[gcc r14-5464] analyzer: enable taint state machine by default [PR103533]

[gcc r14-5464] analyzer: enable taint state machine by default [PR103533]

[David Malcolm]

https://gcc.gnu.org/g:cfaaa8b11b8429eed5ec44426fc6a20ad5d53d30

commit r14-5464-gcfaaa8b11b8429eed5ec44426fc6a20ad5d53d30
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Tue Nov 14 15:51:52 2023 -0500

    analyzer: enable taint state machine by default [PR103533]
    
    gcc/analyzer/ChangeLog:
            PR analyzer/103533
            * sm-taint.cc: Remove "experimental" from comment.
            * sm.cc (make_checkers): Always add taint state machine.
    
    gcc/ChangeLog:
            PR analyzer/103533
            * doc/invoke.texi (Static Analyzer Options): Add the six
            -Wanalyzer-tainted-* warnings.  Update documentation of each
            warning to reflect removed requirement to use
            -fanalyzer-checker=taint.  Remove discussion of
            -fanalyzer-checker=taint.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/103533
            * c-c++-common/analyzer/attr-tainted_args-1.c: Remove use of
            -fanalyzer-checker=taint.
            * c-c++-common/analyzer/fread-1.c: Likewise.
            * c-c++-common/analyzer/pr104029.c: Likewise.
            * gcc.dg/analyzer/pr93032-mztools-signed-char.c: Add params to
            work around state explosion.
            * gcc.dg/analyzer/pr93032-mztools-unsigned-char.c: Likewise.
            * gcc.dg/analyzer/pr93382.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/switch-enum-taint-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2011-2210-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143-1.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143-2.c: Likewise.
            * gcc.dg/analyzer/taint-CVE-2020-13143.h: Likewise.
            * gcc.dg/analyzer/taint-alloc-1.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-2.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-3.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-4.c: Likewise.
            * gcc.dg/analyzer/taint-alloc-5.c: Likewise.
            * gcc.dg/analyzer/taint-assert-BUG_ON.c: Likewise.
            * gcc.dg/analyzer/taint-assert-macro-expansion.c: Likewise.
            * gcc.dg/analyzer/taint-assert-system-header.c: Likewise.
            * gcc.dg/analyzer/taint-assert.c: Likewise.
            * gcc.dg/analyzer/taint-divisor-1.c: Likewise.
            * gcc.dg/analyzer/taint-divisor-2.c: Likewise.
            * gcc.dg/analyzer/taint-merger.c: Likewise.
            * gcc.dg/analyzer/taint-ops.c: Delete this test: it was a
            duplicate of material in operations.c and data-model-1.c, with
            -fanalyzer-checker=taint added.
            * gcc.dg/analyzer/taint-read-index-1.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/taint-read-offset-1.c: Likewise.
            * gcc.dg/analyzer/taint-realloc.c: Likewise.  Add missing
            dg-warning for leak now that the malloc state machine is also
            active.
            * gcc.dg/analyzer/taint-size-1.c: Remove use of
            -fanalyzer-checker=taint.
            * gcc.dg/analyzer/taint-size-access-attr-1.c: Likewise.
            * gcc.dg/analyzer/taint-write-index-1.c: Likewise.
            * gcc.dg/analyzer/taint-write-offset-1.c: Likewise.
            * gcc.dg/analyzer/torture/taint-read-index-2.c: Likewise.
            * gcc.dg/analyzer/torture/taint-read-index-3.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c: Likewise.  Add
            -Wno-pedantic.
            * gcc.dg/plugin/taint-CVE-2011-0521-1.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-2.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-3.c: Likewise.  Fix C++-style
            comment.
            * gcc.dg/plugin/taint-CVE-2011-0521-4.c: Remove use of
            -fanalyzer-checker=taint and add -Wno-pedantic. Remove xfail and
            add missing dg-warning.
            * gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c: Remove use of
            -fanalyzer-checker=taint and add -Wno-pedantic.
            * gcc.dg/plugin/taint-CVE-2011-0521-5.c: Likewise.
            * gcc.dg/plugin/taint-CVE-2011-0521-6.c: Likewise.
            * gcc.dg/plugin/taint-antipatterns-1.c: : Remove use of
            -fanalyzer-checker=taint.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

