Merge pull request #19601 from github/release-prep/2.21.4

Release preparation for version 2.21.4

.github/workflows/go-tests-other-os.yml

@@ -26,9 +26,8 @@ jobs:
         uses: ./go/actions/test
 
   test-win:
-    if: github.repository_owner == 'github'
     name: Test Windows
-    runs-on: windows-latest-xl
+    runs-on: windows-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v4

.github/workflows/swift.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-13-xlarge]
+        runner: [ubuntu-latest, macos-15-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:

.gitignore

@@ -62,6 +62,7 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
+/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -71,3 +72,7 @@ node_modules/
 
 # cargo build directory
 /target
+
+# some upgrade/downgrade checks create these files
+**/upgrades/*/*.dbscheme.stats
+**/downgrades/*/*.dbscheme.stats

Cargo.toml

@@ -10,6 +10,7 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
+exclude = ["mad-generation-build"]
 
 [patch.crates-io]
 # patch for build script bug preventing bazel build

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.10
+
+No user-facing changes.
+
 ## 0.4.9
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.10.md

@@ -0,0 +1,3 @@
+## 0.4.10
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.9
+lastReleaseVersion: 0.4.10

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,16 +22,21 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
+      - ["actions/deploy-pages", "pages: write"]
+      - ["actions/deploy-pages", "id-token: write"]
+      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]      
+      - ["actions/versions-package-tools", "contents: read"]
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]      
+      - ["actions/reusable-workflows", "contents: read"]
       - ["actions/reusable-workflows", "actions: read"]
+      - ["actions/ai-inference", "contents: read"]
+      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
+      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-
-      
+      # No permissions needed for actions/configure-pages

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.9
+version: 0.4.10
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.6.2
+
+### Minor Analysis Improvements
+
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
+
 ## 0.6.1
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.2.md

@@ -0,0 +1,5 @@
+## 0.6.2
+
+### Minor Analysis Improvements
+
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.1
+lastReleaseVersion: 0.6.2

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.1
+version: 0.6.2
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/ai-inference

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/delete-package-versions

actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected

@@ -3,3 +3,6 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
+| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
+| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,27 @@
+## 5.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
+* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
+* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
+
+### New Features
+
+* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
+* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
+* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
+* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
+* Added support for `wmain` as part of the ArgvSource model.
+
+### Bug Fixes
+
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
+
 ## 4.3.1
 
 ### Bug Fixes

cpp/ql/lib/change-notes/released/5.0.0.md

@@ -0,0 +1,23 @@
+## 5.0.0
+
+### Breaking Changes
+
+* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
+* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
+* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
+
+### New Features
+
+* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
+* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
+* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
+* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
+* Added support for `wmain` as part of the ArgvSource model.
+
+### Bug Fixes
+
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.3.1
+lastReleaseVersion: 5.0.0

cpp/ql/lib/experimental/quantum/Language.qll

@@ -1,6 +1,7 @@
 private import cpp as Language
-import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codeql.quantum.experimental.Model
+private import OpenSSL.GenericSourceCandidateLiteral
 
 module CryptoInput implements InputSig<Language::Location> {
   class DataFlowNode = DataFlow::Node;
@@ -86,6 +87,21 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
+module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
+
+private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
+  ConstantDataSource() { this instanceof OpenSSLGenericSourceCandidateLiteral }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source = any(Crypto::ArtifactInstance artifact).getOutputNode()

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -1,7 +1,9 @@
 import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import PaddingAlgorithmInstance
 
 /**
  * Traces 'known algorithms' to AVCs, specifically
@@ -18,6 +20,9 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     exists(OpenSSLAlgorithmValueConsumer c |
       c.getInputNode() = sink and
+      // exclude padding algorithm consumers, since
+      // these consumers take in different constant values
+      // not in the typical "known algorithm" set
       not c instanceof PaddingAlgorithmValueConsumer
     )
   }
@@ -42,9 +47,7 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
   DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
 
 module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
-  }
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSSLPaddingLiteral }
 
   predicate isSink(DataFlow::Node sink) {
     exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -1,13 +1,14 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import AlgToAVCFlow
 
 /**
  * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToBlockModeFamilyType(
   KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -1,16 +1,17 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import Crypto::KeyOpAlg as KeyOpAlg
-import OpenSSLAlgorithmInstanceBase
-import PaddingAlgorithmInstance
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
-import BlockAlgorithmInstance
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import Crypto::KeyOpAlg as KeyOpAlg
+private import OpenSSLAlgorithmInstanceBase
+private import PaddingAlgorithmInstance
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+private import BlockAlgorithmInstance
 
 /**
  * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToCipherFamilyType(
   KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
@@ -103,11 +104,8 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
 
   override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
 
-  override string getKeySizeFixed() {
-    exists(int keySize |
-      this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
-      result = keySize.toString()
-    )
+  override int getKeySizeFixed() {
+    this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
   }
 
   override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -0,0 +1,49 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+
+class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override string getRawEllipticCurveName() { result = this.(Literal).getValue().toString() }
+
+  override Crypto::TEllipticCurveType getEllipticCurveType() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
+  }
+
+  override string getParsedEllipticCurveName() {
+    result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
+  }
+
+  override int getKeySize() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+          .getNormalizedName(), result, _)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -1,8 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
   KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll

@@ -1,5 +1,5 @@
 import cpp
-import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.GenericSourceCandidateLiteral
 
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
   resolveAlgorithmFromCall(e, normalizedName, algType)
@@ -20,7 +20,7 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 
   KnownOpenSSLCipherAlgorithmConstant() {
     resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%encryption")
+    algType.matches("%ENCRYPTION")
   }
 
   int getExplicitKeySize() {
@@ -33,30 +33,20 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 }
 
 class KnownOpenSSLPaddingAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
   KnownOpenSSLPaddingAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%padding")
+    exists(string algType |
+      resolveAlgorithmFromExpr(this, _, algType) and
+      algType.matches("%PADDING")
+    )
   }
 }
 
 class KnownOpenSSLBlockModeAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
-  KnownOpenSSLBlockModeAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%block_mode")
-  }
+  KnownOpenSSLBlockModeAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "BLOCK_MODE") }
 }
 
 class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
-  KnownOpenSSLHashAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%hash")
-  }
+  KnownOpenSSLHashAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "HASH") }
 
   int getExplicitDigestLength() {
     exists(string name |
@@ -67,6 +57,16 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
   }
 }
 
+class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLEllipticCurveAlgorithmConstant() {
+    resolveAlgorithmFromExpr(this, _, "ELLIPTIC_CURVE")
+  }
+}
+
+class KnownOpenSSLSignatureAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLSignatureAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "SIGNATURE") }
+}
+
 /**
  * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5()
  * This approach to fetching algorithms was used in OpenSSL 1.0.2.
@@ -80,7 +80,6 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
  *  alias = "dss1" and target = "dsaWithSHA1"
  */
 predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
-  isPossibleOpenSSLFunction(c.getTarget()) and
   exists(string name, string parsedTargetName |
     parsedTargetName =
       c.getTarget().getName().replaceAll("EVP_", "").toLowerCase().replaceAll("_", "-") and
@@ -94,10 +93,10 @@ predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
  * if `e` resolves to a known algorithm.
  * If this predicate does not hold, then `e` can be interpreted as being of `UNKNOWN` type.
  */
-predicate resolveAlgorithmFromLiteral(Literal e, string normalized, string algType) {
-  exists(int nid |
-    nid = getPossibleNidFromLiteral(e) and knownOpenSSLAlgorithmLiteral(_, nid, normalized, algType)
-  )
+predicate resolveAlgorithmFromLiteral(
+  OpenSSLGenericSourceCandidateLiteral e, string normalized, string algType
+) {
+  knownOpenSSLAlgorithmLiteral(_, e.getValue().toInt(), normalized, algType)
   or
   exists(string name |
     name = resolveAlgorithmAlias(e.getValue()) and
@@ -116,30 +115,6 @@ string resolveAlgorithmAlias(string name) {
   )
 }
 
-private int getPossibleNidFromLiteral(Literal e) {
-  result = e.getValue().toInt() and
-  not e instanceof CharLiteral and
-  not e instanceof StringLiteral and
-  // ASSUMPTION, no negative numbers are allowed
-  // RATIONALE: this is a performance improvement to avoid having to trace every number
-  not exists(UnaryMinusExpr u | u.getOperand() = e) and
-  //  OPENSSL has a special macro for getting every line, ignore it
-  not exists(MacroInvocation mi | mi.getExpr() = e and mi.getMacroName() = "OPENSSL_LINE") and
-  // Filter out cases where an int is assigned into a pointer, e.g., char* x = NULL;
-  not exists(Assignment a |
-    a.getRValue() = e and a.getLValue().getType().getUnspecifiedType() instanceof PointerType
-  ) and
-  not exists(Initializer i |
-    i.getExpr() = e and
-    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof PointerType
-  ) and
-  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
-  not exists(ReturnStmt r |
-    r.getExpr() = e and
-    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof PointerType
-  )
-}
-
 string getAlgorithmAlias(string alias) {
   customAliases(result, alias)
   or
@@ -253,11 +228,6 @@ predicate defaultAliases(string target, string alias) {
   alias = "ssl3-sha1" and target = "sha1"
 }
 
-predicate tbd(string normalized, string algType) {
-  knownOpenSSLAlgorithmLiteral(_, _, normalized, algType) and
-  algType = "HASH"
-}
-
 /**
  * Enumeration of all known crypto algorithms for openSSL
  * `name` is all lower case (caller's must ensure they pass in lower case)
@@ -284,8 +254,12 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "ELLIPTIC_CURVE"
   or
+  name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "SIGNATURE"
+  or
   name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "ELLIPTIC_CURVE"
   or
+  name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "SIGNATURE"
+  or
   name = "md2" and nid = 3 and normalized = "MD2" and algType = "HASH"
   or
   name = "sha" and nid = 41 and normalized = "SHA" and algType = "HASH"
@@ -1705,8 +1679,12 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "x448" and nid = 1035 and normalized = "X448" and algType = "ELLIPTIC_CURVE"
   or
+  name = "x448" and nid = 1035 and normalized = "X448" and algType = "KEY_EXCHANGE"
+  or
   name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "ELLIPTIC_CURVE"
   or
+  name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "KEY_EXCHANGE"
+  or
   name = "authecdsa" and nid = 1047 and normalized = "ECDSA" and algType = "SIGNATURE"
   or
   name = "authgost01" and nid = 1050 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION"

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll

@@ -1,5 +1,5 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
   abstract OpenSSLAlgorithmValueConsumer getAVC();

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll

@@ -3,3 +3,4 @@ import CipherAlgorithmInstance
 import PaddingAlgorithmInstance
 import BlockAlgorithmInstance
 import HashAlgorithmInstance
+import EllipticCurveAlgorithmInstance

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -1,13 +1,31 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import AlgToAVCFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import AlgToAVCFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+
+/**
+ * A class to define padding specific integer values.
+ * from rsa.h in openssl:
+ *     # define RSA_PKCS1_PADDING          1
+ *     # define RSA_NO_PADDING             3
+ *     # define RSA_PKCS1_OAEP_PADDING     4
+ *     # define RSA_X931_PADDING           5
+ *     # define RSA_PKCS1_PSS_PADDING      6
+ *     # define RSA_PKCS1_WITH_TLS_PADDING 7
+ *     # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+ */
+class OpenSSLPaddingLiteral extends Literal {
+  // TODO: we can be more specific about where the literal is in a larger expression
+  // to avoid literals that are clealy not representing an algorithm, e.g., array indices.
+  OpenSSLPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] }
+}
 
 /**
  * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToPaddingFamilyType(
   KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type
@@ -59,19 +77,8 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
     this instanceof KnownOpenSSLPaddingAlgorithmConstant and
     isPaddingSpecificConsumer = false
     or
-    // Possibility 3:
-    // from rsa.h in openssl:
-    // # define RSA_PKCS1_PADDING          1
-    // # define RSA_NO_PADDING             3
-    // # define RSA_PKCS1_OAEP_PADDING     4
-    // # define RSA_X931_PADDING           5
-    // /* EVP_PKEY_ only */
-    // # define RSA_PKCS1_PSS_PADDING      6
-    // # define RSA_PKCS1_WITH_TLS_PADDING 7
-    // /* internal RSA_ only */
-    // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
-    this instanceof Literal and
-    this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] and
+    // Possibility 3: padding-specific literal
+    this instanceof OpenSSLPaddingLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
@@ -87,24 +94,24 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 
+  Crypto::TPaddingType getKnownPaddingType() {
+    this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
+    or
+    this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
+    or
+    this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
+    or
+    this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
+    or
+    this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
+  }
+
   override Crypto::TPaddingType getPaddingType() {
     isPaddingSpecificConsumer = true and
     (
-      if this.(Literal).getValue().toInt() in [1, 7, 8]
-      then result = Crypto::PKCS1_v1_5()
-      else
-        if this.(Literal).getValue().toInt() = 3
-        then result = Crypto::NoPadding()
-        else
-          if this.(Literal).getValue().toInt() = 4
-          then result = Crypto::OAEP()
-          else
-            if this.(Literal).getValue().toInt() = 5
-            then result = Crypto::ANSI_X9_23()
-            else
-              if this.(Literal).getValue().toInt() = 6
-              then result = Crypto::PSS()
-              else result = Crypto::OtherPadding()
+      result = this.getKnownPaddingType()
+      or
+      not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
     )
     or
     isPaddingSpecificConsumer = false and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -14,7 +13,6 @@ class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
 
   EVPCipherAlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
     (
       this.(Call).getTarget().getName() in [
           "EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
-// TODO: can self referential to itself, which is also an algorithm (Known algorithm)
 /**
  * Cases like EVP_MD5(),
  * there is no input, rather it directly gets an algorithm

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll

@@ -0,0 +1,34 @@
+import cpp
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+//https://docs.openssl.org/3.0/man3/EC_KEY_new/#name
+class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPEllipticCurveAlgorithmConsumer() {
+    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
+    (
+      this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in [
+          "EC_KEY_new_by_curve_name_ex", "EVP_PKEY_CTX_set_ec_paramgen_curve_nid"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(2)
+    )
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll

@@ -1,12 +1,9 @@
-// import EVPHashInitializer
-// import EVPHashOperation
-// import EVPHashAlgorithmSource
 import cpp
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+private import experimental.quantum.OpenSSL.LibraryDetector
 
 abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -33,3 +30,34 @@ class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
     none()
   }
 }
+
+/**
+ * The EVP digest algorithm getters
+ * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
+ */
+class EVPDigestAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPDigestAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
+    (
+      this.(Call).getTarget().getName() in [
+          "EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() = "EVP_MD_fetch" and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll

@@ -1,5 +1,4 @@
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.Language
 
 abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
   /**

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll

@@ -3,3 +3,5 @@ import CipherAlgorithmValueConsumer
 import DirectAlgorithmValueConsumer
 import PaddingAlgorithmValueConsumer
 import HashAlgorithmValueConsumer
+import EllipticCurveAlgorithmValueConsumer
+import PKeyAlgorithmValueConsumer

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll

@@ -0,0 +1,55 @@
+import cpp
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class PKeyValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPPKeyAlgorithmConsumer() {
+    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
+    (
+      // NOTE: some of these consumers are themselves key gen operations,
+      // in these cases, the operation will be created separately for the same function.
+      this.(Call).getTarget().getName() in [
+          "EVP_PKEY_CTX_new_id", "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key",
+          "EVP_PKEY_new_mac_key"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in [
+          "EVP_PKEY_CTX_new_from_name", "EVP_PKEY_new_raw_private_key_ex",
+          "EVP_PKEY_new_raw_public_key_ex", "EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+      or
+      // argInd 2 is 'type' which can be RSA, or EC
+      // if RSA argInd 3 is the key size, else if EC argInd 3 is the curve name
+      // In all other cases there is no argInd 3, and argInd 2 is the algorithm.
+      // Since this is a key gen operation, handling the key size should be handled
+      // when the operation is again modeled as a key gen operation.
+      this.(Call).getTarget().getName() = "EVP_PKEY_Q_keygen" and
+      (
+        // Elliptic curve case
+        // If the argInd 3 is a derived type (pointer or array) then assume it is a curve name
+        if this.(Call).getArgument(3).getType().getUnderlyingType() instanceof DerivedType
+        then valueArgNode.asExpr() = this.(Call).getArgument(3)
+        else
+          // All other cases
+          valueArgNode.asExpr() = this.(Call).getArgument(2)
+      )
+    )
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -16,11 +15,8 @@ class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorit
 
   EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
-    (
-      this.(Call).getTarget().getName() in ["EVP_PKEY_CTX_set_rsa_padding"] and
-      valueArgNode.asExpr() = this.(Call).getArgument(1)
-    )
+    this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_rsa_padding" and
+    valueArgNode.asExpr() = this.(Call).getArgument(1)
   }
 
   override DataFlow::Node getResultNode() { result = resultNode }

cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll

@@ -20,79 +20,107 @@
 
 import semmle.code.cpp.dataflow.new.DataFlow
 
-class CTXType extends Type {
-  CTXType() {
-    // TODO: should we limit this to an openssl path?
-    this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
-  }
+/**
+ * An openSSL CTX type, which is type for which the stripped underlying type
+ * matches the pattern 'evp_%ctx_%st'.
+ * This includes types like:
+ * - EVP_CIPHER_CTX
+ * - EVP_MD_CTX
+ * - EVP_PKEY_CTX
+ */
+private class CtxType extends Type {
+  CtxType() { this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st") }
 }
 
