Rust: emit Const bodies in library mode

When skipping bodies in library code, we lose the information whether a
body was originally present. This can be important, for example when
determining whether a trait method has a default implementation.

With this change that information can be recovered via the
`hasImplementation` predicate.

.github/workflows/build-ripunzip.yml

@@ -6,18 +6,18 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v1.2.1
+        default: v2.0.2
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.3.0
+        default: openssl-3.5.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2019]
+        os: [ubuntu-22.04, macos-13, windows-2022]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/csharp-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-2019]
+        os: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/go-tests-other-os.yml

@@ -26,9 +26,8 @@ jobs:
         uses: ./go/actions/test
 
   test-win:
-    if: github.repository_owner == 'github'
     name: Test Windows
-    runs-on: windows-latest-xl
+    runs-on: windows-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v4

.github/workflows/ruby-qltest-rtjo.yml

@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-qltest.yml

@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-13-xlarge]
+        runner: [ubuntu-latest, macos-15-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:

.gitignore

@@ -62,6 +62,7 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
+/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -71,3 +72,7 @@ node_modules/
 
 # cargo build directory
 /target
+
+# some upgrade/downgrade checks create these files
+**/upgrades/*/*.dbscheme.stats
+**/downgrades/*/*.dbscheme.stats

CODEOWNERS

@@ -16,7 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography
-**/experimental/quantum/ @github/ps-codeql
+**/experimental/**/quantum/ @github/ps-codeql
 /shared/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs

Cargo.lock

@@ -242,6 +242,8 @@ version = "1.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7"
 dependencies = [
+ "jobserver",
+ "libc",
  "shlex",
 ]
 
@@ -390,6 +392,7 @@ dependencies = [
  "tree-sitter",
  "tree-sitter-json",
  "tree-sitter-ql",
+ "zstd",
 ]
 
 [[package]]
@@ -983,6 +986,15 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
 
+[[package]]
+name = "jobserver"
+version = "0.1.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "jod-thread"
 version = "0.1.2"
@@ -1334,6 +1346,12 @@ version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
 
+[[package]]
+name = "pkg-config"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+
 [[package]]
 name = "portable-atomic"
 version = "1.11.0"
@@ -3027,3 +3045,31 @@ dependencies = [
  "quote",
  "syn",
 ]
+
+[[package]]
+name = "zstd"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
+dependencies = [
+ "zstd-safe",
+]
+
+[[package]]
+name = "zstd-safe"
+version = "7.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
+dependencies = [
+ "zstd-sys",
+]
+
+[[package]]
+name = "zstd-sys"
+version = "2.0.15+zstd.1.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
+dependencies = [
+ "cc",
+ "pkg-config",
+]

Cargo.toml

@@ -10,6 +10,7 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
+exclude = ["mad-generation-build"]
 
 [patch.crates-io]
 # patch for build script bug preventing bazel build

MODULE.bazel

@@ -124,6 +124,7 @@ use_repo(
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
+    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,16 +22,21 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
+      - ["actions/deploy-pages", "pages: write"]
+      - ["actions/deploy-pages", "id-token: write"]
+      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]      
+      - ["actions/versions-package-tools", "contents: read"]
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]      
+      - ["actions/reusable-workflows", "contents: read"]
       - ["actions/reusable-workflows", "actions: read"]
+      - ["actions/ai-inference", "contents: read"]
+      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
+      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-
-      
+      # No permissions needed for actions/configure-pages

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.9
+version: 0.4.10-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.1
+version: 0.6.2-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/ai-inference

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/delete-package-versions

actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected

@@ -3,3 +3,6 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
+| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
+| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |

cpp/misc/bulk_generation_targets.json

@@ -0,0 +1,9 @@
+{
+  "strategy": "dca",
+  "language": "cpp",
+  "targets": [
+      { "name": "openssl", "with-sources": false, "with-sinks": false },
+      { "name": "sqlite", "with-sources": false, "with-sinks": false }
+  ],
+  "destination": "cpp/ql/lib/ext/generated"
+}

cpp/ql/lib/change-notes/2025-05-15-class-aggregate-literals.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.

cpp/ql/lib/change-notes/2025-05-16-array-aggregate-literals.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.

cpp/ql/lib/change-notes/2025-05-16-wmain-support.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added support for `wmain` as part of the ArgvSource model.

cpp/ql/lib/change-notes/2025-05-18-2025-May-outdated-deprecations.md

@@ -0,0 +1,9 @@
+---
+category: breaking
+---
+* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
+* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
+* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.

cpp/ql/lib/change-notes/2025-05-23-windows-sources.md

@@ -0,0 +1,6 @@
+---
+category: feature
+---
+* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
+* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
+* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.

cpp/ql/lib/change-notes/2025-05-27-windows-sources-2.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.

cpp/ql/lib/experimental/quantum/Language.qll

@@ -1,6 +1,7 @@
 private import cpp as Language
-import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codeql.quantum.experimental.Model
+private import OpenSSL.GenericSourceCandidateLiteral
 
 module CryptoInput implements InputSig<Language::Location> {
   class DataFlowNode = DataFlow::Node;
@@ -86,6 +87,21 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
+module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
+
+private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
+  ConstantDataSource() { this instanceof OpenSSLGenericSourceCandidateLiteral }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source = any(Crypto::ArtifactInstance artifact).getOutputNode()

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -1,7 +1,9 @@
 import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import PaddingAlgorithmInstance
 
 /**
  * Traces 'known algorithms' to AVCs, specifically
@@ -18,6 +20,9 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     exists(OpenSSLAlgorithmValueConsumer c |
       c.getInputNode() = sink and
+      // exclude padding algorithm consumers, since
+      // these consumers take in different constant values
+      // not in the typical "known algorithm" set
       not c instanceof PaddingAlgorithmValueConsumer
     )
   }
@@ -42,9 +47,7 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
   DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
 
 module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
-  }
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSSLPaddingLiteral }
 
   predicate isSink(DataFlow::Node sink) {
     exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -1,13 +1,14 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import AlgToAVCFlow
 
 /**
  * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToBlockModeFamilyType(
   KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
@@ -70,7 +71,11 @@ class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmIns
 
   // NOTE: I'm not going to attempt to parse out the mode specific part, so returning
   // the same as the raw name for now.
-  override string getRawModeAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawModeAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -1,16 +1,17 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import Crypto::KeyOpAlg as KeyOpAlg
-import OpenSSLAlgorithmInstanceBase
-import PaddingAlgorithmInstance
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
-import BlockAlgorithmInstance
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import Crypto::KeyOpAlg as KeyOpAlg
+private import OpenSSLAlgorithmInstanceBase
+private import PaddingAlgorithmInstance
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+private import BlockAlgorithmInstance
 
 /**
  * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToCipherFamilyType(
   KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
@@ -101,13 +102,14 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
     // TODO or trace through getter ctx to set padding
   }
 
-  override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
-  override string getKeySizeFixed() {
-    exists(int keySize |
-      this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
-      result = keySize.toString()
-    )
+  override int getKeySizeFixed() {
+    this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
   }
 
   override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -0,0 +1,53 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+
+class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override string getRawEllipticCurveName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
+
+  override Crypto::TEllipticCurveType getEllipticCurveType() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
+  }
+
+  override string getParsedEllipticCurveName() {
+    result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
+  }
+
+  override int getKeySize() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+          .getNormalizedName(), result, _)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -1,8 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
   KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
@@ -75,7 +76,11 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
   }
 
-  override string getRawHashAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawHashAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override int getFixedDigestLength() {
     this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KeyAgreementAlgorithmInstance.qll

@@ -0,0 +1,63 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
+
+predicate knownOpenSSLConstantToKeyAgreementFamilyType(
+  KnownOpenSSLKeyAgreementAlgorithmConstant e, Crypto::TKeyAgreementType type
+) {
+  exists(string name |
+    name = e.getNormalizedName() and
+    (
+      name = "ECDH" and type = Crypto::ECDH()
+      or
+      name = "DH" and type = Crypto::DH()
+      or
+      name = "EDH" and type = Crypto::EDH()
+      or
+      name = "ESDH" and type = Crypto::EDH()
+    )
+  )
+}
+
+class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSSLKeyAgreementAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLHashConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override Crypto::TKeyAgreementType getKeyAgreementType() {
+    knownOpenSSLConstantToKeyAgreementFamilyType(this, result)
+    or
+    not knownOpenSSLConstantToKeyAgreementFamilyType(this, _) and
+    result = Crypto::OtherKeyAgreementType()
+  }
+
+  override string getRawKeyAgreementAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll

@@ -1,5 +1,5 @@
 import cpp
-import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.GenericSourceCandidateLiteral
 