Diff:
---
 gcc/analyzer/sm-taint.cc                           |   2 +-
 gcc/analyzer/sm.cc                                 |   5 +-
 gcc/doc/invoke.texi                                |  63 +++---------
 .../c-c++-common/analyzer/attr-tainted_args-1.c    |   3 -
 gcc/testsuite/c-c++-common/analyzer/fread-1.c      |   2 -
 gcc/testsuite/c-c++-common/analyzer/pr104029.c     |   3 -
 .../gcc.dg/analyzer/pr93032-mztools-signed-char.c  |   3 +
 .../analyzer/pr93032-mztools-unsigned-char.c       |   3 +
 gcc/testsuite/gcc.dg/analyzer/pr93382.c            |   2 -
 .../gcc.dg/analyzer/switch-enum-taint-1.c          |   3 -
 .../gcc.dg/analyzer/taint-CVE-2011-2210-1.c        |   3 -
 .../gcc.dg/analyzer/taint-CVE-2020-13143-1.c       |   3 -
 .../gcc.dg/analyzer/taint-CVE-2020-13143-2.c       |   3 -
 .../gcc.dg/analyzer/taint-CVE-2020-13143.h         |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c      |   2 -
 gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c      |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c      |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c      |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c      |   3 -
 .../gcc.dg/analyzer/taint-assert-BUG_ON.c          |   3 -
 .../gcc.dg/analyzer/taint-assert-macro-expansion.c |   3 -
 .../gcc.dg/analyzer/taint-assert-system-header.c   |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-assert.c       |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c    |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c    |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-merger.c       |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-ops.c          | 106 ---------------------
 gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c |   3 -
 .../gcc.dg/analyzer/taint-read-offset-1.c          |   3 -
 gcc/testsuite/gcc.dg/analyzer/taint-realloc.c      |   5 +-
 gcc/testsuite/gcc.dg/analyzer/taint-size-1.c       |   3 -
 .../gcc.dg/analyzer/taint-size-access-attr-1.c     |   3 +-
 .../gcc.dg/analyzer/taint-write-index-1.c          |   3 -
 .../gcc.dg/analyzer/taint-write-offset-1.c         |   3 -
 .../gcc.dg/analyzer/torture/taint-read-index-2.c   |   2 -
 .../gcc.dg/analyzer/torture/taint-read-index-3.c   |   2 -
 .../gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c    |   3 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-1.c          |   3 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c    |   6 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-2.c          |   3 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c    |   6 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-3.c          |   5 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-4.c          |  12 +--
 .../gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c    |   4 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-5.c          |   4 +-
 .../gcc.dg/plugin/taint-CVE-2011-0521-6.c          |   4 +-
 gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c |   3 +-
 47 files changed, 41 insertions(+), 281 deletions(-)

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index 09c1e9368cd..dfd5f7fa5d2 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -1,4 +1,4 @@
-/* An experimental state machine, for tracking "taint": unsanitized uses
+/* A state machine for tracking "taint": unsanitized uses
    of data potentially under an attacker's control.
 