-class CTXPointerExpr extends Expr {
-  CTXPointerExpr() {
-    this.getType() instanceof CTXType and
+/**
+ * A pointer to a CtxType
+ */
+private class CtxPointerExpr extends Expr {
+  CtxPointerExpr() {
+    this.getType() instanceof CtxType and
     this.getType() instanceof PointerType
   }
 }
 
-class CTXPointerArgument extends CTXPointerExpr {
-  CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) }
+/**
+ * A call argument of type CtxPointerExpr.
+ */
+private class CtxPointerArgument extends CtxPointerExpr {
+  CtxPointerArgument() { exists(Call c | c.getAnArgument() = this) }
 
   Call getCall() { result.getAnArgument() = this }
 }
 
-class CTXClearCall extends Call {
-  CTXClearCall() {
+/**
+ * A call whose target contains 'free' or 'reset' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxClearCall extends Call {
+  CtxClearCall() {
     this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-class CTXCopyOutArgCall extends Call {
-  CTXCopyOutArgCall() {
-    this.getTarget().getName().toLowerCase().matches(["%copy%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument
+/**
+ * A call whose target contains 'copy' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxCopyOutArgCall extends Call {
+  CtxCopyOutArgCall() {
+    this.getTarget().getName().toLowerCase().matches("%copy%") and
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-class CTXCopyReturnCall extends Call {
-  CTXCopyReturnCall() {
-    this.getTarget().getName().toLowerCase().matches(["%dup%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument and
-    this instanceof CTXPointerExpr
+/**
+ * A call whose target contains 'dup' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxCopyReturnCall extends Call, CtxPointerExpr {
+  CtxCopyReturnCall() {
+    this.getTarget().getName().toLowerCase().matches("%dup%") and
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-module OpenSSLCTXArgumentFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CTXPointerArgument }
+/**
+ * Flow from any CtxPointerArgument to any other CtxPointerArgument
+ */
+module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CtxPointerArgument }
 
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CTXPointerArgument }
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CtxPointerArgument }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(CTXClearCall c | c.getAnArgument() = node.asExpr())
+    exists(CtxClearCall c | c.getAnArgument() = node.asExpr())
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(CTXCopyOutArgCall c |
+    exists(CtxCopyOutArgCall c |
       c.getAnArgument() = node1.asExpr() and
       c.getAnArgument() = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CTXType
+      node2.asExpr().getType() instanceof CtxType
     )
     or
-    exists(CTXCopyReturnCall c |
+    exists(CtxCopyReturnCall c |
       c.getAnArgument() = node1.asExpr() and
       c = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CTXType
+      node2.asExpr().getType() instanceof CtxType
     )
   }
 }
 
-module OpenSSLCTXArgumentFlow = DataFlow::Global<OpenSSLCTXArgumentFlowConfig>;
+module OpenSSLCtxArgumentFlow = DataFlow::Global<OpenSSLCtxArgumentFlowConfig>;
 
-predicate ctxArgFlowsToCtxArg(CTXPointerArgument source, CTXPointerArgument sink) {
+/**
+ * Holds if there is a context flow from the source to the sink.
+ */
+predicate ctxArgFlowsToCtxArg(CtxPointerArgument source, CtxPointerArgument sink) {
   exists(DataFlow::Node a, DataFlow::Node b |
-    OpenSSLCTXArgumentFlow::flow(a, b) and
+    OpenSSLCtxArgumentFlow::flow(a, b) and
     a.asExpr() = source and
     b.asExpr() = sink
   )

cpp/ql/lib/experimental/quantum/OpenSSL/GenericSourceCandidateLiteral.qll

@@ -0,0 +1,122 @@
+import cpp
+private import semmle.code.cpp.models.Models
+private import semmle.code.cpp.models.interfaces.FormattingFunction
+
+private class IntLiteral extends Literal {
+  IntLiteral() {
+    //Heuristics for distinguishing int literals from other literals
+    exists(this.getValue().toInt()) and
+    not this instanceof CharLiteral and
+    not this instanceof StringLiteral
+  }
+}
+
+/**
+ * Holds if a StringLiteral could conceivably be used in some way for cryptography.
+ * Note: this predicate should only consider restrictions with respect to strings only.
+ * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
+ */
+private predicate isOpenSSLStringLiteralGenericSourceCandidate(StringLiteral s) {
+  // 'EC' is a constant that may be used where typical algorithms are specified,
+  // but EC specifically means set up a default curve container, that will later be
+  //specified explicitly (or if not a default) curve is used.
+  s.getValue() != "EC" and
+  // Ignore empty strings
+  s.getValue() != "" and
+  // Filter out strings with "%", to filter out format strings
+  not s.getValue().matches("%\\%%") and
+  // Filter out strings in brackets or braces (commonly seen strings not relevant for crypto)
+  not s.getValue().matches(["[%]", "(%)"]) and
+  // Filter out all strings of length 1, since these are not algorithm names
+  // NOTE/ASSUMPTION: If a user legitimately passes a string of length 1 to some configuration
+  // we will assume this is generally unknown. We may need to reassess this in the future.
+  s.getValue().length() > 1 and
+  // Ignore all strings that are in format string calls outputing to a stream (e.g., stdout)
+  not exists(FormattingFunctionCall f |
+    exists(f.getOutputArgument(true)) and s = f.(Call).getAnArgument()
+  ) and
+  // Ignore all format string calls where there is no known out param (resulting string)
+  // i.e., ignore printf, since it will just output a string and not produce a new string
+  not exists(FormattingFunctionCall f |
+    // Note: using two ways of determining if there is an out param, since I'm not sure
+    // which way is canonical
+    not exists(f.getOutputArgument(false)) and
+    not f.getTarget().hasTaintFlow(_, _) and
+    f.(Call).getAnArgument() = s
+  )
+}
+
+/**
+ * Holds if a StringLiteral could conceivably be used in some way for cryptography.
+ * Note: this predicate should only consider restrictions with respect to integers only.
+ * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
+ */
+private predicate isOpenSSLIntLiteralGenericSourceCandidate(IntLiteral l) {
+  // Ignore integer values of 0, commonly referring to NULL only (no known algorithm 0)
+  l.getValue().toInt() != 0 and
+  // ASSUMPTION, no negative numbers are allowed
+  // RATIONALE: this is a performance improvement to avoid having to trace every number
+  not exists(UnaryMinusExpr u | u.getOperand() = l) and
+  //  OPENSSL has a special macro for getting every line, ignore it
+  not exists(MacroInvocation mi | mi.getExpr() = l and mi.getMacroName() = "OPENSSL_LINE") and
+  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
+  not exists(ReturnStmt r |
+    r.getExpr() = l and
+    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof DerivedType
+  ) and
+  // A literal as an array index should not be relevant for crypo
+  not exists(ArrayExpr op | op.getArrayOffset() = l) and
+  // A literal used in a bitwise should not be relevant for crypto
+  not exists(BinaryBitwiseOperation op | op.getAnOperand() = l) and
+  not exists(AssignBitwiseOperation op | op.getAnOperand() = l) and
+  //Filter out cases where an int is assigned or initialized into a pointer, e.g., char* x = NULL;
+  not exists(Assignment a |
+    a.getRValue() = l and
+    a.getLValue().getType().getUnspecifiedType() instanceof DerivedType
+  ) and
+  not exists(Initializer i |
+    i.getExpr() = l and
+    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof DerivedType
+  ) and
+  // Filter out cases where the literal is used in any kind of arithmetic operation
+  not exists(BinaryArithmeticOperation op | op.getAnOperand() = l) and
+  not exists(UnaryArithmeticOperation op | op.getOperand() = l) and
+  not exists(AssignArithmeticOperation op | op.getAnOperand() = l) and
+  // If a literal has no parent ignore it, this is a workaround for the current inability
+  // to find a literal in an array declaration: int x[100];
+  // NOTE/ASSUMPTION: this value might actually be relevant for finding hard coded sizes
+  // consider size as inferred through the allocation of a buffer.
+  // In these cases, we advise that the source is not generic and must be traced explicitly.
+  exists(l.getParent())
+}
+
+/**
+ * Any literal that may be conceivably be used in some way for cryptography.
+ * The set of all literals is restricted by this class to cases where there is higher
+ * plausibility that the literal could be used as a source of configuration.
+ * Literals are filtered, for example, if they are used in a way no indicative of an algorithm use
+ * such as in an array index, bitwise operation, or logical operation.
+ * Note a case like this:
+ *      if(algVal == "AES")
+ *
+ * "AES" may be a legitimate algorithm literal, but the literal will not be used for an operation directly
+ * since it is in a equality comparison, hence this case would also be filtered.
+ */
+class OpenSSLGenericSourceCandidateLiteral extends Literal {
+  OpenSSLGenericSourceCandidateLiteral() {
+    (
+      isOpenSSLIntLiteralGenericSourceCandidate(this) or
+      isOpenSSLStringLiteralGenericSourceCandidate(this)
+    ) and
+    // ********* General filters beyond what is filtered for strings and ints *********
+    // An algorithm literal in a switch case will not be directly applied to an operation.
+    not exists(SwitchCase sc | sc.getExpr() = this) and
+    // A literal in a logical operation may be an algorithm, but not a candidate
+    // for the purposes of finding applied algorithms
+    not exists(BinaryLogicalOperation op | op.getAnOperand() = this) and
+    not exists(UnaryLogicalOperation op | op.getOperand() = this) and
+    // A literal in a comparison operation may be an algorithm, but not a candidate
+    // for the purposes of finding applied algorithms
+    not exists(ComparisonOperation op | op.getAnOperand() = this)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll

@@ -1,9 +1,7 @@
-import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-
 module OpenSSLModel {
-  import experimental.quantum.Language
-  import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-  import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-  import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
+  import AlgorithmInstances.OpenSSLAlgorithmInstances
+  import AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+  import Operations.OpenSSLOperations
+  import Random
+  import GenericSourceCandidateLiteral
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll

@@ -0,0 +1,61 @@
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import OpenSSLOperationBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(ECKeyGenOperation c | c.getAlgorithmArg() = sink.asExpr())
+  }
+}
+
+private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
+
+class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance {
+  ECKeyGenOperation() { this.(Call).getTarget().getName() = "EC_KEY_generate_key" }
+
+  override Expr getOutputArg() {
+    result = this.(Call) // return value of call
+  }
+
+  Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
+
+  override Expr getInputArg() {
+    // there is no 'input', in the sense that no data is being manipulated by the operation.
+    // There is an input of an algorithm, but that is not the intention of the operation input arg.
+    none()
+  }
+
+  override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
+    result = this.getOutputNode()
+  }
+
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.getAlgorithmArg()))
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
+    none() // no explicit key size, inferred from algorithm
+  }
+
+  override int getKeySizeFixed() {
+    none()
+    // TODO: marked as none as the operation itself has no key size, it
+    // comes from the algorithm source, but note we could grab the
+    // algorithm source and get the key size (see below).
+    // We may need to reconsider what is the best approach here.
+    // result =
+    //   this.getAnAlgorithmValueConsumer()
+    //       .getAKnownAlgorithmSource()
+    //       .(Crypto::EllipticCurveInstance)
+    //       .getKeySize()
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll

@@ -3,8 +3,8 @@
  * Models cipher initialization for EVP cipher operations.
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
 
 module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll

@@ -1,8 +1,8 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import EVPCipherInitializer
-import OpenSSLOperationBase
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import EVPCipherInitializer
+private import OpenSSLOperationBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
@@ -67,37 +67,42 @@ abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperati
   }
 }
 
-// abstract class EVP_Update_Call extends EVP_Cipher_Operation { }
-abstract class EVP_Final_Call extends EVP_Cipher_Operation {
-  override Expr getInputArg() { none() }
-}
-
-// TODO: only model Final (model final as operation and model update but not as an operation)
-// Updates are multiple input consumers (most important)
-// TODO: assuming update doesn't ouput, otherwise it outputs artifacts, but is not an operation
 class EVP_Cipher_Call extends EVP_Cipher_Operation {
   EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
 
   override Expr getInputArg() { result = this.(Call).getArgument(2) }
 }
 
-// ******* TODO: model UPDATE but not as the core operation, rather a step towards final
-// see the JCA
-// class EVP_Encrypt_Decrypt_or_Cipher_Update_Call extends EVP_Update_Call {
-//   EVP_Encrypt_Decrypt_or_Cipher_Update_Call() {
-//     this.(Call).getTarget().getName() in [
-//         "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
-//       ]
-//   }
-//   override Expr getInputArg() { result = this.(Call).getArgument(3) }
-// }
-class EVP_Encrypt_Decrypt_or_Cipher_Final_Call extends EVP_Final_Call {
-  EVP_Encrypt_Decrypt_or_Cipher_Final_Call() {
+// NOTE: not modeled as cipher operations, these are intermediate calls
+class EVP_Cipher_Update_Call extends Call {
+  EVP_Cipher_Update_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
+      ]
+  }
+
+  Expr getInputArg() { result = this.(Call).getArgument(3) }
+
+  DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
+
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+}
+
+class EVP_Cipher_Final_Call extends EVP_Cipher_Operation {
+  EVP_Cipher_Final_Call() {
     this.(Call).getTarget().getName() in [
         "EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
         "EVP_DecryptFinal", "EVP_CipherFinal"
       ]
   }
+
+  EVP_Cipher_Update_Call getUpdateCalls() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+
+  override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
 }
 
 class EVP_PKEY_Operation extends EVP_Cipher_Operation {

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll

@@ -2,12 +2,11 @@
  * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import experimental.quantum.OpenSSL.LibraryDetector
-import OpenSSLOperationBase
-import EVPHashInitializer
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import OpenSSLOperationBase
+private import EVPHashInitializer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 // import EVPHashConsumers
 abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
@@ -16,6 +15,16 @@ abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperatio
   EVP_Hash_Initializer getInitCall() {
     CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
   }
+
+  /**
+   * By default, the algorithm value comes from the init call.
+   * There are variants where this isn't true, in which case the
+   * subclass should override this method.
+   */
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
+  }
 }
 
 private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
@@ -32,10 +41,7 @@ private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsu
 
 //https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
 class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
-  EVP_Q_Digest_Operation() {
-    this.(Call).getTarget().getName() = "EVP_Q_digest" and
-    isPossibleOpenSSLFunction(this.(Call).getTarget())
-  }
+  EVP_Q_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
 
   //override Crypto::AlgorithmConsumer getAlgorithmConsumer() {  }
   override EVP_Hash_Initializer getInitCall() {
@@ -61,10 +67,7 @@ class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
 }
 
 class EVP_Digest_Operation extends EVP_Hash_Operation {
-  EVP_Digest_Operation() {
-    this.(Call).getTarget().getName() = "EVP_Digest" and
-    isPossibleOpenSSLFunction(this.(Call).getTarget())
-  }
+  EVP_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Digest" }
 
   // There is no context argument for this function
   override Expr getContextArg() { none() }
@@ -88,30 +91,34 @@ class EVP_Digest_Operation extends EVP_Hash_Operation {
 
   override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
 }
-// // override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-// //   AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-// //     DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
-// // }
-// // ***** TODO *** complete modelinlg for hash operations, but have consideration for terminal and non-terminal (non intermedaite) steps
-// // see the JCA. May need to update the cipher operations similarly
-// // ALSO SEE cipher for how we currently model initialization of the algorithm through an init call
-// class EVP_DigestUpdate_Operation extends EVP_Hash_Operation {
-//   EVP_DigestUpdate_Operation() {
-//     this.(Call).getTarget().getName() = "EVP_DigestUpdate" and
-//     isPossibleOpenSSLFunction(this.(Call).getTarget())
-//   }
-//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
-//     this.getInitCall().getAlgorithmArg() = result
-//   }
-// }
-// class EVP_DigestFinal_Variants_Operation extends EVP_Hash_Operation {
-//   EVP_DigestFinal_Variants_Operation() {
-//     this.(Call).getTarget().getName() in [
-//         "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
-//       ] and
-//     isPossibleOpenSSLFunction(this.(Call).getTarget())
-//   }
-//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
-//     this.getInitCall().getAlgorithmArg() = result
-//   }
-// }
+
+// NOTE: not modeled as hash operations, these are intermediate calls
+class EVP_Digest_Update_Call extends Call {
+  EVP_Digest_Update_Call() { this.(Call).getTarget().getName() in ["EVP_DigestUpdate"] }
+
+  Expr getInputArg() { result = this.(Call).getArgument(1) }
+
+  DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
+
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+}
+
+class EVP_Digest_Final_Call extends EVP_Hash_Operation {
+  EVP_Digest_Final_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
+      ]
+  }
+
+  EVP_Digest_Update_Call getUpdateCalls() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+
+  override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+
+  override Expr getOutputArg() { result = this.(Call).getArgument(1) }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -1,4 +1,4 @@
-import experimental.quantum.Language
+private import experimental.quantum.Language
 
 abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
   abstract Expr getInputArg();