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
   resolveAlgorithmFromCall(e, normalizedName, algType)
@@ -20,7 +20,7 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 
   KnownOpenSSLCipherAlgorithmConstant() {
     resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%encryption")
+    algType.matches("%ENCRYPTION")
   }
 
   int getExplicitKeySize() {
@@ -33,30 +33,20 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 }
 
 class KnownOpenSSLPaddingAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
   KnownOpenSSLPaddingAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%padding")
+    exists(string algType |
+      resolveAlgorithmFromExpr(this, _, algType) and
+      algType.matches("%PADDING")
+    )
   }
 }
 
 class KnownOpenSSLBlockModeAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
-  KnownOpenSSLBlockModeAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%block_mode")
-  }
+  KnownOpenSSLBlockModeAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "BLOCK_MODE") }
 }
 
 class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
-  KnownOpenSSLHashAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%hash")
-  }
+  KnownOpenSSLHashAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "HASH") }
 
   int getExplicitDigestLength() {
     exists(string name |
@@ -67,6 +57,20 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
   }
 }
 
+class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLEllipticCurveAlgorithmConstant() {
+    resolveAlgorithmFromExpr(this, _, "ELLIPTIC_CURVE")
+  }
+}
+
+class KnownOpenSSLSignatureAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLSignatureAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "SIGNATURE") }
+}
+
+class KnownOpenSSLKeyAgreementAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLKeyAgreementAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "KEY_AGREEMENT") }
+}
+
 /**
  * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5()
  * This approach to fetching algorithms was used in OpenSSL 1.0.2.
@@ -80,7 +84,6 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
  *  alias = "dss1" and target = "dsaWithSHA1"
  */
 predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
-  isPossibleOpenSSLFunction(c.getTarget()) and
   exists(string name, string parsedTargetName |
     parsedTargetName =
       c.getTarget().getName().replaceAll("EVP_", "").toLowerCase().replaceAll("_", "-") and
@@ -94,10 +97,10 @@ predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
  * if `e` resolves to a known algorithm.
  * If this predicate does not hold, then `e` can be interpreted as being of `UNKNOWN` type.
  */
-predicate resolveAlgorithmFromLiteral(Literal e, string normalized, string algType) {
-  exists(int nid |
-    nid = getPossibleNidFromLiteral(e) and knownOpenSSLAlgorithmLiteral(_, nid, normalized, algType)
-  )
+predicate resolveAlgorithmFromLiteral(
+  OpenSSLGenericSourceCandidateLiteral e, string normalized, string algType
+) {
+  knownOpenSSLAlgorithmLiteral(_, e.getValue().toInt(), normalized, algType)
   or
   exists(string name |
     name = resolveAlgorithmAlias(e.getValue()) and
@@ -116,30 +119,6 @@ string resolveAlgorithmAlias(string name) {
   )
 }
 
-private int getPossibleNidFromLiteral(Literal e) {
-  result = e.getValue().toInt() and
-  not e instanceof CharLiteral and
-  not e instanceof StringLiteral and
-  // ASSUMPTION, no negative numbers are allowed
-  // RATIONALE: this is a performance improvement to avoid having to trace every number
-  not exists(UnaryMinusExpr u | u.getOperand() = e) and
-  //  OPENSSL has a special macro for getting every line, ignore it
-  not exists(MacroInvocation mi | mi.getExpr() = e and mi.getMacroName() = "OPENSSL_LINE") and
-  // Filter out cases where an int is assigned into a pointer, e.g., char* x = NULL;
-  not exists(Assignment a |
-    a.getRValue() = e and a.getLValue().getType().getUnspecifiedType() instanceof PointerType
-  ) and
-  not exists(Initializer i |
-    i.getExpr() = e and
-    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof PointerType
-  ) and
-  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
-  not exists(ReturnStmt r |
-    r.getExpr() = e and
-    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof PointerType
-  )
-}
-
 string getAlgorithmAlias(string alias) {
   customAliases(result, alias)
   or
@@ -166,6 +145,14 @@ predicate customAliases(string target, string alias) {
  * The `target` and `alias` are converted to lowercase to be of a standard form.
  */
 predicate defaultAliases(string target, string alias) {
+  // "DH" and "DHX" are not aliases in the traditional sense,
+  // i.e., they are not registered as aliases explicitly,
+  // rather they appear in common usage, and experiments reveal their
+  // NID matches those of the `dhKeyAgreement` and `x9.42 dh` algorithms respectively.
+  alias = "dh" and target = "dhKeyAgreement"
+  or
+  alias = "dhx" and target = "x9.42 dh"
+  or
   alias = "aes128" and target = "aes-128-cbc"
   or
   alias = "aes192" and target = "aes-192-cbc"
@@ -253,11 +240,6 @@ predicate defaultAliases(string target, string alias) {
   alias = "ssl3-sha1" and target = "sha1"
 }
 
-predicate tbd(string normalized, string algType) {
-  knownOpenSSLAlgorithmLiteral(_, _, normalized, algType) and
-  algType = "HASH"
-}
-
 /**
  * Enumeration of all known crypto algorithms for openSSL
  * `name` is all lower case (caller's must ensure they pass in lower case)
@@ -266,6 +248,10 @@ predicate tbd(string normalized, string algType) {
  * `algType` is the type of algorithm (e.g., "SYMMETRIC_ENCRYPTION")
  */
 predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized, string algType) {
+  name = "dhKeyAgreement" and nid = 28 and normalized = "DH" and algType = "KEY_AGREEMENT"
+  or
+  name = "x9.42 dh" and nid = 29 and normalized = "DH" and algType = "KEY_AGREEMENT"
+  or
   name = "rsa" and nid = 19 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
   name = "prime192v1" and nid = 409 and normalized = "PRIME192V1" and algType = "ELLIPTIC_CURVE"
@@ -284,8 +270,12 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "ELLIPTIC_CURVE"
   or
+  name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "SIGNATURE"
+  or
   name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "ELLIPTIC_CURVE"
   or
+  name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "SIGNATURE"
+  or
   name = "md2" and nid = 3 and normalized = "MD2" and algType = "HASH"
   or
   name = "sha" and nid = 41 and normalized = "SHA" and algType = "HASH"
@@ -894,6 +884,8 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "id-alg-dh-sig-hmac-sha1" and nid = 325 and normalized = "SHA1" and algType = "HASH"
   or
+  name = "id-alg-dh-sig-hmac-sha1" and nid = 325 and normalized = "DH" and algType = "KEY_AGREEMENT"
+  or
   name = "aes-128-ofb" and nid = 420 and normalized = "AES-128" and algType = "SYMMETRIC_ENCRYPTION"
   or
   name = "aes-128-ofb" and nid = 420 and normalized = "OFB" and algType = "BLOCK_MODE"
@@ -1395,9 +1387,9 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "kx-rsa" and nid = 1037 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
-  name = "kx-ecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kx-ecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
-  name = "kx-ecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kx-ecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
   name = "kx-rsa-psk" and nid = 1042 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
@@ -1705,8 +1697,12 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "x448" and nid = 1035 and normalized = "X448" and algType = "ELLIPTIC_CURVE"
   or
+  name = "x448" and nid = 1035 and normalized = "X448" and algType = "KEY_AGREEMENT"
+  or
   name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "ELLIPTIC_CURVE"
   or
+  name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "KEY_AGREEMENT"
+  or
   name = "authecdsa" and nid = 1047 and normalized = "ECDSA" and algType = "SIGNATURE"
   or
   name = "authgost01" and nid = 1050 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION"
@@ -1805,51 +1801,101 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "SHA1" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha1kdf-scheme" and
+  nid = 941 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha224kdf-scheme" and
   nid = 942 and
   normalized = "SHA-224" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha224kdf-scheme" and
+  nid = 942 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha256kdf-scheme" and
   nid = 943 and
   normalized = "SHA-256" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha256kdf-scheme" and
+  nid = 943 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha384kdf-scheme" and
   nid = 944 and
   normalized = "SHA-384" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha384kdf-scheme" and
+  nid = 944 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha512kdf-scheme" and
   nid = 945 and
   normalized = "SHA-512" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha512kdf-scheme" and
+  nid = 945 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha1kdf-scheme" and
   nid = 936 and
   normalized = "SHA1" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha1kdf-scheme" and
+  nid = 936 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha224kdf-scheme" and
   nid = 937 and
   normalized = "SHA-224" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha224kdf-scheme" and
+  nid = 937 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha256kdf-scheme" and
   nid = 938 and
   normalized = "SHA-256" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha256kdf-scheme" and
+  nid = 938 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha384kdf-scheme" and
   nid = 939 and
   normalized = "SHA-384" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha384kdf-scheme" and
+  nid = 939 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha512kdf-scheme" and
   nid = 940 and
   normalized = "SHA-512" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha512kdf-scheme" and
+  nid = 940 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dsa-old" and nid = 67 and normalized = "DSA" and algType = "SIGNATURE"
   or
   name = "dsa-sha" and nid = 66 and normalized = "DSA" and algType = "SIGNATURE"
@@ -2009,7 +2055,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "gost r 34.10-2001 dh" and
+  name = "gost r 34.10-2001 dh" and // TODO: review this algorithm
   nid = 817 and
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2079,7 +2125,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "gost r 34.10-94 dh" and
+  name = "gost r 34.10-94 dh" and // TODO: review this algorithm
   nid = 818 and
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2294,7 +2340,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOSTR34102001" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-gostr3410-2001dh" and
+  name = "id-gostr3410-2001dh" and // TODO: review this algorithm
   nid = 817 and
   normalized = "GOSTR34102001" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2359,7 +2405,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOSTR341094" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-gostr3410-94dh" and
+  name = "id-gostr3410-94dh" and // TODO: review this algorithm
   nid = 818 and
   normalized = "GOSTR341094" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2443,16 +2489,31 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "3DES" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
+  name = "id-smime-alg-esdhwith3des" and
+  nid = 241 and
+  normalized = "ESDH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "id-smime-alg-esdhwithrc2" and
   nid = 242 and
   normalized = "RC2" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
+  name = "id-smime-alg-esdhwithrc2" and
+  nid = 242 and
+  normalized = "ESDH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "id-smime-alg-rc2wrap" and
   nid = 244 and
   normalized = "RC2" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
+  name = "id_smime_alg_esdh" and
+  nid = 245 and
+  normalized = "ESDH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "id-tc26-gost-28147-param-z" and
   nid = 1003 and
   normalized = "GOST28147" and
@@ -2498,9 +2559,9 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST34102012" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "kxecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kxecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
-  name = "kxecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kxecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
   name = "kxgost" and nid = 1045 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION"
   or

