Well, aliasing can be reproduced with locals:

S s;
int* r = getPayload(s);
freePayload(s);
int v = *r; // UAF: r still aliases the payload that freePayload(s) released

Multiparameter functions can be declared to be equivalent to:

struct P { S* s; int* r; }
P p;
p.s = &s;
p.r = getPayload(s);
f(p); //as if f(S*,int*)