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll

@@ -1,3 +1,4 @@
 import OpenSSLOperationBase
 import EVPCipherOperation
 import EVPHashOperation
+import ECKeyGenOperation

cpp/ql/lib/ext/Boost.Asio.model.yml

@@ -1,4 +1,4 @@
-  # partial model of the Boost::Asio network library
+# partial model of the Boost::Asio network library
 extensions:
   - addsTo:
       pack: codeql/cpp-all

cpp/ql/lib/ext/Windows.model.yml

@@ -0,0 +1,35 @@
+# partial model of windows system calls
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      # processenv.h
+      - ["", "", False, "GetCommandLineA", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetCommandLineW", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsA", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsW", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableA", "", "", "Argument[*1]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableW", "", "", "Argument[*1]", "local", "manual"]
+      # fileapi.h
+      - ["", "", False, "ReadFile", "", "", "Argument[*1]", "local", "manual"]
+      - ["", "", False, "ReadFileEx", "", "", "Argument[*1]", "local", "manual"]
+      # memoryapi.h
+      - ["", "", False, "MapViewOfFile", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile2", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile3", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile3FromApp", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileEx", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileFromApp", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileNuma2", "", "", "ReturnValue[*]", "local", "manual"]
+      # ntifs.h
+      - ["", "", False, "NtReadFile", "", "", "Argument[*5]", "local", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      # shellapi.h
+      - ["", "", False, "CommandLineToArgvA", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
+      - ["", "", False, "CommandLineToArgvW", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
+      # fileapi.h
+      - ["", "", False, "ReadFileEx", "", "", "Argument[*3].Field[@hEvent]", "Argument[4].Parameter[*2].Field[@hEvent]", "value", "manual"]