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll

@@ -1,5 +1,5 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
   abstract OpenSSLAlgorithmValueConsumer getAVC();

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll

@@ -3,3 +3,4 @@ import CipherAlgorithmInstance
 import PaddingAlgorithmInstance
 import BlockAlgorithmInstance
 import HashAlgorithmInstance
+import EllipticCurveAlgorithmInstance

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -1,13 +1,31 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import AlgToAVCFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import AlgToAVCFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+
+/**
+ * A class to define padding specific integer values.
+ * from rsa.h in openssl:
+ *     # define RSA_PKCS1_PADDING          1
+ *     # define RSA_NO_PADDING             3
+ *     # define RSA_PKCS1_OAEP_PADDING     4
+ *     # define RSA_X931_PADDING           5
+ *     # define RSA_PKCS1_PSS_PADDING      6
+ *     # define RSA_PKCS1_WITH_TLS_PADDING 7
+ *     # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+ */
+class OpenSSLPaddingLiteral extends Literal {
+  // TODO: we can be more specific about where the literal is in a larger expression
+  // to avoid literals that are clealy not representing an algorithm, e.g., array indices.
+  OpenSSLPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] }
+}
 
 /**
  * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToPaddingFamilyType(
   KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type
@@ -59,19 +77,8 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
     this instanceof KnownOpenSSLPaddingAlgorithmConstant and
     isPaddingSpecificConsumer = false
     or
-    // Possibility 3:
-    // from rsa.h in openssl:
-    // # define RSA_PKCS1_PADDING          1
-    // # define RSA_NO_PADDING             3
-    // # define RSA_PKCS1_OAEP_PADDING     4
-    // # define RSA_X931_PADDING           5
-    // /* EVP_PKEY_ only */
-    // # define RSA_PKCS1_PSS_PADDING      6
-    // # define RSA_PKCS1_WITH_TLS_PADDING 7
-    // /* internal RSA_ only */
-    // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
-    this instanceof Literal and
-    this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] and
+    // Possibility 3: padding-specific literal
+    this instanceof OpenSSLPaddingLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
@@ -83,28 +90,32 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
     isPaddingSpecificConsumer = true
   }
 
-  override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawPaddingAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 
+  Crypto::TPaddingType getKnownPaddingType() {
+    this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
+    or
+    this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
+    or
+    this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
+    or
+    this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
+    or
+    this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
+  }
+
   override Crypto::TPaddingType getPaddingType() {
     isPaddingSpecificConsumer = true and
     (
-      if this.(Literal).getValue().toInt() in [1, 7, 8]
-      then result = Crypto::PKCS1_v1_5()
-      else
-        if this.(Literal).getValue().toInt() = 3
-        then result = Crypto::NoPadding()
-        else
-          if this.(Literal).getValue().toInt() = 4
-          then result = Crypto::OAEP()
-          else
-            if this.(Literal).getValue().toInt() = 5
-            then result = Crypto::ANSI_X9_23()
-            else
-              if this.(Literal).getValue().toInt() = 6
-              then result = Crypto::PSS()
-              else result = Crypto::OtherPadding()
+      result = this.getKnownPaddingType()
+      or
+      not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
     )
     or
     isPaddingSpecificConsumer = false and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -14,7 +13,6 @@ class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
 
   EVPCipherAlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
     (
       this.(Call).getTarget().getName() in [
           "EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
-// TODO: can self referential to itself, which is also an algorithm (Known algorithm)
 /**
  * Cases like EVP_MD5(),
  * there is no input, rather it directly gets an algorithm

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll

@@ -0,0 +1,34 @@
+import cpp
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+//https://docs.openssl.org/3.0/man3/EC_KEY_new/#name
+class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPEllipticCurveAlgorithmConsumer() {
+    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
+    (
+      this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in [
+          "EC_KEY_new_by_curve_name_ex", "EVP_PKEY_CTX_set_ec_paramgen_curve_nid"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(2)
+    )
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll

@@ -1,23 +1,16 @@
-// import EVPHashInitializer
-// import EVPHashOperation
-// import EVPHashAlgorithmSource
 import cpp
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
 
 abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
 /**
  * EVP_Q_Digest directly consumes algorithm constant values
  */
-class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
-  EVP_Q_Digest_Algorithm_Consumer() {
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
-    this.(Call).getTarget().getName() = "EVP_Q_digest"
-  }
+class EVP_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
+  EVP_Q_Digest_Algorithm_Consumer() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
 
   override Crypto::ConsumerInputDataFlowNode getInputNode() {
     result.asExpr() = this.(Call).getArgument(1)
@@ -33,3 +26,33 @@ class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
     none()
   }
 }
+
+/**
+ * The EVP digest algorithm getters
+ * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
+ */
+class EVPDigestAlgorithmValueConsumer extends HashAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPDigestAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    (
+      this.(Call).getTarget().getName() in [
+          "EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() = "EVP_MD_fetch" and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/KEMAlgorithmValueConsumer.qll

@@ -0,0 +1,28 @@
+import cpp
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class KEMAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+class EVPKEMAlgorithmValueConsumer extends KEMAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPKEMAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    (
+      this.(Call).getTarget().getName() = "EVP_KEM_fetch" and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/KeyExchangeAlgorithmValueConsumer.qll

@@ -0,0 +1,28 @@
+import cpp
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class KeyExchangeAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+class EVPKeyExchangeAlgorithmValueConsumer extends KeyExchangeAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPKeyExchangeAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    (
+      this.(Call).getTarget().getName() = "EVP_KEYEXCH_fetch" and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll

@@ -1,5 +1,4 @@
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.Language
 
 abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
   /**

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll

@@ -3,3 +3,5 @@ import CipherAlgorithmValueConsumer
 import DirectAlgorithmValueConsumer
 import PaddingAlgorithmValueConsumer
 import HashAlgorithmValueConsumer
+import EllipticCurveAlgorithmValueConsumer
+import PKeyAlgorithmValueConsumer

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll

@@ -0,0 +1,55 @@
+import cpp
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class PKeyValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPPKeyAlgorithmConsumer() {
+    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
+    (
+      // NOTE: some of these consumers are themselves key gen operations,
+      // in these cases, the operation will be created separately for the same function.
+      this.(Call).getTarget().getName() in [
+          "EVP_PKEY_CTX_new_id", "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key",
+          "EVP_PKEY_new_mac_key"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in [
+          "EVP_PKEY_CTX_new_from_name", "EVP_PKEY_new_raw_private_key_ex",
+          "EVP_PKEY_new_raw_public_key_ex", "EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+      or
+      // argInd 2 is 'type' which can be RSA, or EC
+      // if RSA argInd 3 is the key size, else if EC argInd 3 is the curve name
+      // In all other cases there is no argInd 3, and argInd 2 is the algorithm.
+      // Since this is a key gen operation, handling the key size should be handled
+      // when the operation is again modeled as a key gen operation.
+      this.(Call).getTarget().getName() = "EVP_PKEY_Q_keygen" and
+      (
+        // Elliptic curve case
+        // If the argInd 3 is a derived type (pointer or array) then assume it is a curve name
+        if this.(Call).getArgument(3).getType().getUnderlyingType() instanceof DerivedType
+        then valueArgNode.asExpr() = this.(Call).getArgument(3)
+        else
+          // All other cases
+          valueArgNode.asExpr() = this.(Call).getArgument(2)
+      )
+    )
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -16,11 +15,8 @@ class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorit
 
   EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
-    (
-      this.(Call).getTarget().getName() in ["EVP_PKEY_CTX_set_rsa_padding"] and
-      valueArgNode.asExpr() = this.(Call).getArgument(1)
-    )
+    this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_rsa_padding" and
+    valueArgNode.asExpr() = this.(Call).getArgument(1)
   }
 
   override DataFlow::Node getResultNode() { result = resultNode }

cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll

@@ -20,79 +20,119 @@
 
 import semmle.code.cpp.dataflow.new.DataFlow
 
-class CTXType extends Type {
-  CTXType() {
-    // TODO: should we limit this to an openssl path?
+/**
+ * An openSSL CTX type, which is type for which the stripped underlying type
+ * matches the pattern 'evp_%ctx_%st'.
+ * This includes types like:
+ * - EVP_CIPHER_CTX
+ * - EVP_MD_CTX
+ * - EVP_PKEY_CTX
+ */
+private class CtxType extends Type {
+  CtxType() {
+    // It is possible for users to use the underlying type of the CTX variables
+    // these have a name matching 'evp_%ctx_%st
     this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
+    or
+    // In principal the above check should be sufficient, but in case of build mode none issues
+    // i.e., if a typedef cannot be resolved,
+    // or issues with properly stubbing test cases, we also explicitly check for the wrapping type defs
+    // i.e., patterns matching 'EVP_%_CTX'
+    exists(Type base | base = this or base = this.(DerivedType).getBaseType() |
+      base.getName().matches("EVP_%_CTX")
+    )
   }
 }
 
-class CTXPointerExpr extends Expr {
-  CTXPointerExpr() {
-    this.getType() instanceof CTXType and
+/**
+ * A pointer to a CtxType
+ */
+private class CtxPointerExpr extends Expr {
+  CtxPointerExpr() {
+    this.getType() instanceof CtxType and
     this.getType() instanceof PointerType
   }
 }
 
-class CTXPointerArgument extends CTXPointerExpr {
-  CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) }
+/**
+ * A call argument of type CtxPointerExpr.
+ */
+private class CtxPointerArgument extends CtxPointerExpr {
+  CtxPointerArgument() { exists(Call c | c.getAnArgument() = this) }
 
   Call getCall() { result.getAnArgument() = this }
 }
 
-class CTXClearCall extends Call {
-  CTXClearCall() {
+/**
+ * A call whose target contains 'free' or 'reset' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxClearCall extends Call {
+  CtxClearCall() {
     this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-class CTXCopyOutArgCall extends Call {
-  CTXCopyOutArgCall() {
-    this.getTarget().getName().toLowerCase().matches(["%copy%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument
+/**
+ * A call whose target contains 'copy' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxCopyOutArgCall extends Call {
+  CtxCopyOutArgCall() {
+    this.getTarget().getName().toLowerCase().matches("%copy%") and
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-class CTXCopyReturnCall extends Call {
-  CTXCopyReturnCall() {
-    this.getTarget().getName().toLowerCase().matches(["%dup%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument and
-    this instanceof CTXPointerExpr
+/**
+ * A call whose target contains 'dup' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxCopyReturnCall extends Call, CtxPointerExpr {
+  CtxCopyReturnCall() {
+    this.getTarget().getName().toLowerCase().matches("%dup%") and
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-module OpenSSLCTXArgumentFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CTXPointerArgument }
+/**
+ * Flow from any CtxPointerArgument to any other CtxPointerArgument
+ */
+module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CtxPointerArgument }
 
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CTXPointerArgument }
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CtxPointerArgument }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(CTXClearCall c | c.getAnArgument() = node.asExpr())
+    exists(CtxClearCall c | c.getAnArgument() = node.asExpr())
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(CTXCopyOutArgCall c |
+    exists(CtxCopyOutArgCall c |
       c.getAnArgument() = node1.asExpr() and
       c.getAnArgument() = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CTXType
+      node2.asExpr().getType() instanceof CtxType
     )
     or
-    exists(CTXCopyReturnCall c |
+    exists(CtxCopyReturnCall c |
       c.getAnArgument() = node1.asExpr() and
       c = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CTXType
+      node2.asExpr().getType() instanceof CtxType
     )
   }
 }
 
-module OpenSSLCTXArgumentFlow = DataFlow::Global<OpenSSLCTXArgumentFlowConfig>;
+module OpenSSLCtxArgumentFlow = DataFlow::Global<OpenSSLCtxArgumentFlowConfig>;
 
-predicate ctxArgFlowsToCtxArg(CTXPointerArgument source, CTXPointerArgument sink) {
+/**
+ * Holds if there is a context flow from the source to the sink.
+ */
+predicate ctxArgFlowsToCtxArg(CtxPointerArgument source, CtxPointerArgument sink) {
   exists(DataFlow::Node a, DataFlow::Node b |
-    OpenSSLCTXArgumentFlow::flow(a, b) and
+    OpenSSLCtxArgumentFlow::flow(a, b) and
     a.asExpr() = source and
     b.asExpr() = sink
   )

cpp/ql/lib/experimental/quantum/OpenSSL/GenericSourceCandidateLiteral.qll

@@ -0,0 +1,122 @@
+import cpp
+private import semmle.code.cpp.models.Models
+private import semmle.code.cpp.models.interfaces.FormattingFunction
+
+private class IntLiteral extends Literal {
+  IntLiteral() {
+    //Heuristics for distinguishing int literals from other literals
+    exists(this.getValue().toInt()) and
+    not this instanceof CharLiteral and
+    not this instanceof StringLiteral
+  }
+}
+
+/**
+ * Holds if a StringLiteral could conceivably be used in some way for cryptography.
+ * Note: this predicate should only consider restrictions with respect to strings only.
+ * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
+ */
+private predicate isOpenSSLStringLiteralGenericSourceCandidate(StringLiteral s) {
+  // 'EC' is a constant that may be used where typical algorithms are specified,
+  // but EC specifically means set up a default curve container, that will later be
+  //specified explicitly (or if not a default) curve is used.
+  s.getValue() != "EC" and
+  // Ignore empty strings
+  s.getValue() != "" and
+  // Filter out strings with "%", to filter out format strings
+  not s.getValue().matches("%\\%%") and
+  // Filter out strings in brackets or braces (commonly seen strings not relevant for crypto)
+  not s.getValue().matches(["[%]", "(%)"]) and
+  // Filter out all strings of length 1, since these are not algorithm names
+  // NOTE/ASSUMPTION: If a user legitimately passes a string of length 1 to some configuration
+  // we will assume this is generally unknown. We may need to reassess this in the future.
+  s.getValue().length() > 1 and
+  // Ignore all strings that are in format string calls outputing to a stream (e.g., stdout)
+  not exists(FormattingFunctionCall f |
+    exists(f.getOutputArgument(true)) and s = f.(Call).getAnArgument()
+  ) and
+  // Ignore all format string calls where there is no known out param (resulting string)
+  // i.e., ignore printf, since it will just output a string and not produce a new string
+  not exists(FormattingFunctionCall f |
+    // Note: using two ways of determining if there is an out param, since I'm not sure
+    // which way is canonical
+    not exists(f.getOutputArgument(false)) and
+    not f.getTarget().hasTaintFlow(_, _) and
+    f.(Call).getAnArgument() = s
+  )
+}
+
+/**
+ * Holds if a StringLiteral could conceivably be used in some way for cryptography.
+ * Note: this predicate should only consider restrictions with respect to integers only.
+ * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
+ */
+private predicate isOpenSSLIntLiteralGenericSourceCandidate(IntLiteral l) {
+  // Ignore integer values of 0, commonly referring to NULL only (no known algorithm 0)
+  l.getValue().toInt() != 0 and
+  // ASSUMPTION, no negative numbers are allowed
+  // RATIONALE: this is a performance improvement to avoid having to trace every number
+  not exists(UnaryMinusExpr u | u.getOperand() = l) and
+  //  OPENSSL has a special macro for getting every line, ignore it
+  not exists(MacroInvocation mi | mi.getExpr() = l and mi.getMacroName() = "OPENSSL_LINE") and
+  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
+  not exists(ReturnStmt r |
+    r.getExpr() = l and
+    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof DerivedType
+  ) and
+  // A literal as an array index should not be relevant for crypo
+  not exists(ArrayExpr op | op.getArrayOffset() = l) and
+  // A literal used in a bitwise should not be relevant for crypto
+  not exists(BinaryBitwiseOperation op | op.getAnOperand() = l) and
+  not exists(AssignBitwiseOperation op | op.getAnOperand() = l) and
+  //Filter out cases where an int is assigned or initialized into a pointer, e.g., char* x = NULL;
+  not exists(Assignment a |
+    a.getRValue() = l and
+    a.getLValue().getType().getUnspecifiedType() instanceof DerivedType
+  ) and
+  not exists(Initializer i |
+    i.getExpr() = l and
+    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof DerivedType
+  ) and
+  // Filter out cases where the literal is used in any kind of arithmetic operation
+  not exists(BinaryArithmeticOperation op | op.getAnOperand() = l) and
+  not exists(UnaryArithmeticOperation op | op.getOperand() = l) and
+  not exists(AssignArithmeticOperation op | op.getAnOperand() = l) and
+  // If a literal has no parent ignore it, this is a workaround for the current inability
+  // to find a literal in an array declaration: int x[100];
+  // NOTE/ASSUMPTION: this value might actually be relevant for finding hard coded sizes
+  // consider size as inferred through the allocation of a buffer.
+  // In these cases, we advise that the source is not generic and must be traced explicitly.
+  exists(l.getParent())
+}
+
+/**
+ * Any literal that may be conceivably be used in some way for cryptography.
+ * The set of all literals is restricted by this class to cases where there is higher
+ * plausibility that the literal could be used as a source of configuration.
+ * Literals are filtered, for example, if they are used in a way no indicative of an algorithm use
+ * such as in an array index, bitwise operation, or logical operation.
+ * Note a case like this:
+ *      if(algVal == "AES")
+ *
+ * "AES" may be a legitimate algorithm literal, but the literal will not be used for an operation directly
+ * since it is in a equality comparison, hence this case would also be filtered.
+ */
+class OpenSSLGenericSourceCandidateLiteral extends Literal {
+  OpenSSLGenericSourceCandidateLiteral() {
+    (
+      isOpenSSLIntLiteralGenericSourceCandidate(this) or
+      isOpenSSLStringLiteralGenericSourceCandidate(this)
+    ) and
+    // ********* General filters beyond what is filtered for strings and ints *********
+    // An algorithm literal in a switch case will not be directly applied to an operation.
+    not exists(SwitchCase sc | sc.getExpr() = this) and
+    // A literal in a logical operation may be an algorithm, but not a candidate
+    // for the purposes of finding applied algorithms
+    not exists(BinaryLogicalOperation op | op.getAnOperand() = this) and
+    not exists(UnaryLogicalOperation op | op.getOperand() = this) and
+    // A literal in a comparison operation may be an algorithm, but not a candidate
+    // for the purposes of finding applied algorithms
+    not exists(ComparisonOperation op | op.getAnOperand() = this)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll

@@ -1,9 +1,7 @@
-import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-
 module OpenSSLModel {
-  import experimental.quantum.Language
-  import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-  import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-  import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
+  import AlgorithmInstances.OpenSSLAlgorithmInstances
+  import AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+  import Operations.OpenSSLOperations
+  import Random
+  import GenericSourceCandidateLiteral
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll

@@ -0,0 +1,61 @@
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import OpenSSLOperationBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(ECKeyGenOperation c | c.getAlgorithmArg() = sink.asExpr())
+  }
+}
+
+private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
+
+class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance {
+  ECKeyGenOperation() { this.(Call).getTarget().getName() = "EC_KEY_generate_key" }
+
+  override Expr getOutputArg() {
+    result = this.(Call) // return value of call
+  }
+
+  Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
+
+  override Expr getInputArg() {
+    // there is no 'input', in the sense that no data is being manipulated by the operation.
+    // There is an input of an algorithm, but that is not the intention of the operation input arg.
+    none()
+  }
+
+  override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
+    result = this.getOutputNode()
+  }
+
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.getAlgorithmArg()))
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
+    none() // no explicit key size, inferred from algorithm
+  }
+
+  override int getKeySizeFixed() {
+    none()
+    // TODO: marked as none as the operation itself has no key size, it
+    // comes from the algorithm source, but note we could grab the
+    // algorithm source and get the key size (see below).
+    // We may need to reconsider what is the best approach here.
+    // result =
+    //   this.getAnAlgorithmValueConsumer()
+    //       .getAKnownAlgorithmSource()
+    //       .(Crypto::EllipticCurveInstance)
+    //       .getKeySize()
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll

@@ -3,8 +3,8 @@
  * Models cipher initialization for EVP cipher operations.
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
 
 module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll

@@ -1,8 +1,8 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import EVPCipherInitializer
-import OpenSSLOperationBase
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import EVPCipherInitializer
+private import OpenSSLOperationBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
@@ -10,7 +10,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(EVP_Cipher_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+    exists(EVP_Cipher_Operation c | c.getAlgorithmArg() = sink.asExpr())
   }
 }
 
@@ -32,6 +32,8 @@ private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsu
 abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
   Expr getContextArg() { result = this.(Call).getArgument(0) }
 
+  Expr getAlgorithmArg() { this.getInitCall().getAlgorithmArg() = result }
+
   override Expr getOutputArg() { result = this.(Call).getArgument(1) }
 
   override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
@@ -67,37 +69,42 @@ abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperati
   }
 }
 
-// abstract class EVP_Update_Call extends EVP_Cipher_Operation { }
-abstract class EVP_Final_Call extends EVP_Cipher_Operation {
-  override Expr getInputArg() { none() }
-}
-
-// TODO: only model Final (model final as operation and model update but not as an operation)
-// Updates are multiple input consumers (most important)
-// TODO: assuming update doesn't ouput, otherwise it outputs artifacts, but is not an operation
 class EVP_Cipher_Call extends EVP_Cipher_Operation {
   EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
 
   override Expr getInputArg() { result = this.(Call).getArgument(2) }
 }
 
-// ******* TODO: model UPDATE but not as the core operation, rather a step towards final
-// see the JCA
-// class EVP_Encrypt_Decrypt_or_Cipher_Update_Call extends EVP_Update_Call {
-//   EVP_Encrypt_Decrypt_or_Cipher_Update_Call() {
-//     this.(Call).getTarget().getName() in [
-//         "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
-//       ]
-//   }
-//   override Expr getInputArg() { result = this.(Call).getArgument(3) }
-// }
-class EVP_Encrypt_Decrypt_or_Cipher_Final_Call extends EVP_Final_Call {
-  EVP_Encrypt_Decrypt_or_Cipher_Final_Call() {
+// NOTE: not modeled as cipher operations, these are intermediate calls
+class EVP_Cipher_Update_Call extends Call {
+  EVP_Cipher_Update_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
+      ]
+  }
+
+  Expr getInputArg() { result = this.(Call).getArgument(3) }
+
+  DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
+
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+}
+
+class EVP_Cipher_Final_Call extends EVP_Cipher_Operation {
+  EVP_Cipher_Final_Call() {
     this.(Call).getTarget().getName() in [
         "EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
         "EVP_DecryptFinal", "EVP_CipherFinal"
       ]
   }
+
+  EVP_Cipher_Update_Call getUpdateCalls() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+
+  override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
 }
 
 class EVP_PKEY_Operation extends EVP_Cipher_Operation {

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll

@@ -2,20 +2,31 @@
  * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import experimental.quantum.OpenSSL.LibraryDetector
-import OpenSSLOperationBase
-import EVPHashInitializer
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import OpenSSLOperationBase
+private import EVPHashInitializer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 // import EVPHashConsumers
 abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
   Expr getContextArg() { result = this.(Call).getArgument(0) }
 
+  Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
+
   EVP_Hash_Initializer getInitCall() {
     CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
   }
+
+  /**
+   * By default, the algorithm value comes from the init call.
+   * There are variants where this isn't true, in which case the
+   * subclass should override this method.
+   */
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.getAlgorithmArg()))
+  }
 }
 
 private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
@@ -24,7 +35,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(EVP_Hash_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+    exists(EVP_Hash_Operation c | c.getAlgorithmArg() = sink.asExpr())
   }
 }
 
@@ -32,10 +43,7 @@ private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsu
 
 //https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
 class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
-  EVP_Q_Digest_Operation() {
-    this.(Call).getTarget().getName() = "EVP_Q_digest" and
-    isPossibleOpenSSLFunction(this.(Call).getTarget())
-  }
+  EVP_Q_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
 
   //override Crypto::AlgorithmConsumer getAlgorithmConsumer() {  }
   override EVP_Hash_Initializer getInitCall() {
@@ -58,28 +66,24 @@ class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
     // simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
     this = result
   }
+
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
 }
 
 class EVP_Digest_Operation extends EVP_Hash_Operation {
-  EVP_Digest_Operation() {
-    this.(Call).getTarget().getName() = "EVP_Digest" and
-    isPossibleOpenSSLFunction(this.(Call).getTarget())
-  }
+  EVP_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Digest" }
 
   // There is no context argument for this function
   override Expr getContextArg() { none() }
 
-  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-      DataFlow::exprNode(this.(Call).getArgument(4)))
-  }
-
   override EVP_Hash_Initializer getInitCall() {
     // This variant of digest does not use an init
     // and even if it were used, the init would be ignored/undefined
     none()
   }
 
