Merge pull request #4107 from geoffw0/vecmethods

C++: Initial models for std::vector
2026-04-20 22:44:52 +02:00 · 2020-08-20 15:53:35 +02:00
parent 2a8ff8785a 3d171f358a
commit d56a03389c
8 changed files with 725 additions and 76 deletions
--- a/change-notes/1.26/analysis-cpp.md
+++ b/change-notes/1.26/analysis-cpp.md
@@ -19,6 +19,7 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.

 ## Changes to libraries

+* The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
 * The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
--- a/cpp/ql/src/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -13,6 +13,7 @@ private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
+private import implementations.StdContainer
 private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -0,0 +1,102 @@
+/**
+ * Provides models for C++ containers `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * Additional model for standard container constructors that reference the
+ * value type of the container (that is, the `T` in `std::vector<T>`).  For
+ * example the fill constructor:
+ * ```
+ * std::vector<std::string> v(100, potentially_tainted_string);
+ * ```
+ */
+class StdSequenceContainerConstructor extends Constructor, TaintFunction {
+  StdSequenceContainerConstructor() {
+    this.getDeclaringType().hasQualifiedName("std", "vector") or
+    this.getDeclaringType().hasQualifiedName("std", "deque") or
+    this.getDeclaringType().hasQualifiedName("std", "list") or
+    this.getDeclaringType().hasQualifiedName("std", "forward_list")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of the value type to the returned object
+    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
+
+/**
+ * The standard container functions `push_back` and `push_front`.
+ */
+class StdSequenceContainerPush extends TaintFunction {
+  StdSequenceContainerPush() {
+    this.hasQualifiedName("std", "vector", "push_back") or
+    this.hasQualifiedName("std", "deque", "push_back") or
+    this.hasQualifiedName("std", "deque", "push_front") or
+    this.hasQualifiedName("std", "list", "push_back") or
+    this.hasQualifiedName("std", "list", "push_front") or
+    this.hasQualifiedName("std", "forward_list", "push_front")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to qualifier
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The standard container functions `front` and `back`.
+ */
+class StdSequenceContainerFrontBack extends TaintFunction {
+  StdSequenceContainerFrontBack() {
+    this.hasQualifiedName("std", "array", "front") or
+    this.hasQualifiedName("std", "array", "back") or
+    this.hasQualifiedName("std", "vector", "front") or
+    this.hasQualifiedName("std", "vector", "back") or
+    this.hasQualifiedName("std", "deque", "front") or
+    this.hasQualifiedName("std", "deque", "back") or
+    this.hasQualifiedName("std", "list", "front") or
+    this.hasQualifiedName("std", "list", "back") or
+    this.hasQualifiedName("std", "forward_list", "front")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from object to returned reference
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
+/**
+ * The standard container `swap` functions.