cpp/ql/lib/ext/generated/sqlite.model.yml

@@ -0,0 +1,948 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data:
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[**0]", "Argument[**0].Field[**next]", "value", "dfc-generated"]
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[*0]", "Argument[**0].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[0]", "Argument[**0].Field[*next]", "taint", "dfc-generated"]
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*0].Field[**rp].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*0].Field[*dot]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*1].Field[**rp].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*1].Field[*dot]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configlist_add", "(rule *,int)", "", "Argument[*0]", "ReturnValue[*].Field[**rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_add", "(rule *,int)", "", "Argument[0]", "ReturnValue[*].Field[*rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_add", "(rule *,int)", "", "Argument[1]", "ReturnValue[*].Field[*dot]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_addbasis", "(rule *,int)", "", "Argument[*0]", "ReturnValue[*].Field[**rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_addbasis", "(rule *,int)", "", "Argument[0]", "ReturnValue[*].Field[*rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_addbasis", "(rule *,int)", "", "Argument[1]", "ReturnValue[*].Field[*dot]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[**0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[*0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[0]", "ReturnValue[**]", "taint", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "JimStringReplaceObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "JimStringReplaceObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AioFilehandle", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AioFilehandle", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AppendObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*2]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_AppendString", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[*2]", "Argument[*1].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AppendString", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[2]", "Argument[*1].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_AppendString", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[3]", "Argument[*1].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CallSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[**2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[**2]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[*2]", "Argument[**2]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[*2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[*2]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[2]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "Argument[*3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*2]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*2]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*3]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CompareStringImmediate", "(Jim_Interp *,Jim_Obj *,const char *)", "", "Argument[*2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CompareStringImmediate", "(Jim_Interp *,Jim_Obj *,const char *)", "", "Argument[2]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ConcatObj", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2].Field[*length]", "ReturnValue[*].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ConcatObj", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ConcatObj", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "ReturnValue[*].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommandObj", "(Jim_Interp *,Jim_Obj *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommandObj", "(Jim_Interp *,Jim_Obj *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DeleteCommand", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DeleteCommand", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DictAddElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictAddElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictInfo", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*0]", "Argument[**3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*0]", "Argument[*3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*2]", "Argument[*3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj **,int)", "", "Argument[*1]", "Argument[**4]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj **,int)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_DictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj **,int)", "", "Argument[1]", "Argument[*4]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DictMatchTypes", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int,int)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictMerge", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_DictPairs", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_DictSize", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DuplicateObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_DuplicateObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DuplicateObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_Eval", "(Jim_Interp *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_Eval", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_Eval", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalExpression", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalExpression", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalGlobal", "(Jim_Interp *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalGlobal", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalGlobal", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**evalFrame].Field[*scriptObj]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObjList", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObjList", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[**3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[**3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[**3]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[**3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalSource", "(Jim_Interp *,const char *,int,const char *)", "", "Argument[*3]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalSource", "(Jim_Interp *,const char *,int,const char *)", "", "Argument[3]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_FileStoreStatData", "(Jim_Interp *,Jim_Obj *,const jim_stat_t *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_FindHashEntry", "(Jim_HashTable *,const void *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_FindHashEntry", "(Jim_HashTable *,const void *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_FormatString", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_FreeObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_FreeObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GenHashFunction", "(const unsigned char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GenHashFunction", "(const unsigned char *,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GenHashFunction", "(const unsigned char *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolean", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "Argument[*2]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetCallFrameByLevel", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1].Field[**bytes]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetCallFrameByLevel", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1].Field[*bytes]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetCommand", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetCommand", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetDouble", "(Jim_Interp *,Jim_Obj *,double *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[**2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[*2]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[*2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[2]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetExitCode", "(Jim_Interp *)", "", "Argument[*0].Field[*exitCode]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetGlobalVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetHashTableIterator", "(Jim_HashTable *)", "", "Argument[*0]", "ReturnValue[*].Field[**ht]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetHashTableIterator", "(Jim_HashTable *)", "", "Argument[0]", "ReturnValue[*].Field[*ht]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetLong", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetReturnCode", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetSourceInfo", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetSourceInfo", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetSourceInfo", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetString", "(Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetString", "(Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetString", "(Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_GetVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWide", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[**2]", "Argument[*0].Field[***privdata]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[*1]", "Argument[*0].Field[**type]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[*2]", "Argument[*0].Field[**privdata]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[1]", "Argument[*0].Field[*type]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[2]", "Argument[*0].Field[*privdata]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_IntHashFunction", "(unsigned int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_InteractivePrompt", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_Length", "(Jim_Obj *)", "", "Argument[*0].Field[*length]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListAppendElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListAppendElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[2]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListAppendList", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListAppendList", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListGetIndex", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[2]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListIndex", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj **,int)", "", "Argument[2]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListIndex", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj **,int)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[*4]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[4]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListJoin", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[*2]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListJoin", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[2]", "ReturnValue[*].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListJoin", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[3]", "ReturnValue[*].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListLength", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListRange", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListRange", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListSetIndex", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListSetIndex", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListSetIndex", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*result]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeGlobalNamespaceName", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeGlobalNamespaceName", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewDictObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*1]", "Argument[**1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewDoubleObj", "(Jim_Interp *,double)", "", "Argument[1]", "ReturnValue[*].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewIntObj", "(Jim_Interp *,long)", "", "Argument[1]", "ReturnValue[*].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*1]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[1]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[2]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewObj", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewObj", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewStringObj", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObj", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObj", "(Jim_Interp *,const char *,int)", "", "Argument[2]", "ReturnValue[*].Field[*length]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjNoAlloc", "(Jim_Interp *,char *,int)", "", "Argument[*1]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjNoAlloc", "(Jim_Interp *,char *,int)", "", "Argument[1]", "ReturnValue[*].Field[*bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjNoAlloc", "(Jim_Interp *,char *,int)", "", "Argument[2]", "ReturnValue[*].Field[*length]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjUtf8", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjUtf8", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjUtf8", "(Jim_Interp *,const char *,int)", "", "Argument[2]", "ReturnValue[*].Field[*length]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NextHashEntry", "(Jim_HashTableIterator *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_NextHashEntry", "(Jim_HashTableIterator *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ReaddirCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RenameCommand", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_RenameCommand", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[2]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ReturnCode", "(int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ScanString", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_ScanString", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ScanString", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ScriptIsComplete", "(Jim_Interp *,Jim_Obj *,char *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[*result]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetResultFormatted", "(Jim_Interp *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetResultFormatted", "(Jim_Interp *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariable", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_SetVariableLink", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_CallFrame *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableLink", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_CallFrame *)", "", "Argument[2]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*2]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SignalId", "(int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StackLen", "(Jim_Stack *)", "", "Argument[*0].Field[*len]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StackPeek", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPeek", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPeek", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPop", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPop", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPop", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPush", "(Jim_Stack *,void *)", "", "Argument[*1]", "Argument[*0].Field[***vector]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StackPush", "(Jim_Stack *,void *)", "", "Argument[1]", "Argument[*0].Field[**vector]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StrDup", "(const char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StrDup", "(const char *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StrDupLen", "(const char *,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StrDupLen", "(const char *,int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_String", "(Jim_Obj *)", "", "Argument[*0].Field[**bytes]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_String", "(Jim_Obj *)", "", "Argument[*0].Field[*bytes]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StringByteRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_StringByteRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StringRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_StringRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StringToDouble", "(const char *,double *)", "", "Argument[*0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StringToDouble", "(const char *,double *)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StringToWide", "(const char *,long *,int)", "", "Argument[*0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StringToWide", "(const char *,long *,int)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SubCmdProc", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SubstObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SubstObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SubstObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_UnsetVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_Utf8Length", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1].Field[*length]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[*3]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[*3]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[*3]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[3]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[3]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[3]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_bootstrapInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_globInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_initjimshInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_stdlibInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_tclcompatInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[**0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[*0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[**0]", "Argument[**0].Field[**next]", "value", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[*0]", "Argument[**0].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[0]", "Argument[**0].Field[*next]", "taint", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[**0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*0]", "Argument[**0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*1]", "Argument[**0]", "value", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[0]", "Argument[**0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[0]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[1]", "Argument[**0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[1]", "Argument[*0]", "value", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[1]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_delete", "(plink *)", "", "Argument[0]", "Argument[*0].Field[**next].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "Plink_delete", "(plink *)", "", "Argument[0]", "Argument[*0].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "PrintAction", "(action *,FILE *,int)", "", "Argument[2]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "ResortStates", "(lemon *)", "", "Argument[*0].Field[*nstate]", "Argument[*0].Field[*nxstate]", "value", "dfc-generated"]
+      - ["", "", True, "RulePrint", "(FILE *,rule *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "SHA1Transform", "(unsigned int[5],const unsigned char[64])", "", "Argument[*1]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "SHA1Transform", "(unsigned int[5],const unsigned char[64])", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "SHA1Transform", "(unsigned int[5],const unsigned char[64])", "", "Argument[1]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "State_find", "(config *)", "", "Argument[*0].Field[**bp].Field[**bp]", "Argument[*0]", "value", "dfc-generated"]
+      - ["", "", True, "State_find", "(config *)", "", "Argument[*0].Field[**bp]", "Argument[*0]", "value", "dfc-generated"]
+      - ["", "", True, "State_insert", "(state *,config *)", "", "Argument[*1].Field[**bp].Field[**bp]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "State_insert", "(state *,config *)", "", "Argument[*1].Field[**bp]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "Strsafe", "(const char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Strsafe", "(const char *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Symbol_Nth", "(int)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Symbol_Nth", "(int)", "", "Argument[0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Symbol_new", "(const char *)", "", "Argument[*0]", "ReturnValue[*].Field[**name]", "value", "dfc-generated"]
+      - ["", "", True, "Symbol_new", "(const char *)", "", "Argument[0]", "ReturnValue[*].Field[**name]", "taint", "dfc-generated"]
+      - ["", "", True, "Symbolcmpp", "(const void *,const void *)", "", "Argument[**0].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Symbolcmpp", "(const void *,const void *)", "", "Argument[**1].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[1]", "Argument[*0].Field[**aLookahead].Field[*lookahead]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[1]", "Argument[*0].Field[*mnLookahead]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[1]", "Argument[*0].Field[*mxLookahead]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[2]", "Argument[*0].Field[**aLookahead].Field[*action]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[2]", "Argument[*0].Field[*mnAction]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action_size", "(acttab *)", "", "Argument[*0].Field[*nAction]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "acttab_alloc", "(int,int)", "", "Argument[0]", "ReturnValue[*].Field[*nsymbol]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_alloc", "(int,int)", "", "Argument[1]", "ReturnValue[*].Field[*nterminal]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_insert", "(acttab *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[1]", "ReturnValue[*].Field[*sz]", "taint", "dfc-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "close_db", "(sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "compute_action", "(lemon *,action *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "confighash", "(config *)", "", "Argument[*0].Field[**rp].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "confighash", "(config *)", "", "Argument[*0].Field[*dot]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "defossilize", "(char *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_code", "(FILE *,rule *,lemon *,int *)", "", "Argument[*3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_code", "(FILE *,rule *,lemon *,int *)", "", "Argument[3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_code", "(FILE *,rule *,lemon *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_destructor_code", "(FILE *,symbol *,lemon *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[*0].Field[**filename]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[*0].Field[*filename]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**outname]", "value", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[*1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**outname]", "taint", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "getstate", "(lemon *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "has_destructor", "(symbol *,lemon *)", "", "Argument[*1].Field[*tokendest]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "jim_regcomp", "(regex_t *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**regparse]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regcomp", "(regex_t *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[*regparse]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regcomp", "(regex_t *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[*cflags]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regerror", "(int,const regex_t *,char *,size_t)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*1]", "Argument[*0].Field[**regbol]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*1]", "Argument[*0].Field[**reginput]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*1]", "Argument[*0].Field[**start]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*3]", "Argument[*0].Field[**pmatch]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[2]", "Argument[*0].Field[*nmatch]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[3]", "Argument[*0].Field[*pmatch]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[4]", "Argument[*0].Field[*eflags]", "value", "dfc-generated"]
+      - ["", "", True, "print_stack_union", "(FILE *,lemon *,int *,int)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[**4]", "ReturnValue[*].Field[***pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[*1]", "ReturnValue[*].Field[**zDb]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[*2]", "ReturnValue[*].Field[**zUri]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[*4]", "ReturnValue[*].Field[**pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zDb].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zUri].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[1]", "ReturnValue[*].Field[**zDb]", "taint", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[2]", "ReturnValue[*].Field[**zUri]", "taint", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[3]", "ReturnValue[*].Field[*xSql]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[4]", "ReturnValue[*].Field[*pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "registerUDFs", "(sqlite3 *,sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "registerUDFs", "(sqlite3 *,sqlite3 *)", "", "Argument[1]", "Argument[*1].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "rule_print", "(FILE *,rule *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sha1sum_file", "(const char *,char *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sha3sum_file", "(const char *,char *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "shellReset", "(int *,sqlite3_stmt *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3CompletionVtabInit", "(sqlite3 *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_aggregate_context", "(sqlite3_context *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_aggregate_context", "(sqlite3_context *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_aggregate_count", "(sqlite3_context *)", "", "Argument[*0].Field[**pMem].Field[*n]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[**2]", "Argument[*0].Field[***pAutovacPagesArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[*2]", "Argument[*0].Field[**pAutovacPagesArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*xAutovacPages]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[*pAutovacPagesArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[3]", "Argument[*0].Field[*xAutovacDestr]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_finish", "(sqlite3_backup *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_backup_init", "(sqlite3 *,const char *,sqlite3 *,const char *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_init", "(sqlite3 *,const char *,sqlite3 *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[*pDestDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_init", "(sqlite3 *,const char *,sqlite3 *,const char *)", "", "Argument[2]", "ReturnValue[*].Field[*pSrcDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_pagecount", "(sqlite3_backup *)", "", "Argument[*0].Field[*nPagecount]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_remaining", "(sqlite3_backup *)", "", "Argument[*0].Field[*nRemaining]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_step", "(sqlite3_backup *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_base64_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_base85_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_blob64", "(sqlite3_stmt *,int,const void *,sqlite3_uint64,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_blob", "(sqlite3_stmt *,int,const void *,int,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_double", "(sqlite3_stmt *,int,double)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_int64", "(sqlite3_stmt *,int,sqlite3_int64,sqlite_int64)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_int", "(sqlite3_stmt *,int,int)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_count", "(sqlite3_stmt *)", "", "Argument[*0].Field[*nVar]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_index", "(sqlite3_stmt *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_name", "(sqlite3_stmt *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_name", "(sqlite3_stmt *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[*2]", "Argument[*0].Field[**aVar].Field[**z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[**aVar].Field[*z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[4]", "Argument[*0].Field[**aVar].Field[*xDel]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_text16", "(sqlite3_stmt *,int,const void *,int,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_text64", "(sqlite3_stmt *,int,const char *,sqlite3_uint64,..(*)(..),unsigned char)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_text", "(sqlite3_stmt *,int,const char *,int,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_value", "(sqlite3_stmt *,int,const sqlite3_value *)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_zeroblob64", "(sqlite3_stmt *,int,sqlite3_uint64)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_zeroblob", "(sqlite3_stmt *,int,int)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_bytes", "(sqlite3_blob *)", "", "Argument[*0].Field[*nByte]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_close", "(sqlite3_blob *)", "", "Argument[*0].Field[**pStmt].Field[*rc]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*2]", "Argument[**6].Field[**pTab].Field[**zName]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*3]", "Argument[**6].Field[*iCol]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*3]", "Argument[**6].Field[*iOffset]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*3]", "Argument[**6].Field[*nByte]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[2]", "Argument[**6].Field[**pTab].Field[**zName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[3]", "Argument[**6].Field[*iCol]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[3]", "Argument[**6].Field[*iOffset]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[3]", "Argument[**6].Field[*nByte]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[2]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[3]", "Argument[*0].Field[**pCsr].Field[**aOverflow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[3]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_reopen", "(sqlite3_blob *,sqlite3_int64)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[2]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[3]", "Argument[*0].Field[**pCsr].Field[**aOverflow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[3]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[*busyHandler].Field[***pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[*busyHandler].Field[**pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*busyHandler].Field[*xBusyHandler]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*busyHandler].Field[*pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_timeout", "(sqlite3 *,int)", "", "Argument[*0]", "Argument[*0].Field[*busyHandler].Field[**pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_timeout", "(sqlite3 *,int)", "", "Argument[0]", "Argument[*0].Field[*busyHandler].Field[*pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_timeout", "(sqlite3 *,int)", "", "Argument[1]", "Argument[*0].Field[*busyTimeout]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_changes64", "(sqlite3 *)", "", "Argument[*0].Field[*nChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_changes", "(sqlite3 *)", "", "Argument[*0].Field[*nChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_close", "(sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[**1]", "Argument[*0].Field[***pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0].Field[**pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[*xCollNeeded16]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[**1]", "Argument[*0].Field[***pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0].Field[**pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[*xCollNeeded]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_blob", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_bytes16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_bytes", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_count", "(sqlite3_stmt *)", "", "Argument[*0].Field[*nResColumn]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_decltype16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_decltype", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_double", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_int64", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_int", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name16", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name16", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_text16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_text", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_type", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_value", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_value", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pCommitArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pCommitArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xCommitCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pCommitArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_compileoption_get", "(int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_completion_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_context_db_handle", "(sqlite3_context *)", "", "Argument[*0].Field[**pOut].Field[**db]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_context_db_handle", "(sqlite3_context *)", "", "Argument[*0].Field[**pOut].Field[*db]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_collation16", "(sqlite3 *,const void *,int,void *,..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_collation", "(sqlite3 *,const char *,int,void *,..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_collation_v2", "(sqlite3 *,const char *,int,void *,..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function16", "(sqlite3 *,const void *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function_v2", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function_v2", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function_v2", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_module", "(sqlite3 *,const char *,const sqlite3_module *,void *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module", "(sqlite3 *,const char *,const sqlite3_module *,void *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module", "(sqlite3 *,const char *,const sqlite3_module *,void *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module_v2", "(sqlite3 *,const char *,const sqlite3_module *,void *,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module_v2", "(sqlite3 *,const char *,const sqlite3_module *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module_v2", "(sqlite3 *,const char *,const sqlite3_module *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_window_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_window_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_window_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_data_count", "(sqlite3_stmt *)", "", "Argument[*0].Field[*nResColumn]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_handle", "(sqlite3_stmt *)", "", "Argument[*0].Field[**db]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_handle", "(sqlite3_stmt *)", "", "Argument[*0].Field[*db]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_mutex", "(sqlite3 *)", "", "Argument[*0].Field[**mutex]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_mutex", "(sqlite3 *)", "", "Argument[*0].Field[*mutex]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_name", "(sqlite3 *,int)", "", "Argument[*0].Field[**aDb].Field[**zDbSName]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_name", "(sqlite3 *,int)", "", "Argument[*0].Field[**aDb].Field[*zDbSName]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_status", "(sqlite3 *,int,int *,int *,int)", "", "Argument[1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_status", "(sqlite3 *,int,int *,int *,int)", "", "Argument[1]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_dbdata_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_decimal_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_declare_vtab", "(sqlite3 *,const char *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_deserialize", "(sqlite3 *,const char *,unsigned char *,sqlite3_int64,sqlite3_int64,unsigned int)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_errcode", "(sqlite3 *)", "", "Argument[*0].Field[*errCode]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_errcode", "(sqlite3 *)", "", "Argument[*0].Field[*errMask]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_errmsg16", "(sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_errmsg", "(sqlite3 *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_errmsg", "(sqlite3 *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_error_offset", "(sqlite3 *)", "", "Argument[*0].Field[*errByteOffset]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_errstr", "(int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[4]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expanded_sql", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_expert_analyze", "(sqlite3expert *,char **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_count", "(sqlite3expert *)", "", "Argument[*0].Field[**pStatement].Field[*iId]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_new", "(sqlite3 *,char **)", "", "Argument[0]", "ReturnValue[*].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_new", "(sqlite3 *,char **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_report", "(sqlite3expert *,int,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_expert_report", "(sqlite3expert *,int,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_expert_sql", "(sqlite3expert *,const char *,char **)", "", "Argument[*1]", "Argument[*0].Field[**pStatement].Field[**zSql]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_sql", "(sqlite3expert *,const char *,char **)", "", "Argument[1]", "Argument[*0].Field[**pStatement].Field[**zSql]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_sql", "(sqlite3expert *,const char *,char **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_extended_errcode", "(sqlite3 *)", "", "Argument[*0].Field[*errCode]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_file_control", "(sqlite3 *,const char *,int,void *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_fileio_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_database", "(const char *,sqlite3_filename)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_database", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_database", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_journal", "(const char *,sqlite3_filename)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_journal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_journal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_wal", "(const char *,sqlite3_filename)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_wal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_wal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_finalize", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_free_filename", "(const char *,sqlite3_filename)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_free_table", "(char **)", "", "Argument[*0]", "Argument[**0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_free_table", "(char **)", "", "Argument[0]", "Argument[**0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_free_table", "(char **)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_autocommit", "(sqlite3 *)", "", "Argument[*0].Field[*autoCommit]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_clientdata", "(sqlite3 *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_get_clientdata", "(sqlite3 *,const char *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_get_clientdata", "(sqlite3 *,const char *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[5]", "Argument[*5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_ieee_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_error", "(sqlite3_intck *,const char **)", "", "Argument[*0]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_error", "(sqlite3_intck *,const char **)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_error", "(sqlite3_intck *,const char **)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_message", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_message", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[*1]", "Argument[**2]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[0]", "Argument[**2].Field[**zDb].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[0]", "Argument[**2].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[1]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_step", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_test_sql", "(sqlite3_intck *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_test_sql", "(sqlite3_intck *,const char *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_unlock", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_keyword_name", "(int,const char **,int *)", "", "Argument[0]", "Argument[**1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_keyword_name", "(int,const char **,int *)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_keyword_name", "(int,const char **,int *)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_last_insert_rowid", "(sqlite3 *)", "", "Argument[*0].Field[*lastRowid]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[*0].Field[*aLimit]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[1]", "Argument[*0].Field[*aLimit]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[2]", "Argument[*0].Field[*aLimit]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_load_extension", "(sqlite3 *,const char *,const char *,char **)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_next_stmt", "(sqlite3 *,sqlite3_stmt *)", "", "Argument[*1].Field[**pVNext]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_next_stmt", "(sqlite3 *,sqlite3_stmt *)", "", "Argument[*1].Field[*pVNext]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_open16", "(const void *,sqlite3 **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_open_v2", "(const char *,sqlite3 **,int,const char *)", "", "Argument[2]", "Argument[**1].Field[*openFlags]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_overload_function", "(sqlite3 *,const char *,int)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_overload_function", "(sqlite3 *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_overload_function", "(sqlite3 *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_percentile_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[*1]", "Argument[**4]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[*1]", "Argument[**4]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[*1]", "Argument[**5]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[**5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[*5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[3]", "Argument[**4].Field[*prepFlags]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[*1]", "Argument[**4]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[*1]", "Argument[**4]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[*1]", "Argument[**5]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[**5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[*5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[3]", "Argument[**4].Field[*prepFlags]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pProfileArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pProfileArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xProfile]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pProfileArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[**3]", "Argument[*0].Field[***pProgressArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[*3]", "Argument[*0].Field[**pProgressArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*nProgressOps]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*xProgress]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[3]", "Argument[*0].Field[*pProgressArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_randomness", "(int,void *)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc64", "(void *,sqlite3_uint64)", "", "Argument[**0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc64", "(void *,sqlite3_uint64)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc64", "(void *,sqlite3_uint64)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc", "(void *,int)", "", "Argument[**0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc", "(void *,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc", "(void *,int)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_config", "(sqlite3_recover *,int,void *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_config", "(sqlite3_recover *,int,void *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_config", "(sqlite3_recover *,int,void *)", "", "Argument[2]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_errcode", "(sqlite3_recover *)", "", "Argument[*0].Field[*errCode]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_errmsg", "(sqlite3_recover *)", "", "Argument[*0].Field[**zErrMsg]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_errmsg", "(sqlite3_recover *)", "", "Argument[*0].Field[*zErrMsg]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_finish", "(sqlite3_recover *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[*1]", "ReturnValue[*].Field[**zDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[*2]", "ReturnValue[*].Field[**zUri]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[**zDb].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[**zUri].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[1]", "ReturnValue[*].Field[**zDb]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[2]", "ReturnValue[*].Field[**zUri]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[**3]", "ReturnValue[*].Field[***pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[*1]", "ReturnValue[*].Field[**zDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[*3]", "ReturnValue[*].Field[**pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zDb].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zUri].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[1]", "ReturnValue[*].Field[**zDb]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[2]", "ReturnValue[*].Field[*xSql]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[3]", "ReturnValue[*].Field[*pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_run", "(sqlite3_recover *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_step", "(sqlite3_recover *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_regexp_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_reset", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[*n]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[*n]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error_code", "(sqlite3_context *,int)", "", "Argument[1]", "Argument[*0].Field[*isError]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pRollbackArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pRollbackArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xRollbackCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pRollbackArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_geometry_callback", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_geometry_callback", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_geometry_callback", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_query_callback", "(sqlite3 *,const char *,..(*)(..),void *,..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_query_callback", "(sqlite3 *,const char *,..(*)(..),void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_query_callback", "(sqlite3 *,const char *,..(*)(..),void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_serialize", "(sqlite3 *,const char *,sqlite3_int64 *,unsigned int)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_series_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pAuthArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pAuthArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xAuth]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pAuthArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_clientdata", "(sqlite3 *,const char *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0].Field[**pDbData].Field[*zName]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_clientdata", "(sqlite3 *,const char *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[**pDbData].Field[*zName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_last_insert_rowid", "(sqlite3 *,sqlite3_int64)", "", "Argument[1]", "Argument[*0].Field[*lastRowid]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sha_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_shathree_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_snprintf", "(int,char *,const char *,...)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_snprintf", "(int,char *,const char *,...)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sql", "(sqlite3_stmt *)", "", "Argument[*0].Field[**zSql]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sql", "(sqlite3_stmt *)", "", "Argument[*0].Field[*zSql]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sqlar_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_status64", "(int,sqlite3_int64 *,sqlite3_int64 *,int)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_status64", "(int,sqlite3_int64 *,sqlite3_int64 *,int)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_status", "(int,int *,int *,int)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_status", "(int,int *,int *,int)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_step", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_step", "(sqlite3_stmt *)", "", "Argument[0]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_step", "(sqlite3_stmt *)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_stmt_explain", "(sqlite3_stmt *,int)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_explain", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[*explain]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_explain", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[*nResColumn]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_isexplain", "(sqlite3_stmt *)", "", "Argument[*0].Field[*explain]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_readonly", "(sqlite3_stmt *)", "", "Argument[*0].Field[*readOnly]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_status", "(sqlite3_stmt *,int,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmtrand_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendall", "(sqlite3_str *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendall", "(sqlite3_str *,const char *)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendchar", "(sqlite3_str *,int,char)", "", "Argument[1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendchar", "(sqlite3_str *,int,char)", "", "Argument[2]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_errcode", "(sqlite3_str *)", "", "Argument[*0].Field[*accError]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_finish", "(sqlite3_str *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_str_finish", "(sqlite3_str *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_str_length", "(sqlite3_str *)", "", "Argument[*0].Field[*nChar]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_new", "(sqlite3 *)", "", "Argument[*0].Field[*aLimit]", "ReturnValue[*].Field[*mxAlloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_value", "(sqlite3_str *)", "", "Argument[*0].Field[**zText]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_value", "(sqlite3_str *)", "", "Argument[*0].Field[*zText]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[*1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[*1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strglob", "(const char *,const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[*0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[*1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strlike", "(const char *,const char *,unsigned int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[*1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_system_errno", "(sqlite3 *)", "", "Argument[*0].Field[*iSysErrno]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_table_column_metadata", "(sqlite3 *,const char *,const char *,const char *,const char **,const char **,int *,int *,int *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_total_changes64", "(sqlite3 *)", "", "Argument[*0].Field[*nTotalChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_total_changes", "(sqlite3 *)", "", "Argument[*0].Field[*nTotalChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*trace].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[**3]", "Argument[*0].Field[***pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[*3]", "Argument[*0].Field[**pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*mTrace]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*trace].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[3]", "Argument[*0].Field[*pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_transfer_bindings", "(sqlite3_stmt *,sqlite3_stmt *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_uint_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pUpdateArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pUpdateArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xUpdateCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pUpdateArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_boolean", "(const char *,sqlite3_filename,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_boolean", "(const char *,sqlite3_filename,const char *,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_boolean", "(const char *,sqlite3_filename,const char *,int)", "", "Argument[2]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_int64", "(const char *,sqlite3_filename,const char *,sqlite3_int64)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_int64", "(const char *,sqlite3_filename,const char *,sqlite3_int64)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_int64", "(const char *,sqlite3_filename,const char *,sqlite3_int64)", "", "Argument[2]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_key", "(const char *,sqlite3_filename,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_key", "(const char *,sqlite3_filename,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_key", "(const char *,sqlite3_filename,int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_parameter", "(const char *,sqlite3_filename,const char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_parameter", "(const char *,sqlite3_filename,const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_parameter", "(const char *,sqlite3_filename,const char *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_user_data", "(sqlite3_context *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_user_data", "(sqlite3_context *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_user_data", "(sqlite3_context *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_blob", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_blob", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_bytes16", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_bytes", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_double", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_dup", "(const sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_value_dup", "(const sqlite3_value *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_encoding", "(sqlite3_value *)", "", "Argument[*0].Field[*enc]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_frombind", "(sqlite3_value *)", "", "Argument[*0].Field[*flags]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_int64", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_int", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_numeric_type", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_pointer", "(sqlite3_value *,const char *)", "", "Argument[*0].Field[**z]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_pointer", "(sqlite3_value *,const char *)", "", "Argument[*0].Field[*z]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_subtype", "(sqlite3_value *)", "", "Argument[*0].Field[*eSubtype]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_text16", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16be", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16be", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16le", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16le", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_type", "(sqlite3_value *)", "", "Argument[*0].Field[*flags]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vmprintf", "(const char *,va_list)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vsnprintf", "(int,char *,const char *,va_list)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vsnprintf", "(int,char *,const char *,va_list)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vsnprintf", "(int,char *,const char *,va_list)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_collation", "(sqlite3_index_info *,int)", "", "Argument[0]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_vtab_distinct", "(sqlite3_index_info *)", "", "Argument[*0].Field[*eDistinct]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in", "(sqlite3_index_info *,int,int)", "", "Argument[1]", "Argument[*0].Field[*mHandleIn]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_first", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[**pOut]", "Argument[**1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_first", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[*pOut]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_next", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[**pOut]", "Argument[**1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_next", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[*pOut]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_on_conflict", "(sqlite3 *)", "", "Argument[*0].Field[*vtabOnConflict]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_rhs_value", "(sqlite3_index_info *,int,sqlite3_value **)", "", "Argument[1]", "Argument[*0].Field[*aRhs]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_rhs_value", "(sqlite3_index_info *,int,sqlite3_value **)", "", "Argument[1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_autocheckpoint", "(sqlite3 *,int)", "", "Argument[1]", "Argument[*0].Field[*pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_checkpoint", "(sqlite3 *,const char *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_checkpoint_v2", "(sqlite3 *,const char *,int,int *,int *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xWalCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_zipfile_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "statecmp", "(config *,config *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "statecmp", "(config *,config *)", "", "Argument[*1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "statehash", "(config *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "strhash", "(const char *)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "strhash", "(const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_linedir", "(FILE *,int,char *)", "", "Argument[1]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_linedir", "(FILE *,int,char *)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[*1].Field[*outname]", "Argument[*1].Field[**outname]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[*3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_skip_header", "(FILE *,int *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[*0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[*1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "useDummyCS", "(void *,sqlite3 *,int,const char *)", "", "Argument[1]", "Argument[*1].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "utf8_fromunicode", "(char *,unsigned int)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "utf8_fromunicode", "(char *,unsigned int)", "", "Argument[1]", "Argument[*0]", "value", "dfc-generated"]
+      - ["", "", True, "zSkipValidUtf8", "(const char *,int,long)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "zSkipValidUtf8", "(const char *,int,long)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "zSkipValidUtf8", "(const char *,int,long)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.3.1
+version: 5.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -98,19 +98,6 @@ class Node extends TNode {
   /** Gets the location of this element. */
   Location getLocation() { none() } // overridden by subclasses
 
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  deprecated predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
   /**
    * Gets an upper bound on the type of this node.
    */

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -22,7 +22,11 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 
   ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
 
-  ReturnKind getStandardReturnValueKind() { result.(NormalReturnKind).getIndirectionIndex() = 0 }
+  ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") }
+
+  ReturnKind getReturnValueKind(string arg) {
+    arg = repeatStars(result.(NormalReturnKind).getIndirectionIndex())
+  }
 
   string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1143,6 +1143,10 @@ private newtype TDataFlowCall =
     FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
   }
 