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
+
   override Expr getOutputArg() { result = this.(Call).getArgument(2) }
 
   override Expr getInputArg() { result = this.(Call).getArgument(0) }
@@ -88,30 +92,34 @@ class EVP_Digest_Operation extends EVP_Hash_Operation {
 
   override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
 }
-// // override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-// //   AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-// //     DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
-// // }
-// // ***** TODO *** complete modelinlg for hash operations, but have consideration for terminal and non-terminal (non intermedaite) steps
-// // see the JCA. May need to update the cipher operations similarly
-// // ALSO SEE cipher for how we currently model initialization of the algorithm through an init call
-// class EVP_DigestUpdate_Operation extends EVP_Hash_Operation {
-//   EVP_DigestUpdate_Operation() {
-//     this.(Call).getTarget().getName() = "EVP_DigestUpdate" and
-//     isPossibleOpenSSLFunction(this.(Call).getTarget())
-//   }
-//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
-//     this.getInitCall().getAlgorithmArg() = result
-//   }
-// }
-// class EVP_DigestFinal_Variants_Operation extends EVP_Hash_Operation {
-//   EVP_DigestFinal_Variants_Operation() {
-//     this.(Call).getTarget().getName() in [
-//         "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
-//       ] and
-//     isPossibleOpenSSLFunction(this.(Call).getTarget())
-//   }
-//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
-//     this.getInitCall().getAlgorithmArg() = result
-//   }
-// }
+
+// NOTE: not modeled as hash operations, these are intermediate calls
+class EVP_Digest_Update_Call extends Call {
+  EVP_Digest_Update_Call() { this.(Call).getTarget().getName() in ["EVP_DigestUpdate"] }
+
+  Expr getInputArg() { result = this.(Call).getArgument(1) }
+
+  DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
+
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+}
+
+class EVP_Digest_Final_Call extends EVP_Hash_Operation {
+  EVP_Digest_Final_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
+      ]
+  }
+
+  EVP_Digest_Update_Call getUpdateCalls() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+
+  override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+
+  override Expr getOutputArg() { result = this.(Call).getArgument(1) }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -1,4 +1,4 @@
-import experimental.quantum.Language
+private import experimental.quantum.Language
 
 abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
   abstract Expr getInputArg();

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll

@@ -1,3 +1,4 @@
 import OpenSSLOperationBase
 import EVPCipherOperation
 import EVPHashOperation
+import ECKeyGenOperation

cpp/ql/lib/ext/Boost.Asio.model.yml

@@ -1,4 +1,4 @@
-  # partial model of the Boost::Asio network library
+# partial model of the Boost::Asio network library
 extensions:
   - addsTo:
       pack: codeql/cpp-all

cpp/ql/lib/ext/Windows.model.yml

@@ -0,0 +1,35 @@
+# partial model of windows system calls
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      # processenv.h
+      - ["", "", False, "GetCommandLineA", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetCommandLineW", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsA", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsW", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableA", "", "", "Argument[*1]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableW", "", "", "Argument[*1]", "local", "manual"]
+      # fileapi.h
+      - ["", "", False, "ReadFile", "", "", "Argument[*1]", "local", "manual"]
+      - ["", "", False, "ReadFileEx", "", "", "Argument[*1]", "local", "manual"]
+      # memoryapi.h
+      - ["", "", False, "MapViewOfFile", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile2", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile3", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile3FromApp", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileEx", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileFromApp", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileNuma2", "", "", "ReturnValue[*]", "local", "manual"]
+      # ntifs.h
+      - ["", "", False, "NtReadFile", "", "", "Argument[*5]", "local", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      # shellapi.h
+      - ["", "", False, "CommandLineToArgvA", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
+      - ["", "", False, "CommandLineToArgvW", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
+      # fileapi.h
+      - ["", "", False, "ReadFileEx", "", "", "Argument[*3].Field[@hEvent]", "Argument[4].Parameter[*2].Field[@hEvent]", "value", "manual"]