    Copyright (C) 2019-2023 Free Software Foundation, Inc.
diff --git a/gcc/analyzer/sm.cc b/gcc/analyzer/sm.cc
index 2b88430c012..c030c272ccc 100644
--- a/gcc/analyzer/sm.cc
+++ b/gcc/analyzer/sm.cc
@@ -188,10 +188,7 @@ make_checkers (auto_delete_vec <state_machine> &out, logger *logger)
   out.safe_push (make_malloc_state_machine (logger));
   out.safe_push (make_fileptr_state_machine (logger));
   out.safe_push (make_fd_state_machine (logger));
-  /* The "taint" checker must be explicitly enabled (as it currently
-     leads to state explosions that stop the other checkers working).  */
-  if (flag_analyzer_checker)
-    out.safe_push (make_taint_state_machine (logger));
+  out.safe_push (make_taint_state_machine (logger));
   out.safe_push (make_sensitive_state_machine (logger));
   out.safe_push (make_signal_state_machine (logger));
   out.safe_push (make_va_list_state_machine (logger));
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 2d30a5d4767..1748afdbfe0 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -10415,6 +10415,12 @@ Enabling this option effectively enables the following warnings:
 -Wanalyzer-shift-count-negative
 -Wanalyzer-shift-count-overflow
 -Wanalyzer-stale-setjmp-buffer
+-Wanalyzer-tainted-allocation-size
+-Wanalyzer-tainted-array-index
+-Wanalyzer-tainted-assertion
+-Wanalyzer-tainted-divisor
+-Wanalyzer-tainted-offset
+-Wanalyzer-tainted-size
 -Wanalyzer-unsafe-call-within-signal-handler
 -Wanalyzer-use-after-free
 -Wanalyzer-use-of-pointer-in-stale-stack-frame
@@ -10426,13 +10432,6 @@ Enabling this option effectively enables the following warnings:
 -Wanalyzer-write-to-const
 -Wanalyzer-write-to-string-literal
 }
-@ignore
--Wanalyzer-tainted-allocation-size
--Wanalyzer-tainted-array-index
--Wanalyzer-tainted-divisor
--Wanalyzer-tainted-offset
--Wanalyzer-tainted-size
-@end ignore
 
 This option is only available if GCC was configured with analyzer
 support enabled.
@@ -10880,8 +10879,7 @@ no longer exists, and likely lead to a crash (or worse).
 @opindex Wanalyzer-tainted-allocation-size
 @opindex Wno-analyzer-tainted-allocation-size
 @item -Wno-analyzer-tainted-allocation-size
-This warning requires both @option{-fanalyzer} and
-@option{-fanalyzer-checker=taint} to enable it;
+This warning requires @option{-fanalyzer} which enables it;
 use @option{-Wno-analyzer-tainted-allocation-size} to disable it.
 
 This diagnostic warns for paths through the code in which a value
@@ -10896,8 +10894,7 @@ See @uref{https://cwe.mitre.org/data/definitions/789.html, CWE-789: Memory Alloc
 @opindex Wno-analyzer-tainted-assertion
 @item -Wno-analyzer-tainted-assertion
 
-This warning requires both @option{-fanalyzer} and
-@option{-fanalyzer-checker=taint} to enable it;
+This warning requires @option{-fanalyzer} which enables it;
 use @option{-Wno-analyzer-tainted-assertion} to disable it.
 
 This diagnostic warns for paths through the code in which a value
@@ -10958,8 +10955,7 @@ despite the above not being an assertion failure, strictly speaking.
 @opindex Wanalyzer-tainted-array-index
 @opindex Wno-analyzer-tainted-array-index
 @item -Wno-analyzer-tainted-array-index
-This warning requires both @option{-fanalyzer} and
-@option{-fanalyzer-checker=taint} to enable it;
+This warning requires @option{-fanalyzer} which enables it;
 use @option{-Wno-analyzer-tainted-array-index} to disable it.
 
 This diagnostic warns for paths through the code in which a value
@@ -10972,8 +10968,7 @@ See @uref{https://cwe.mitre.org/data/definitions/129.html, CWE-129: Improper Val
 @opindex Wanalyzer-tainted-divisor
 @opindex Wno-analyzer-tainted-divisor
 @item -Wno-analyzer-tainted-divisor
-This warning requires both @option{-fanalyzer} and
-@option{-fanalyzer-checker=taint} to enable it;
+This warning requires @option{-fanalyzer} which enables it;
 use @option{-Wno-analyzer-tainted-divisor} to disable it.
 