+private predicate summarizedCallableIsManual(SummarizedCallable sc) {
+  sc.asSummarizedCallable().applyManualModel()
+}
+
 /**
  * A function call relevant for data flow. This includes calls from source
  * code and calls inside library callables with a flow summary.
@@ -1164,15 +1168,27 @@ class DataFlowCall extends TDataFlowCall {
   Function getStaticCallSourceTarget() { none() }
 
   /**
-   * Gets the target of this call. If a summarized callable exists for the
-   * target this is chosen, and otherwise the callable is the implementation
-   * from the source code.
+   * Gets the target of this call. We use the following strategy for deciding
+   * between the source callable and a summarized callable:
+   * - If there is a manual summary then we always use the manual summary.
+   * - If there is a source callable and we only have generated summaries
+   * we use the source callable.
+   * - If there is no source callable then we use the summary regardless of
+   * whether is it manual or generated.
    */
-  DataFlowCallable getStaticCallTarget() {
+  final DataFlowCallable getStaticCallTarget() {
     exists(Function target | target = this.getStaticCallSourceTarget() |
-      not exists(TSummarizedCallable(target)) and
+      // Don't use the source callable if there is a manual model for the
+      // target
+      not exists(SummarizedCallable sc |
+        sc.asSummarizedCallable() = target and
+        summarizedCallableIsManual(sc)
+      ) and
       result.asSourceCallable() = target
       or
+      // When there is no function body, or when we have a manual model then
+      // we dispatch to the summary.
+      (not target.hasDefinition() or summarizedCallableIsManual(result)) and
       result.asSummarizedCallable() = target
     )
   }
@@ -1887,6 +1903,10 @@ module IteratorFlow {
     predicate allowFlowIntoUncertainDef(IteratorSsa::UncertainWriteDefinition def) { any() }
 
     class Guard extends Void {
+      predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+        none()
+      }
+
       predicate controlsBranchEdge(
         SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch
       ) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -538,19 +538,6 @@ class Node extends TIRDataFlowNode {
     none() // overridden by subclasses
   }
 
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  deprecated predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
   /** Gets a textual representation of this element. */
   cached
   final string toString() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll

@@ -45,6 +45,28 @@ private module Cached {
     )
   }
 
+  private Expr getRankedElementExpr(ArrayAggregateLiteral aggr, int rnk) {
+    result =
+      rank[rnk + 1](Expr e, int elementIndex, int position |
+        e = aggr.getElementExpr(elementIndex, position)
+      |
+        e order by elementIndex, position
+      )
+  }
+
+  private class LastArrayAggregateStore extends StoreInstruction {
+    ArrayAggregateLiteral aggr;
+
+    LastArrayAggregateStore() {
+      exists(int rnk |
+        this.getSourceValue().getUnconvertedResultExpression() = getRankedElementExpr(aggr, rnk) and
+        not exists(getRankedElementExpr(aggr, rnk + 1))
+      )
+    }
+
+    ArrayAggregateLiteral getArrayAggregateLiteral() { result = aggr }
+  }
+
   private Expr getConvertedResultExpressionImpl0(Instruction instr) {
     // IR construction inserts an additional cast to a `size_t` on the extent
     // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
@@ -95,6 +117,16 @@ private module Cached {
       tco.producesExprResult() and
       result = asDefinitionImpl0(instr)
     )
+    or
+    // IR construction breaks an array aggregate literal `{1, 2, 3}` into a
+    // sequence of `StoreInstruction`s. So there's no instruction `i` for which
+    // `i.getUnconvertedResultExpression() instanceof ArrayAggregateLiteral`.
+    // So we map the instruction node corresponding to the last `Store`
+    // instruction of the sequence to the result of the array aggregate
+    // literal. This makes sense since this store will immediately flow into
+    // the indirect node representing the array. So this node does represent
+    // the array after it has been fully initialized.
+    result = instr.(LastArrayAggregateStore).getArrayAggregateLiteral()
   }
 
   private Expr getConvertedResultExpressionImpl(Instruction instr) {
@@ -264,6 +296,41 @@ private module Cached {
     e = getConvertedResultExpression(node.asInstruction(), n)
   }
 
+  /**
+   * The IR doesn't have an instruction `i` for which this holds:
+   * ```
+   * i.getUnconvertedResultExpression() instanceof ClassAggregateLiteral
+   * ```
+   * and thus we don't automatically get a dataflow node for which:
+   * ```
+   * node.asExpr() instanceof ClassAggregateLiteral
+   * ```
+   * This is because the IR represents a `ClassAggregateLiteral` as a sequence
+   * of field writes. To work around this we map `asExpr` on the
+   * `PostUpdateNode` for the last field write to the class aggregate literal.
+   */
+  private class ClassAggregateInitializerPostUpdateNode extends PostFieldUpdateNode {
+    ClassAggregateLiteral aggr;
+
+    ClassAggregateInitializerPostUpdateNode() {
+      exists(Node node1, FieldContent fc, int position, StoreInstruction store |
+        store.getSourceValue().getUnconvertedResultExpression() =
+          aggr.getFieldExpr(fc.getField(), position) and
+        node1.asInstruction() = store and
+        // This is the last field write from the aggregate initialization.
+        not exists(aggr.getFieldExpr(_, position + 1)) and
+        storeStep(node1, fc, this)
+      )
+    }
+
+    ClassAggregateLiteral getClassAggregateLiteral() { result = aggr }
+  }
+
+  private predicate exprNodeShouldBePostUpdateNode(Node node, Expr e, int n) {
+    node.(ClassAggregateInitializerPostUpdateNode).getClassAggregateLiteral() = e and
+    n = 0
+  }
+
   /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
   private predicate indirectExprNodeShouldBeIndirectInstruction(
     IndirectInstruction node, Expr e, int n, int indirectionIndex
@@ -294,7 +361,8 @@ private module Cached {
     exprNodeShouldBeInstruction(_, e, n) or
     exprNodeShouldBeOperand(_, e, n) or
     exprNodeShouldBeIndirectOutNode(_, e, n) or
-    exprNodeShouldBeIndirectOperand(_, e, n)
+    exprNodeShouldBeIndirectOperand(_, e, n) or
+    exprNodeShouldBePostUpdateNode(_, e, n)
   }
 
   private class InstructionExprNode extends ExprNodeBase, InstructionNode {
@@ -442,6 +510,12 @@ private module Cached {
     final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOperand(this, result, n) }
   }
 
+  private class PostUpdateExprNode extends ExprNodeBase instanceof PostUpdateNode {
+    PostUpdateExprNode() { exprNodeShouldBePostUpdateNode(this, _, _) }
+
+    final override Expr getConvertedExpr(int n) { exprNodeShouldBePostUpdateNode(this, result, n) }
+  }
+
   /**
    * An expression, viewed as a node in a data flow graph.
    */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -991,13 +991,17 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
   class Guard instanceof IRGuards::IRGuardCondition {
     string toString() { result = super.toString() }
 
-    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+    predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
       exists(EdgeKind kind |
         super.getBlock() = bb1 and
         kind = getConditionalEdge(branch) and
         bb1.getSuccessor(kind) = bb2
       )
     }
+
+    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+      this.hasBranchEdge(bb1, bb2, branch)
+    }
   }
 
   predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {

cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll

@@ -67,8 +67,13 @@ class Class = Cpp::Class; // Used for inheritance conversions
 predicate hasCaseEdge(string minValue, string maxValue) { hasCaseEdge(_, minValue, maxValue) }
 
 predicate hasPositionalArgIndex(int argIndex) {
-  exists(Cpp::FunctionCall call | exists(call.getArgument(argIndex))) or
+  exists(Cpp::FunctionCall call | exists(call.getArgument(argIndex)))
+  or
   exists(Cpp::BuiltInOperation op | exists(op.getChild(argIndex)))
+  or
+  // Ensure we are always able to output the argument of a call to the delete operator.
+  exists(Cpp::DeleteExpr d) and
+  argIndex = 0
 }
 
 predicate hasAsmOperandIndex(int operandIndex) {

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll

@@ -10,7 +10,7 @@ private import SemanticExprSpecific::SemanticExprConfig as Specific
  */
 class SemBasicBlock extends Specific::BasicBlock {
   /** Holds if this block (transitively) dominates `otherblock`. */
-  final predicate bbDominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
+  final predicate dominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
 
   /** Gets an expression that is evaluated in this basic block. */
   final SemExpr getAnExpr() { result.getBasicBlock() = this }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll

@@ -264,10 +264,6 @@ module SemanticExprConfig {
 
   Guard comparisonGuard(Expr e) { getSemanticExpr(result) = e }
 
-  predicate implies_v2(Guard g1, boolean b1, Guard g2, boolean b2) {
-    none() // TODO
-  }
-
   /** Gets the expression associated with `instr`. */
   SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticGuard.qll

@@ -18,11 +18,11 @@ class SemGuard instanceof Specific::Guard {
     Specific::equalityGuard(this, e1, e2, polarity)
   }
 
-  final predicate directlyControls(SemBasicBlock controlled, boolean branch) {
+  final predicate controls(SemBasicBlock controlled, boolean branch) {
     Specific::guardDirectlyControlsBlock(this, controlled, branch)
   }
 
-  final predicate hasBranchEdge(SemBasicBlock bb1, SemBasicBlock bb2, boolean branch) {
+  final predicate controlsBranchEdge(SemBasicBlock bb1, SemBasicBlock bb2, boolean branch) {
     Specific::guardHasBranchEdge(this, bb1, bb2, branch)
   }
 
@@ -31,8 +31,4 @@ class SemGuard instanceof Specific::Guard {
   final SemExpr asExpr() { result = Specific::getGuardAsExpr(this) }
 }
 
-predicate semImplies_v2(SemGuard g1, boolean b1, SemGuard g2, boolean b2) {
-  Specific::implies_v2(g1, b1, g2, b2)
-}
-
 SemGuard semGetComparisonGuard(SemRelationalExpr e) { result = Specific::comparisonGuard(e) }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll

@@ -77,8 +77,6 @@ module Sem implements Semantic<SemLocation> {
 
   class Guard = SemGuard;
 
-  predicate implies_v2 = semImplies_v2/4;
-
   class Type = SemType;
 
   class IntegerType = SemIntegerType;

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -55,12 +55,12 @@ private class LocalModelSource extends LocalFlowSource {
 }
 
 /**
- * A local data flow source that the `argv` parameter to `main`.
+ * A local data flow source that is the `argv` parameter to `main` or `wmain`.
  */
 private class ArgvSource extends LocalFlowSource {
   ArgvSource() {
     exists(Function main, Parameter argv |
-      main.hasGlobalName("main") and
+      main.hasGlobalName(["main", "wmain"]) and
       main.getParameter(1) = argv and
       this.asParameter(2) = argv
     )
@@ -69,6 +69,21 @@ private class ArgvSource extends LocalFlowSource {
   override string getSourceType() { result = "a command-line argument" }
 }
 
+/**
+ * A local data flow source that is the `pCmdLine` parameter to `WinMain` or `wWinMain`.
+ */
+private class CmdLineSource extends LocalFlowSource {
+  CmdLineSource() {
+    exists(Function main, Parameter pCmdLine |
+      main.hasGlobalName(["WinMain", "wWinMain"]) and
+      main.getParameter(2) = pCmdLine and
+      this.asParameter(1) = pCmdLine
+    )
+  }
+
+  override string getSourceType() { result = "a command-line" }
+}
+
 /**
  * A remote data flow source that is defined through 'models as data'.
  */

cpp/ql/lib/semmle/code/cpp/security/Security.qll

@@ -42,58 +42,6 @@ class SecurityOptions extends string {
     )
   }
 
-  /**
-   * The argument of the given function is filled in from user input.
-   */
-  deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
-    exists(string fname |
-      functionCall.getTarget().hasGlobalOrStdName(fname) and
-      exists(functionCall.getArgument(arg)) and
-      (
-        fname = ["fread", "fgets", "fgetws", "gets"] and arg = 0
-        or
-        fname = "scanf" and arg >= 1
-        or
-        fname = "fscanf" and arg >= 2
-      )
-      or
-      functionCall.getTarget().hasGlobalName(fname) and
-      exists(functionCall.getArgument(arg)) and
-      fname = "getaddrinfo" and
-      arg = 3
-    )
-    or
-    exists(RemoteFlowSourceFunction remote, FunctionOutput output |
-      functionCall.getTarget() = remote and
-      output.isParameterDerefOrQualifierObject(arg) and
-      remote.hasRemoteFlowSource(output, _)
-    )
-  }
-
-  /**
-   * The return value of the given function is filled in from user input.
-   */
-  deprecated predicate userInputReturned(FunctionCall functionCall) {
-    exists(string fname |
-      functionCall.getTarget().getName() = fname and
-      (
-        fname = ["fgets", "gets"] or
-        this.userInputReturn(fname)
-      )
-    )
-    or
-    exists(RemoteFlowSourceFunction remote, FunctionOutput output |
-      functionCall.getTarget() = remote and
-      (output.isReturnValue() or output.isReturnValueDeref()) and
-      remote.hasRemoteFlowSource(output, _)
-    )
-  }
-
-  /**
-   * DEPRECATED: Users should override `userInputReturned()` instead.
-   */
-  deprecated predicate userInputReturn(string function) { none() }
-
   /**
    * The argument of the given function is used for running a process or loading
    * a library.
@@ -108,29 +56,6 @@ class SecurityOptions extends string {
     function = ["LoadLibrary", "LoadLibraryA", "LoadLibraryW"] and arg = 0
   }
 
-  /**
-   * This predicate should hold if the expression is directly
-   * computed from user input. Such expressions are treated as
-   * sources of taint.
-   */
-  deprecated predicate isUserInput(Expr expr, string cause) {
-    exists(FunctionCall fc, int i |
-      this.userInputArgument(fc, i) and
-      expr = fc.getArgument(i) and
-      cause = fc.getTarget().getName()
-    )
-    or
-    exists(FunctionCall fc |
-      this.userInputReturned(fc) and
-      expr = fc and
-      cause = fc.getTarget().getName()
-    )
-    or
-    commandLineArg(expr) and cause = "argv"
-    or
-    expr.(EnvironmentRead).getSourceDescription() = cause
-  }
-
   /**
    * This predicate should hold if the expression raises privilege for the
    * current session. The default definition only holds true for some
@@ -152,16 +77,6 @@ class SecurityOptions extends string {
   }
 }
 
-/**
- * An access to the argv argument to main().
- */
-private predicate commandLineArg(Expr e) {
-  exists(Parameter argv |
-    argv(argv) and
-    argv.getAnAccess() = e
-  )
-}
-
 /** The argv parameter to the main function */
 predicate argv(Parameter argv) {
   exists(Function f |
@@ -173,21 +88,6 @@ predicate argv(Parameter argv) {
 /** Convenience accessor for SecurityOptions.isPureFunction */
 predicate isPureFunction(string name) { exists(SecurityOptions opts | opts.isPureFunction(name)) }
 
-/** Convenience accessor for SecurityOptions.userInputArgument */
-deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
-  exists(SecurityOptions opts | opts.userInputArgument(functionCall, arg))
-}
-
-/** Convenience accessor for SecurityOptions.userInputReturn */
-deprecated predicate userInputReturned(FunctionCall functionCall) {
-  exists(SecurityOptions opts | opts.userInputReturned(functionCall))
-}
-
-/** Convenience accessor for SecurityOptions.isUserInput */
-deprecated predicate isUserInput(Expr expr, string cause) {
-  exists(SecurityOptions opts | opts.isUserInput(expr, cause))
-}
-
 /** Convenience accessor for SecurityOptions.isProcessOperationArgument */
 predicate isProcessOperationArgument(string function, int arg) {
   exists(SecurityOptions opts | opts.isProcessOperationArgument(function, arg))

cpp/ql/lib/semmle/code/cpp/security/SecurityOptions.qll

@@ -22,28 +22,4 @@ class CustomSecurityOptions extends SecurityOptions {
     // for example: (function = "MySpecialSqlFunction" and arg = 0)
     none() // rules to match custom functions replace this line
   }
-
-  deprecated override predicate userInputArgument(FunctionCall functionCall, int arg) {
-    SecurityOptions.super.userInputArgument(functionCall, arg)
-    or
-    exists(string fname |
-      functionCall.getTarget().hasGlobalName(fname) and
-      exists(functionCall.getArgument(arg)) and
-      // --- custom functions that return user input via one of their arguments:
-      // 'arg' is the 0-based index of the argument that is used to return user input
-      // for example: (fname = "readXmlInto" and arg = 1)
-      none() // rules to match custom functions replace this line
-    )
-  }
-
-  deprecated override predicate userInputReturned(FunctionCall functionCall) {
-    SecurityOptions.super.userInputReturned(functionCall)
-    or
-    exists(string fname |
-      functionCall.getTarget().hasGlobalName(fname) and
-      // --- custom functions that return user input via their return value:
-      // for example: fname = "xmlReadAttribute"
-      none() // rules to match custom functions replace this line
-    )
-  }
 }

cpp/ql/lib/utils/test/dataflow/FlowTestCommon.qll

@@ -26,7 +26,7 @@ module IRFlowTest<IRDataFlow::GlobalFlowSig Flow> implements TestSig {
       n =
         strictcount(int line, int column |
           Flow::flow(any(IRDataFlow::Node otherSource |
-              otherSource.hasLocationInfo(_, line, column, _, _)
+              otherSource.getLocation().hasLocationInfo(_, line, column, _, _)
             ), sink)
         ) and
       (
@@ -55,7 +55,7 @@ module AstFlowTest<AstDataFlow::GlobalFlowSig Flow> implements TestSig {
       n =
         strictcount(int line, int column |
           Flow::flow(any(AstDataFlow::Node otherSource |
-              otherSource.hasLocationInfo(_, line, column, _, _)
+              otherSource.getLocation().hasLocationInfo(_, line, column, _, _)
             ), sink)
         ) and
       (

