1. Map the contents of local variables to know where `\0` appears.
2. If a buffer is uninitialized or not null-terminated, set its content length to the distance to `\0` when that is known, or treat it as unbounded when it is not.
3. Consider static variables (RIP-relative references).
4. Consider direct write access as a way of corrupting memory (e.g. `a[10]=20`); only literal values need to be considered for indexing.
5. Consider `jmp` and conditional statements: `cmp`, `test`, `je`, `jne`.
6. Consider `sprintf`, `scanf`, `fscanf`, `snprintf`, `read`.
7. Assembly instruction `test`.
8. Consider parameters passed on the stack (from the 7th parameter onward).
9. Parameters can be literals.
10. The file name path may not have `./` as a prefix (bug).
11. Functions like `scanf` can receive more arguments, and of different types.
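The following is an added example, not code from the project this checklist belongs to. It is a small Python model of the buffer-tracking idea behind the first items of the list: each local array is a byte map where a byte is either a known value or `None` (uninitialized), the "length until `\0`" of a buffer is unbounded unless every byte up to a NUL is known, a direct write with a literal index is checked against the buffer size, and `strcpy`/`read` are modelled as the sinks that turn an unbounded length into an overflow finding. The names `Buffer`, `write_literal`, `store_string`, `check_strcpy`, `check_read` and `run_demo` are this example's own, and the three buffers in `run_demo` are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Buffer:
    """A local array on the stack: `size` bytes, each a known value or None (uninitialized)."""
    name: str
    size: int
    contents: List[Optional[int]] = field(default_factory=list)

    def __post_init__(self):
        if not self.contents:
            self.contents = [None] * self.size  # nothing is known about an uninitialized buffer

    def length_until_nul(self) -> Optional[int]:
        """Offset of the first byte known to be '\\0', or None when the buffer is not known
        to be terminated (an uninitialized byte comes first, or no NUL before the end)."""
        for i, b in enumerate(self.contents):
            if b is None:
                return None  # unknown byte before any NUL: length is unbounded
            if b == 0:
                return i
        return None


def write_literal(buf: Buffer, index: int, value: int) -> Optional[str]:
    """Model `buf[index] = value` with a literal index; report an out-of-bounds write."""
    if not 0 <= index < buf.size:
        return f"{buf.name}[{index}] = {value}: index outside {buf.size}-byte buffer"
    buf.contents[index] = value & 0xFF
    return None


def store_string(buf: Buffer, s: bytes) -> Optional[str]:
    """Model storing a NUL-terminated string literal at offset 0 of buf, byte by byte."""
    for i, b in enumerate(s + b"\0"):
        finding = write_literal(buf, i, b)
        if finding:
            return finding
    return None


def check_strcpy(dst: Buffer, src: Buffer) -> Optional[str]:
    """strcpy copies up to and including the NUL: overflow when the source bound
    (or the absence of one) exceeds the destination size."""
    n = src.length_until_nul()
    if n is None:
        return f"strcpy({dst.name}, {src.name}): source length unknown, copy is unbounded"
    if n + 1 > dst.size:
        return f"strcpy({dst.name}, {src.name}): copies {n + 1} bytes into {dst.size}-byte buffer"
    dst.contents[: n + 1] = src.contents[: n + 1]  # destination now has a known NUL at offset n
    return None


def check_read(dst: Buffer, nbytes: int) -> Optional[str]:
    """read(fd, dst, nbytes) writes up to nbytes and never appends a NUL; afterwards the
    written bytes are unknown, so the buffer's string length becomes unbounded."""
    if nbytes > dst.size:
        return f"read(fd, {dst.name}, {nbytes}): may write {nbytes} bytes into {dst.size}-byte buffer"
    dst.contents[:nbytes] = [None] * nbytes
    return None


def run_demo() -> List[str]:
    """Run the checks over three constructed buffers and collect the findings."""
    findings: List[str] = []

    def note(finding: Optional[str]) -> None:
        if finding:
            findings.append(finding)

    a = Buffer("a", 10)
    note(write_literal(a, 10, 20))          # literal index one past the end

    src, dst = Buffer("src", 16), Buffer("dst", 8)
    note(check_strcpy(dst, src))            # source never initialized: unbounded
    store_string(src, b"hello world")       # 11 chars + NUL = 12 bytes
    note(check_strcpy(dst, src))            # 12 bytes into an 8-byte destination

    buf = Buffer("buf", 32)
    note(check_read(buf, 64))               # read size larger than the buffer
    note(check_strcpy(dst, buf))            # buf still has no known NUL
    return findings


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the model is item 2 of the list: a buffer only gets a finite length when every byte up to a `\0` is known, so an uninitialized array or one filled by `read` stays unbounded until some later write places a NUL in it, and any `strcpy`-style sink that consumes it is reported.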