 This diagnostic warns for paths through the code in which a value
@@ -10986,8 +10981,7 @@ See @uref{https://cwe.mitre.org/data/definitions/369.html, CWE-369: Divide By Ze
 @opindex Wanalyzer-tainted-offset
 @opindex Wno-analyzer-tainted-offset
 @item -Wno-analyzer-tainted-offset
-This warning requires both @option{-fanalyzer} and
-@option{-fanalyzer-checker=taint} to enable it;
+This warning requires @option{-fanalyzer} which enables it;
 use @option{-Wno-analyzer-tainted-offset} to disable it.
 
 This diagnostic warns for paths through the code in which a value
@@ -11000,8 +10994,7 @@ See @uref{https://cwe.mitre.org/data/definitions/823.html, CWE-823: Use of Out-o
 @opindex Wanalyzer-tainted-size
 @opindex Wno-analyzer-tainted-size
 @item -Wno-analyzer-tainted-size
-This warning requires both @option{-fanalyzer} and
-@option{-fanalyzer-checker=taint} to enable it;
+This warning requires @option{-fanalyzer} which enables it;
 use @option{-Wno-analyzer-tainted-size} to disable it.
 
 This diagnostic warns for paths through the code in which a value
@@ -11251,38 +11244,6 @@ call site, and that are sufficiently complicated (as per
 @item -fanalyzer-checker=@var{name}
 Restrict the analyzer to run just the named checker, and enable it.
 
-Some checkers are disabled by default (even with @option{-fanalyzer}),
-such as the @code{taint} checker that implements
-@option{-Wanalyzer-tainted-array-index}, and this option is required
-to enable them.
-
-@emph{Note:} currently, @option{-fanalyzer-checker=taint} disables the
-following warnings from @option{-fanalyzer}:
-
-@gccoptlist{
--Wanalyzer-deref-before-check
--Wanalyzer-double-fclose
--Wanalyzer-double-free
--Wanalyzer-exposure-through-output-file
--Wanalyzer-fd-access-mode-mismatch
--Wanalyzer-fd-double-close
--Wanalyzer-fd-leak
--Wanalyzer-fd-use-after-close
--Wanalyzer-fd-use-without-check
--Wanalyzer-file-leak
--Wanalyzer-free-of-non-heap
--Wanalyzer-malloc-leak
--Wanalyzer-mismatching-deallocation
--Wanalyzer-null-argument
--Wanalyzer-null-dereference
--Wanalyzer-possible-null-argument
--Wanalyzer-possible-null-dereference
--Wanalyzer-unsafe-call-within-signal-handler
--Wanalyzer-use-after-free
--Wanalyzer-va-list-leak
--Wanalyzer-va-list-use-after-va-end
-}
-
 @opindex fanalyzer-debug-text-art
 @opindex fno-analyzer-debug-text-art
 @item -fanalyzer-debug-text-art-headings
diff --git a/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c b/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c
index 0ff34469967..3525e84b94b 100644
--- a/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c
+++ b/gcc/testsuite/c-c++-common/analyzer/attr-tainted_args-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "../../gcc.dg/analyzer/analyzer-decls.h"
 
 struct arg_buf
diff --git a/gcc/testsuite/c-c++-common/analyzer/fread-1.c b/gcc/testsuite/c-c++-common/analyzer/fread-1.c
index 593cb7f4aa0..467467ee8a6 100644
--- a/gcc/testsuite/c-c++-common/analyzer/fread-1.c
+++ b/gcc/testsuite/c-c++-common/analyzer/fread-1.c
@@ -1,5 +1,3 @@
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 typedef __SIZE_TYPE__ size_t;
 
 extern size_t fread (void *, size_t, size_t, void *);
diff --git a/gcc/testsuite/c-c++-common/analyzer/pr104029.c b/gcc/testsuite/c-c++-common/analyzer/pr104029.c
index 873f0eb16b7..04b9ef872a3 100644
--- a/gcc/testsuite/c-c++-common/analyzer/pr104029.c
+++ b/gcc/testsuite/c-c++-common/analyzer/pr104029.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 typedef __SIZE_TYPE__ size_t;
 typedef const void *t_comptype;
 typedef int (*t_compfunc)(t_comptype, t_comptype);
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c
index 1f3df7c211f..45599e228b8 100644
--- a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-signed-char.c
@@ -6,6 +6,9 @@
 /* { dg-do "compile" } */
 /* { dg-additional-options "-fsigned-char" } */
 