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.4.1
+
+### Minor Analysis Improvements
+
+* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
+
 ## 1.4.0
 
 ### Query Metadata Changes

cpp/ql/src/change-notes/released/1.4.1.md

@@ -0,0 +1,5 @@
+## 1.4.1
+
+### Minor Analysis Improvements
+
+* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.0
+lastReleaseVersion: 1.4.1

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.0
+version: 1.4.1
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql

@@ -10,5 +10,5 @@ import internal.CaptureModels
 import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
-where flow = ContentSensitive::captureFlow(api, _)
+where flow = ContentSensitive::captureFlow(api, _, _, _, _)
 select flow order by flow

cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -13,6 +13,8 @@ private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
 private import semmle.code.cpp.dataflow.new.TaintTracking as Tt
 private import semmle.code.cpp.dataflow.new.DataFlow as Df
 private import codeql.mad.modelgenerator.internal.ModelGeneratorImpl
+private import semmle.code.cpp.models.interfaces.Taint as Taint
+private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
 
 /**
  * Holds if `f` is a "private" function.
@@ -45,6 +47,26 @@ private predicate isUninterestingForModels(Callable api) {
   api = any(Cpp::LambdaExpression lambda).getLambdaFunction()
   or
   api.isFromUninstantiatedTemplate(_)
+  or
+  // No need to generate models for functions modeled by hand in QL
+  api instanceof Taint::TaintFunction
+  or
+  api instanceof DataFlow::DataFlowFunction
+  or
+  // Don't generate models for main functions
+  api.hasGlobalName("main")
+  or
+  // Don't generate models for system-provided functions. If we want to
+  // generate models for these we should use a database containing the
+  // implementations of those system-provided functions in the source root.
+  not exists(api.getLocation().getFile().getRelativePath())
+  or
+  // Exclude functions in test directories (but not the ones in the CodeQL test directory)
+  exists(Cpp::File f |
+    f = api.getFile() and
+    f.getAbsolutePath().matches("%test%") and
+    not f.getAbsolutePath().matches("%test/library-tests/dataflow/modelgenerator/dataflow/%")
+  )
 }
 
 private predicate relevant(Callable api) {
@@ -189,15 +211,15 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
     )
   }
 
-  string parameterAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+  string parameterApproximateAccess(Parameter p) { parameterContentAccessImpl(p, result) }
 
-  string parameterContentAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+  string parameterExactAccess(Parameter p) { parameterContentAccessImpl(p, result) }
 
   bindingset[c]
-  string paramReturnNodeAsOutput(Callable c, DataFlowPrivate::Position pos) {
+  string paramReturnNodeAsExactOutput(Callable c, DataFlowPrivate::Position pos) {
     exists(Parameter p |
       p.isSourceParameterOf(c, pos) and
-      result = parameterAccess(p)
+      result = parameterExactAccess(p)
     )
     or
     pos.getArgumentIndex() = -1 and
@@ -206,8 +228,8 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
   }
 
   bindingset[c]
-  string paramReturnNodeAsContentOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
-    result = paramReturnNodeAsOutput(c, pos)
+  string paramReturnNodeAsApproximateOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
+    result = paramReturnNodeAsExactOutput(c, pos)
   }
 
   pragma[nomagic]

cpp/ql/test/library-tests/dataflow/asExpr/test.cpp

@@ -21,3 +21,20 @@ A& get_ref();
 void test2() {
   take_ref(get_ref()); // $ asExpr="call to get_ref" asIndirectExpr="call to get_ref"
 }
+
+struct S {
+  int a;
+  int b;
+};
+
+void test_aggregate_literal() {
+  S s1 = {1, 2}; // $ asExpr=1 asExpr=2 asExpr={...}
+  const S s2 = {3, 4}; // $ asExpr=3 asExpr=4 asExpr={...}
+  S s3 = (S){5, 6}; // $ asExpr=5 asExpr=6 asExpr={...}
+  const S s4 = (S){7, 8}; // $ asExpr=7 asExpr=8 asExpr={...}
+
+  S s5 = {.a = 1, .b = 2}; // $ asExpr=1 asExpr=2 asExpr={...}
+
+  int xs[] = {1, 2, 3}; // $ asExpr=1 asExpr=2 asExpr=3 asExpr={...}
+  const int ys[] = {[0] = 4, [1] = 5, [0] = 6}; // $ asExpr=4 asExpr=5 asExpr=6 asExpr={...}
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/TestBase.qll

@@ -124,7 +124,11 @@ module IRTest {
 
   /** Common data flow configuration to be used by tests. */
   module IRTestAllocationConfig implements DataFlow::ConfigSig {
+    private import semmle.code.cpp.security.FlowSources
+
     predicate isSource(DataFlow::Node source) {
+      source instanceof FlowSource
+      or
       source.asExpr().(FunctionCall).getTarget().getName() = "source"
       or
       source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected

@@ -17,7 +17,6 @@
 | example.c:17:11:17:16 | *definition of coords | example.c:17:11:17:16 | *definition of coords |
 | example.c:17:11:17:16 | *definition of coords | example.c:17:11:17:16 | *definition of coords |
 | example.c:17:11:17:16 | *definition of coords | example.c:24:13:24:18 | *coords |
-| example.c:17:11:17:16 | *definition of coords [post update] | example.c:17:11:17:16 | *definition of coords |
 | example.c:17:11:17:16 | *definition of coords [post update] | example.c:24:13:24:18 | *coords |
 | example.c:17:11:17:16 | definition of coords | example.c:17:11:17:16 | *definition of coords |
 | example.c:17:11:17:16 | definition of coords | example.c:17:11:17:16 | definition of coords |
@@ -27,6 +26,7 @@
 | example.c:17:11:17:16 | definition of coords | example.c:24:13:24:18 | coords |
 | example.c:17:11:17:16 | definition of coords [post update] | example.c:17:11:17:16 | definition of coords |
 | example.c:17:11:17:16 | definition of coords [post update] | example.c:24:13:24:18 | coords |
+| example.c:17:11:17:16 | {...} | example.c:17:11:17:16 | *definition of coords |
 | example.c:17:19:17:22 | {...} | example.c:17:19:17:22 | {...} |
 | example.c:17:21:17:21 | 0 | example.c:17:21:17:21 | 0 |
 | example.c:19:6:19:6 | *b | example.c:15:37:15:37 | *b |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -337,3 +337,4 @@ irFlow
 | true_upon_entry.cpp:70:11:70:16 | call to source | true_upon_entry.cpp:78:8:78:8 | x |
 | true_upon_entry.cpp:83:11:83:16 | call to source | true_upon_entry.cpp:86:8:86:8 | x |
 | true_upon_entry.cpp:98:11:98:16 | call to source | true_upon_entry.cpp:105:8:105:8 | x |
+| winmain.cpp:4:57:4:64 | *pCmdLine | winmain.cpp:6:8:6:16 | * ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/winmain.cpp

@@ -0,0 +1,9 @@
+void sink(char);
+void sink(char*);
+
+int WinMain(void *hInstance, void *hPrevInstance, char *pCmdLine, int nCmdShow) { // $ ast-def=hInstance ast-def=hPrevInstance ast-def=pCmdLine ir-def=*hInstance ir-def=*hPrevInstance ir-def=*pCmdLine 
+  sink(pCmdLine);
+  sink(*pCmdLine); // $ ir
+
+  return 0;
+}

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -10,14 +10,95 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 |
-| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:969 |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:967  |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:968 |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance |  |
-| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance |  |
-| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:968 |
-| test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance |  |
-| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:969 |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:23508 |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:23509 |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:23510 |
+| test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance |  |
+| test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance |  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:23506  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:23507 |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:17:24:17:24 | x | provenance |  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:21:27:21:27 | x | provenance |  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:25:35:25:35 | x | provenance |  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:32:41:32:41 | x | provenance |  |
+| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance |  |
+| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:23507 |
+| test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance |  |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:23508 |
+| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance |  |
+| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:23507 |
+| test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance |  |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:23509 |
+| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance |  |
+| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:23507 |
+| test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance |  |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:23510 |
+| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
+| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:23507 |
+| test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance |  |
+| test.cpp:32:41:32:41 | x | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
+| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:341 |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:325  |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:27:36:27:38 | *cmd | provenance |  |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance |  |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:30:8:30:15 | * ... | provenance |  |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | provenance |  |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:341 |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | provenance | Src:MaD:327  |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:36:10:36:13 | * ... | provenance |  |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | windows.cpp:41:10:41:13 | * ... | provenance | Src:MaD:329  |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | provenance |  |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:343 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:343 |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | provenance |  |
+| windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | provenance |  |
+| windows.cpp:149:18:149:62 | *hEvent | windows.cpp:149:18:149:62 | *hEvent | provenance |  |
+| windows.cpp:149:18:149:62 | *hEvent | windows.cpp:151:8:151:14 | * ... | provenance |  |
+| windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | windows.cpp:149:18:149:62 | *hEvent | provenance |  |
+| windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | windows.cpp:149:56:149:61 | *hEvent | provenance |  |
+| windows.cpp:149:56:149:61 | *hEvent | windows.cpp:149:18:149:62 | *hEvent | provenance |  |
+| windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | provenance |  |
+| windows.cpp:159:12:159:55 | hEvent | windows.cpp:159:12:159:55 | hEvent | provenance |  |
+| windows.cpp:159:12:159:55 | hEvent | windows.cpp:160:8:160:8 | c | provenance |  |
+| windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
+| windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
+| windows.cpp:168:35:168:40 | ReadFile output argument | windows.cpp:170:10:170:16 | * ... | provenance | Src:MaD:331  |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | windows.cpp:179:10:179:16 | * ... | provenance | Src:MaD:332  |
+| windows.cpp:189:21:189:26 | ReadFile output argument | windows.cpp:190:5:190:56 | *... = ... | provenance | Src:MaD:331  |
+| windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | windows.cpp:192:53:192:63 | *& ... [*hEvent] | provenance |  |
+| windows.cpp:190:5:190:56 | *... = ... | windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | provenance |  |
+| windows.cpp:192:53:192:63 | *& ... [*hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | provenance |  |
+| windows.cpp:198:21:198:26 | ReadFile output argument | windows.cpp:199:5:199:57 | ... = ... | provenance | Src:MaD:331  |
+| windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | windows.cpp:201:53:201:63 | *& ... [hEvent] | provenance |  |
+| windows.cpp:199:5:199:57 | ... = ... | windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | provenance |  |
+| windows.cpp:201:53:201:63 | *& ... [hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | provenance |  |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | windows.cpp:211:10:211:16 | * ... | provenance | Src:MaD:340  |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:286:23:286:35 | *call to MapViewOfFile | provenance | Src:MaD:333  |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:287:20:287:52 | *pMapView | provenance |  |
+| windows.cpp:287:20:287:52 | *pMapView | windows.cpp:289:10:289:16 | * ... | provenance |  |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | provenance | Src:MaD:334  |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:294:20:294:52 | *pMapView | provenance |  |
+| windows.cpp:294:20:294:52 | *pMapView | windows.cpp:296:10:296:16 | * ... | provenance |  |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | provenance | Src:MaD:335  |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:303:20:303:52 | *pMapView | provenance |  |
+| windows.cpp:303:20:303:52 | *pMapView | windows.cpp:305:10:305:16 | * ... | provenance |  |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | provenance | Src:MaD:336  |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:312:20:312:52 | *pMapView | provenance |  |
+| windows.cpp:312:20:312:52 | *pMapView | windows.cpp:314:10:314:16 | * ... | provenance |  |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | provenance | Src:MaD:337  |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:319:20:319:52 | *pMapView | provenance |  |
+| windows.cpp:319:20:319:52 | *pMapView | windows.cpp:321:10:321:16 | * ... | provenance |  |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | provenance | Src:MaD:338  |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:326:20:326:52 | *pMapView | provenance |  |
+| windows.cpp:326:20:326:52 | *pMapView | windows.cpp:328:10:328:16 | * ... | provenance |  |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | provenance | Src:MaD:339  |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:333:20:333:52 | *pMapView | provenance |  |
+| windows.cpp:333:20:333:52 | *pMapView | windows.cpp:335:10:335:16 | * ... | provenance |  |
 nodes
 | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer |
 | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: ReturnValue in buffer |
@@ -31,15 +112,113 @@ nodes
 | asio_streams.cpp:100:64:100:71 | *send_str | semmle.label | *send_str |
 | asio_streams.cpp:101:7:101:17 | send_buffer | semmle.label | send_buffer |
 | asio_streams.cpp:103:29:103:39 | *send_buffer | semmle.label | *send_buffer |
-| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | semmle.label | [summary param] 0 in ymlStep |
-| test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | semmle.label | [summary] to write: ReturnValue in ymlStep |
-| test.cpp:7:10:7:18 | call to ymlSource | semmle.label | call to ymlSource |
-| test.cpp:7:10:7:18 | call to ymlSource | semmle.label | call to ymlSource |
-| test.cpp:11:10:11:10 | x | semmle.label | x |
-| test.cpp:13:10:13:16 | call to ymlStep | semmle.label | call to ymlStep |
-| test.cpp:13:10:13:16 | call to ymlStep | semmle.label | call to ymlStep |
-| test.cpp:13:18:13:18 | x | semmle.label | x |
-| test.cpp:15:10:15:10 | y | semmle.label | y |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | semmle.label | [summary param] 0 in ymlStepManual |
+| test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | semmle.label | [summary] to write: ReturnValue in ymlStepManual |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | semmle.label | [summary param] 0 in ymlStepGenerated |
+| test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | semmle.label | [summary] to write: ReturnValue in ymlStepGenerated |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | semmle.label | [summary param] 0 in ymlStepManual_with_body |
+| test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | semmle.label | [summary] to write: ReturnValue in ymlStepManual_with_body |
+| test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | semmle.label | *ymlStepGenerated_with_body |
+| test.cpp:7:47:7:52 | value2 | semmle.label | value2 |
+| test.cpp:7:64:7:69 | value2 | semmle.label | value2 |
+| test.cpp:10:10:10:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:10:10:10:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:14:10:14:10 | x | semmle.label | x |
+| test.cpp:17:10:17:22 | call to ymlStepManual | semmle.label | call to ymlStepManual |
+| test.cpp:17:10:17:22 | call to ymlStepManual | semmle.label | call to ymlStepManual |
+| test.cpp:17:24:17:24 | x | semmle.label | x |
+| test.cpp:18:10:18:10 | y | semmle.label | y |
+| test.cpp:21:10:21:25 | call to ymlStepGenerated | semmle.label | call to ymlStepGenerated |
+| test.cpp:21:10:21:25 | call to ymlStepGenerated | semmle.label | call to ymlStepGenerated |
+| test.cpp:21:27:21:27 | x | semmle.label | x |
+| test.cpp:22:10:22:10 | z | semmle.label | z |
+| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | semmle.label | call to ymlStepManual_with_body |
+| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | semmle.label | call to ymlStepManual_with_body |
+| test.cpp:25:35:25:35 | x | semmle.label | x |
+| test.cpp:26:10:26:11 | y2 | semmle.label | y2 |
+| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | semmle.label | call to ymlStepGenerated_with_body |
+| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | semmle.label | call to ymlStepGenerated_with_body |
+| test.cpp:32:41:32:41 | x | semmle.label | x |
+| test.cpp:33:10:33:11 | z2 | semmle.label | z2 |
+| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
+| windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
+| windows.cpp:24:8:24:11 | * ... | semmle.label | * ... |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | semmle.label | **call to CommandLineToArgvA |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | semmle.label | **call to CommandLineToArgvA |
+| windows.cpp:27:36:27:38 | *cmd | semmle.label | *cmd |
+| windows.cpp:30:8:30:15 | * ... | semmle.label | * ... |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | semmle.label | *call to GetEnvironmentStringsA |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | semmle.label | *call to GetEnvironmentStringsA |
+| windows.cpp:36:10:36:13 | * ... | semmle.label | * ... |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | semmle.label | GetEnvironmentVariableA output argument |
+| windows.cpp:41:10:41:13 | * ... | semmle.label | * ... |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | semmle.label | [summary param] *3 in ReadFileEx [*hEvent] |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | semmle.label | [summary param] *3 in ReadFileEx [hEvent] |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | semmle.label | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | semmle.label | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | semmle.label | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | semmle.label | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | semmle.label | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | semmle.label | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx |
+| windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | semmle.label | *lpOverlapped [*hEvent] |
+| windows.cpp:149:18:149:62 | *hEvent | semmle.label | *hEvent |
+| windows.cpp:149:18:149:62 | *hEvent | semmle.label | *hEvent |
+| windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | semmle.label | *lpOverlapped [*hEvent] |
+| windows.cpp:149:56:149:61 | *hEvent | semmle.label | *hEvent |
+| windows.cpp:151:8:151:14 | * ... | semmle.label | * ... |
+| windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | semmle.label | *lpOverlapped [hEvent] |
+| windows.cpp:159:12:159:55 | hEvent | semmle.label | hEvent |
+| windows.cpp:159:12:159:55 | hEvent | semmle.label | hEvent |
+| windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | semmle.label | *lpOverlapped [hEvent] |
+| windows.cpp:160:8:160:8 | c | semmle.label | c |
+| windows.cpp:168:35:168:40 | ReadFile output argument | semmle.label | ReadFile output argument |
+| windows.cpp:170:10:170:16 | * ... | semmle.label | * ... |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | semmle.label | ReadFileEx output argument |
+| windows.cpp:179:10:179:16 | * ... | semmle.label | * ... |
+| windows.cpp:189:21:189:26 | ReadFile output argument | semmle.label | ReadFile output argument |
+| windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | semmle.label | *overlapped [post update] [*hEvent] |
+| windows.cpp:190:5:190:56 | *... = ... | semmle.label | *... = ... |
+| windows.cpp:192:53:192:63 | *& ... [*hEvent] | semmle.label | *& ... [*hEvent] |
+| windows.cpp:198:21:198:26 | ReadFile output argument | semmle.label | ReadFile output argument |
+| windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | semmle.label | *overlapped [post update] [hEvent] |
+| windows.cpp:199:5:199:57 | ... = ... | semmle.label | ... = ... |
+| windows.cpp:201:53:201:63 | *& ... [hEvent] | semmle.label | *& ... [hEvent] |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | semmle.label | NtReadFile output argument |
+| windows.cpp:211:10:211:16 | * ... | semmle.label | * ... |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | semmle.label | *call to MapViewOfFile |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | semmle.label | *call to MapViewOfFile |
+| windows.cpp:287:20:287:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:289:10:289:16 | * ... | semmle.label | * ... |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | semmle.label | *call to MapViewOfFile2 |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | semmle.label | *call to MapViewOfFile2 |
+| windows.cpp:294:20:294:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:296:10:296:16 | * ... | semmle.label | * ... |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | semmle.label | *call to MapViewOfFile3 |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | semmle.label | *call to MapViewOfFile3 |
+| windows.cpp:303:20:303:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:305:10:305:16 | * ... | semmle.label | * ... |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | semmle.label | *call to MapViewOfFile3FromApp |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | semmle.label | *call to MapViewOfFile3FromApp |
+| windows.cpp:312:20:312:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:314:10:314:16 | * ... | semmle.label | * ... |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | semmle.label | *call to MapViewOfFileEx |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | semmle.label | *call to MapViewOfFileEx |
+| windows.cpp:319:20:319:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:321:10:321:16 | * ... | semmle.label | * ... |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | semmle.label | *call to MapViewOfFileFromApp |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | semmle.label | *call to MapViewOfFileFromApp |
+| windows.cpp:326:20:326:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:328:10:328:16 | * ... | semmle.label | * ... |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | semmle.label | *call to MapViewOfFileNuma2 |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | semmle.label | *call to MapViewOfFileNuma2 |
+| windows.cpp:333:20:333:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:335:10:335:16 | * ... | semmle.label | * ... |
 subpaths
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | asio_streams.cpp:100:44:100:62 | call to buffer |
-| test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | test.cpp:13:10:13:16 | call to ymlStep |
+| test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual |
+| test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated |
+| test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
+| test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -13,4 +13,7 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "", False, "ymlStep", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "ymlStepManual", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "ymlStepGenerated", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -1,5 +1,10 @@
 | asio_streams.cpp:93:29:93:39 | *recv_buffer | remote-sink |
 | asio_streams.cpp:103:29:103:39 | *send_buffer | remote-sink |
-| test.cpp:9:10:9:10 | 0 | test-sink |
-| test.cpp:11:10:11:10 | x | test-sink |
-| test.cpp:15:10:15:10 | y | test-sink |
+| test.cpp:12:10:12:10 | 0 | test-sink |
+| test.cpp:14:10:14:10 | x | test-sink |
+| test.cpp:18:10:18:10 | y | test-sink |
+| test.cpp:22:10:22:10 | z | test-sink |
+| test.cpp:26:10:26:11 | y2 | test-sink |
+| test.cpp:29:10:29:11 | y3 | test-sink |
+| test.cpp:33:10:33:11 | z2 | test-sink |
+| test.cpp:36:10:36:11 | z3 | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -1,2 +1,19 @@
 | asio_streams.cpp:87:34:87:44 | read_until output argument | remote |
-| test.cpp:7:10:7:18 | call to ymlSource | local |
+| test.cpp:10:10:10:18 | call to ymlSource | local |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |
+| windows.cpp:168:35:168:40 | ReadFile output argument | local |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | local |
+| windows.cpp:189:21:189:26 | ReadFile output argument | local |
+| windows.cpp:192:23:192:29 | ReadFileEx output argument | local |
+| windows.cpp:198:21:198:26 | ReadFile output argument | local |
+| windows.cpp:201:23:201:29 | ReadFileEx output argument | local |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | local |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | local |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | local |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | local |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | local |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | local |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | local |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | local |

