'
+    |                  (1) allocated 'n * 2' bytes and assigned to 'int32_t *' 
{aka 'int *'} here; 'sizeof (int32_t {aka int})' is '4'
     |
    { dg-end-multiline-output "" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-1.c 
b/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-1.c
new file mode 100644
index 00000000000..eb3c6955e11
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-1.c
@@ -0,0 +1,81 @@
+#include "analyzer-decls.h"
+
+typedef __SIZE_TYPE__ size_t;
+
+extern void* (*my_alloc)(size_t) __attribute__ ((alloc_size (1)));
+extern void* (*my_alloc_2)(size_t, size_t) __attribute__ ((alloc_size (1, 2)));
+
+int test_one_arg_concrete_int_ptr (void)
+{
+  int *x = my_alloc (1); /* { dg-warning "allocated buffer size is not a 
multiple of the pointee's size" } */
+  __analyzer_dump_capacity (x); /* { dg-warning "capacity: 
'\\(\[^\n\r\]*\\)1'" } */
+  x[0] = 0; /* { dg-warning "buffer overflow" } */
+  return 0;
+}
+
+void test_one_arg_concrete (void)
+{
+  char *p = my_alloc (10);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 
'\\(\[^\n\r\]*\\)10'" } */
+  p[0] = 'a';
+  p[9] = 'b';
+  p[10] = 'c'; /* { dg-warning "buffer overflow" } */
+  p[11] = 'c'; /* { dg-warning "buffer overflow" } */
+}
+
+void test_one_arg_symbolic (size_t sz)
+{
+  char *p = my_alloc (sz);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 'INIT_VAL\\(sz" } */
+}
+
+void test_two_args_concrete (void)
+{
+  char *p = my_alloc_2 (2, 5);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 
'\\(\[^\n\r\]*\\)10'" } */
+  p[0] = 'a';
+  p[9] = 'b';
+  p[10] = 'c'; /* { dg-warning "buffer overflow" } */
+  p[11] = 'c'; /* { dg-warning "buffer overflow" } */
+}
+
+void test_two_args_symbolic_first (size_t sz)
+{
+  char *p = my_alloc_2 (sz, 5);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 
'\\(INIT_VAL\\(sz\[^\n\r\]*\\*\\(size_t\\)5\\)'" } */
+}
+
+void test_two_args_symbolic_second (size_t sz)
+{
+  char *p = my_alloc_2 (5, sz);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 
'\\(INIT_VAL\\(sz\[^\n\r\]*\\*\\(size_t\\)5\\)'" } */
+}
+
+void test_two_args_symbolic_both (size_t a, size_t b)
+{
+  char *p = my_alloc_2 (a, b);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 
'\\(INIT_VAL\\(a\[^\n\r\]*\\*INIT_VAL\\(b" } */
+}
+
+typedef void* (*my_alloc_t)(size_t) __attribute__ ((alloc_size (1)));
+typedef void* (*my_alloc_2_t)(size_t, size_t) __attribute__ ((alloc_size (1, 
2)));
+
+void test_one_arg_concrete_fnptr (my_alloc_t fnptr)
+{
+  char *p = fnptr (10);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 
'\\(\[^\n\r\]*\\)10'" } */
+  p[0] = 'a';
+  p[9] = 'b';
+  p[10] = 'c'; /* { dg-warning "buffer overflow" } */
+  p[11] = 'c'; /* { dg-warning "buffer overflow" } */
+}
+
+void test_two_args_concrete_fnptr (my_alloc_2_t fnptr)
+{
+  char *p = fnptr (2, 5);
+  __analyzer_dump_capacity (p); /* { dg-warning "capacity: 
'\\(\[^\n\r\]*\\)10'" } */
+  p[0] = 'a';
+  p[9] = 'b';
+  p[10] = 'c'; /* { dg-warning "buffer overflow" } */
+  p[11] = 'c'; /* { dg-warning "buffer overflow" } */
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-2.c 
b/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-2.c
new file mode 100644
index 00000000000..7b787f959dc
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-2.c
@@ -0,0 +1,19 @@
+typedef signed long idx_t;
+
+void *xirealloc (void *p, idx_t s)
+  __attribute__ ((__alloc_size__ (2))) __attribute__ ((__returns_nonnull__));
+
+char *
+test_cast_1 (char *buf, idx_t buf_count)