+ */
+class StdSequenceContainerSwap extends TaintFunction {
+  StdSequenceContainerSwap() {
+    this.hasQualifiedName("std", "array", "swap") or
+    this.hasQualifiedName("std", "vector", "swap") or
+    this.hasQualifiedName("std", "deque", "swap") or
+    this.hasQualifiedName("std", "list", "swap") or
+    this.hasQualifiedName("std", "forward_list", "swap")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1513,57 +1513,429 @@
 | taint.cpp:483:18:483:19 | ref arg & ... | taint.cpp:483:19:483:19 | n [inner post update] |  |
 | taint.cpp:483:19:483:19 | n | taint.cpp:483:18:483:19 | & ... |  |
 | taint.cpp:483:28:483:34 | source1 | taint.cpp:483:11:483:15 | ref arg & ... | TAINT |
-| vector.cpp:8:43:8:49 | source1 | vector.cpp:12:21:12:27 | source1 |  |
-| vector.cpp:8:43:8:49 | source1 | vector.cpp:26:33:26:39 | source1 |  |
-| vector.cpp:12:21:12:27 | source1 | vector.cpp:12:21:12:28 | call to vector | TAINT |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:14:14:14:14 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:18:38:18:38 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to end | vector.cpp:14:14:14:14 | (__end) |  |
-| vector.cpp:14:14:14:14 | call to operator* | vector.cpp:15:8:15:8 | x |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__range) | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | call to operator* | TAINT |
-| vector.cpp:18:38:18:38 | ref arg v | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:18:38:18:38 | ref arg v | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:18:49:18:50 | it |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:18:66:18:67 | it |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:19:9:19:10 | it |  |
-| vector.cpp:18:55:18:55 | ref arg v | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:18:55:18:55 | ref arg v | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:18:49:18:50 | it |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:18:66:18:67 | it |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:19:9:19:10 | it |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to end | vector.cpp:22:15:22:15 | (__end) |  |
-| vector.cpp:22:15:22:15 | call to operator* | vector.cpp:23:8:23:8 | x |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__range) | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | call to operator* | TAINT |
-| vector.cpp:26:33:26:39 | source1 | vector.cpp:26:33:26:40 | call to vector | TAINT |
-| vector.cpp:26:33:26:40 | call to vector | vector.cpp:27:21:27:27 | const_v |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to end | vector.cpp:27:21:27:21 | (__end) |  |
-| vector.cpp:27:21:27:21 | call to operator* | vector.cpp:28:8:28:8 | x |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | (__range) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | (__range) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | call to operator* | TAINT |
+| vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
+| vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:23:38:23:38 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:23:55:23:55 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:27:15:27:15 | v |  |
+| vector.cpp:17:21:17:33 | call to vector | vector.cpp:35:1:35:1 | v |  |
+| vector.cpp:17:26:17:32 | source1 | vector.cpp:17:21:17:33 | call to vector | TAINT |
+| vector.cpp:19:14:19:14 | call to begin | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | call to begin | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | call to begin | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | call to end | vector.cpp:19:14:19:14 | (__end) |  |
+| vector.cpp:19:14:19:14 | call to operator* | vector.cpp:20:8:20:8 | x |  |
+| vector.cpp:19:14:19:14 | ref arg (__begin) | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | ref arg (__begin) | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | ref arg (__begin) | vector.cpp:19:14:19:14 | (__begin) |  |
+| vector.cpp:19:14:19:14 | ref arg (__range) | vector.cpp:19:14:19:14 | (__range) |  |
+| vector.cpp:19:14:19:14 | v | vector.cpp:19:14:19:14 | (__range) |  |
+| vector.cpp:19:14:19:14 | v | vector.cpp:19:14:19:14 | (__range) |  |
+| vector.cpp:19:14:19:14 | v | vector.cpp:19:14:19:14 | call to operator* | TAINT |
+| vector.cpp:23:38:23:38 | ref arg v | vector.cpp:23:55:23:55 | v |  |
+| vector.cpp:23:38:23:38 | ref arg v | vector.cpp:27:15:27:15 | v |  |
+| vector.cpp:23:38:23:38 | ref arg v | vector.cpp:35:1:35:1 | v |  |
+| vector.cpp:23:40:23:44 | call to begin | vector.cpp:23:49:23:50 | it |  |
+| vector.cpp:23:40:23:44 | call to begin | vector.cpp:23:66:23:67 | it |  |
+| vector.cpp:23:40:23:44 | call to begin | vector.cpp:24:9:24:10 | it |  |
+| vector.cpp:23:55:23:55 | ref arg v | vector.cpp:23:55:23:55 | v |  |
+| vector.cpp:23:55:23:55 | ref arg v | vector.cpp:27:15:27:15 | v |  |
+| vector.cpp:23:55:23:55 | ref arg v | vector.cpp:35:1:35:1 | v |  |
