C++: Add reverse taint as well.

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -1868,6 +1868,7 @@
 | vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] |  |
 | vector.cpp:74:2:74:24 | ... = ... | vector.cpp:74:2:74:13 | access to array [post update] |  |
 | vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:5:74:8 | call to data [inner post update] | vector.cpp:74:2:74:3 | ref arg v6 | TAINT |
 | vector.cpp:74:12:74:12 | 2 | vector.cpp:74:2:74:13 | access to array | TAINT |
 | vector.cpp:74:17:74:22 | call to source | vector.cpp:74:2:74:24 | ... = ... |  |
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
@@ -2320,6 +2321,7 @@
 | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:257:7:257:8 | v1 |  |
 | vector.cpp:256:7:256:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 |  |
 | vector.cpp:256:7:256:8 | v1 | vector.cpp:256:10:256:13 | call to data | TAINT |
+| vector.cpp:256:10:256:13 | ref arg call to data | vector.cpp:256:7:256:8 | ref arg v1 | TAINT |
 | vector.cpp:257:7:257:8 | ref arg v1 | vector.cpp:263:1:263:1 | v1 |  |
 | vector.cpp:257:7:257:8 | v1 | vector.cpp:257:10:257:13 | call to data | TAINT |
 | vector.cpp:257:10:257:13 | call to data | vector.cpp:257:7:257:18 | access to array | TAINT |
@@ -2332,6 +2334,7 @@
 | vector.cpp:259:4:259:5 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:259:4:259:5 | v2 | vector.cpp:259:7:259:10 | call to data | TAINT |
 | vector.cpp:259:7:259:10 | call to data | vector.cpp:259:2:259:13 | * ... | TAINT |
+| vector.cpp:259:7:259:10 | call to data [inner post update] | vector.cpp:259:4:259:5 | ref arg v2 | TAINT |
 | vector.cpp:259:17:259:30 | call to source | vector.cpp:259:2:259:32 | ... = ... |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:261:7:261:8 | v2 |  |
 | vector.cpp:260:7:260:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 |  |
@@ -2339,6 +2342,7 @@
 | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:262:7:262:8 | v2 |  |
 | vector.cpp:261:7:261:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:261:7:261:8 | v2 | vector.cpp:261:10:261:13 | call to data | TAINT |
+| vector.cpp:261:10:261:13 | ref arg call to data | vector.cpp:261:7:261:8 | ref arg v2 | TAINT |
 | vector.cpp:262:7:262:8 | ref arg v2 | vector.cpp:263:1:263:1 | v2 |  |
 | vector.cpp:262:7:262:8 | v2 | vector.cpp:262:10:262:13 | call to data | TAINT |
 | vector.cpp:262:10:262:13 | call to data | vector.cpp:262:7:262:18 | access to array | TAINT |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -218,6 +218,8 @@
 | vector.cpp:70:7:70:8 | v5 | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:71:10:71:14 | call to front | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:72:10:72:13 | call to back | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:75:7:75:8 | v6 | vector.cpp:74:17:74:22 | call to source |
+| vector.cpp:76:7:76:18 | access to array | vector.cpp:74:17:74:22 | call to source |
 | vector.cpp:97:7:97:8 | v9 | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:98:10:98:11 | call to at | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:99:10:99:11 | call to at | vector.cpp:96:13:96:18 | call to source |
@@ -241,3 +243,6 @@
 | vector.cpp:255:7:255:8 | v1 | vector.cpp:254:15:254:20 | call to source |
 | vector.cpp:256:10:256:13 | call to data | vector.cpp:254:15:254:20 | call to source |
 | vector.cpp:257:7:257:18 | access to array | vector.cpp:254:15:254:20 | call to source |
+| vector.cpp:260:7:260:8 | v2 | vector.cpp:259:17:259:30 | call to source |
+| vector.cpp:261:10:261:13 | call to data | vector.cpp:259:17:259:30 | call to source |
+| vector.cpp:262:7:262:18 | access to array | vector.cpp:259:17:259:30 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -153,6 +153,8 @@
 | vector.cpp:70:7:70:8 | vector.cpp:69:15:69:20 | AST only |
 | vector.cpp:71:10:71:14 | vector.cpp:69:15:69:20 | AST only |
 | vector.cpp:72:10:72:13 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:75:7:75:8 | vector.cpp:74:17:74:22 | AST only |
+| vector.cpp:76:7:76:18 | vector.cpp:74:17:74:22 | AST only |
 | vector.cpp:97:7:97:8 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:98:10:98:11 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:99:10:99:11 | vector.cpp:96:13:96:18 | AST only |
@@ -177,3 +179,6 @@
 | vector.cpp:255:7:255:8 | vector.cpp:254:15:254:20 | AST only |
 | vector.cpp:256:10:256:13 | vector.cpp:254:15:254:20 | AST only |
 | vector.cpp:257:7:257:18 | vector.cpp:254:15:254:20 | AST only |
+| vector.cpp:260:7:260:8 | vector.cpp:259:17:259:30 | AST only |
+| vector.cpp:261:10:261:13 | vector.cpp:259:17:259:30 | AST only |
+| vector.cpp:262:7:262:18 | vector.cpp:259:17:259:30 | AST only |

cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp

@@ -72,8 +72,8 @@ void test_element_taint(int x) {
 	sink(v5.back()); // tainted
 
 	v6.data()[2] = source();
-	sink(v6); // tainted [NOT DETECTED]
-	sink(v6.data()[2]); // tainted [NOT DETECTED]
+	sink(v6); // tainted
+	sink(v6.data()[2]); // tainted
 
 	{
 		const std::vector<int> &v7c = v7; // (workaround because our iterators don't convert to const_iterator)
@@ -257,7 +257,7 @@ void test_data_more() {
 	sink(v1.data()[2]); // tainted
 
 	*(v2.data()) = ns_int::source();
-	sink(v2); // tainted [NOT DETECTED]
-	sink(v2.data()); // tainted [NOT DETECTED]
-	sink(v2.data()[2]); // tainted [NOT DETECTED]
+	sink(v2); // tainted
+	sink(v2.data()); // tainted
+	sink(v2.data()[2]); // tainted
 }