CQUAL performs interprocedural inferencing to verify that
between an initializing function and the controlling function, there
exists a security check. The controlled object variable has
an unchecked qualifier when it's defined in the initializing
function. When the initializing function calls other functions
passing the controlled variable as a parameter, the unchecked
qualifier is propagated down the calling chain, until the
authorizing function is reached, at which point, a new checked
variable is defined and used after the security check (Step 4 in
Section 2). When the authorizing function calls
other functions passed the new checked variable, the checked
qualifier is again propagated along the calling chain, until it reaches
the controlling function. If a controlling function is reached
without passing through an authorizing function, then an error will
be raised, because the variable will have an unchecked type
and the controlling function expects a checked type.