+| vector.cpp:23:66:23:67 | ref arg it | vector.cpp:23:49:23:50 | it |  |
+| vector.cpp:23:66:23:67 | ref arg it | vector.cpp:23:66:23:67 | it |  |
+| vector.cpp:23:66:23:67 | ref arg it | vector.cpp:24:9:24:10 | it |  |
+| vector.cpp:27:15:27:15 | call to begin | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | call to begin | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | call to begin | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | call to end | vector.cpp:27:15:27:15 | (__end) |  |
+| vector.cpp:27:15:27:15 | call to operator* | vector.cpp:28:8:28:8 | x |  |
+| vector.cpp:27:15:27:15 | ref arg (__begin) | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | ref arg (__begin) | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | ref arg (__begin) | vector.cpp:27:15:27:15 | (__begin) |  |
+| vector.cpp:27:15:27:15 | ref arg (__range) | vector.cpp:27:15:27:15 | (__range) |  |
+| vector.cpp:27:15:27:15 | v | vector.cpp:27:15:27:15 | (__range) |  |
+| vector.cpp:27:15:27:15 | v | vector.cpp:27:15:27:15 | (__range) |  |
+| vector.cpp:27:15:27:15 | v | vector.cpp:27:15:27:15 | call to operator* | TAINT |
+| vector.cpp:31:33:31:45 | call to vector | vector.cpp:32:21:32:27 | const_v |  |
+| vector.cpp:31:33:31:45 | call to vector | vector.cpp:35:1:35:1 | const_v |  |
+| vector.cpp:31:38:31:44 | source1 | vector.cpp:31:33:31:45 | call to vector | TAINT |
+| vector.cpp:32:21:32:21 | call to begin | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | call to begin | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | call to begin | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | call to end | vector.cpp:32:21:32:21 | (__end) |  |
+| vector.cpp:32:21:32:21 | call to operator* | vector.cpp:33:8:33:8 | x |  |
+| vector.cpp:32:21:32:21 | ref arg (__begin) | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | ref arg (__begin) | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:21 | ref arg (__begin) | vector.cpp:32:21:32:21 | (__begin) |  |
+| vector.cpp:32:21:32:27 | const_v | vector.cpp:32:21:32:21 | (__range) |  |
+| vector.cpp:32:21:32:27 | const_v | vector.cpp:32:21:32:21 | (__range) |  |
+| vector.cpp:32:21:32:27 | const_v | vector.cpp:32:21:32:21 | call to operator* | TAINT |
+| vector.cpp:37:29:37:29 | x | vector.cpp:42:5:42:5 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:47:10:47:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:55:10:55:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:61:10:61:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:63:5:63:5 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:67:10:67:10 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:96:8:96:8 | x |  |
+| vector.cpp:37:29:37:29 | x | vector.cpp:100:13:100:13 | x |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:40:2:40:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:41:2:41:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:42:2:42:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:38:22:38:24 | call to vector | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:51:2:51:3 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:52:7:52:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:53:7:53:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:38:30:38:32 | call to vector | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:57:2:57:3 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:58:7:58:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:59:7:59:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:38:38:38:40 | call to vector | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:63:2:63:3 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:64:7:64:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:65:7:65:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:38:46:38:48 | call to vector | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:69:2:69:3 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:70:7:70:8 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:71:7:71:8 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:38:54:38:56 | call to vector | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:74:2:74:3 | v6 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:75:7:75:8 | v6 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:76:7:76:8 | v6 |  |