+{
+  return xirealloc (buf, buf_count + 1);
+}
+
+void *alloc_cast_2 (signed char x, signed char y)
+  __attribute__ ((__alloc_size__ (1, 2)));
+
+void *
+test_cast_2 (signed char a, signed char b)
+{
+  return alloc_cast_2 (a + 1, b + 1);
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-3.c 
b/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-3.c
new file mode 100644
index 00000000000..9a33922fdd0
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/attr-alloc_size-3.c
@@ -0,0 +1,14 @@
+typedef long int idx_t;
+extern void rpl_free (void *ptr);
+
+void *xicalloc (idx_t n, idx_t s)
+  __attribute__ ((__malloc__))
+  __attribute__ ((__malloc__ (rpl_free, 1)))
+  __attribute__ ((__alloc_size__ (1, 2)))
+  __attribute__ ((__returns_nonnull__));
+
+void *
+xizalloc (idx_t s)
+{
+  return xicalloc (s, 1);
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/explode-4.c 
b/gcc/testsuite/gcc.dg/analyzer/explode-4.c
new file mode 100644
index 00000000000..874b1e9c300
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/explode-4.c
@@ -0,0 +1,157 @@
+/* Regression test for state explosion seen whilst implementing
+   PR analyzer/110426, involving an explosion in the number of
+   conjured_svalues whilst handling a long chain of external
+   function calls.  */
+
+/* { dg-additional-options "-Wno-implicit-function-declaration 
-Wno-int-conversion -Wno-analyzer-too-complex" } */
+
+#define NULL ((void *)0)
+typedef unsigned char uint8_t;
+typedef unsigned short int uint16_t;
+typedef unsigned int uint32_t;
+typedef struct Error Error;
+typedef struct QEMUTimer QEMUTimer;
+enum libusb_class_code {
+  LIBUSB_CLASS_PER_INTERFACE = 0x00,
+};
+struct libusb_device_descriptor {};
+struct libusb_endpoint_descriptor {
+  uint8_t bEndpointAddress;
+  uint8_t bmAttributes;
+};
+struct libusb_interface_descriptor {
+  uint8_t bNumEndpoints;
+  const struct libusb_endpoint_descriptor *endpoint;
+};
+struct libusb_interface {
+  const struct libusb_interface_descriptor *altsetting;
+};
+struct libusb_config_descriptor {
+  uint8_t bNumInterfaces;
+  const struct libusb_interface *interface;
+};
+typedef struct libusb_context libusb_context;
+typedef struct libusb_device libusb_device;
+typedef struct libusb_device_handle libusb_device_handle;
+enum libusb_speed {
+  LIBUSB_SUCCESS = 0,
+  LIBUSB_TRANSFER_TYPE_BULK = 2U,
+};
+typedef struct USBDevice USBDevice;
+typedef struct USBHostDevice USBHostDevice;
+struct USBAutoFilter {
+  uint32_t bus_num;
+};
+struct USBHostDevice {
+  struct USBAutoFilter match;
+  struct USBHostDevice *tqe_next;
+  int bus_num;
+  int addr;
+  char port[16];
+  libusb_device *dev;
+  libusb_device_handle *dh;
+  struct libusb_device_descriptor ddesc;
+};
+static union { struct USBHostDevice *tqh_first; } hostdevs = {};
+static libusb_context *ctx;
+static void usb_host_ep_update(USBHostDevice *s) {
+  static const char *tname[] = {};
+  USBDevice *udev = USB_DEVICE(s);
+  struct libusb_config_descriptor *conf;
+  const struct libusb_interface_descriptor *intf;
+  const struct libusb_endpoint_descriptor *endp;
+  struct libusb_ss_endpoint_companion_descriptor *endp_ss_comp;
+  uint8_t devep, type;
+  int ep;
+  int rc, i, e;
+  usb_ep_reset(udev);
+  rc = libusb_get_active_config_descriptor(s->dev, &conf);
+  for (i = 0; i < conf->bNumInterfaces; i++) {
+    intf = &conf->interface[i].altsetting[0];
+    trace_usb_host_parse_interface();
+    for (e = 0; e < intf->bNumEndpoints; e++) {
+      endp = &intf->endpoint[e];