+/* TODO (PR analyzer/112528): remove need for this.  */
+/* { dg-additional-options "--param analyzer-max-enodes-per-program-point=40 --param analyzer-bb-explosion-factor=10" } */
+
 /* Minimal replacement of system headers.  */
 
 typedef __SIZE_TYPE__ size_t;
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c
index db9678d1caa..a59fc49c2b3 100644
--- a/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93032-mztools-unsigned-char.c
@@ -6,6 +6,9 @@
 /* { dg-do "compile" } */
 /* { dg-additional-options "-funsigned-char" } */
 
+/* TODO (PR analyzer/112528): remove need for this.  */
+/* { dg-additional-options "--param analyzer-max-enodes-per-program-point=40 --param analyzer-bb-explosion-factor=10" } */
+
 /* Minimal replacement of system headers.  */
 
 typedef __SIZE_TYPE__ size_t;
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93382.c b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
index 1e6612ddc05..91eab2192ad 100644
--- a/gcc/testsuite/gcc.dg/analyzer/pr93382.c
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93382.c
@@ -1,5 +1,3 @@
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 typedef __SIZE_TYPE__ size_t;
 
 int idx;
diff --git a/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c b/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c
index db3bb5b4947..d20b33e090b 100644
--- a/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/switch-enum-taint-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 
 /* Verify the handling of "switch (enum_value)".  */
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c
index b44be993568..fa89bda6f0f 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c
@@ -7,9 +7,6 @@
    Fixed in 3d0475119d8722798db5e88f26493f6547a4bb5b on linux-2.6.39.y
    in linux-stable.  */
 
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 #include "test-uaccess.h"
 
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c
index 328c5799145..1b81c1bb1f8 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-1.c
@@ -1,9 +1,6 @@
 /* See notes in this header.  */
 #include "taint-CVE-2020-13143.h"
 
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 struct configfs_attribute {
 	/* [...snip...] */
 	ssize_t (*store)(struct config_item *, const char *, size_t) /* { dg-message "\\(1\\) field 'store' of 'struct configfs_attribute' is marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c
index c74a460b01e..f53e42bd6aa 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143-2.c
@@ -1,9 +1,6 @@
 /* See notes in this header.  */
 #include "taint-CVE-2020-13143.h"
 
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 struct configfs_attribute {
 	/* [...snip...] */
 	ssize_t (*store)(struct config_item *, const char *, size_t) /* { dg-message "\\(1\\) field 'store' of 'struct configfs_attribute' is marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h
index 0ba023539af..93f90d49013 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2020-13143.h
@@ -8,9 +8,6 @@
    Fixed by 15753588bcd4bbffae1cca33c8ced5722477fe1f on linux-5.7.y
    in linux-stable.  */
 
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include <stddef.h>
 
 /* Adapted from include/uapi/asm-generic/posix_types.h  */
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c
index cb2db6c69cf..dfb585bc613 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c
@@ -1,5 +1,3 @@
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
 /* { dg-require-effective-target alloca } */
 
 #include "analyzer-decls.h"
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c
index 72dbca5cbf0..68fbce9188c 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c
index 80d8f0b8247..ce6a3271d2a 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c
index bd47097b1d5..9df9422491c 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-4.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c
index 9a159800c61..18dbff0298e 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-alloc-5.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 
 struct foo
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c
index 8aef0a44a6d..328940d2983 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert-BUG_ON.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 /* We need this, otherwise the warnings are emitted inside the macros, which
    makes it hard to write the DejaGnu directives.  */
 /* { dg-additional-options " -ftrack-macro-expansion=0" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c
index 24b175a0973..78357ae62b8 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert-macro-expansion.c
@@ -2,9 +2,6 @@
    -Wanalyzer-tainted-assertion with macro-tracking enabled
    (the default).  */
 