+| vector.cpp:38:62:38:64 | call to vector | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:79:33:79:34 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:81:3:81:4 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:83:7:83:8 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:84:7:84:8 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:38:70:38:72 | call to vector | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:88:33:88:34 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:90:3:90:4 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:92:7:92:8 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:93:7:93:8 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:38:78:38:80 | call to vector | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:96:2:96:3 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:97:7:97:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:98:7:98:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:38:86:38:88 | call to vector | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:41:2:41:3 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:42:2:42:3 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:40:10:40:10 | 0 | vector.cpp:40:2:40:10 | ... = ... |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:42:2:42:3 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:41:10:41:10 | 0 | vector.cpp:41:2:41:10 | ... = ... |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:42:10:42:10 | 0 | vector.cpp:42:2:42:10 | ... = ... |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:43:15:43:15 | 1 | vector.cpp:43:2:43:3 | ref arg v1 | TAINT |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
+| vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:48:7:48:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
+| vector.cpp:48:7:48:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:48:7:48:8 | v1 | vector.cpp:48:10:48:14 | call to front | TAINT |
+| vector.cpp:49:7:49:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:49:7:49:8 | v1 | vector.cpp:49:10:49:13 | call to back | TAINT |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:52:7:52:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:53:7:53:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:51:10:51:15 | call to source | vector.cpp:51:2:51:17 | ... = ... |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:53:7:53:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
+| vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:55:7:55:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
+| vector.cpp:55:7:55:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:58:7:58:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:59:7:59:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:57:7:57:8 | v2 | vector.cpp:57:2:57:3 | ref arg v3 | TAINT |
+| vector.cpp:57:7:57:8 | v2 | vector.cpp:57:5:57:5 | call to operator= | TAINT |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:59:7:59:8 | v3 |  |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:58:7:58:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
+| vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:60:7:60:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
+| vector.cpp:60:7:60:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:61:7:61:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:64:7:64:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:65:7:65:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:63:10:63:15 | call to source | vector.cpp:63:2:63:17 | ... = ... |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:65:7:65:8 | v4 |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
+| vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:66:7:66:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
+| vector.cpp:66:7:66:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:67:7:67:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:70:7:70:8 | v5 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:71:7:71:8 | v5 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:69:15:69:20 | call to source | vector.cpp:69:2:69:3 | ref arg v5 | TAINT |
+| vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:71:7:71:8 | v5 |  |
+| vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:71:7:71:8 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
+| vector.cpp:71:7:71:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:71:7:71:8 | v5 | vector.cpp:71:10:71:14 | call to front | TAINT |
+| vector.cpp:72:7:72:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:72:7:72:8 | v5 | vector.cpp:72:10:72:13 | call to back | TAINT |
+| vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:75:7:75:8 | v6 |  |
+| vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
+| vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] |  |
+| vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:12:74:12 | 2 | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:17:74:22 | call to source | vector.cpp:74:2:74:24 | ... = ... |  |
+| vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
+| vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:76:7:76:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:76:10:76:13 | call to data | vector.cpp:76:7:76:18 | access to array | TAINT |
+| vector.cpp:76:17:76:17 | 2 | vector.cpp:76:7:76:18 | access to array | TAINT |
+| vector.cpp:79:33:79:34 | v7 | vector.cpp:80:41:80:43 | v7c |  |
+| vector.cpp:80:45:80:49 | call to begin | vector.cpp:81:13:81:14 | it |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:83:7:83:8 | v7 |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:84:7:84:8 | v7 |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:84:7:84:8 | v7 |  |
+| vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:84:7:84:8 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
+| vector.cpp:84:7:84:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:84:7:84:8 | v7 | vector.cpp:84:10:84:14 | call to front | TAINT |
+| vector.cpp:85:7:85:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:85:7:85:8 | v7 | vector.cpp:85:10:85:13 | call to back | TAINT |
+| vector.cpp:88:33:88:34 | v8 | vector.cpp:89:41:89:43 | v8c |  |
+| vector.cpp:89:45:89:49 | call to begin | vector.cpp:90:13:90:14 | it |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:92:7:92:8 | v8 |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:93:7:93:8 | v8 |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:93:7:93:8 | v8 |  |
+| vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:93:7:93:8 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
+| vector.cpp:93:7:93:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:93:7:93:8 | v8 | vector.cpp:93:10:93:14 | call to front | TAINT |
+| vector.cpp:94:7:94:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:94:7:94:8 | v8 | vector.cpp:94:10:94:13 | call to back | TAINT |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:97:7:97:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:98:7:98:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:96:13:96:18 | call to source | vector.cpp:96:2:96:20 | ... = ... |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:98:7:98:8 | v9 |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
+| vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:99:7:99:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
+| vector.cpp:99:7:99:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:100:7:100:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:106:2:106:3 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:109:7:109:8 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:114:2:114:3 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:104:22:104:24 | call to vector | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:110:7:110:8 | v2 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:114:10:114:11 | v2 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:118:7:118:8 | v2 |  |
+| vector.cpp:104:30:104:32 | call to vector | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:111:7:111:8 | v3 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:115:2:115:3 | v3 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:119:7:119:8 | v3 |  |
+| vector.cpp:104:38:104:40 | call to vector | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:107:2:107:3 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:112:7:112:8 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:115:10:115:11 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:104:46:104:48 | call to vector | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:109:7:109:8 | v1 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:114:2:114:3 | v1 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:106:15:106:20 | call to source | vector.cpp:106:2:106:3 | ref arg v1 | TAINT |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:112:7:112:8 | v4 |  |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:115:10:115:11 | v4 |  |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:107:15:107:20 | call to source | vector.cpp:107:2:107:3 | ref arg v4 | TAINT |
+| vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:114:2:114:3 | v1 |  |
+| vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:110:7:110:8 | ref arg v2 | vector.cpp:114:10:114:11 | v2 |  |
+| vector.cpp:110:7:110:8 | ref arg v2 | vector.cpp:118:7:118:8 | v2 |  |
+| vector.cpp:110:7:110:8 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:111:7:111:8 | ref arg v3 | vector.cpp:115:2:115:3 | v3 |  |
+| vector.cpp:111:7:111:8 | ref arg v3 | vector.cpp:119:7:119:8 | v3 |  |
+| vector.cpp:111:7:111:8 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:115:10:115:11 | v4 |  |
+| vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
+| vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:114:2:114:3 | v1 | vector.cpp:114:10:114:11 | ref arg v2 | TAINT |
+| vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:118:7:118:8 | v2 |  |
+| vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:114:10:114:11 | v2 | vector.cpp:114:2:114:3 | ref arg v1 | TAINT |
+| vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:119:7:119:8 | v3 |  |
+| vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:115:2:115:3 | v3 | vector.cpp:115:10:115:11 | ref arg v4 | TAINT |
+| vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
+| vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:115:10:115:11 | v4 | vector.cpp:115:2:115:3 | ref arg v3 | TAINT |
+| vector.cpp:117:7:117:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:118:7:118:8 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