+      devep = endp->bEndpointAddress;
+      ep = devep & 0xf;
+      type = endp->bmAttributes & 0x3;
+      if (usb_ep_get_type(udev) != 255) {
+        trace_usb_host_parse_error();
+      }
+      trace_usb_host_parse_endpoint(s->bus_num, s->addr);
+      usb_ep_set_max_packet_size(udev);
+      usb_ep_set_type(udev);
+      usb_ep_set_ifnum(udev);
+      usb_ep_set_halted(udev);
+      if (type == LIBUSB_TRANSFER_TYPE_BULK &&
+          libusb_get_ss_endpoint_companion_descriptor(
+              ctx, endp, &endp_ss_comp) == LIBUSB_SUCCESS) {
+        usb_ep_set_max_streams(udev);
+        libusb_free_ss_endpoint_companion_descriptor(endp_ss_comp);
+      }
+    }
+  }
+}
+static int usb_host_open(USBHostDevice *s, libusb_device *dev, int hostfd) {
+  USBDevice *udev = USB_DEVICE(s);
+  int bus_num = 0;
+  int addr = 0;
+  Error *local_err = NULL;
+  if (dev) {
+    bus_num = libusb_get_bus_number(dev);
+    addr = libusb_get_device_address(dev);
+    trace_usb_host_open_started(bus_num, addr);
+    libusb_open(dev, &s->dh);
+    trace_usb_host_open_hostfd(hostfd);
+    libusb_wrap_sys_device(ctx, &s->dh);
+    dev = libusb_get_device(s->dh);
+    bus_num = libusb_get_bus_number(dev);
+    addr = libusb_get_device_address(dev);
+  }
+  usb_host_detach_kernel(s);
+  libusb_get_device_descriptor(dev, &s->ddesc);
+  usb_host_get_port(s->dev, s->port, sizeof(s->port));
+  usb_ep_init(udev);
+  usb_host_ep_update(s);
+  libusb_get_device_speed(dev);
+  usb_device_attach(udev, &local_err);
+  if (local_err) {
+    error_report_err(local_err);
+    goto fail;
+  }
+  return 0;
+fail:
+  trace_usb_host_open_failure();
+  if (s->dh != NULL) {
+    usb_host_release_interfaces(s);
+    libusb_reset_device(s->dh);
+    usb_host_attach_kernel(s);
+  }
+}
+static QEMUTimer *usb_auto_timer;
+static void usb_host_vm_state(void *unused, _Bool running) {}
+static void usb_host_auto_check(void *unused) {
+  struct USBHostDevice *s;
+  struct USBAutoFilter *f;
+  libusb_device **devs = NULL;
+  struct libusb_device_descriptor ddesc;
+  int i, n;
+  if (usb_host_init() != 0) {
+    n = libusb_get_device_list(ctx, &devs);
+    for (i = 0; i < n; i++) {
+      if (libusb_get_device_descriptor(devs[i], &ddesc) != 0) {
+      }
+      for ((s) = ((&hostdevs)->tqh_first); (s); (s) = ((s)->tqe_next)) {
+        f = &s->match;
+        if (f->bus_num > 0 && f->bus_num != libusb_get_bus_number(devs[i])) {
+        }
+        if (usb_host_open(s, devs[i], 0) < 0) {
+        }
+      }
+    }
+    libusb_free_device_list(devs, 1);
+    qemu_add_vm_change_state_handler(usb_host_vm_state, NULL);
+    timer_new_ms(usb_host_auto_check, NULL);
+    trace_usb_host_auto_scan_enabled();
+  }
+  timer_mod(usb_auto_timer, qemu_clock_get_ms() + 2000);
+}
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c 
b/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c
index 0b166f7a86a..1fd5fd486c0 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c
@@ -39,3 +39,13 @@ test_2 (size_t sz)
 {
   memcpy (buf, buf2, sz); /* { dg-warning "use of attacker-controlled value 
'sz' as size without upper-bounds checking" } */
 }
+
+/* __attribute__ alloc_size with tainted size.  */
+
+extern void* (*my_alloc)(size_t) __attribute__ ((alloc_size (1)));
+
+void * __attribute__((tainted_args))
+test_attr_alloc_size (size_t sz)
+{
+  return my_alloc (sz); /* { dg-warning "use of attacker-controlled value 'sz' 
as allocation size without upper-bounds checking" } */
+}
-- 
2.26.3


Reply via email to