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 /* { dg-additional-options "-fdiagnostics-show-path-depths" } */
 /* { dg-additional-options "-fdiagnostics-path-format=inline-events -fdiagnostics-show-caret" } */
 
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c
index a65853c7886..bd47ab79188 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert-system-header.c
@@ -3,9 +3,6 @@
    (the default), where the assertion macro is defined in
    a system header.  */
 
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 /* { dg-additional-options "-fdiagnostics-show-path-depths" } */
 /* { dg-additional-options "-fdiagnostics-path-format=inline-events -fdiagnostics-show-caret" } */
 
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-assert.c b/gcc/testsuite/gcc.dg/analyzer/taint-assert.c
index b09f8c51a16..855ed5f705f 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-assert.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-assert.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 /* We need this, otherwise the warnings are emitted inside the macros, which
    makes it hard to write the DejaGnu directives.  */
 /* { dg-additional-options " -ftrack-macro-expansion=0" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c
index b7c1faef1c4..438a2095382 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 #include <stdio.h>
 
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c
index de9a1cb3a46..770258418fa 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-divisor-2.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 
 __attribute__ ((tainted_args))
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-merger.c b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c
index e4e48f3db03..b7d562b9704 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-merger.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-merger.c
@@ -1,6 +1,3 @@
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-// TODO: remove need for this option
-
 #include "analyzer-decls.h"
 
 int v_start;
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-ops.c b/gcc/testsuite/gcc.dg/analyzer/taint-ops.c
deleted file mode 100644
index 729dbe53a0c..00000000000
--- a/gcc/testsuite/gcc.dg/analyzer/taint-ops.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-// TODO: remove need for this option
-/* This test can probably be removed when -fanalyzer enables
-   the taint checker by default.  */
-
-#include "analyzer-decls.h"
-
-void
-test_1 (char a)
-{
-  char b = -a;
-}
-
-/* Copies of code from data-model-1.c.  */
-
-void test_20 (int i, int j)
-{
-  __analyzer_eval (i + 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i + j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i - 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i - j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i * 2); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i * j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i / 2); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i / j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i % 2); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i % j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i & 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i & j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i | 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i | j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i ^ 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i ^ j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i >> 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i >> j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i << 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i << j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i && 0); /* { dg-warning "FALSE" } */
-  __analyzer_eval (i && 1); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i && j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i || 0); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (i || 1); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i || j); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval (~i); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (-i); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (+i); /* { dg-warning "UNKNOWN" } */
-
-  /* Anything added above should be added to the next function also.  */
-}
-
-void test_21 (void)
-{
-  int i, j, zero;
-  int *pi = &i;
-  int *pj = &j;
-  int *pzero = &zero;
-  *pi = 5;
-  *pj = 3;
-  *pzero = 0;
-
-  __analyzer_eval (i + j == 8); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i - j == 2); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i * j == 15); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i / j == 1); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i % j == 2); /* { dg-warning "TRUE" } */
-
-  /* Division by zero.  */
-  // TODO: should we warn for this?
-  __analyzer_eval (i / zero); /* { dg-warning "UNKNOWN" } */
-  __analyzer_eval (i % zero); /* { dg-warning "UNKNOWN" } */
-
-  __analyzer_eval ((i & 1) == (5 & 1)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i & j) == (5 & 3)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i | 1) == (5 | 1)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i | j) == (5 | 3)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i ^ 1) == (5 ^ 1)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i ^ j) == (5 ^ 3)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i >> 1) == (5 >> 1)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i >> j) == (5 >> 3)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i << 1) == (5 << 1)); /* { dg-warning "TRUE" } */
-  __analyzer_eval ((i << j) == (5 << 3)); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i && 0); /* { dg-warning "FALSE" } */
-  __analyzer_eval (i && 1); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i && j); /* { dg-warning "TRUE" } */
-
-  __analyzer_eval (i || 0); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i || 1); /* { dg-warning "TRUE" } */
-  __analyzer_eval (i || j); /* { dg-warning "TRUE" } */
-
-  __analyzer_eval (~i == ~5); /* { dg-warning "TRUE" } */
-  __analyzer_eval (-i == -5); /* { dg-warning "TRUE" } */
-  __analyzer_eval (+i == +5); /* { dg-warning "TRUE" } */
-}
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c
index 71c0816fd1f..1ec78b52629 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-read-index-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c
index 6db59bcc615..bb5d0930cdb 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-read-offset-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c b/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c
index bd0ed0010fb..aeefb7da2c1 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-realloc.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 #include <stdio.h>
 #include <stdlib.h>
@@ -18,4 +15,4 @@ test_1 (size_t sz) /* { dg-message "\\(1\\) function 'test_1' marked with '__att
   __analyzer_dump_state ("taint", sz); /* { dg-warning "state: 'tainted'" } */
 
