eth-sri / securify

[DEPRECATED] Security Scanner for Ethereum Smart Contracts
Apache License 2.0

Line number is not correct when vulnerability occurs in helper routine #27

Open kaisert opened 5 years ago

kaisert commented 5 years ago

For some operations, helper routines are added to the binary during compilation. In the source mapping these instructions reference the whole contract. Therefore, if some vulnerability is detected in these helper routines, the line number of the contract definition is returned by Securify.

To counteract this, either helper routines should be detected during the analysis and the jump instructions to them returned as the vulnerable instruction, or another mechanism to track the vulnerability back to the actual line of code should be implemented.

Example contract:

pragma solidity ^0.4.24; // assumed version: assigning to .length is only accepted by solc < 0.6.0

contract c {
    int[] a;
    function f() public {
        // Resizing a storage array makes solc emit a helper routine; its
        // instructions are mapped to the whole contract, not to this line.
        a.length = 1;
    }
}

More information: https://github.com/ethereum/solidity/issues/5135
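
The following is an added illustration of the second mechanism mentioned above (tracking a finding in a helper back to its call site); it is not Securify's code, nor solc's. It parses solc's compressed source map format (`s:l:f:j` per instruction, empty fields repeating the previous entry), treats an instruction as compiler-generated when its range equals the whole contract (as the issue describes) or its source index is -1 (as newer solc marks generated code), and replays an execution trace to keep a stack of call sites from the jump annotations (`i` = jump into a function, `o` = jump out). The contract source is the one from the issue; the source map, the instruction layout and the trace are constructed for the example and do not come from a real compilation. The whole-contract range is taken as the full file here; with real solc output it would come from the `src` of the ContractDefinition node in the AST.

```python
"""Constructed example (not Securify's or solc's code): map a finding located in
a compiler-generated helper routine back to the source line that called it."""

# Constructed input: the contract from the issue, as a plain string.
SOURCE = (
    "contract c {\n"
    "    int[] a;\n"
    "    function f() public {\n"
    "        a.length = 1;\n"
    "    }\n"
    "}\n"
)

# solc source maps use byte offsets, so compute ranges on the encoded source.
_SRC = SOURCE.encode()
CONTRACT_RANGE = (0, len(_SRC))                 # assumed: whole ContractDefinition
_F_OFF = _SRC.index(b"function f()")
_F_LEN = _SRC.index(b"    }\n") + len(b"    }") - _F_OFF
_S_OFF = _SRC.index(b"a.length = 1;")
_S_LEN = len(b"a.length = 1;")

# Constructed source map in solc's compressed "s:l:f:j" format, one entry per
# instruction (NOT real compiler output). Instructions 4..6 stand in for the
# helper solc appends for `a.length = 1`; as in the issue, they are mapped to
# the whole contract. Instruction 3 jumps into the helper ("i"), 6 jumps out ("o").
SRCMAP = ";".join([
    f"0:{len(_SRC)}:0:-",      # 0: dispatcher, whole contract
    f"{_F_OFF}:{_F_LEN}",      # 1: entry of f()
    f"{_S_OFF}:{_S_LEN}",      # 2: `a.length = 1;` pushes its operands
    ":::i",                    # 3: JUMP into the helper (the call site)
    f"0:{len(_SRC)}:0:-",      # 4: helper body, mapped to the whole contract
    "",                        # 5: helper SSTORE, same mapping (the "finding")
    ":::o",                    # 6: JUMP back to the caller
    f"{_S_OFF}:{_S_LEN}:0:-",  # 7: back in f()
    f"{_F_OFF}:{_F_LEN}:0:o",  # 8: return from f()
])


def parse_srcmap(srcmap: str):
    """Expand a compressed solc source map into one (s, l, f, j) tuple per
    instruction. An empty field repeats the previous instruction's value; a
    fifth field (modifier depth in newer solc) is ignored."""
    entries = []
    cur = [0, 0, -1, "-"]
    for raw in srcmap.split(";"):
        for i, field in enumerate(raw.split(":")[:4]):
            if field:
                cur[i] = int(field) if i < 3 else field
        entries.append(tuple(cur))
    return entries


def offset_to_line(source: str, byte_offset: int) -> int:
    """1-based line of a byte offset into the source."""
    return source.encode().count(b"\n", 0, byte_offset) + 1


def is_compiler_generated(entry, contract_range) -> bool:
    """Whole-contract range (older solc) or source index -1 (newer solc)."""
    s, l, f, _ = entry
    return f == -1 or (s, l) == contract_range


def resolve_location(trace, entries, contract_range):
    """Replay the executed instruction indices up to and including the flagged
    one, keeping a stack of call sites: every "i" jump pushes its own mapping,
    every "o" jump pops. If the flagged instruction is compiler-generated, the
    innermost call site with a real mapping is reported instead.
    Returns (byte_offset, length, resolved_via_caller)."""
    call_sites = []
    for idx in trace[:-1]:
        j = entries[idx][3]
        if j == "i":
            call_sites.append(entries[idx])
        elif j == "o" and call_sites:
            call_sites.pop()
    flagged = entries[trace[-1]]
    if not is_compiler_generated(flagged, contract_range):
        return flagged[0], flagged[1], False
    for site in reversed(call_sites):
        if not is_compiler_generated(site, contract_range):
            return site[0], site[1], True
    return flagged[0], flagged[1], False      # no caller known: keep the raw mapping


def naive_line(trace, srcmap=SRCMAP, source=SOURCE) -> int:
    """What a tool reports when it uses the flagged instruction's mapping as is."""
    entries = parse_srcmap(srcmap)
    return offset_to_line(source, entries[trace[-1]][0])


def report_line(trace, srcmap=SRCMAP, source=SOURCE, contract_range=CONTRACT_RANGE):
    """Line to report for the last instruction of the trace, plus whether it
    was recovered from the call site rather than the instruction itself."""
    entries = parse_srcmap(srcmap)
    off, _, via_caller = resolve_location(trace, entries, contract_range)
    return offset_to_line(source, off), via_caller


if __name__ == "__main__":
    TRACE = [0, 1, 2, 3, 4, 5]   # constructed: execution up to the helper's SSTORE
    print("naive:", naive_line(TRACE))      # 1, the `contract c {` line
    print("resolved:", report_line(TRACE))  # (4, True), the `a.length = 1;` line
```

The trace-based resolution works for any analysis that has a concrete or symbolic execution path to the flagged instruction; a purely static pass would instead have to collect all `i` jumps whose target is the helper's entry point and report each of them, which needs the disassembled bytecode rather than just the source map.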

hiqua commented 5 years ago

I'm not sure about how many such examples there are, but I suspect there are not that many, in which case it could be enough to document them all. In any case, I'm wary of working around the Solidity compiler; it'd be better to solve problems there directly rather than in Securify (in this case, it'd be better to improve the mappings returned by solc).