+| vector.cpp:119:7:119:8 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
+| vector.cpp:120:7:120:8 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:126:2:126:3 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:130:7:130:8 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:135:2:135:3 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:124:22:124:24 | call to vector | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:127:2:127:3 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:131:7:131:8 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:136:2:136:3 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:136:7:136:8 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:124:30:124:32 | call to vector | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:128:2:128:3 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:132:7:132:8 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:137:2:137:3 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:124:38:124:40 | call to vector | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:133:7:133:8 | v4 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:137:7:137:8 | v4 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:142:7:142:8 | v4 |  |
+| vector.cpp:124:46:124:48 | call to vector | vector.cpp:143:1:143:1 | v4 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:130:7:130:8 | v1 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:135:2:135:3 | v1 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:126:15:126:20 | call to source | vector.cpp:126:2:126:3 | ref arg v1 | TAINT |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:131:7:131:8 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:136:2:136:3 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:136:7:136:8 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:127:15:127:20 | call to source | vector.cpp:127:2:127:3 | ref arg v2 | TAINT |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:132:7:132:8 | v3 |  |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:137:2:137:3 | v3 |  |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:128:15:128:20 | call to source | vector.cpp:128:2:128:3 | ref arg v3 | TAINT |
+| vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:135:2:135:3 | v1 |  |
+| vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:136:2:136:3 | v2 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:136:7:136:8 | v2 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:131:7:131:8 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:132:7:132:8 | ref arg v3 | vector.cpp:137:2:137:3 | v3 |  |
+| vector.cpp:132:7:132:8 | ref arg v3 | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:132:7:132:8 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:133:7:133:8 | ref arg v4 | vector.cpp:137:7:137:8 | v4 |  |
+| vector.cpp:133:7:133:8 | ref arg v4 | vector.cpp:142:7:142:8 | v4 |  |
+| vector.cpp:133:7:133:8 | ref arg v4 | vector.cpp:143:1:143:1 | v4 |  |
+| vector.cpp:135:2:135:3 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
+| vector.cpp:135:2:135:3 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:136:2:136:3 | ref arg v2 | vector.cpp:140:7:140:8 | v2 |  |
+| vector.cpp:136:2:136:3 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:136:7:136:8 | v2 | vector.cpp:136:2:136:3 | ref arg v2 | TAINT |
+| vector.cpp:136:7:136:8 | v2 | vector.cpp:136:5:136:5 | call to operator= | TAINT |
+| vector.cpp:137:2:137:3 | ref arg v3 | vector.cpp:141:7:141:8 | v3 |  |
+| vector.cpp:137:2:137:3 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:137:7:137:8 | v4 | vector.cpp:137:2:137:3 | ref arg v3 | TAINT |
+| vector.cpp:137:7:137:8 | v4 | vector.cpp:137:5:137:5 | call to operator= | TAINT |
+| vector.cpp:139:7:139:8 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:140:7:140:8 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:141:7:141:8 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:142:7:142:8 | ref arg v4 | vector.cpp:143:1:143:1 | v4 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -117,23 +117,53 @@ namespace std
 // --- vector ---

 namespace std {
-	template <class T>
-	class vector {
-	private:
-		void *data_;
+	template<class T, class Allocator = allocator<T>>
+	class vector { 
 	public:
-		vector(int size);
+		using value_type = T;
+		using reference = value_type&;
+		using const_reference = const value_type&; 
+		using size_type = unsigned int;
+		using iterator = std::iterator<random_access_iterator_tag, T>;
+		using const_iterator = std::iterator<random_access_iterator_tag, const T>;

-		T& operator[](int idx);
-		const T& operator[](int idx) const;
+		vector() noexcept(noexcept(Allocator())) : vector(Allocator()) { }
+		explicit vector(const Allocator&) noexcept;
+		explicit vector(size_type n, const Allocator& = Allocator());
+		vector(size_type n, const T& value, const Allocator& = Allocator()); 
+		~vector();

-		typedef std::iterator<random_access_iterator_tag, T> iterator;