   q = realloc (p, sz);  /* { dg-warning "use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" } */
-}
+} /* { dg-warning "leak of 'q'" } */
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c
index 1fd5fd486c0..36083ac5071 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include "analyzer-decls.h"
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
index 7d243a9570f..d4da3d77fa1 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
@@ -1,8 +1,7 @@
 /* Passing tainted sizes to external functions with attribute ((access)) with
    a size-index.  */
 
-// TODO: remove need for the explicit taint option:
-/* { dg-additional-options "-fanalyzer-checker=taint -fanalyzer-show-duplicate-count" } */
+/* { dg-additional-options "-fanalyzer-show-duplicate-count" } */
 
 #include "analyzer-decls.h"
 #include <stdio.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c
index cc7ab1ca4f6..62222069578 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-write-index-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c
index d0df6220315..21794ce4cf8 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-write-offset-1.c
@@ -1,6 +1,3 @@
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c
index b3dc177cb14..81421330e8d 100644
--- a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-2.c
@@ -1,5 +1,3 @@
-// TODO: remove need for the taint option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
 /* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
 
 #define LOWER_LIMIT 5
diff --git a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c
index 8eb6061a08b..86bdedede7e 100644
--- a/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c
+++ b/gcc/testsuite/gcc.dg/analyzer/torture/taint-read-index-3.c
@@ -1,5 +1,3 @@
-// TODO: remove need for the taint option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
 /* { dg-skip-if "" { *-*-* } { "-fno-fat-lto-objects" } { "" } } */
 
 struct raw_ep {
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c
index 0ca8137c3ef..51526b831c0 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1-fixed.c
@@ -1,7 +1,6 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
 /* { dg-require-effective-target analyzer } */
+/* { dg-additional-options "-Wno-pedantic" } */
 
 /* See notes in this header.  */
 #include "taint-CVE-2011-0521.h"
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c
index cde12b3b761..3d11a75073c 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-1.c
@@ -1,6 +1,5 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
+/* { dg-additional-options "-Wno-pedantic" } */
 /* { dg-require-effective-target analyzer } */
 
 /* See notes in this header.  */
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c
index 8a211cefe4e..d035266b16a 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c
@@ -1,14 +1,10 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
+/* { dg-additional-options "-Wno-pedantic" } */
 /* { dg-require-effective-target analyzer } */
 
 /* See notes in this header.  */
 #include "taint-CVE-2011-0521.h"
 
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 /* Adapted from drivers/media/dvb/ttpci/av7110_ca.c  */
 
 int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c
index 30cab38e002..5270e22f1a3 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2.c
@@ -1,7 +1,6 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
 /* { dg-require-effective-target analyzer } */
+/* { dg-additional-options "-Wno-pedantic" } */
 