cpp/ql/lib/ext/generated/sqlite/sqlite.model.yml

@@ -0,0 +1,948 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data:
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[**0]", "Argument[**0].Field[**next]", "value", "dfc-generated"]
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[*0]", "Argument[**0].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[0]", "Argument[**0].Field[*next]", "taint", "dfc-generated"]
+      - ["", "", True, "Action_add", "(action **,e_action,symbol *,char *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*0].Field[**rp].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*0].Field[*dot]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*1].Field[**rp].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configcmp", "(const char *,const char *)", "", "Argument[*1].Field[*dot]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Configlist_add", "(rule *,int)", "", "Argument[*0]", "ReturnValue[*].Field[**rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_add", "(rule *,int)", "", "Argument[0]", "ReturnValue[*].Field[*rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_add", "(rule *,int)", "", "Argument[1]", "ReturnValue[*].Field[*dot]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_addbasis", "(rule *,int)", "", "Argument[*0]", "ReturnValue[*].Field[**rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_addbasis", "(rule *,int)", "", "Argument[0]", "ReturnValue[*].Field[*rp]", "value", "dfc-generated"]
+      - ["", "", True, "Configlist_addbasis", "(rule *,int)", "", "Argument[1]", "ReturnValue[*].Field[*dot]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[**0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[*0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[0]", "ReturnValue[**]", "taint", "dfc-generated"]
+      - ["", "", True, "JimDefaultAllocator", "(void *,size_t)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "JimStringReplaceObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "JimStringReplaceObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AioFilehandle", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AioFilehandle", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AppendObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*2]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_AppendString", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[*2]", "Argument[*1].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_AppendString", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[2]", "Argument[*1].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_AppendString", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[3]", "Argument[*1].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CallSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[**2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[**2]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[*2]", "Argument[**2]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[*2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[*2]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CheckShowCommands", "(Jim_Interp *,Jim_Obj *,const char *const *)", "", "Argument[2]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "Argument[*3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*2]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*2]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*3]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[2]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*2]", "value", "df-generated"]
+      - ["", "", True, "Jim_CommandMatchObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[3]", "Argument[*3]", "value", "df-generated"]
+      - ["", "", True, "Jim_CompareStringImmediate", "(Jim_Interp *,Jim_Obj *,const char *)", "", "Argument[*2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CompareStringImmediate", "(Jim_Interp *,Jim_Obj *,const char *)", "", "Argument[2]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ConcatObj", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2].Field[*length]", "ReturnValue[*].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ConcatObj", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ConcatObj", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "ReturnValue[*].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommand", "(Jim_Interp *,const char *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommandObj", "(Jim_Interp *,Jim_Obj *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_CreateCommandObj", "(Jim_Interp *,Jim_Obj *,Jim_CmdProc *,void *,Jim_DelCmdProc *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DeleteCommand", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DeleteCommand", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DictAddElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictAddElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictInfo", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*0]", "Argument[**3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*0]", "Argument[*3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKey", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[*2]", "Argument[*3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj **,int)", "", "Argument[*1]", "Argument[**4]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj **,int)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_DictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj **,int)", "", "Argument[1]", "Argument[*4]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_DictMatchTypes", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int,int)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DictMerge", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_DictPairs", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_DictSize", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DuplicateObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_DuplicateObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_DuplicateObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_Eval", "(Jim_Interp *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_Eval", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_Eval", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalExpression", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalExpression", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFile", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**currentFilenameObj].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalFileGlobal", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_EvalGlobal", "(Jim_Interp *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalGlobal", "(Jim_Interp *,const char *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalGlobal", "(Jim_Interp *,const char *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**evalFrame].Field[*scriptObj]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObjList", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObjList", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[**3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[**3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[**3]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*1]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[**3]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjPrefix", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "value", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalObjVector", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_EvalSource", "(Jim_Interp *,const char *,int,const char *)", "", "Argument[*3]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_EvalSource", "(Jim_Interp *,const char *,int,const char *)", "", "Argument[3]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_FileStoreStatData", "(Jim_Interp *,Jim_Obj *,const jim_stat_t *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_FindHashEntry", "(Jim_HashTable *,const void *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_FindHashEntry", "(Jim_HashTable *,const void *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_FormatString", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_FreeObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_FreeObj", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GenHashFunction", "(const unsigned char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GenHashFunction", "(const unsigned char *,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GenHashFunction", "(const unsigned char *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolFromExpr", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetBoolean", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "Argument[*2]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetCallFrameByLevel", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1].Field[**bytes]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetCallFrameByLevel", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1].Field[*bytes]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetCommand", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetCommand", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetDouble", "(Jim_Interp *,Jim_Obj *,double *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[**2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[*2]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[*2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[2]", "Argument[*1].Field[*internalRep].Union[*(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetEnum", "(Jim_Interp *,Jim_Obj *,const char *const *,int *,const char *,int)", "", "Argument[2]", "Argument[*1].Field[*internalRep].Union[**(unnamed class/struct/union)]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_GetExitCode", "(Jim_Interp *)", "", "Argument[*0].Field[*exitCode]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetGlobalVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetGlobalVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetHashTableIterator", "(Jim_HashTable *)", "", "Argument[*0]", "ReturnValue[*].Field[**ht]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetHashTableIterator", "(Jim_HashTable *)", "", "Argument[0]", "ReturnValue[*].Field[*ht]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetIndex", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetLong", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetReturnCode", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetSourceInfo", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetSourceInfo", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetSourceInfo", "(Jim_Interp *,Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetString", "(Jim_Obj *,int *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetString", "(Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetString", "(Jim_Obj *,int *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_GetVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetVariableStr", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWide", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[*1]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_GetWideExpr", "(Jim_Interp *,Jim_Obj *,long *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[**2]", "Argument[*0].Field[***privdata]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[*1]", "Argument[*0].Field[**type]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[*2]", "Argument[*0].Field[**privdata]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[1]", "Argument[*0].Field[*type]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_InitHashTable", "(Jim_HashTable *,const Jim_HashTableType *,void *)", "", "Argument[2]", "Argument[*0].Field[*privdata]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_IntHashFunction", "(unsigned int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_InteractivePrompt", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_Length", "(Jim_Obj *)", "", "Argument[*0].Field[*length]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListAppendElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListAppendElement", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[2]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListAppendList", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListAppendList", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*0]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListGetIndex", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[2]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListIndex", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj **,int)", "", "Argument[2]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListIndex", "(Jim_Interp *,Jim_Obj *,int,Jim_Obj **,int)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[*4]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[3]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListInsertElements", "(Jim_Interp *,Jim_Obj *,int,int,Jim_Obj *const *)", "", "Argument[4]", "Argument[**4]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListJoin", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[*2]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListJoin", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[2]", "ReturnValue[*].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListJoin", "(Jim_Interp *,Jim_Obj *,const char *,int)", "", "Argument[3]", "ReturnValue[*].Field[*length]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ListLength", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ListRange", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListRange", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListSetIndex", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListSetIndex", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ListSetIndex", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[*result]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeGlobalNamespaceName", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeGlobalNamespaceName", "(Jim_Interp *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_MakeTempFile", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewDictObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*1]", "Argument[**1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewDoubleObj", "(Jim_Interp *,double)", "", "Argument[1]", "ReturnValue[*].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewIntObj", "(Jim_Interp *,long)", "", "Argument[1]", "ReturnValue[*].Field[*internalRep].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[*1]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[1]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewListObj", "(Jim_Interp *,Jim_Obj *const *,int)", "", "Argument[2]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewObj", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewObj", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_NewStringObj", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObj", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObj", "(Jim_Interp *,const char *,int)", "", "Argument[2]", "ReturnValue[*].Field[*length]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjNoAlloc", "(Jim_Interp *,char *,int)", "", "Argument[*1]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjNoAlloc", "(Jim_Interp *,char *,int)", "", "Argument[1]", "ReturnValue[*].Field[*bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjNoAlloc", "(Jim_Interp *,char *,int)", "", "Argument[2]", "ReturnValue[*].Field[*length]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjUtf8", "(Jim_Interp *,const char *,int)", "", "Argument[*1]", "ReturnValue[*].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjUtf8", "(Jim_Interp *,const char *,int)", "", "Argument[1]", "ReturnValue[*].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_NewStringObjUtf8", "(Jim_Interp *,const char *,int)", "", "Argument[2]", "ReturnValue[*].Field[*length]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_NextHashEntry", "(Jim_HashTableIterator *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_NextHashEntry", "(Jim_HashTableIterator *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[*3]", "Argument[**3]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ParseSubCmd", "(Jim_Interp *,const jim_subcmd_type *,int,Jim_Obj *const *)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ReaddirCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegexpCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[**2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[**2]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RegsubCmd", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_RenameCommand", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_RenameCommand", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[2]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_ReturnCode", "(int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_ScanString", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_ScanString", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ScanString", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_ScriptIsComplete", "(Jim_Interp *,Jim_Obj *,char *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetDictKeysVector", "(Jim_Interp *,Jim_Obj *,Jim_Obj *const *,int,Jim_Obj *,int)", "", "Argument[1]", "Argument[*0].Field[*result]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetGlobalVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetResultFormatted", "(Jim_Interp *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetResultFormatted", "(Jim_Interp *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariable", "(Jim_Interp *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_SetVariableLink", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_CallFrame *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableLink", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_CallFrame *)", "", "Argument[2]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStr", "(Jim_Interp *,const char *,Jim_Obj *)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[*2]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SetVariableStrWithStr", "(Jim_Interp *,const char *,const char *)", "", "Argument[2]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SignalId", "(int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StackLen", "(Jim_Stack *)", "", "Argument[*0].Field[*len]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StackPeek", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPeek", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPeek", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPop", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPop", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPop", "(Jim_Stack *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Jim_StackPush", "(Jim_Stack *,void *)", "", "Argument[*1]", "Argument[*0].Field[***vector]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StackPush", "(Jim_Stack *,void *)", "", "Argument[1]", "Argument[*0].Field[**vector]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StrDup", "(const char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StrDup", "(const char *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StrDupLen", "(const char *,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StrDupLen", "(const char *,int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_String", "(Jim_Obj *)", "", "Argument[*0].Field[**bytes]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_String", "(Jim_Obj *)", "", "Argument[*0].Field[*bytes]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StringByteRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_StringByteRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StringRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[*1]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "Jim_StringRangeObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj *,Jim_Obj *)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_StringToDouble", "(const char *,double *)", "", "Argument[*0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StringToDouble", "(const char *,double *)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StringToWide", "(const char *,long *,int)", "", "Argument[*0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_StringToWide", "(const char *,long *,int)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SubCmdProc", "(Jim_Interp *,int,Jim_Obj *const *)", "", "Argument[*2]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_SubstObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[1]", "Argument[*0].Field[**freeList].Field[*prevObjPtr]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SubstObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[1]", "Argument[*0].Field[*freeList]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_SubstObj", "(Jim_Interp *,Jim_Obj *,Jim_Obj **,int)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_UnsetVariable", "(Jim_Interp *,Jim_Obj *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Jim_Utf8Length", "(Jim_Interp *,Jim_Obj *)", "", "Argument[*1].Field[*length]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[*3]", "Argument[*0].Field[**freeList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[*3]", "Argument[*0].Field[**liveList].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[*3]", "Argument[*0].Field[**result].Field[**bytes]", "value", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[3]", "Argument[*0].Field[**freeList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[3]", "Argument[*0].Field[**liveList].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_WrongNumArgs", "(Jim_Interp *,int,Jim_Obj *const *,const char *)", "", "Argument[3]", "Argument[*0].Field[**result].Field[**bytes]", "taint", "dfc-generated"]