-		typedef std::iterator<random_access_iterator_tag, const T> const_iterator;
+		vector& operator=(const vector& x);
+		vector& operator=(vector&& x) noexcept/*(allocator_traits<Allocator>::propagate_on_container_move_assignment::value || allocator_traits<Allocator>::is_always_equal::value)*/;

 		iterator begin() noexcept;
-		iterator end() noexcept;
-
 		const_iterator begin() const noexcept;
+		iterator end() noexcept;
 		const_iterator end() const noexcept;
+
+		size_type size() const noexcept;
+
+		reference operator[](size_type n);
+		const_reference operator[](size_type n) const;
+		const_reference at(size_type n) const;
+		reference at(size_type n);
+		reference front();
+		const_reference front() const;
+		reference back();
+		const_reference back() const;
+
+		T* data() noexcept;
+		const T* data() const noexcept;
+
+		void push_back(const T& x);
+		void push_back(T&& x);
+
+		iterator insert(const_iterator position, const T& x);
+		iterator insert(const_iterator position, T&& x);
+		iterator insert(const_iterator position, size_type n, const T& x);
+
+		void swap(vector&) noexcept/*(allocator_traits<Allocator>::propagate_on_container_swap::value || allocator_traits<Allocator>::is_always_equal::value)*/;
+
+		void clear() noexcept;
 	};
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -197,6 +197,21 @@
 | taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:471:7:471:7 | y | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:485:7:485:10 | line | taint.cpp:480:26:480:32 | source1 |
-| vector.cpp:15:8:15:8 | x | vector.cpp:8:43:8:49 | source1 |
-| vector.cpp:23:8:23:8 | x | vector.cpp:8:43:8:49 | source1 |
-| vector.cpp:28:8:28:8 | x | vector.cpp:8:43:8:49 | source1 |
+| vector.cpp:20:8:20:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:28:8:28:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:33:8:33:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:70:7:70:8 | v5 | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:71:10:71:14 | call to front | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:72:10:72:13 | call to back | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:109:7:109:8 | v1 | vector.cpp:106:15:106:20 | call to source |
+| vector.cpp:112:7:112:8 | v4 | vector.cpp:107:15:107:20 | call to source |
+| vector.cpp:117:7:117:8 | v1 | vector.cpp:106:15:106:20 | call to source |
+| vector.cpp:118:7:118:8 | v2 | vector.cpp:106:15:106:20 | call to source |
+| vector.cpp:119:7:119:8 | v3 | vector.cpp:107:15:107:20 | call to source |
+| vector.cpp:120:7:120:8 | v4 | vector.cpp:107:15:107:20 | call to source |
+| vector.cpp:130:7:130:8 | v1 | vector.cpp:126:15:126:20 | call to source |
+| vector.cpp:131:7:131:8 | v2 | vector.cpp:127:15:127:20 | call to source |
+| vector.cpp:132:7:132:8 | v3 | vector.cpp:128:15:128:20 | call to source |
+| vector.cpp:139:7:139:8 | v1 | vector.cpp:126:15:126:20 | call to source |
+| vector.cpp:140:7:140:8 | v2 | vector.cpp:127:15:127:20 | call to source |
+| vector.cpp:141:7:141:8 | v3 | vector.cpp:128:15:128:20 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -132,6 +132,21 @@
 | taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |
-| vector.cpp:15:8:15:8 | vector.cpp:8:43:8:49 | AST only |
-| vector.cpp:23:8:23:8 | vector.cpp:8:43:8:49 | AST only |
-| vector.cpp:28:8:28:8 | vector.cpp:8:43:8:49 | AST only |
+| vector.cpp:20:8:20:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:28:8:28:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:33:8:33:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:70:7:70:8 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:71:10:71:14 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:72:10:72:13 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:109:7:109:8 | vector.cpp:106:15:106:20 | AST only |
+| vector.cpp:112:7:112:8 | vector.cpp:107:15:107:20 | AST only |
+| vector.cpp:117:7:117:8 | vector.cpp:106:15:106:20 | AST only |
+| vector.cpp:118:7:118:8 | vector.cpp:106:15:106:20 | AST only |
+| vector.cpp:119:7:119:8 | vector.cpp:107:15:107:20 | AST only |
+| vector.cpp:120:7:120:8 | vector.cpp:107:15:107:20 | AST only |
+| vector.cpp:130:7:130:8 | vector.cpp:126:15:126:20 | AST only |
+| vector.cpp:131:7:131:8 | vector.cpp:127:15:127:20 | AST only |
+| vector.cpp:132:7:132:8 | vector.cpp:128:15:128:20 | AST only |
+| vector.cpp:139:7:139:8 | vector.cpp:126:15:126:20 | AST only |
+| vector.cpp:140:7:140:8 | vector.cpp:127:15:127:20 | AST only |
+| vector.cpp:141:7:141:8 | vector.cpp:128:15:128:20 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -3,13 +3,18 @@

 using namespace std;

+int source();
+
+namespace ns_char
+{
+	char source();
+}
+
 void sink(int);
+void sink(std::vector<int> &);

 void test_range_based_for_loop_vector(int source1) {
-	// Tainting the vector by allocating a tainted length. This doesn't represent
-	// how a vector would typically get tainted, but it allows this test to avoid
-	// being concerned with std::vector modeling.