 /* See notes in this header.  */
 #include "taint-CVE-2011-0521.h"
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c
index b7852b40dcf..b8268fa4a82 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3-fixed.c
@@ -1,14 +1,10 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
 /* { dg-require-effective-target analyzer } */
+/* { dg-additional-options "-Wno-pedantic" } */
 
 /* See notes in this header.  */
 #include "taint-CVE-2011-0521.h"
 
-// TODO: remove need for this option
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
-
 /* Adapted from drivers/media/dvb/ttpci/av7110_ca.c  */
 
 int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c
index 6b9e034eea7..86868a017c4 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-3.c
@@ -1,7 +1,6 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
 /* { dg-require-effective-target analyzer } */
+/* { dg-additional-options "-Wno-pedantic" } */
 
 /* See notes in this header.  */
 #include "taint-CVE-2011-0521.h"
@@ -21,7 +20,7 @@ int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
 		if (info->num > 1)
 			return -EINVAL;
 		av7110->ci_slot[info->num].num = info->num; /* { dg-warning "attacker-controlled value" "" { xfail *-*-* } } */
-		// TODO(xfail)
+		/* TODO(xfail).  */
 		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
 							CA_CI_LINK : CA_CI;
 		memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t));
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c
index f314c64ce70..06b3468fca5 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-4.c
@@ -1,8 +1,7 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
 // TODO: remove need for --param=analyzer-max-svalue-depth=25 here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
+/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */
+/* { dg-additional-options "-Wno-pedantic" } */
 /* { dg-require-effective-target analyzer } */
 
 /* See notes in this header.  */
@@ -32,11 +31,10 @@ int test_1(struct file *file, unsigned int cmd, unsigned long arg)
 
 		if (info->num > 1)
 			return -EINVAL;
-		av7110->ci_slot[info->num].num = info->num; /* { dg-warning "attacker-controlled value" "" { xfail *-*-* } } */
-		// TODO(xfail)
-		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
+		av7110->ci_slot[info->num].num = info->num; /* { dg-warning "attacker-controlled value" } */
+		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? /* { dg-warning "attacker-controlled value" } */
 							CA_CI_LINK : CA_CI;
-		memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t));
+		memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t));  /* { dg-warning "attacker-controlled value" } */
 	}
 
 	copy_to_user((void __user *)arg, parg, sizeof(sbuf));
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c
index 2e74770a7a3..076ada3a20a 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5-fixed.c
@@ -1,7 +1,7 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
 // TODO: remove need for --param=analyzer-max-svalue-depth=25 here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */
+/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */
+/* { dg-additional-options "-Wno-pedantic" } */
 /* { dg-require-effective-target analyzer } */
 
 /* On darwin, system headers are fortified, which defeats the analysis.  Turn it off.  */
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c
index 021d458b66e..e27ee469df8 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-5.c
@@ -1,7 +1,7 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
 // TODO: remove need for --param=analyzer-max-svalue-depth=25 here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */
+/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */
+/* { dg-additional-options "-Wno-pedantic" } */
 /* { dg-require-effective-target analyzer } */
 
 /* On darwin, system headers are fortified, which defeats the analysis.  Turn it off.  */
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c
index f27e9eb5f02..fea70ee5761 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c
@@ -1,7 +1,7 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
 // TODO: remove need for --param=analyzer-max-svalue-depth=25 here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */
+/* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */
+/* { dg-additional-options "-Wno-pedantic" } */
 /* { dg-require-effective-target analyzer } */
 
 /* On darwin, system headers are fortified, which defeats the analysis.  Turn it off.  */
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c b/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c
index 6bb6f1be25c..cdd9a4f1f50 100644
--- a/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c
+++ b/gcc/testsuite/gcc.dg/plugin/taint-antipatterns-1.c
@@ -1,6 +1,5 @@
 /* { dg-do compile } */
-// TODO: remove need for -fanalyzer-checker=taint here:
-/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
+/* { dg-options "-fanalyzer" } */
 /* { dg-require-effective-target analyzer } */
 
 #include "test-uaccess.h"