Merge branch 'main' into rdmarsh2/cpp/input-iterators-1

Resolve test conflict
2026-04-30 03:05:15 +02:00 · 2020-08-21 14:36:27 -07:00
parent 141d240813 a93a84fb2e
commit bc0d21879d
158 changed files with 13280 additions and 499 deletions
--- a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
@@ -539,6 +539,17 @@ class BinaryOperation extends Operation, @bin_op_expr {
  /** Gets the right operand of this binary operation. */
  Expr getRightOperand() { this.hasChild(result, 1) }

+  /**
+   * Holds if `e1` and `e2` (in either order) are the two operands of this
+   * binary operation.
+   */
+  predicate hasOperands(Expr e1, Expr e2) {
+    exists(int i | i in [0, 1] |
+      this.hasChild(e1, i) and
+      this.hasChild(e2, 1 - i)
+    )
+  }
+
  override string toString() { result = "... " + this.getOperator() + " ..." }

  override predicate mayBeImpure() {
--- a/cpp/ql/src/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -14,6 +14,7 @@ private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
+private import implementations.StdContainer
 private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -0,0 +1,102 @@
+/**
+ * Provides models for C++ containers `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * Additional model for standard container constructors that reference the
+ * value type of the container (that is, the `T` in `std::vector<T>`).  For
+ * example the fill constructor:
+ * ```
+ * std::vector<std::string> v(100, potentially_tainted_string);
+ * ```
+ */
+class StdSequenceContainerConstructor extends Constructor, TaintFunction {
+  StdSequenceContainerConstructor() {
+    this.getDeclaringType().hasQualifiedName("std", "vector") or
+    this.getDeclaringType().hasQualifiedName("std", "deque") or
+    this.getDeclaringType().hasQualifiedName("std", "list") or
+    this.getDeclaringType().hasQualifiedName("std", "forward_list")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of the value type to the returned object
+    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
+
+/**
+ * The standard container functions `push_back` and `push_front`.
+ */
+class StdSequenceContainerPush extends TaintFunction {
+  StdSequenceContainerPush() {
+    this.hasQualifiedName("std", "vector", "push_back") or
+    this.hasQualifiedName("std", "deque", "push_back") or
+    this.hasQualifiedName("std", "deque", "push_front") or
+    this.hasQualifiedName("std", "list", "push_back") or
+    this.hasQualifiedName("std", "list", "push_front") or
+    this.hasQualifiedName("std", "forward_list", "push_front")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to qualifier
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The standard container functions `front` and `back`.
+ */
+class StdSequenceContainerFrontBack extends TaintFunction {
+  StdSequenceContainerFrontBack() {
+    this.hasQualifiedName("std", "array", "front") or
+    this.hasQualifiedName("std", "array", "back") or
+    this.hasQualifiedName("std", "vector", "front") or
+    this.hasQualifiedName("std", "vector", "back") or
+    this.hasQualifiedName("std", "deque", "front") or
+    this.hasQualifiedName("std", "deque", "back") or
+    this.hasQualifiedName("std", "list", "front") or
+    this.hasQualifiedName("std", "list", "back") or
+    this.hasQualifiedName("std", "forward_list", "front")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from object to returned reference
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
+/**
+ * The standard container `swap` functions.
+ */
+class StdSequenceContainerSwap extends TaintFunction {
+  StdSequenceContainerSwap() {
+    this.hasQualifiedName("std", "array", "swap") or
+    this.hasQualifiedName("std", "vector", "swap") or
+    this.hasQualifiedName("std", "deque", "swap") or
+    this.hasQualifiedName("std", "list", "swap") or
+    this.hasQualifiedName("std", "forward_list", "swap")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
--- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -127,7 +127,7 @@ private class UnsignedBitwiseAndExpr extends BitwiseAndExpr {
  UnsignedBitwiseAndExpr() {
    (
      getLeftOperand().getFullyConverted().getType().getUnderlyingType().(IntegralType).isUnsigned() or
-      getLeftOperand().getFullyConverted().getValue().toInt() >= 0
+      getValue(getLeftOperand().getFullyConverted()).toInt() >= 0
    ) and
    (
      getRightOperand()
@@ -136,7 +136,7 @@ private class UnsignedBitwiseAndExpr extends BitwiseAndExpr {
          .getUnderlyingType()
          .(IntegralType)
          .isUnsigned() or
-      getRightOperand().getFullyConverted().getValue().toInt() >= 0
+      getValue(getRightOperand().getFullyConverted()).toInt() >= 0
    )
  }
 }
@@ -157,12 +157,90 @@ float safeFloor(float v) {
  result = v
 }

+/** A `MulExpr` where exactly one operand is constant. */
+private class MulByConstantExpr extends MulExpr {
+  float constant;
+  Expr operand;
+
+  MulByConstantExpr() {
+    exists(Expr constantExpr |
+      this.hasOperands(constantExpr, operand) and
+      constant = getValue(constantExpr.getFullyConverted()).toFloat() and
+      not exists(getValue(operand.getFullyConverted()).toFloat())
+    )
+  }
+
+  /** Gets the value of the constant operand. */
+  float getConstant() { result = constant }
+
+  /** Gets the non-constant operand. */
+  Expr getOperand() { result = operand }
+}
+
 private class UnsignedMulExpr extends MulExpr {
-  UnsignedMulExpr() { this.getType().(IntegralType).isUnsigned() }
+  UnsignedMulExpr() {
+    this.getType().(IntegralType).isUnsigned() and
+    // Avoid overlap. It should be slightly cheaper to analyze
+    // `MulByConstantExpr`.
+    not this instanceof MulByConstantExpr
+  }
+}
+
+/**
+ * Holds if `expr` is effectively a multiplication of `operand` with the
+ * positive constant `positive`.
+ */
+private predicate effectivelyMultipliesByPositive(Expr expr, Expr operand, float positive) {
+  operand = expr.(MulByConstantExpr).getOperand() and
+  positive = expr.(MulByConstantExpr).getConstant() and
+  positive >= 0.0 // includes positive zero
+  or
+  operand = expr.(UnaryPlusExpr).getOperand() and
+  positive = 1.0
+  or
+  operand = expr.(CommaExpr).getRightOperand() and
+  positive = 1.0
+  or
+  operand = expr.(StmtExpr).getResultExpr() and
+  positive = 1.0
+}
+
+/**
+ * Holds if `expr` is effectively a multiplication of `operand` with the
+ * negative constant `negative`.
+ */
+private predicate effectivelyMultipliesByNegative(Expr expr, Expr operand, float negative) {
+  operand = expr.(MulByConstantExpr).getOperand() and
+  negative = expr.(MulByConstantExpr).getConstant() and
+  negative < 0.0 // includes negative zero
+  or
+  operand = expr.(UnaryMinusExpr).getOperand() and
+  negative = -1.0
+}
+
+private class AssignMulByConstantExpr extends AssignMulExpr {
+  float constant;
+
+  AssignMulByConstantExpr() { constant = getValue(this.getRValue().getFullyConverted()).toFloat() }
+
+  float getConstant() { result = constant }
+}
+
+private class AssignMulByPositiveConstantExpr extends AssignMulByConstantExpr {
+  AssignMulByPositiveConstantExpr() { constant >= 0.0 }
+}
+
+private class AssignMulByNegativeConstantExpr extends AssignMulByConstantExpr {
+  AssignMulByNegativeConstantExpr() { constant < 0.0 }
 }

