University of Minnesota
Program Analysis for Security

Reverse engineering

Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. “Automatic reverse engineering of data structures from binary execution”. In Network and Distributed System Security Symposium (NDSS), pages 409–426, San Diego, CA, USA, March 2010.
[Conference]

JongHyup Lee, Thanassis Avgerinos, and David Brumley. “TIE: Principled reverse engineering of types in binary programs”. In Network and Distributed System Security Symposium (NDSS), pages 251–268, San Diego, CA, USA, February 2011.
[Conference]

Question: The TIE paper argues that it is desirable for a binary type inference system to be conservative, but the authors do not claim that their system is conservative in any absolute sense. Instead they devise a metric for how conservative a system is and measure how well they do: for instance, Table 2 shows that TIE was 93% conservative on average when doing static analysis. This must mean that at least one of their type inference rules, as shown in part in Figure 7 and also discussed in the text, is not conservative in all situations. Can you think of an example of such a situation? In other words, describe some C code in which a variable would have a particular type, and some corresponding machine code or BIL that might be produced by compiling that code, for which TIE would generate a constraint inconsistent with the C type.