The lower left pane contains the original program, and the lower right pane contains the program with qualifier annotations.
In this example, the call to getenv returns the value of the environment variable LD_LIBRARY_PATH, which may be controlled by an adversary. The result of getenv is stored in unclean, which is passed to f1. The function f1 returns exactly what it is passed, by calling f2, which in turn calls f3. The result of the call to getenv is therefore ultimately stored in s, which is passed to printf as its format string, so this program has a potential format-string vulnerability.
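The flow described above, written out as an added example; it is a reconstruction from the description, not the demo's own source. It uses snprintf in place of printf so the result can be inspected, and read_source, emit_vulnerable and emit_hardened are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* f3, f2, f1: each returns exactly what it is passed, so anything
 * attacker-influenced ("tainted") on the argument is still tainted
 * on the result, three calls later. */
static char *f3(char *p) { return p; }
static char *f2(char *p) { return f3(p); }
static char *f1(char *p) { return f2(p); }

/* Source: the environment is outside the program's control. */
static char *read_source(void)
{
    static char empty[] = "";
    char *unclean = getenv("LD_LIBRARY_PATH");
    return unclean ? unclean : empty;
}

#ifdef SHOW_VULNERABLE
/* Sink as described in the text: s is used as the format string itself,
 * so any % directives it contains are interpreted. Compiled only when
 * SHOW_VULNERABLE is defined; shown for comparison with the fix. */
static int emit_vulnerable(char *out, size_t n, char *s)
{
    return snprintf(out, n, s);
}
#endif

/* Hardened sink: the format is a constant and s is only ever data. */
static int emit_hardened(char *out, size_t n, const char *s)
{
    return snprintf(out, n, "%s", s);
}

int main(void)
{
    char line[4096];
    char *s = f1(read_source());   /* unclean -> f1 -> f2 -> f3 -> s */

    emit_hardened(line, sizeof line, s);
    puts(line);
    return 0;
}
```

With the constant format, a value such as "dir%s%x" comes out byte for byte; a qualifier-based checker would flag only the emit_vulnerable call, where tainted data reaches a format-string position.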