 private class UnsignedAssignMulExpr extends AssignMulExpr {
-  UnsignedAssignMulExpr() { this.getType().(IntegralType).isUnsigned() }
+  UnsignedAssignMulExpr() {
+    this.getType().(IntegralType).isUnsigned() and
+    // Avoid overlap. It should be slightly cheaper to analyze
+    // `AssignMulByConstantExpr`.
+    not this instanceof AssignMulByConstantExpr
+  }
 }

 /** Set of expressions which we know how to analyze. */
@@ -173,9 +251,9 @@ private predicate analyzableExpr(Expr e) {
  (
    exists(getValue(e).toFloat())
    or
-    e instanceof UnaryPlusExpr
+    effectivelyMultipliesByPositive(e, _, _)
    or
-    e instanceof UnaryMinusExpr
+    effectivelyMultipliesByNegative(e, _, _)
    or
    e instanceof MinExpr
    or
@@ -197,14 +275,12 @@ private predicate analyzableExpr(Expr e) {
    or
    e instanceof UnsignedAssignMulExpr
    or
+    e instanceof AssignMulByConstantExpr
+    or
    e instanceof CrementOperation
    or
    e instanceof RemExpr
    or
-    e instanceof CommaExpr
-    or
-    e instanceof StmtExpr
-    or
    // A conversion is analyzable, provided that its child has an arithmetic
    // type. (Sometimes the child is a reference type, and so does not get
    // any bounds.) Rather than checking whether the type of the child is
@@ -219,7 +295,7 @@ private predicate analyzableExpr(Expr e) {
    e instanceof UnsignedBitwiseAndExpr
    or
    // `>>` by a constant
-    exists(e.(RShiftExpr).getRightOperand().getValue())
+    exists(getValue(e.(RShiftExpr).getRightOperand()))
    or
    // A modeled expression for range analysis
    e instanceof SimpleRangeAnalysisExpr
@@ -261,6 +337,12 @@ private predicate defDependsOnDef(
    exprDependsOnDef(assignMul.getAnOperand(), srcDef, srcVar)
  )
  or
+  exists(AssignMulByConstantExpr assignMul |
+    def = assignMul and
+    def.getAVariable() = v and
+    exprDependsOnDef(assignMul.getLValue(), srcDef, srcVar)
+  )
+  or
  exists(CrementOperation crem |
    def = crem and
    def.getAVariable() = v and
@@ -276,12 +358,14 @@ private predicate defDependsOnDef(
 * the structure of `getLowerBoundsImpl` and `getUpperBoundsImpl`.
 */
 private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVariable srcVar) {
-  exists(UnaryMinusExpr negateExpr | e = negateExpr |
-    exprDependsOnDef(negateExpr.getOperand(), srcDef, srcVar)
+  exists(Expr operand |
+    effectivelyMultipliesByNegative(e, operand, _) and
+    exprDependsOnDef(operand, srcDef, srcVar)
  )
  or
-  exists(UnaryPlusExpr plusExpr | e = plusExpr |
-    exprDependsOnDef(plusExpr.getOperand(), srcDef, srcVar)
+  exists(Expr operand |
+    effectivelyMultipliesByPositive(e, operand, _) and
+    exprDependsOnDef(operand, srcDef, srcVar)
  )
  or
  exists(MinExpr minExpr | e = minExpr | exprDependsOnDef(minExpr.getAnOperand(), srcDef, srcVar))
@@ -314,20 +398,16 @@ private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVaria
    exprDependsOnDef(mulExpr.getAnOperand(), srcDef, srcVar)
  )
  or
+  exists(AssignMulByConstantExpr mulExpr | e = mulExpr |
+    exprDependsOnDef(mulExpr.getLValue(), srcDef, srcVar)
+  )
+  or
  exists(CrementOperation crementExpr | e = crementExpr |
    exprDependsOnDef(crementExpr.getOperand(), srcDef, srcVar)
  )
  or
  exists(RemExpr remExpr | e = remExpr | exprDependsOnDef(remExpr.getAnOperand(), srcDef, srcVar))
  or
-  exists(CommaExpr commaExpr | e = commaExpr |
-    exprDependsOnDef(commaExpr.getRightOperand(), srcDef, srcVar)
-  )
-  or
-  exists(StmtExpr stmtExpr | e = stmtExpr |
-    exprDependsOnDef(stmtExpr.getResultExpr(), srcDef, srcVar)
-  )
-  or
  exists(Conversion convExpr | e = convExpr | exprDependsOnDef(convExpr.getExpr(), srcDef, srcVar))
  or
  // unsigned `&`
@@ -339,7 +419,7 @@ private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVaria
  // `>>` by a constant
  exists(RShiftExpr rs |
    rs = e and
-    exists(rs.getRightOperand().getValue()) and
+    exists(getValue(rs.getRightOperand())) and
    exprDependsOnDef(rs.getLeftOperand(), srcDef, srcVar)
  )
  or
@@ -592,15 +672,16 @@ deprecated predicate positive_overflow(Expr expr) { exprMightOverflowPositively(

