diff --git a/test/sim/taint-ret.sh b/test/sim/taint-ret.sh
new file mode 100644
index 0000000000000000000000000000000000000000..9688dbae911d5b9455ad6c5cbc3c7f5fb0d9a0a5
--- /dev/null
+++ b/test/sim/taint-ret.sh
@@ -0,0 +1,38 @@
+. lib/testcase
+
+cat > src.cpp <<EOF
+#include <sys/lamp.h>
+#include <cassert>
+
+int x;
+
+int get() { return x; }
+
+void foo()
+{
+ int val = __lamp_any_i32();
+ if (val == 0) {
+ val = get();
+ } else {
+ val -= 1;
+ }
+ int y = get();
+ assert( x == y );
+}
+
+int main()
+{
+ foo();
+}
+EOF
+
+sim --symbolic src.cpp <<EOF
+> start
+> break __lart_abstract.tobool.i1
+> step --out
+> step --out
+> bitcode
+> stepi
+- FAULT
++ executing foo()
+EOF
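Review bot: The new test carries no comment saying which regression it guards against, and the sim transcript depends on unexplained details: the breakpoint on `__lart_abstract.tobool.i1`, the two `step --out` commands, and the `- FAULT` / `+ executing foo()` expectations. Judging only from the file name and the embedded program, the intent appears to be that storing `get()`'s result into the symbolic `val` must not affect the later concrete `int y = get();`; the author should confirm this and state it above `cat > src.cpp`, for example `# taint-ret: a return value stored into a symbolic variable must not taint later calls of the same function`. The command list ends at `stepi`, so a one-line comment should also say whether `assert( x == y )` is expected to be reached, or whether the check is only that no fault is reported up to that instruction.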