C++: Add testcase.

Author: MathiasVP

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-416/IteratorToExpiredContainer.expected

@@ -1,3 +1,5 @@
+| file://:0:0:0:0 | pointer to ~vector output argument | This object is destroyed before $@ is called. | test.cpp:780:41:780:45 | call to begin | call to begin |
+| file://:0:0:0:0 | pointer to ~vector output argument | This object is destroyed before $@ is called. | test.cpp:780:56:780:58 | call to end | call to end |
 | test.cpp:680:30:680:30 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:680:17:680:17 | call to begin | call to begin |
 | test.cpp:680:30:680:30 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:680:17:680:17 | call to end | call to end |
 | test.cpp:683:31:683:32 | call to at | This object is destroyed before $@ is called. | test.cpp:683:17:683:17 | call to begin | call to begin |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-416/test.cpp

@@ -770,4 +770,26 @@ void test2() {
 void test3() {
   const std::vector<std::vector<int>>& v = returnValue(); // GOOD
   for(const std::vector<int>& x : v) {}
+}
+
+struct A : public std::vector<int> {
+  void foo(std::vector<int>& result) {
+    int i = 0;
+    while (i < 10) {
+      A chunk;
+      result.insert(result.end(), chunk.begin(), chunk.end());
+      ++i;
+    }
+  }
+
+  ~A() = default;
+};
+
+void test4() {
+  // This creates a temporary, after which `~A` is called at the semicolon, and
+  // `~A` calls `~vector<int>` inside the compiler-generated destructor.
+  // If we don't preserve the call context and return to the destructor call in this
+  // function we may end up in the destructor call `chunk.~A()`in `A.foo`. This destructor
+  // call can flow to `begin` through the back-edge and cause a strange FP.
+  auto zero = A().size();
 }