 /** Only to be called by `getTruncatedLowerBounds`. */
 private float getLowerBoundsImpl(Expr expr) {
-  exists(UnaryPlusExpr plusExpr |
-    expr = plusExpr and
-    result = getFullyConvertedLowerBounds(plusExpr.getOperand())
+  exists(Expr operand, float operandLow, float positive |
+    effectivelyMultipliesByPositive(expr, operand, positive) and
+    operandLow = getFullyConvertedLowerBounds(operand) and
+    result = positive * operandLow
  )
  or
-  exists(UnaryMinusExpr negateExpr, float xHigh |
-    expr = negateExpr and
-    xHigh = getFullyConvertedUpperBounds(negateExpr.getOperand()) and
-    result = -xHigh
+  exists(Expr operand, float operandHigh, float negative |
+    effectivelyMultipliesByNegative(expr, operand, negative) and
+    operandHigh = getFullyConvertedUpperBounds(operand) and
+    result = negative * operandHigh
  )
  or
  exists(MinExpr minExpr |
@@ -688,6 +769,18 @@ private float getLowerBoundsImpl(Expr expr) {
    result = xLow * yLow
  )
  or
+  exists(AssignMulByPositiveConstantExpr mulExpr, float xLow |
+    expr = mulExpr and
+    xLow = getFullyConvertedLowerBounds(mulExpr.getLValue()) and
+    result = xLow * mulExpr.getConstant()
+  )
+  or
+  exists(AssignMulByNegativeConstantExpr mulExpr, float xHigh |
+    expr = mulExpr and
+    xHigh = getFullyConvertedUpperBounds(mulExpr.getLValue()) and
+    result = xHigh * mulExpr.getConstant()
+  )
+  or
  exists(PrefixIncrExpr incrExpr, float xLow |
    expr = incrExpr and
    xLow = getFullyConvertedLowerBounds(incrExpr.getOperand()) and
@@ -732,16 +825,6 @@ private float getLowerBoundsImpl(Expr expr) {
    )
  )
  or
-  exists(CommaExpr commaExpr |
-    expr = commaExpr and
-    result = getFullyConvertedLowerBounds(commaExpr.getRightOperand())
-  )
-  or
-  exists(StmtExpr stmtExpr |
-    expr = stmtExpr and
-    result = getFullyConvertedLowerBounds(stmtExpr.getResultExpr())
-  )
-  or
  // If the conversion is to an arithmetic type then we just return the
  // lower bound of the child. We do not need to handle truncation and
  // overflow here, because that is done in `getTruncatedLowerBounds`.
@@ -770,7 +853,7 @@ private float getLowerBoundsImpl(Expr expr) {
  exists(RShiftExpr rsExpr, float left, int right |
    rsExpr = expr and
    left = getFullyConvertedLowerBounds(rsExpr.getLeftOperand()) and
-    right = rsExpr.getRightOperand().getFullyConverted().getValue().toInt() and
+    right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
    result = safeFloor(left / 2.pow(right))
  )
  or
@@ -783,15 +866,16 @@ private float getLowerBoundsImpl(Expr expr) {