cpp/ql/test/library-tests/dataflow/external-models/steps.expected

@@ -1,2 +1,8 @@
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer |
-| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
+| test.cpp:28:35:28:35 | 0 | test.cpp:28:11:28:33 | call to ymlStepManual_with_body |
+| test.cpp:32:38:32:38 | 0 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
+| test.cpp:35:38:35:38 | x | test.cpp:35:11:35:36 | call to ymlStepGenerated_with_body |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |

cpp/ql/test/library-tests/dataflow/external-models/steps.ext.yml

@@ -3,4 +3,7 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "", False, "ymlStep", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "ymlStepManual", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "ymlStepGenerated", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -1,7 +1,10 @@
 
 int ymlSource();
 void ymlSink(int value);
-int ymlStep(int value);
+int ymlStepManual(int value);
+int ymlStepGenerated(int value);
+int ymlStepManual_with_body(int value1, int value2) { return value2; }
+int ymlStepGenerated_with_body(int value, int value2) { return value2; }
 
 void test() {
 	int x = ymlSource();
@@ -10,7 +13,25 @@ void test() {
 
 	ymlSink(x); // $ ir
 
-	int y = ymlStep(x);
-
+	// ymlStepManual is manually modeled so we should always use the model
+	int y = ymlStepManual(x);
 	ymlSink(y); // $ ir
+
+	// ymlStepGenerated is modeled by the model generator so we should use the model only if there is no body
+	int z = ymlStepGenerated(x);
+	ymlSink(z); // $ ir
+
+	// ymlStepManual_with_body is manually modeled so we should always use the model
+	int y2 = ymlStepManual_with_body(x, 0);
+	ymlSink(y2); // $ ir
+
+	int y3 = ymlStepManual_with_body(0, x);
+	ymlSink(y3); // clean
+
+	// ymlStepGenerated_with_body is modeled by the model generator so we should use the model only if there is no body
+	int z2 = ymlStepGenerated_with_body(0, x);
+	ymlSink(z2); // $ ir
+
+	int z3 = ymlStepGenerated_with_body(x, 0);
+	ymlSink(z3); // clean
 }

cpp/ql/test/library-tests/dataflow/external-models/windows.cpp

@@ -0,0 +1,337 @@
+void sink(char);
+void sink(char*);
+void sink(char**);
+
+using HANDLE = void*;
+using DWORD = unsigned long;
+using LPCH = char*;
+using LPSTR = char*;
+using LPCSTR = const char*;
+using LPVOID = void*;
+using LPDWORD = unsigned long*;
+using PVOID = void*;
+using ULONG_PTR = unsigned long*;
+using SIZE_T = decltype(sizeof(0));
+
+LPSTR GetCommandLineA();
+LPSTR* CommandLineToArgvA(LPSTR, int*);
+LPCH GetEnvironmentStringsA();
+DWORD GetEnvironmentVariableA(LPCSTR, LPSTR, DWORD);
+
+void getCommandLine() {
+  char* cmd = GetCommandLineA();
+  sink(cmd);
+  sink(*cmd); // $ ir
+
+  int argc;
+  char** argv = CommandLineToArgvA(cmd, &argc);
+  sink(argv);
+  sink(argv[1]);
+  sink(*argv[1]); // $ ir
+}
+
+void getEnvironment() {
+    char* env = GetEnvironmentStringsA();
+    sink(env);
+    sink(*env); // $ ir
+
+    char buf[1024];
+    GetEnvironmentVariableA("FOO", buf, sizeof(buf));
+    sink(buf);
+    sink(*buf); // $ ir
+}
+
+typedef struct _OVERLAPPED {
+  ULONG_PTR Internal;
+  ULONG_PTR InternalHigh;
+  union {
+    struct {
+      DWORD Offset;
+      DWORD OffsetHigh;
+    } DUMMYSTRUCTNAME;
+    PVOID Pointer;
+  } DUMMYUNIONNAME;
+  HANDLE    hEvent;
+} OVERLAPPED, *LPOVERLAPPED;
+
+using BOOL = int;
+#define FILE_MAP_READ 0x0004
+
+using ULONG64 = unsigned long long;
+using ULONG = unsigned long;
+
+using DWORD64 = unsigned long long;
+#define MEM_EXTENDED_PARAMETER_TYPE_BITS 8
+
+typedef struct MEM_EXTENDED_PARAMETER {
+  struct {
+    DWORD64 Type : MEM_EXTENDED_PARAMETER_TYPE_BITS;
+    DWORD64 Reserved : 64 - MEM_EXTENDED_PARAMETER_TYPE_BITS;
+  } DUMMYSTRUCTNAME;
+  union {
+    DWORD64 ULong64;
+    PVOID   Pointer;
+    SIZE_T  Size;
+    HANDLE  Handle;
+    DWORD   ULong;
+  } DUMMYUNIONNAME;
+} MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;
+
+BOOL ReadFile(
+  HANDLE       hFile,
+  LPVOID       lpBuffer,
+  DWORD        nNumberOfBytesToRead,
+  LPDWORD      lpNumberOfBytesRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+using LPOVERLAPPED_COMPLETION_ROUTINE = void (*)(DWORD, DWORD, LPOVERLAPPED);
+
+BOOL ReadFileEx(
+  HANDLE                          hFile,
+  LPVOID                          lpBuffer,
+  DWORD                           nNumberOfBytesToRead,
+  LPOVERLAPPED                    lpOverlapped,
+  LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
+);
+
+using NTSTATUS = long;
+using PIO_APC_ROUTINE = void (*)(struct _DEVICE_OBJECT*, struct _IRP*, PVOID);
+typedef struct _IO_STATUS_BLOCK {
+  union {
+    NTSTATUS Status;
+    PVOID    Pointer;
+  } DUMMYUNIONNAME;
+  ULONG_PTR Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+using LONGLONG = long long;
+using LONG = long;
+typedef struct _LARGE_INTEGER {
+  union {
+    struct {
+      ULONG LowPart;
+      LONG  HighPart;
+    } DUMMYSTRUCTNAME;
+    LONGLONG QuadPart;
+  } DUMMYUNIONNAME;
+} LARGE_INTEGER, *PLARGE_INTEGER;
+
+using PULONG = unsigned long*;
+
+NTSTATUS NtReadFile(
+  HANDLE           FileHandle,
+  HANDLE           Event,
+  PIO_APC_ROUTINE  ApcRoutine,
+  PVOID            ApcContext,
+  PIO_STATUS_BLOCK IoStatusBlock,
+  PVOID            Buffer,
+  ULONG            Length,
+  PLARGE_INTEGER   ByteOffset,
+  PULONG           Key
+);
+
+
+void FileIOCompletionRoutine(
+  DWORD dwErrorCode,
+  DWORD dwNumberOfBytesTransfered,
+  LPOVERLAPPED lpOverlapped
+) {
+  char* buffer = reinterpret_cast<char*>(lpOverlapped->hEvent);
+  sink(buffer);
+  sink(*buffer); // $ MISSING: ir
+}
+
+void FileIOCompletionRoutine2(
+  DWORD dwErrorCode,
+  DWORD dwNumberOfBytesTransfered,
+  LPOVERLAPPED lpOverlapped
+) {
+  char* buffer = reinterpret_cast<char*>(lpOverlapped->hEvent);
+  sink(buffer);
+  sink(*buffer); // $ ir
+}
+
+void FileIOCompletionRoutine3(
+  DWORD dwErrorCode,
+  DWORD dwNumberOfBytesTransfered,
+  LPOVERLAPPED lpOverlapped
+) {
+  char c = reinterpret_cast<char>(lpOverlapped->hEvent);
+  sink(c); // $ ir
+}
+
+void readFile(HANDLE hFile) {
+  {
+    char buffer[1024];
+    DWORD bytesRead;
+    OVERLAPPED overlapped;
+    BOOL result = ReadFile(hFile, buffer, sizeof(buffer), &bytesRead, &overlapped);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    char buffer[1024];
+    OVERLAPPED overlapped;
+    overlapped.hEvent = reinterpret_cast<HANDLE>(buffer);
+    ReadFileEx(hFile, buffer, sizeof(buffer) - 1, &overlapped, FileIOCompletionRoutine);
+    sink(buffer);
+    sink(*buffer); // $ ir
+
+    char* p = reinterpret_cast<char*>(overlapped.hEvent);
+    sink(p);
+    sink(*p); // $ MISSING: ir
+  }
+  
+  {
+    char buffer[1024];
+    OVERLAPPED overlapped;
+    ReadFile(hFile, buffer, sizeof(buffer), nullptr, nullptr);
+    overlapped.hEvent = reinterpret_cast<HANDLE>(buffer);
+    char buffer2[1024];
+    ReadFileEx(hFile, buffer2, sizeof(buffer2) - 1, &overlapped, FileIOCompletionRoutine2);
+  }
+
+  {
+    char buffer[1024];
+    OVERLAPPED overlapped;
+    ReadFile(hFile, buffer, sizeof(buffer), nullptr, nullptr);
+    overlapped.hEvent = reinterpret_cast<HANDLE>(*buffer);
+    char buffer2[1024];
+    ReadFileEx(hFile, buffer2, sizeof(buffer2) - 1, &overlapped, FileIOCompletionRoutine3);
+  }
+
+  {
+    char buffer[1024];
+    IO_STATUS_BLOCK ioStatusBlock;
+    LARGE_INTEGER byteOffset;
+    ULONG key;
+    NTSTATUS status = NtReadFile(hFile, nullptr, nullptr, nullptr, &ioStatusBlock, buffer, sizeof(buffer), &byteOffset, &key);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+}
+
+LPVOID MapViewOfFile(
+  HANDLE hFileMappingObject,
+  DWORD  dwDesiredAccess,
+  DWORD  dwFileOffsetHigh,
+  DWORD  dwFileOffsetLow,
+  SIZE_T dwNumberOfBytesToMap
+);
+
+PVOID MapViewOfFile2(
+  HANDLE  FileMappingHandle,
+  HANDLE  ProcessHandle,
+  ULONG64 Offset,
+  PVOID   BaseAddress,
+  SIZE_T  ViewSize,
+  ULONG   AllocationType,
+  ULONG   PageProtection
+);
+
+PVOID MapViewOfFile3(
+  HANDLE                 FileMapping,
+  HANDLE                 Process,
+  PVOID                  BaseAddress,
+  ULONG64                Offset,
+  SIZE_T                 ViewSize,
+  ULONG                  AllocationType,
+  ULONG                  PageProtection,
+  MEM_EXTENDED_PARAMETER *ExtendedParameters,
+  ULONG                  ParameterCount
+);
+
+PVOID MapViewOfFile3FromApp(
+  HANDLE                 FileMapping,
+  HANDLE                 Process,
+  PVOID                  BaseAddress,
+  ULONG64                Offset,
+  SIZE_T                 ViewSize,
+  ULONG                  AllocationType,
+  ULONG                  PageProtection,
+  MEM_EXTENDED_PARAMETER *ExtendedParameters,
+  ULONG                  ParameterCount
+);
+
+LPVOID MapViewOfFileEx(
+  HANDLE hFileMappingObject,
+  DWORD  dwDesiredAccess,
+  DWORD  dwFileOffsetHigh,
+  DWORD  dwFileOffsetLow,
+  SIZE_T dwNumberOfBytesToMap,
+  LPVOID lpBaseAddress
+);
+
+PVOID MapViewOfFileFromApp(
+  HANDLE  hFileMappingObject,
+  ULONG   DesiredAccess,
+  ULONG64 FileOffset,
+  SIZE_T  NumberOfBytesToMap
+);
+
+PVOID MapViewOfFileNuma2(
+  HANDLE  FileMappingHandle,
+  HANDLE  ProcessHandle,
+  ULONG64 Offset,
+  PVOID   BaseAddress,
+  SIZE_T  ViewSize,
+  ULONG   AllocationType,
+  ULONG   PageProtection,
+  ULONG   PreferredNode
+);
+
+void mapViewOfFile(HANDLE hMapFile) {
+  {
+    LPVOID pMapView = MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFile2(hMapFile, nullptr, 0, nullptr, 0, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    MEM_EXTENDED_PARAMETER extendedParams;
+
+    LPVOID pMapView = MapViewOfFile3(hMapFile, nullptr, 0, 0, 0, 0, 0, &extendedParams, 1);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    MEM_EXTENDED_PARAMETER extendedParams;
+
+    LPVOID pMapView = MapViewOfFile3FromApp(hMapFile, nullptr, 0, 0, 0, 0, 0, &extendedParams, 1);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFileEx(hMapFile, FILE_MAP_READ, 0, 0, 0, nullptr);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFileFromApp(hMapFile, FILE_MAP_READ, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFileNuma2(hMapFile, nullptr, 0, nullptr, 0, 0, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+}