-	std::vector<int> v(source1);
+	std::vector<int> v(100, source1);

 	for(int x : v) {
 		sink(x); // tainted [NOT DETECTED by IR]
@@ -23,8 +28,116 @@ void test_range_based_for_loop_vector(int source1) {
 		sink(x); // tainted [NOT DETECTED by IR]
 	}

-	const std::vector<int> const_v(source1);
+	const std::vector<int> const_v(100, source1);
 	for(const int& x : const_v) {
 		sink(x); // tainted [NOT DETECTED by IR]
 	}
 }
+
+void test_element_taint(int x) {
+	std::vector<int> v1(10), v2(10), v3(10), v4(10), v5(10), v6(10), v7(10), v8(10), v9(10);
+
+	v1[0] = 0;
+	v1[1] = 0;
+	v1[x] = 0;
+	v1.push_back(1);
+	sink(v1);
+	sink(v1[0]);
+	sink(v1[1]);
+	sink(v1[x]);
+	sink(v1.front());
+	sink(v1.back());
+
+	v2[0] = source();
+	sink(v2); // tainted [NOT DETECTED]
+	sink(v2[0]); // tainted [NOT DETECTED]
+	sink(v2[1]);
+	sink(v2[x]); // potentially tainted
+
+	v3 = v2;
+	sink(v3); // tainted [NOT DETECTED]
+	sink(v3[0]); // tainted [NOT DETECTED]
+	sink(v3[1]);
+	sink(v3[x]); // potentially tainted
+
+	v4[x] = source();
+	sink(v4); // tainted [NOT DETECTED]
+	sink(v4[0]); // potentially tainted
+	sink(v4[1]); // potentially tainted
+	sink(v4[x]); // tainted [NOT DETECTED]
+
+	v5.push_back(source());
+	sink(v5); // tainted
+	sink(v5.front()); // [FALSE POSITIVE]
+	sink(v5.back()); // tainted
+
+	v6.data()[2] = source();
+	sink(v6); // tainted [NOT DETECTED]
+	sink(v6.data()[2]); // tainted [NOT DETECTED]
+
+	{
+		const std::vector<int> &v7c = v7; // (workaround because our iterators don't convert to const_iterator)
+		std::vector<int>::const_iterator it = v7c.begin();
+		v7.insert(it, source());
+	}
+	sink(v7); // tainted [NOT DETECTED]
+	sink(v7.front()); // tainted [NOT DETECTED]
+	sink(v7.back());
+
+	{
+		const std::vector<int> &v8c = v8;
+		std::vector<int>::const_iterator it = v8c.begin();
+		v8.insert(it, 10, ns_char::source());
+	}
+	sink(v8); // tainted [NOT DETECTED]
+	sink(v8.front()); // tainted [NOT DETECTED]
+	sink(v8.back());
+
+	v9.at(x) = source();
+	sink(v9); // tainted [NOT DETECTED]
+	sink(v9.at(0)); // potentially tainted
+	sink(v9.at(1)); // potentially tainted
+	sink(v9.at(x)); // tainted [NOT DETECTED]
+}
+
+void test_vector_swap() {
+	std::vector<int> v1(10), v2(10), v3(10), v4(10);
+
+	v1.push_back(source());
+	v4.push_back(source());
+
+	sink(v1); // tainted
+	sink(v2);
+	sink(v3);
+	sink(v4); // tainted
+
+	v1.swap(v2);
+	v3.swap(v4);
+
+	sink(v1); // [FALSE POSITIVE]
+	sink(v2); // tainted
+	sink(v3); // tainted
+	sink(v4); // [FALSE POSITIVE]
+}
+
+void test_vector_clear() {
+	std::vector<int> v1(10), v2(10), v3(10), v4(10);
+
+	v1.push_back(source());
+	v2.push_back(source());
+	v3.push_back(source());
+
+	sink(v1); // tainted
+	sink(v2); // tainted
+	sink(v3); // tainted
+	sink(v4);
+
+	v1.clear();
+	v2 = v2;
+	v3 = v4;
+
+	sink(v1); // [FALSE POSITIVE]
+	sink(v2); // tainted
+	sink(v3); // [FALSE POSITIVE]
+	sink(v4);
+}