 /** Only to be called by `getTruncatedUpperBounds`. */
 private float getUpperBoundsImpl(Expr expr) {
-  exists(UnaryPlusExpr plusExpr |
-    expr = plusExpr and
-    result = getFullyConvertedUpperBounds(plusExpr.getOperand())
+  exists(Expr operand, float operandHigh, float positive |
+    effectivelyMultipliesByPositive(expr, operand, positive) and
+    operandHigh = getFullyConvertedUpperBounds(operand) and
+    result = positive * operandHigh
  )
  or
-  exists(UnaryMinusExpr negateExpr, float xLow |
-    expr = negateExpr and
-    xLow = getFullyConvertedLowerBounds(negateExpr.getOperand()) and
-    result = -xLow
+  exists(Expr operand, float operandLow, float negative |
+    effectivelyMultipliesByNegative(expr, operand, negative) and
+    operandLow = getFullyConvertedLowerBounds(operand) and
+    result = negative * operandLow
  )
  or
  exists(MaxExpr maxExpr |
@@ -879,6 +963,18 @@ private float getUpperBoundsImpl(Expr expr) {
    result = xHigh * yHigh
  )
  or
+  exists(AssignMulByPositiveConstantExpr mulExpr, float xHigh |
+    expr = mulExpr and
+    xHigh = getFullyConvertedUpperBounds(mulExpr.getLValue()) and
+    result = xHigh * mulExpr.getConstant()
+  )
+  or
+  exists(AssignMulByNegativeConstantExpr mulExpr, float xLow |
+    expr = mulExpr and
+    xLow = getFullyConvertedLowerBounds(mulExpr.getLValue()) and
+    result = xLow * mulExpr.getConstant()
+  )
+  or
  exists(PrefixIncrExpr incrExpr, float xHigh |
    expr = incrExpr and
    xHigh = getFullyConvertedUpperBounds(incrExpr.getOperand()) and
@@ -921,16 +1017,6 @@ private float getUpperBoundsImpl(Expr expr) {
    )
  )
  or
-  exists(CommaExpr commaExpr |
-    expr = commaExpr and
-    result = getFullyConvertedUpperBounds(commaExpr.getRightOperand())
-  )
-  or
-  exists(StmtExpr stmtExpr |
-    expr = stmtExpr and
-    result = getFullyConvertedUpperBounds(stmtExpr.getResultExpr())
-  )
-  or
  // If the conversion is to an arithmetic type then we just return the
  // upper bound of the child. We do not need to handle truncation and
  // overflow here, because that is done in `getTruncatedUpperBounds`.
@@ -961,7 +1047,7 @@ private float getUpperBoundsImpl(Expr expr) {
  exists(RShiftExpr rsExpr, float left, int right |
    rsExpr = expr and
    left = getFullyConvertedUpperBounds(rsExpr.getLeftOperand()) and
-    right = rsExpr.getRightOperand().getFullyConverted().getValue().toInt() and
+    right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
    result = safeFloor(left / 2.pow(right))
  )
  or
@@ -1123,6 +1209,20 @@ private float getDefLowerBoundsImpl(RangeSsaDefinition def, StackVariable v) {
    result = lhsLB * rhsLB
  )
  or
+  exists(AssignMulByPositiveConstantExpr assignMul, RangeSsaDefinition nextDef, float lhsLB |
+    def = assignMul and
+    assignMul.getLValue() = nextDef.getAUse(v) and
+    lhsLB = getDefLowerBounds(nextDef, v) and
+    result = lhsLB * assignMul.getConstant()
+  )
+  or
+  exists(AssignMulByNegativeConstantExpr assignMul, RangeSsaDefinition nextDef, float lhsUB |
+    def = assignMul and
+    assignMul.getLValue() = nextDef.getAUse(v) and
+    lhsUB = getDefUpperBounds(nextDef, v) and
+    result = lhsUB * assignMul.getConstant()
+  )
+  or
  exists(IncrementOperation incr, float newLB |
    def = incr and
    incr.getOperand() = v.getAnAccess() and
@@ -1173,6 +1273,20 @@ private float getDefUpperBoundsImpl(RangeSsaDefinition def, StackVariable v) {
    result = lhsUB * rhsUB
  )
  or
+  exists(AssignMulByPositiveConstantExpr assignMul, RangeSsaDefinition nextDef, float lhsUB |
+    def = assignMul and
+    assignMul.getLValue() = nextDef.getAUse(v) and
+    lhsUB = getDefUpperBounds(nextDef, v) and
+    result = lhsUB * assignMul.getConstant()
+  )
+  or
+  exists(AssignMulByNegativeConstantExpr assignMul, RangeSsaDefinition nextDef, float lhsLB |
+    def = assignMul and
+    assignMul.getLValue() = nextDef.getAUse(v) and
+    lhsLB = getDefLowerBounds(nextDef, v) and
+    result = lhsLB * assignMul.getConstant()
+  )
+  or
  exists(IncrementOperation incr, float newUB |
    def = incr and
    incr.getOperand() = v.getAnAccess() and
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1636,65 +1636,437 @@
 | taint.cpp:483:18:483:19 | ref arg & ... | taint.cpp:483:19:483:19 | n [inner post update] |  |
 | taint.cpp:483:19:483:19 | n | taint.cpp:483:18:483:19 | & ... |  |
 | taint.cpp:483:28:483:34 | source1 | taint.cpp:483:11:483:15 | ref arg & ... | TAINT |
-| vector.cpp:8:43:8:49 | source1 | vector.cpp:12:21:12:27 | source1 |  |
-| vector.cpp:8:43:8:49 | source1 | vector.cpp:26:33:26:39 | source1 |  |
-| vector.cpp:12:21:12:27 | source1 | vector.cpp:12:21:12:28 | call to vector | TAINT |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:14:14:14:14 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:18:38:18:38 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:14:14:14:14 | (__begin) | vector.cpp:14:14:14:14 | call to operator* | TAINT |
-| vector.cpp:14:14:14:14 | (__begin) | vector.cpp:14:14:14:14 | call to operator++ | TAINT |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to end | vector.cpp:14:14:14:14 | (__end) |  |
-| vector.cpp:14:14:14:14 | call to operator* | vector.cpp:15:8:15:8 | x |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__range) | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | call to operator* | TAINT |
-| vector.cpp:18:38:18:38 | ref arg v | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:18:38:18:38 | ref arg v | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:18:49:18:50 | it |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:18:66:18:67 | it |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:19:9:19:10 | it |  |
-| vector.cpp:18:55:18:55 | ref arg v | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:18:55:18:55 | ref arg v | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:18:66:18:67 | it | vector.cpp:18:64:18:64 | call to operator++ | TAINT |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:18:49:18:50 | it |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:18:66:18:67 | it |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:19:9:19:10 | it |  |
-| vector.cpp:19:9:19:10 | it | vector.cpp:19:8:19:8 | call to operator* | TAINT |
-| vector.cpp:22:15:22:15 | (__begin) | vector.cpp:22:15:22:15 | call to operator* | TAINT |
-| vector.cpp:22:15:22:15 | (__begin) | vector.cpp:22:15:22:15 | call to operator++ | TAINT |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to end | vector.cpp:22:15:22:15 | (__end) |  |
-| vector.cpp:22:15:22:15 | call to operator* | vector.cpp:23:8:23:8 | x |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__range) | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | call to operator* | TAINT |
-| vector.cpp:26:33:26:39 | source1 | vector.cpp:26:33:26:40 | call to vector | TAINT |
-| vector.cpp:26:33:26:40 | call to vector | vector.cpp:27:21:27:27 | const_v |  |
-| vector.cpp:27:21:27:21 | (__begin) | vector.cpp:27:21:27:21 | call to operator* | TAINT |
-| vector.cpp:27:21:27:21 | (__begin) | vector.cpp:27:21:27:21 | call to operator++ | TAINT |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to end | vector.cpp:27:21:27:21 | (__end) |  |
-| vector.cpp:27:21:27:21 | call to operator* | vector.cpp:28:8:28:8 | x |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | (__range) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | (__range) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | call to operator* | TAINT |
+| vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
+| vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:23:38:23:38 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:23:55:23:55 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:27:15:27:15 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:35:1:35:1 | v |  |
+| vector.cpp:17:26:17:32 | source1 | vector.cpp:17:21:17:33 | call to vector | TAINT |
+| vector.cpp:19:14:19:14 | (__begin) | vector.cpp:19:14:19:14 | call to operator* | TAINT |
+| vector.cpp:19:14:19:14 | (__begin) | vector.cpp:19:14:19:14 | call to operator++ | TAINT |
+| vector.cpp:19:14:19:14 | call to begin | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | call to begin | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | call to begin | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | call to end | vector.cpp:19:14:19:14 | (__end) |  |
+| vector.cpp:19:14:19:14 | call to operator* | vector.cpp:20:8:20:8 | x |  |
+| vector.cpp:19:14:19:14 | ref arg (__begin) | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | ref arg (__begin) | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | ref arg (__begin) | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | ref arg (__range) | vector.cpp:19:14:19:14 | (__range) |  |
+| vector.cpp:19:14:19:14 | v | vector.cpp:19:14:19:14 | (__range) |  |
+| vector.cpp:19:14:19:14 | v | vector.cpp:19:14:19:14 | (__range) |  |
+| vector.cpp:19:14:19:14 | v | vector.cpp:19:14:19:14 | call to operator* | TAINT |
+| vector.cpp:23:38:23:38 | ref arg v | vector.cpp:23:55:23:55 | v |  |