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -863,12 +863,12 @@ edges
 | struct_init.c:24:10:24:12 | absink output argument [a] | struct_init.c:28:5:28:7 | *& ... [a] | provenance |  |
 | struct_init.c:26:16:26:20 | *definition of outer [nestedAB, a] | struct_init.c:31:8:31:12 | *outer [nestedAB, a] | provenance |  |
 | struct_init.c:26:16:26:20 | *definition of outer [nestedAB, a] | struct_init.c:36:11:36:15 | *outer [nestedAB, a] | provenance |  |
-| struct_init.c:26:16:26:20 | *definition of outer [post update] [*pointerAB, a] | struct_init.c:33:8:33:12 | *outer [*pointerAB, a] | provenance |  |
 | struct_init.c:26:16:26:20 | *definition of outer [post update] [nestedAB, a] | struct_init.c:26:16:26:20 | *definition of outer [nestedAB, a] | provenance |  |
+| struct_init.c:26:16:26:20 | {...} [*pointerAB, a] | struct_init.c:33:8:33:12 | *outer [*pointerAB, a] | provenance |  |
 | struct_init.c:26:23:29:3 | *{...} [post update] [a] | struct_init.c:26:16:26:20 | *definition of outer [post update] [nestedAB, a] | provenance |  |
 | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:26:23:29:3 | *{...} [post update] [a] | provenance |  |
 | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:7:27:16 | call to user_input | provenance |  |
-| struct_init.c:28:5:28:7 | *& ... [a] | struct_init.c:26:16:26:20 | *definition of outer [post update] [*pointerAB, a] | provenance |  |
+| struct_init.c:28:5:28:7 | *& ... [a] | struct_init.c:26:16:26:20 | {...} [*pointerAB, a] | provenance |  |
 | struct_init.c:31:8:31:12 | *outer [nestedAB, a] | struct_init.c:31:14:31:21 | *nestedAB [a] | provenance |  |
 | struct_init.c:31:14:31:21 | *nestedAB [a] | struct_init.c:31:23:31:23 | a | provenance |  |
 | struct_init.c:33:8:33:12 | *outer [*pointerAB, a] | struct_init.c:33:14:33:22 | *pointerAB [a] | provenance |  |
@@ -879,8 +879,8 @@ edges
 | struct_init.c:40:13:40:14 | *definition of ab [post update] [a] | struct_init.c:40:13:40:14 | *definition of ab [a] | provenance |  |
 | struct_init.c:40:20:40:29 | call to user_input | struct_init.c:40:13:40:14 | *definition of ab [post update] [a] | provenance |  |
 | struct_init.c:40:20:40:29 | call to user_input | struct_init.c:40:20:40:29 | call to user_input | provenance |  |
-| struct_init.c:41:16:41:20 | *definition of outer [post update] [*pointerAB, a] | struct_init.c:46:10:46:14 | *outer [*pointerAB, a] | provenance |  |
-| struct_init.c:43:5:43:7 | *& ... [a] | struct_init.c:41:16:41:20 | *definition of outer [post update] [*pointerAB, a] | provenance |  |
+| struct_init.c:41:16:41:20 | {...} [*pointerAB, a] | struct_init.c:46:10:46:14 | *outer [*pointerAB, a] | provenance |  |
+| struct_init.c:43:5:43:7 | *& ... [a] | struct_init.c:41:16:41:20 | {...} [*pointerAB, a] | provenance |  |
 | struct_init.c:46:10:46:14 | *outer [*pointerAB, a] | struct_init.c:46:16:46:24 | *pointerAB [a] | provenance |  |
 | struct_init.c:46:16:46:24 | *pointerAB [a] | struct_init.c:14:24:14:25 | *ab [a] | provenance |  |
 nodes
@@ -1773,8 +1773,8 @@ nodes
 | struct_init.c:24:10:24:12 | *& ... [a] | semmle.label | *& ... [a] |
 | struct_init.c:24:10:24:12 | absink output argument [a] | semmle.label | absink output argument [a] |
 | struct_init.c:26:16:26:20 | *definition of outer [nestedAB, a] | semmle.label | *definition of outer [nestedAB, a] |
-| struct_init.c:26:16:26:20 | *definition of outer [post update] [*pointerAB, a] | semmle.label | *definition of outer [post update] [*pointerAB, a] |
 | struct_init.c:26:16:26:20 | *definition of outer [post update] [nestedAB, a] | semmle.label | *definition of outer [post update] [nestedAB, a] |
+| struct_init.c:26:16:26:20 | {...} [*pointerAB, a] | semmle.label | {...} [*pointerAB, a] |
 | struct_init.c:26:23:29:3 | *{...} [post update] [a] | semmle.label | *{...} [post update] [a] |
 | struct_init.c:27:7:27:16 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:27:7:27:16 | call to user_input | semmle.label | call to user_input |
@@ -1791,7 +1791,7 @@ nodes
 | struct_init.c:40:13:40:14 | *definition of ab [post update] [a] | semmle.label | *definition of ab [post update] [a] |
 | struct_init.c:40:20:40:29 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:40:20:40:29 | call to user_input | semmle.label | call to user_input |
-| struct_init.c:41:16:41:20 | *definition of outer [post update] [*pointerAB, a] | semmle.label | *definition of outer [post update] [*pointerAB, a] |
+| struct_init.c:41:16:41:20 | {...} [*pointerAB, a] | semmle.label | {...} [*pointerAB, a] |
 | struct_init.c:43:5:43:7 | *& ... [a] | semmle.label | *& ... [a] |
 | struct_init.c:46:10:46:14 | *outer [*pointerAB, a] | semmle.label | *outer [*pointerAB, a] |
 | struct_init.c:46:16:46:24 | *pointerAB [a] | semmle.label | *pointerAB [a] |

cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql

@@ -4,7 +4,9 @@ import SummaryModels
 import InlineModelsAsDataTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {
-  string getCapturedModel(MadRelevantFunction c) { result = ContentSensitive::captureFlow(c, _) }
+  string getCapturedModel(MadRelevantFunction c) {
+    result = ContentSensitive::captureFlow(c, _, _, _, _)
+  }
 
   string getKind() { result = "contentbased-summary" }
 }

cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql

@@ -4,7 +4,7 @@ import SummaryModels
 import InlineModelsAsDataTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {
-  string getCapturedModel(MadRelevantFunction c) { result = Heuristic::captureFlow(c) }
+  string getCapturedModel(MadRelevantFunction c) { result = Heuristic::captureFlow(c, _) }
 
   string getKind() { result = "heuristic-summary" }
 }

cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp

@@ -10,32 +10,32 @@ namespace Models {
         //No model as destructors are excluded from model generation.
         ~BasicFlow() = default;
 
-        //heuristic-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];value;df-generated
         //contentbased-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];value;dfc-generated
         BasicFlow* returnThis(int* input) {
             return this;
         }
 
-        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;value;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];value;df-generated
         //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;value;dfc-generated
         //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];value;dfc-generated
         int* returnParam0(int* input0, int* input1) {
             return input0;
         }
 
-        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;value;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];value;df-generated
         //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;value;dfc-generated
         //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
         int* returnParam1(int* input0, int* input1) {
             return input1;
         }
 
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;value;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];value;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;value;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];value;df-generated
         //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;value;dfc-generated
         //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
         //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;value;dfc-generated
@@ -46,9 +46,9 @@ namespace Models {
 
         //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;df-generated
         //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];value;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;value;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];value;df-generated
         //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;dfc-generated
         //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;dfc-generated
         //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];value;dfc-generated
@@ -79,14 +79,14 @@ namespace Models {
     struct TemplatedFlow {
         T tainted;
 
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];value;df-generated
         //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];value;dfc-generated
         TemplatedFlow<T>* template_returnThis(T input) {
             return this;
         }
 
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;value;df-generated
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];value;df-generated
         //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;value;dfc-generated
         //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
         T* template_returnParam0(T* input0, T* input1) {
@@ -105,8 +105,8 @@ namespace Models {
             return tainted;
         }
 
-        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;taint;df-generated
-        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;value;df-generated
+        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];value;df-generated
         //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;value;dfc-generated
         //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
         template<typename U>
@@ -130,7 +130,7 @@ namespace Models {
 }
 
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;df-generated
-//heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;taint;df-generated
+//heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;value;df-generated
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;df-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;dfc-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;dfc-generated
@@ -145,13 +145,13 @@ static int static_toplevel_function(int* p) {
 }
 
 struct NonFinalStruct {
-    //heuristic-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
+    //heuristic-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;value;df-generated
     //contentbased-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
     virtual int public_not_final_member_function(int x) {
         return x;
     }
 
-    //heuristic-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
+    //heuristic-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;value;df-generated
     //contentbased-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
     virtual int public_final_member_function(int x) final {
         return x;
@@ -171,13 +171,13 @@ protected:
 };
 
 struct FinalStruct final {
-    //heuristic-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
+    //heuristic-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;value;df-generated
     //contentbased-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
     virtual int public_not_final_member_function_2(int x) {
         return x;
     }
 
-    //heuristic-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
+    //heuristic-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;value;df-generated
     //contentbased-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
     virtual int public_final_member_function_2(int x) final {
         return x;
@@ -211,7 +211,7 @@ struct HasInt {
 //contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];value;dfc-generated
 //heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*0];taint;df-generated
 //heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*1];taint;df-generated
-//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];taint;df-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];value;df-generated
 int copy_struct(HasInt *out, const HasInt *in) {
     *out = *in;
     return 1;

cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp

@@ -56,9 +56,9 @@ void test_sources() {
 	sink(v_direct); // $ ir
 
 	sink(remoteMadSourceIndirect());
-	sink(*remoteMadSourceIndirect()); // $ MISSING: ir
+	sink(*remoteMadSourceIndirect()); // $ ir
 	sink(*remoteMadSourceDoubleIndirect());
-	sink(**remoteMadSourceDoubleIndirect()); // $ MISSING: ir
+	sink(**remoteMadSourceDoubleIndirect()); // $ ir
 
 	int a, b, c, d;
 
@@ -124,7 +124,7 @@ void test_sinks() {
 	// test sources + sinks together
 
 	madSinkArg0(localMadSource()); // $ ir
-	madSinkIndirectArg0(remoteMadSourceIndirect()); // $ MISSING: ir
+	madSinkIndirectArg0(remoteMadSourceIndirect()); // $ ir
 	madSinkVar = remoteMadSourceVar; // $ ir
 	*madSinkVarIndirect = remoteMadSourceVar; // $ MISSING: ir
 }

cpp/ql/test/library-tests/ir/no-function-calls/PrintAST.expected

@@ -0,0 +1,36 @@
+#-----| [CopyAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag const&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const __va_list_tag &
+#-----| [MoveAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag&&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] __va_list_tag &&
+#-----| [Operator,TopLevelFunction] void operator delete(void*)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [VoidPointerType] void *
+test.cpp:
+#    5| [TopLevelFunction] void foo(int*)
+#    5|   <params>: 
+#    5|     getParameter(0): [Parameter] x
+#    5|         Type = [IntPointerType] int *
+#    5|   getEntryPoint(): [BlockStmt] { ... }
+#    6|     getStmt(0): [ExprStmt] ExprStmt
+#    6|       getExpr(): [DeleteExpr] delete
+#    6|           Type = [VoidType] void
+#    6|           ValueCategory = prvalue
+#    6|         getExprWithReuse(): [VariableAccess] x
+#    6|             Type = [IntPointerType] int *
+#    6|             ValueCategory = prvalue(load)
+#    7|     getStmt(1): [ReturnStmt] return ...
+#    9| [TopLevelFunction] void bar()
+#    9|   <params>: 
+#   11| [TopLevelFunction] void jazz()
+#   11|   <params>: 
+#   11|   getEntryPoint(): [BlockStmt] { ... }
+#   12|     getStmt(0): [ExprStmt] ExprStmt
+#   12|       getExpr(): [FunctionCall] call to bar
+#   12|           Type = [VoidType] void
+#   12|           ValueCategory = prvalue
+#   13|     getStmt(1): [ReturnStmt] return ...

cpp/ql/test/library-tests/ir/no-function-calls/PrintAST.ql

@@ -0,0 +1,11 @@
+/**
+ * @kind graph
+ */
+
+private import cpp
+private import semmle.code.cpp.PrintAST
+private import PrintConfig
+
+private class PrintConfig extends PrintAstConfiguration {
+  override predicate shouldPrintDeclaration(Declaration decl) { shouldDumpDeclaration(decl) }
+}

cpp/ql/test/library-tests/ir/no-function-calls/PrintConfig.qll

@@ -0,0 +1,24 @@
+private import cpp
+
+/**
+ * Holds if the specified location is in standard headers.
+ */
+predicate locationIsInStandardHeaders(Location loc) {
+  loc.getFile().getAbsolutePath().regexpMatch(".*/include/[^/]+")
+}
+
+/**
+ * Holds if the AST or IR for the specified declaration should be printed in the test output.
+ *
+ * This predicate excludes declarations defined in standard headers.
+ */
+predicate shouldDumpDeclaration(Declaration decl) {
+  not locationIsInStandardHeaders(decl.getLocation()) and
+  (
+    decl instanceof Function
+    or
+    decl.(GlobalOrNamespaceVariable).hasInitializer()
+    or
+    decl.(StaticLocalVariable).hasInitializer()
+  )
+}

cpp/ql/test/library-tests/ir/no-function-calls/aliased_ir.expected

@@ -0,0 +1,38 @@
+test.cpp:
+#    5| void foo(int*)
+#    5|   Block 0
+#    5|     v5_1(void)           = EnterFunction                    : 
+#    5|     m5_2(unknown)        = AliasedDefinition                : 
+#    5|     m5_3(unknown)        = InitializeNonLocal               : 
+#    5|     m5_4(unknown)        = Chi                              : total:m5_2, partial:m5_3
+#    5|     r5_5(glval<int *>)   = VariableAddress[x]               : 
+#    5|     m5_6(int *)          = InitializeParameter[x]           : &:r5_5
+#    5|     r5_7(int *)          = Load[x]                          : &:r5_5, m5_6
+#    5|     m5_8(unknown)        = InitializeIndirection[x]         : &:r5_7
+#    5|     m5_9(unknown)        = Chi                              : total:m5_4, partial:m5_8
+#    6|     r6_1(glval<unknown>) = FunctionAddress[operator delete] : 
+#    6|     r6_2(glval<int *>)   = VariableAddress[x]               : 
+#    6|     r6_3(int *)          = Load[x]                          : &:r6_2, m5_6
+#    6|     v6_4(void)           = Call[operator delete]            : func:r6_1, 0:r6_3
+#    6|     m6_5(unknown)        = ^CallSideEffect                  : ~m5_9
+#    6|     m6_6(unknown)        = Chi                              : total:m5_9, partial:m6_5
+#    7|     v7_1(void)           = NoOp                             : 
+#    5|     v5_10(void)          = ReturnIndirection[x]             : &:r5_7, ~m6_6
+#    5|     v5_11(void)          = ReturnVoid                       : 
+#    5|     v5_12(void)          = AliasedUse                       : ~m6_6
+#    5|     v5_13(void)          = ExitFunction                     : 
+
+#   11| void jazz()
+#   11|   Block 0
+#   11|     v11_1(void)           = EnterFunction        : 
+#   11|     m11_2(unknown)        = AliasedDefinition    : 
+#   11|     m11_3(unknown)        = InitializeNonLocal   : 
+#   11|     m11_4(unknown)        = Chi                  : total:m11_2, partial:m11_3
+#   12|     r12_1(glval<unknown>) = FunctionAddress[bar] : 
+#   12|     v12_2(void)           = Call[bar]            : func:r12_1
+#   12|     m12_3(unknown)        = ^CallSideEffect      : ~m11_4
+#   12|     m12_4(unknown)        = Chi                  : total:m11_4, partial:m12_3
+#   13|     v13_1(void)           = NoOp                 : 
+#   11|     v11_5(void)           = ReturnVoid           : 
+#   11|     v11_6(void)           = AliasedUse           : ~m12_4
+#   11|     v11_7(void)           = ExitFunction         : 

cpp/ql/test/library-tests/ir/no-function-calls/aliased_ir.ql

@@ -0,0 +1,11 @@
+/**
+ * @kind graph
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.implementation.aliased_ssa.PrintIR
+private import PrintConfig
+
+private class PrintConfig extends PrintIRConfiguration {
+  override predicate shouldPrintDeclaration(Declaration decl) { shouldDumpDeclaration(decl) }
+}

cpp/ql/test/library-tests/ir/no-function-calls/test.cpp

@@ -0,0 +1,13 @@
+// Test for edge case, where we have a database without any function calls or
+// where none of the function calls have any arguments, but where we do have
+// a delete expression.
+
+void foo(int* x) {
+  delete x;
+}
+
+void bar();
+
+void jazz() {
+  bar();
+}

cpp/ql/test/library-tests/structs/compatible_c/c1_gnu.c

@@ -7,4 +7,4 @@ struct Kiwi {
 struct Lemon {
   unsigned int __attribute__ ((vector_size (16))) lemon_x;
 };
-// semmle-extractor-options: -std=c99 --clang --edg --clang_vector_types --gnu_version 40700
+// semmle-extractor-options: -std=c99 --clang --gnu_version 40700