+| vector.cpp:23:38:23:38 | ref arg v | vector.cpp:27:15:27:15 | v |  |
+| vector.cpp:23:38:23:38 | ref arg v | vector.cpp:35:1:35:1 | v |  |
+| vector.cpp:23:40:23:44 | call to begin | vector.cpp:23:49:23:50 | it |  |
+| vector.cpp:23:40:23:44 | call to begin | vector.cpp:23:66:23:67 | it |  |
+| vector.cpp:23:40:23:44 | call to begin | vector.cpp:24:9:24:10 | it |  |
+| vector.cpp:23:55:23:55 | ref arg v | vector.cpp:23:55:23:55 | v |  |
+| vector.cpp:23:55:23:55 | ref arg v | vector.cpp:27:15:27:15 | v |  |
+| vector.cpp:23:55:23:55 | ref arg v | vector.cpp:35:1:35:1 | v |  |
+| vector.cpp:23:66:23:67 | it | vector.cpp:23:64:23:64 | call to operator++ | TAINT |
+| vector.cpp:23:66:23:67 | ref arg it | vector.cpp:23:49:23:50 | it |  |
+| vector.cpp:23:66:23:67 | ref arg it | vector.cpp:23:66:23:67 | it |  |
+| vector.cpp:23:66:23:67 | ref arg it | vector.cpp:24:9:24:10 | it |  |
+| vector.cpp:24:9:24:10 | it | vector.cpp:24:8:24:8 | call to operator* | TAINT |
+| vector.cpp:27:15:27:15 | (__begin) | vector.cpp:27:15:27:15 | call to operator* | TAINT |
+| vector.cpp:27:15:27:15 | (__begin) | vector.cpp:27:15:27:15 | call to operator++ | TAINT |
+| vector.cpp:27:15:27:15 | call to begin | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | call to begin | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | call to begin | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | call to end | vector.cpp:27:15:27:15 | (__end) |  |
+| vector.cpp:27:15:27:15 | call to operator* | vector.cpp:28:8:28:8 | x |  |
+| vector.cpp:27:15:27:15 | ref arg (__begin) | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | ref arg (__begin) | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | ref arg (__begin) | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | ref arg (__range) | vector.cpp:27:15:27:15 | (__range) |  |
+| vector.cpp:27:15:27:15 | v | vector.cpp:27:15:27:15 | (__range) |  |
+| vector.cpp:27:15:27:15 | v | vector.cpp:27:15:27:15 | (__range) |  |
+| vector.cpp:27:15:27:15 | v | vector.cpp:27:15:27:15 | call to operator* | TAINT |
+| vector.cpp:31:33:31:45 | call to vector | vector.cpp:32:21:32:27 | const_v |  |
+| vector.cpp:31:33:31:45 | call to vector | vector.cpp:35:1:35:1 | const_v |  |
+| vector.cpp:31:38:31:44 | source1 | vector.cpp:31:33:31:45 | call to vector | TAINT |
+| vector.cpp:32:21:32:21 | (__begin) | vector.cpp:32:21:32:21 | call to operator* | TAINT |
+| vector.cpp:32:21:32:21 | (__begin) | vector.cpp:32:21:32:21 | call to operator++ | TAINT |
+| vector.cpp:32:21:32:21 | call to begin | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | call to begin | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | call to begin | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | call to end | vector.cpp:32:21:32:21 | (__end) |  |
+| vector.cpp:32:21:32:21 | call to operator* | vector.cpp:33:8:33:8 | x |  |
+| vector.cpp:32:21:32:21 | ref arg (__begin) | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | ref arg (__begin) | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | ref arg (__begin) | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:27 | const_v | vector.cpp:32:21:32:21 | (__range) |  |
+| vector.cpp:32:21:32:27 | const_v | vector.cpp:32:21:32:21 | (__range) |  |
+| vector.cpp:32:21:32:27 | const_v | vector.cpp:32:21:32:21 | call to operator* | TAINT |
+| vector.cpp:37:29:37:29 | x | vector.cpp:42:5:42:5 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:47:10:47:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:55:10:55:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:61:10:61:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:63:5:63:5 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:67:10:67:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:96:8:96:8 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:100:13:100:13 | x |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:40:2:40:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:41:2:41:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:42:2:42:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:51:2:51:3 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:52:7:52:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:53:7:53:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:57:2:57:3 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:58:7:58:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:59:7:59:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:63:2:63:3 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:64:7:64:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:65:7:65:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:69:2:69:3 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:70:7:70:8 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:71:7:71:8 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:74:2:74:3 | v6 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:75:7:75:8 | v6 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:76:7:76:8 | v6 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:79:33:79:34 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:81:3:81:4 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:83:7:83:8 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:84:7:84:8 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:88:33:88:34 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:90:3:90:4 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:92:7:92:8 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:93:7:93:8 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:96:2:96:3 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:97:7:97:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:98:7:98:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:41:2:41:3 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:42:2:42:3 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:40:10:40:10 | 0 | vector.cpp:40:2:40:10 | ... = ... |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:42:2:42:3 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:41:10:41:10 | 0 | vector.cpp:41:2:41:10 | ... = ... |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:42:10:42:10 | 0 | vector.cpp:42:2:42:10 | ... = ... |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:43:15:43:15 | 1 | vector.cpp:43:2:43:3 | ref arg v1 | TAINT |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:48:7:48:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:48:7:48:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:48:7:48:8 | v1 | vector.cpp:48:10:48:14 | call to front | TAINT |
+| vector.cpp:49:7:49:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:49:7:49:8 | v1 | vector.cpp:49:10:49:13 | call to back | TAINT |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:52:7:52:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:53:7:53:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:51:10:51:15 | call to source | vector.cpp:51:2:51:17 | ... = ... |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:53:7:53:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:55:7:55:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:55:7:55:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:58:7:58:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:59:7:59:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:57:7:57:8 | v2 | vector.cpp:57:2:57:3 | ref arg v3 | TAINT |
+| vector.cpp:57:7:57:8 | v2 | vector.cpp:57:5:57:5 | call to operator= | TAINT |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:59:7:59:8 | v3 |  |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:60:7:60:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:60:7:60:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:61:7:61:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:64:7:64:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:65:7:65:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:63:10:63:15 | call to source | vector.cpp:63:2:63:17 | ... = ... |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:65:7:65:8 | v4 |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:66:7:66:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:66:7:66:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:67:7:67:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:70:7:70:8 | v5 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:71:7:71:8 | v5 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:69:15:69:20 | call to source | vector.cpp:69:2:69:3 | ref arg v5 | TAINT |
+| vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:71:7:71:8 | v5 |  |
+| vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:71:7:71:8 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:71:7:71:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:71:7:71:8 | v5 | vector.cpp:71:10:71:14 | call to front | TAINT |
+| vector.cpp:72:7:72:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:72:7:72:8 | v5 | vector.cpp:72:10:72:13 | call to back | TAINT |
+| vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:75:7:75:8 | v6 |  |
+| vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
+| vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] |  |
+| vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:12:74:12 | 2 | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:17:74:22 | call to source | vector.cpp:74:2:74:24 | ... = ... |  |
+| vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
+| vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:76:7:76:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:76:10:76:13 | call to data | vector.cpp:76:7:76:18 | access to array | TAINT |
+| vector.cpp:76:17:76:17 | 2 | vector.cpp:76:7:76:18 | access to array | TAINT |
+| vector.cpp:79:33:79:34 | v7 | vector.cpp:80:41:80:43 | v7c |  |
+| vector.cpp:80:45:80:49 | call to begin | vector.cpp:81:13:81:14 | it |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:83:7:83:8 | v7 |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:84:7:84:8 | v7 |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:84:7:84:8 | v7 |  |
+| vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:84:7:84:8 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:84:7:84:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:84:7:84:8 | v7 | vector.cpp:84:10:84:14 | call to front | TAINT |
+| vector.cpp:85:7:85:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:85:7:85:8 | v7 | vector.cpp:85:10:85:13 | call to back | TAINT |
+| vector.cpp:88:33:88:34 | v8 | vector.cpp:89:41:89:43 | v8c |  |
+| vector.cpp:89:45:89:49 | call to begin | vector.cpp:90:13:90:14 | it |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:92:7:92:8 | v8 |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:93:7:93:8 | v8 |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:93:7:93:8 | v8 |  |
+| vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:93:7:93:8 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:93:7:93:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:93:7:93:8 | v8 | vector.cpp:93:10:93:14 | call to front | TAINT |
+| vector.cpp:94:7:94:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:94:7:94:8 | v8 | vector.cpp:94:10:94:13 | call to back | TAINT |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:97:7:97:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:98:7:98:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:96:13:96:18 | call to source | vector.cpp:96:2:96:20 | ... = ... |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:98:7:98:8 | v9 |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:99:7:99:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:99:7:99:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:100:7:100:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:106:2:106:3 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:109:7:109:8 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:114:2:114:3 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:110:7:110:8 | v2 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:114:10:114:11 | v2 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:118:7:118:8 | v2 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:111:7:111:8 | v3 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:115:2:115:3 | v3 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:119:7:119:8 | v3 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:107:2:107:3 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:112:7:112:8 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:115:10:115:11 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:109:7:109:8 | v1 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:114:2:114:3 | v1 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:106:15:106:20 | call to source | vector.cpp:106:2:106:3 | ref arg v1 | TAINT |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:112:7:112:8 | v4 |  |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:115:10:115:11 | v4 |  |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:107:15:107:20 | call to source | vector.cpp:107:2:107:3 | ref arg v4 | TAINT |
+| vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:114:2:114:3 | v1 |  |
+| vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:110:7:110:8 | ref arg v2 | vector.cpp:114:10:114:11 | v2 |  |
+| vector.cpp:110:7:110:8 | ref arg v2 | vector.cpp:118:7:118:8 | v2 |  |
+| vector.cpp:110:7:110:8 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:111:7:111:8 | ref arg v3 | vector.cpp:115:2:115:3 | v3 |  |
+| vector.cpp:111:7:111:8 | ref arg v3 | vector.cpp:119:7:119:8 | v3 |  |
+| vector.cpp:111:7:111:8 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:115:10:115:11 | v4 |  |
+| vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:114:2:114:3 | v1 | vector.cpp:114:10:114:11 | ref arg v2 | TAINT |
+| vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:118:7:118:8 | v2 |  |
+| vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:114:10:114:11 | v2 | vector.cpp:114:2:114:3 | ref arg v1 | TAINT |
+| vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:119:7:119:8 | v3 |  |
+| vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:115:2:115:3 | v3 | vector.cpp:115:10:115:11 | ref arg v4 | TAINT |
+| vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:115:10:115:11 | v4 | vector.cpp:115:2:115:3 | ref arg v3 | TAINT |
+| vector.cpp:117:7:117:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:118:7:118:8 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:119:7:119:8 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:120:7:120:8 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:126:2:126:3 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:130:7:130:8 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:135:2:135:3 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:127:2:127:3 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:131:7:131:8 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:136:2:136:3 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:136:7:136:8 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:128:2:128:3 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:132:7:132:8 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:137:2:137:3 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:133:7:133:8 | v4 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:137:7:137:8 | v4 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:142:7:142:8 | v4 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:143:1:143:1 | v4 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:130:7:130:8 | v1 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:135:2:135:3 | v1 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:126:15:126:20 | call to source | vector.cpp:126:2:126:3 | ref arg v1 | TAINT |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:131:7:131:8 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:136:2:136:3 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:136:7:136:8 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:127:15:127:20 | call to source | vector.cpp:127:2:127:3 | ref arg v2 | TAINT |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:132:7:132:8 | v3 |  |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:137:2:137:3 | v3 |  |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:128:15:128:20 | call to source | vector.cpp:128:2:128:3 | ref arg v3 | TAINT |
+| vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:135:2:135:3 | v1 |  |
+| vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:136:2:136:3 | v2 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:136:7:136:8 | v2 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:132:7:132:8 | ref arg v3 | vector.cpp:137:2:137:3 | v3 |  |
+| vector.cpp:132:7:132:8 | ref arg v3 | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:132:7:132:8 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:133:7:133:8 | ref arg v4 | vector.cpp:137:7:137:8 | v4 |  |
+| vector.cpp:133:7:133:8 | ref arg v4 | vector.cpp:142:7:142:8 | v4 |  |
+| vector.cpp:133:7:133:8 | ref arg v4 | vector.cpp:143:1:143:1 | v4 |  |
+| vector.cpp:135:2:135:3 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:135:2:135:3 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:136:2:136:3 | ref arg v2 | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:136:2:136:3 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:136:7:136:8 | v2 | vector.cpp:136:2:136:3 | ref arg v2 | TAINT |
+| vector.cpp:136:7:136:8 | v2 | vector.cpp:136:5:136:5 | call to operator= | TAINT |
+| vector.cpp:137:2:137:3 | ref arg v3 | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:137:2:137:3 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:137:7:137:8 | v4 | vector.cpp:137:2:137:3 | ref arg v3 | TAINT |
+| vector.cpp:137:7:137:8 | v4 | vector.cpp:137:5:137:5 | call to operator= | TAINT |
+| vector.cpp:139:7:139:8 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:140:7:140:8 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:141:7:141:8 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:142:7:142:8 | ref arg v4 | vector.cpp:143:1:143:1 | v4 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -127,23 +127,53 @@ namespace std
 // --- vector ---

 namespace std {
-	template <class T>
-	class vector {
-	private:
-		void *data_;
+	template<class T, class Allocator = allocator<T>>
+	class vector { 
 	public:
-		vector(int size);
+		using value_type = T;
+		using reference = value_type&;
+		using const_reference = const value_type&; 
+		using size_type = unsigned int;
+		using iterator = std::iterator<random_access_iterator_tag, T>;
+		using const_iterator = std::iterator<random_access_iterator_tag, const T>;

-		T& operator[](int idx);
-		const T& operator[](int idx) const;
+		vector() noexcept(noexcept(Allocator())) : vector(Allocator()) { }
+		explicit vector(const Allocator&) noexcept;
+		explicit vector(size_type n, const Allocator& = Allocator());
+		vector(size_type n, const T& value, const Allocator& = Allocator()); 
+		~vector();

-		typedef std::iterator<random_access_iterator_tag, T> iterator;
-		typedef std::iterator<random_access_iterator_tag, const T> const_iterator;
+		vector& operator=(const vector& x);
+		vector& operator=(vector&& x) noexcept/*(allocator_traits<Allocator>::propagate_on_container_move_assignment::value || allocator_traits<Allocator>::is_always_equal::value)*/;

 		iterator begin() noexcept;
-		iterator end() noexcept;
-
 		const_iterator begin() const noexcept;
+		iterator end() noexcept;
 		const_iterator end() const noexcept;
+
+		size_type size() const noexcept;
+
+		reference operator[](size_type n);
+		const_reference operator[](size_type n) const;
+		const_reference at(size_type n) const;
+		reference at(size_type n);
+		reference front();
+		const_reference front() const;
+		reference back();
+		const_reference back() const;
+
+		T* data() noexcept;
+		const T* data() const noexcept;
+
+		void push_back(const T& x);
+		void push_back(T&& x);
+
+		iterator insert(const_iterator position, const T& x);
+		iterator insert(const_iterator position, T&& x);
+		iterator insert(const_iterator position, size_type n, const T& x);
+
+		void swap(vector&) noexcept/*(allocator_traits<Allocator>::propagate_on_container_swap::value || allocator_traits<Allocator>::is_always_equal::value)*/;
+
+		void clear() noexcept;
 	};
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -210,6 +210,21 @@
 | taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:471:7:471:7 | y | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:485:7:485:10 | line | taint.cpp:480:26:480:32 | source1 |
-| vector.cpp:15:8:15:8 | x | vector.cpp:8:43:8:49 | source1 |
-| vector.cpp:23:8:23:8 | x | vector.cpp:8:43:8:49 | source1 |
-| vector.cpp:28:8:28:8 | x | vector.cpp:8:43:8:49 | source1 |
+| vector.cpp:20:8:20:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:28:8:28:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:33:8:33:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:70:7:70:8 | v5 | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:71:10:71:14 | call to front | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:72:10:72:13 | call to back | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:109:7:109:8 | v1 | vector.cpp:106:15:106:20 | call to source |
+| vector.cpp:112:7:112:8 | v4 | vector.cpp:107:15:107:20 | call to source |
+| vector.cpp:117:7:117:8 | v1 | vector.cpp:106:15:106:20 | call to source |
+| vector.cpp:118:7:118:8 | v2 | vector.cpp:106:15:106:20 | call to source |
+| vector.cpp:119:7:119:8 | v3 | vector.cpp:107:15:107:20 | call to source |
+| vector.cpp:120:7:120:8 | v4 | vector.cpp:107:15:107:20 | call to source |
+| vector.cpp:130:7:130:8 | v1 | vector.cpp:126:15:126:20 | call to source |
+| vector.cpp:131:7:131:8 | v2 | vector.cpp:127:15:127:20 | call to source |
+| vector.cpp:132:7:132:8 | v3 | vector.cpp:128:15:128:20 | call to source |
+| vector.cpp:139:7:139:8 | v1 | vector.cpp:126:15:126:20 | call to source |
+| vector.cpp:140:7:140:8 | v2 | vector.cpp:127:15:127:20 | call to source |
+| vector.cpp:141:7:141:8 | v3 | vector.cpp:128:15:128:20 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -145,6 +145,21 @@
 | taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |
-| vector.cpp:15:8:15:8 | vector.cpp:8:43:8:49 | AST only |
-| vector.cpp:23:8:23:8 | vector.cpp:8:43:8:49 | AST only |
-| vector.cpp:28:8:28:8 | vector.cpp:8:43:8:49 | AST only |
+| vector.cpp:20:8:20:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:28:8:28:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:33:8:33:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:70:7:70:8 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:71:10:71:14 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:72:10:72:13 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:109:7:109:8 | vector.cpp:106:15:106:20 | AST only |
+| vector.cpp:112:7:112:8 | vector.cpp:107:15:107:20 | AST only |
+| vector.cpp:117:7:117:8 | vector.cpp:106:15:106:20 | AST only |
+| vector.cpp:118:7:118:8 | vector.cpp:106:15:106:20 | AST only |
+| vector.cpp:119:7:119:8 | vector.cpp:107:15:107:20 | AST only |
+| vector.cpp:120:7:120:8 | vector.cpp:107:15:107:20 | AST only |
+| vector.cpp:130:7:130:8 | vector.cpp:126:15:126:20 | AST only |
+| vector.cpp:131:7:131:8 | vector.cpp:127:15:127:20 | AST only |
+| vector.cpp:132:7:132:8 | vector.cpp:128:15:128:20 | AST only |
+| vector.cpp:139:7:139:8 | vector.cpp:126:15:126:20 | AST only |
+| vector.cpp:140:7:140:8 | vector.cpp:127:15:127:20 | AST only |
+| vector.cpp:141:7:141:8 | vector.cpp:128:15:128:20 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -3,13 +3,18 @@

 using namespace std;

+int source();
+
+namespace ns_char
+{
+	char source();
+}
+
 void sink(int);
+void sink(std::vector<int> &);

 void test_range_based_for_loop_vector(int source1) {
-	// Tainting the vector by allocating a tainted length. This doesn't represent
-	// how a vector would typically get tainted, but it allows this test to avoid
-	// being concerned with std::vector modeling.
-	std::vector<int> v(source1);
+	std::vector<int> v(100, source1);

 	for(int x : v) {
 		sink(x); // tainted [NOT DETECTED by IR]
@@ -23,8 +28,116 @@ void test_range_based_for_loop_vector(int source1) {
 		sink(x); // tainted [NOT DETECTED by IR]
 	}

-	const std::vector<int> const_v(source1);
+	const std::vector<int> const_v(100, source1);
 	for(const int& x : const_v) {
 		sink(x); // tainted [NOT DETECTED by IR]
 	}
 }
+
+void test_element_taint(int x) {
+	std::vector<int> v1(10), v2(10), v3(10), v4(10), v5(10), v6(10), v7(10), v8(10), v9(10);
+
+	v1[0] = 0;
+	v1[1] = 0;
+	v1[x] = 0;
+	v1.push_back(1);
+	sink(v1);
+	sink(v1[0]);
+	sink(v1[1]);
+	sink(v1[x]);
+	sink(v1.front());
+	sink(v1.back());
+
+	v2[0] = source();
+	sink(v2); // tainted [NOT DETECTED]
+	sink(v2[0]); // tainted [NOT DETECTED]
+	sink(v2[1]);
+	sink(v2[x]); // potentially tainted
+
+	v3 = v2;
+	sink(v3); // tainted [NOT DETECTED]
+	sink(v3[0]); // tainted [NOT DETECTED]
+	sink(v3[1]);
+	sink(v3[x]); // potentially tainted
+
+	v4[x] = source();
+	sink(v4); // tainted [NOT DETECTED]
+	sink(v4[0]); // potentially tainted
+	sink(v4[1]); // potentially tainted
+	sink(v4[x]); // tainted [NOT DETECTED]
+
+	v5.push_back(source());
+	sink(v5); // tainted
+	sink(v5.front()); // [FALSE POSITIVE]
+	sink(v5.back()); // tainted
+
+	v6.data()[2] = source();
+	sink(v6); // tainted [NOT DETECTED]
+	sink(v6.data()[2]); // tainted [NOT DETECTED]
+
+	{
+		const std::vector<int> &v7c = v7; // (workaround because our iterators don't convert to const_iterator)
+		std::vector<int>::const_iterator it = v7c.begin();
+		v7.insert(it, source());
+	}
+	sink(v7); // tainted [NOT DETECTED]
+	sink(v7.front()); // tainted [NOT DETECTED]
+	sink(v7.back());
+
+	{
+		const std::vector<int> &v8c = v8;
+		std::vector<int>::const_iterator it = v8c.begin();
+		v8.insert(it, 10, ns_char::source());
+	}
+	sink(v8); // tainted [NOT DETECTED]
+	sink(v8.front()); // tainted [NOT DETECTED]
+	sink(v8.back());
+
+	v9.at(x) = source();
+	sink(v9); // tainted [NOT DETECTED]
+	sink(v9.at(0)); // potentially tainted
+	sink(v9.at(1)); // potentially tainted
+	sink(v9.at(x)); // tainted [NOT DETECTED]
+}
+
+void test_vector_swap() {
+	std::vector<int> v1(10), v2(10), v3(10), v4(10);
+
+	v1.push_back(source());
+	v4.push_back(source());
+
+	sink(v1); // tainted
+	sink(v2);
+	sink(v3);
+	sink(v4); // tainted
+
+	v1.swap(v2);
+	v3.swap(v4);
+
+	sink(v1); // [FALSE POSITIVE]
+	sink(v2); // tainted
+	sink(v3); // tainted
+	sink(v4); // [FALSE POSITIVE]
+}
+
+void test_vector_clear() {
+	std::vector<int> v1(10), v2(10), v3(10), v4(10);
+
+	v1.push_back(source());
+	v2.push_back(source());
+	v3.push_back(source());
+
+	sink(v1); // tainted
+	sink(v2); // tainted
+	sink(v3); // tainted
+	sink(v4);
+
+	v1.clear();
+	v2 = v2;
+	v3 = v4;
+
+	sink(v1); // [FALSE POSITIVE]
+	sink(v2); // tainted
+	sink(v3); // [FALSE POSITIVE]
+	sink(v4);
+}
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
@@ -510,6 +510,28 @@
 | test.c:504:3:504:9 | ulconst | 10 |
 | test.c:505:10:505:16 | uiconst | 40 |
 | test.c:505:20:505:26 | ulconst | 40 |
+| test.c:509:7:509:7 | i | -2147483648 |
+| test.c:509:18:509:18 | i | -1 |
+| test.c:510:5:510:5 | i | -2147483648 |
+| test.c:510:13:510:13 | i | -1 |
+| test.c:511:9:511:9 | i | -5 |
+| test.c:513:5:513:5 | i | -2147483648 |
+| test.c:513:9:513:9 | i | -5 |
+| test.c:514:9:514:9 | i | -30 |
+| test.c:516:5:516:5 | i | -30 |
+| test.c:517:9:517:9 | i | -210 |
+| test.c:519:5:519:5 | i | -210 |
+| test.c:520:9:520:9 | i | -1155 |
+| test.c:522:7:522:7 | i | -2147483648 |
+| test.c:523:5:523:5 | i | -2147483648 |
+| test.c:523:9:523:9 | i | -1 |
+| test.c:524:9:524:9 | i | 1 |
+| test.c:526:3:526:3 | i | -2147483648 |
+| test.c:526:7:526:7 | i | -2147483648 |
+| test.c:527:10:527:10 | i | -2147483648 |
+| test.c:530:3:530:3 | i | -2147483648 |
+| test.c:530:10:530:11 | sc | 1 |
+| test.c:532:7:532:7 | i | -128 |
 | test.cpp:10:7:10:7 | b | -2147483648 |
 | test.cpp:11:5:11:5 | x | -2147483648 |
 | test.cpp:13:10:13:10 | x | -2147483648 |
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
@@ -504,3 +504,32 @@ unsigned long mul_assign(unsigned int ui) {
  ulconst *= 4;
  return uiconst + ulconst; // 40 .. 40 for both
 }
+
+int mul_by_constant(int i, int j) {
+  if (i >= -1 && i <= 2) {
+    i = 5 * i;
+    out(i); // -5 .. 10
+
+    i = i * -3;
+    out(i); // -30 .. 15
+
+    i *= 7;
+    out(i); // -210 .. 105
+
+    i *= -11;
+    out(i); // -1155 .. 2310
+  }
+  if (i == -1) {
+    i = i * (int)0xffFFffFF; // fully converted literal is -1
+    out(i); // 1 .. 1
+  }
+  i = i * -1;
+  out(   i); // -2^31 .. 2^31-1
+
+  signed char sc = 1;
+  i = (*&sc *= 2);
+  out(sc); // demonstrate that we couldn't analyze the LHS of the `*=` above...
+  out(i); // -128 .. 127 // ... but we can still bound its result by its type.
+
+  return 0;
+}
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
@@ -510,6 +510,28 @@
 | test.c:504:3:504:9 | ulconst | 10 |
 | test.c:505:10:505:16 | uiconst | 40 |
 | test.c:505:20:505:26 | ulconst | 40 |
+| test.c:509:7:509:7 | i | 2147483647 |
+| test.c:509:18:509:18 | i | 2147483647 |
+| test.c:510:5:510:5 | i | 2147483647 |
+| test.c:510:13:510:13 | i | 2 |
+| test.c:511:9:511:9 | i | 10 |
+| test.c:513:5:513:5 | i | 2147483647 |
+| test.c:513:9:513:9 | i | 10 |
+| test.c:514:9:514:9 | i | 15 |
+| test.c:516:5:516:5 | i | 15 |
+| test.c:517:9:517:9 | i | 105 |
+| test.c:519:5:519:5 | i | 105 |
+| test.c:520:9:520:9 | i | 2310 |
+| test.c:522:7:522:7 | i | 2147483647 |
+| test.c:523:5:523:5 | i | 2147483647 |
+| test.c:523:9:523:9 | i | -1 |
+| test.c:524:9:524:9 | i | 1 |
+| test.c:526:3:526:3 | i | 2147483647 |
+| test.c:526:7:526:7 | i | 2147483647 |
+| test.c:527:10:527:10 | i | 2147483647 |
+| test.c:530:3:530:3 | i | 2147483647 |
+| test.c:530:10:530:11 | sc | 1 |
+| test.c:532:7:532:7 | i | 127 |
 | test.cpp:10:7:10:7 | b | 2147483647 |
 | test.cpp:11:5:11:5 | x | 2147483647 |
 | test.cpp:13:10:13:10 | x | 2147483647 |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
@@ -2,5 +2,8 @@
 | test3.c:13:16:13:19 | * ... | $@ flows to here and is used in an expression which might overflow negatively. | test3.c:11:15:11:18 | argv | User-provided value |
 | test4.cpp:13:17:13:20 | access to array | $@ flows to here and is used in an expression which might overflow negatively. | test4.cpp:9:13:9:16 | argv | User-provided value |
 | test5.cpp:10:9:10:15 | call to strtoul | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:17:6:17:27 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:19:6:19:13 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test.c:14:15:14:35 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:44:7:44:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value |
 | test.c:54:7:54:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value |