+      - ["", "", True, "Jim_bootstrapInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_globInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_initjimshInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_stdlibInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Jim_tclcompatInit", "(Jim_Interp *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[**0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[*0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "OptInit", "(char **,s_options *,FILE *)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[**0]", "Argument[**0].Field[**next]", "value", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[*0]", "Argument[**0].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[0]", "Argument[**0].Field[*next]", "taint", "dfc-generated"]
+      - ["", "", True, "Plink_add", "(plink **,config *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[**0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*0]", "Argument[**0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*1]", "Argument[**0]", "value", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[0]", "Argument[**0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[0]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[1]", "Argument[**0]", "taint", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[1]", "Argument[*0]", "value", "df-generated"]
+      - ["", "", True, "Plink_copy", "(plink **,plink *)", "", "Argument[1]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "Plink_delete", "(plink *)", "", "Argument[0]", "Argument[*0].Field[**next].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "Plink_delete", "(plink *)", "", "Argument[0]", "Argument[*0].Field[*next]", "value", "dfc-generated"]
+      - ["", "", True, "PrintAction", "(action *,FILE *,int)", "", "Argument[2]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "ResortStates", "(lemon *)", "", "Argument[*0].Field[*nstate]", "Argument[*0].Field[*nxstate]", "value", "dfc-generated"]
+      - ["", "", True, "RulePrint", "(FILE *,rule *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "SHA1Transform", "(unsigned int[5],const unsigned char[64])", "", "Argument[*1]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "SHA1Transform", "(unsigned int[5],const unsigned char[64])", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "SHA1Transform", "(unsigned int[5],const unsigned char[64])", "", "Argument[1]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "State_find", "(config *)", "", "Argument[*0].Field[**bp].Field[**bp]", "Argument[*0]", "value", "dfc-generated"]
+      - ["", "", True, "State_find", "(config *)", "", "Argument[*0].Field[**bp]", "Argument[*0]", "value", "dfc-generated"]
+      - ["", "", True, "State_insert", "(state *,config *)", "", "Argument[*1].Field[**bp].Field[**bp]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "State_insert", "(state *,config *)", "", "Argument[*1].Field[**bp]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "Strsafe", "(const char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "Strsafe", "(const char *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "Symbol_Nth", "(int)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "Symbol_Nth", "(int)", "", "Argument[0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "Symbol_new", "(const char *)", "", "Argument[*0]", "ReturnValue[*].Field[**name]", "value", "dfc-generated"]
+      - ["", "", True, "Symbol_new", "(const char *)", "", "Argument[0]", "ReturnValue[*].Field[**name]", "taint", "dfc-generated"]
+      - ["", "", True, "Symbolcmpp", "(const void *,const void *)", "", "Argument[**0].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "Symbolcmpp", "(const void *,const void *)", "", "Argument[**1].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[1]", "Argument[*0].Field[**aLookahead].Field[*lookahead]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[1]", "Argument[*0].Field[*mnLookahead]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[1]", "Argument[*0].Field[*mxLookahead]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[2]", "Argument[*0].Field[**aLookahead].Field[*action]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action", "(acttab *,int,int)", "", "Argument[2]", "Argument[*0].Field[*mnAction]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_action_size", "(acttab *)", "", "Argument[*0].Field[*nAction]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "acttab_alloc", "(int,int)", "", "Argument[0]", "ReturnValue[*].Field[*nsymbol]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_alloc", "(int,int)", "", "Argument[1]", "ReturnValue[*].Field[*nterminal]", "value", "dfc-generated"]
+      - ["", "", True, "acttab_insert", "(acttab *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[1]", "ReturnValue[*].Field[*sz]", "taint", "dfc-generated"]
+      - ["", "", True, "append_str", "(const char *,int,int,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "close_db", "(sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "compute_action", "(lemon *,action *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "confighash", "(config *)", "", "Argument[*0].Field[**rp].Field[*index]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "confighash", "(config *)", "", "Argument[*0].Field[*dot]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "defossilize", "(char *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_code", "(FILE *,rule *,lemon *,int *)", "", "Argument[*3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_code", "(FILE *,rule *,lemon *,int *)", "", "Argument[3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_code", "(FILE *,rule *,lemon *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "emit_destructor_code", "(FILE *,symbol *,lemon *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[*0].Field[**filename]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[*0].Field[*filename]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "file_makename", "(lemon *,const char *)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**outname]", "value", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[*1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[1]", "Argument[*0].Field[**outname]", "taint", "dfc-generated"]
+      - ["", "", True, "file_open", "(lemon *,const char *,const char *)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "getstate", "(lemon *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "has_destructor", "(symbol *,lemon *)", "", "Argument[*1].Field[*tokendest]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "jim_regcomp", "(regex_t *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**regparse]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regcomp", "(regex_t *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[*regparse]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regcomp", "(regex_t *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[*cflags]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regerror", "(int,const regex_t *,char *,size_t)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*1]", "Argument[*0].Field[**regbol]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*1]", "Argument[*0].Field[**reginput]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*1]", "Argument[*0].Field[**start]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[*3]", "Argument[*0].Field[**pmatch]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[2]", "Argument[*0].Field[*nmatch]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[3]", "Argument[*0].Field[*pmatch]", "value", "dfc-generated"]
+      - ["", "", True, "jim_regexec", "(regex_t *,const char *,size_t,regmatch_t[],int)", "", "Argument[4]", "Argument[*0].Field[*eflags]", "value", "dfc-generated"]
+      - ["", "", True, "print_stack_union", "(FILE *,lemon *,int *,int)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[**4]", "ReturnValue[*].Field[***pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[*1]", "ReturnValue[*].Field[**zDb]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[*2]", "ReturnValue[*].Field[**zUri]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[*4]", "ReturnValue[*].Field[**pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zDb].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zUri].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[1]", "ReturnValue[*].Field[**zDb]", "taint", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[2]", "ReturnValue[*].Field[**zUri]", "taint", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[3]", "ReturnValue[*].Field[*xSql]", "value", "dfc-generated"]
+      - ["", "", True, "recoverInit", "(sqlite3 *,const char *,const char *,..(*)(..),void *)", "", "Argument[4]", "ReturnValue[*].Field[*pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "registerUDFs", "(sqlite3 *,sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "registerUDFs", "(sqlite3 *,sqlite3 *)", "", "Argument[1]", "Argument[*1].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "rule_print", "(FILE *,rule *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sha1sum_file", "(const char *,char *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sha3sum_file", "(const char *,char *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "shellReset", "(int *,sqlite3_stmt *)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3CompletionVtabInit", "(sqlite3 *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_aggregate_context", "(sqlite3_context *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_aggregate_context", "(sqlite3_context *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_aggregate_count", "(sqlite3_context *)", "", "Argument[*0].Field[**pMem].Field[*n]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[**2]", "Argument[*0].Field[***pAutovacPagesArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[*2]", "Argument[*0].Field[**pAutovacPagesArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*xAutovacPages]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[*pAutovacPagesArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_autovacuum_pages", "(sqlite3 *,..(*)(..),void *,..(*)(..))", "", "Argument[3]", "Argument[*0].Field[*xAutovacDestr]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_finish", "(sqlite3_backup *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_backup_init", "(sqlite3 *,const char *,sqlite3 *,const char *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_init", "(sqlite3 *,const char *,sqlite3 *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[*pDestDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_init", "(sqlite3 *,const char *,sqlite3 *,const char *)", "", "Argument[2]", "ReturnValue[*].Field[*pSrcDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_pagecount", "(sqlite3_backup *)", "", "Argument[*0].Field[*nPagecount]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_remaining", "(sqlite3_backup *)", "", "Argument[*0].Field[*nRemaining]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_backup_step", "(sqlite3_backup *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_base64_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_base85_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_blob64", "(sqlite3_stmt *,int,const void *,sqlite3_uint64,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_blob", "(sqlite3_stmt *,int,const void *,int,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_double", "(sqlite3_stmt *,int,double)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_int64", "(sqlite3_stmt *,int,sqlite3_int64,sqlite_int64)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_int", "(sqlite3_stmt *,int,int)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_count", "(sqlite3_stmt *)", "", "Argument[*0].Field[*nVar]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_index", "(sqlite3_stmt *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_name", "(sqlite3_stmt *,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_parameter_name", "(sqlite3_stmt *,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[*2]", "Argument[*0].Field[**aVar].Field[**z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[**aVar].Field[*z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_pointer", "(sqlite3_stmt *,int,void *,const char *,..(*)(..))", "", "Argument[4]", "Argument[*0].Field[**aVar].Field[*xDel]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_text16", "(sqlite3_stmt *,int,const void *,int,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_text64", "(sqlite3_stmt *,int,const char *,sqlite3_uint64,..(*)(..),unsigned char)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_text", "(sqlite3_stmt *,int,const char *,int,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_bind_value", "(sqlite3_stmt *,int,const sqlite3_value *)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_zeroblob64", "(sqlite3_stmt *,int,sqlite3_uint64)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_bind_zeroblob", "(sqlite3_stmt *,int,int)", "", "Argument[1]", "Argument[*0].Field[**aVar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_bytes", "(sqlite3_blob *)", "", "Argument[*0].Field[*nByte]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_close", "(sqlite3_blob *)", "", "Argument[*0].Field[**pStmt].Field[*rc]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*2]", "Argument[**6].Field[**pTab].Field[**zName]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*3]", "Argument[**6].Field[*iCol]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*3]", "Argument[**6].Field[*iOffset]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[*3]", "Argument[**6].Field[*nByte]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[2]", "Argument[**6].Field[**pTab].Field[**zName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[3]", "Argument[**6].Field[*iCol]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[3]", "Argument[**6].Field[*iOffset]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_open", "(sqlite3 *,const char *,const char *,const char *,sqlite3_int64,sqlite_int64,int,sqlite3_blob **)", "", "Argument[3]", "Argument[**6].Field[*nByte]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[2]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[3]", "Argument[*0].Field[**pCsr].Field[**aOverflow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_read", "(sqlite3_blob *,void *,int,int)", "", "Argument[3]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_reopen", "(sqlite3_blob *,sqlite3_int64)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[2]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[3]", "Argument[*0].Field[**pCsr].Field[**aOverflow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_blob_write", "(sqlite3_blob *,const void *,int,int)", "", "Argument[3]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[*busyHandler].Field[***pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[*busyHandler].Field[**pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*busyHandler].Field[*xBusyHandler]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_handler", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*busyHandler].Field[*pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_timeout", "(sqlite3 *,int)", "", "Argument[*0]", "Argument[*0].Field[*busyHandler].Field[**pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_timeout", "(sqlite3 *,int)", "", "Argument[0]", "Argument[*0].Field[*busyHandler].Field[*pBusyArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_busy_timeout", "(sqlite3 *,int)", "", "Argument[1]", "Argument[*0].Field[*busyTimeout]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_changes64", "(sqlite3 *)", "", "Argument[*0].Field[*nChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_changes", "(sqlite3 *)", "", "Argument[*0].Field[*nChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_close", "(sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[**1]", "Argument[*0].Field[***pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0].Field[**pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed16", "(sqlite3 *,void *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[*xCollNeeded16]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[**1]", "Argument[*0].Field[***pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0].Field[**pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*pCollNeededArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_collation_needed", "(sqlite3 *,void *,..(*)(..))", "", "Argument[2]", "Argument[*0].Field[*xCollNeeded]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_blob", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_bytes16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_bytes", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_count", "(sqlite3_stmt *)", "", "Argument[*0].Field[*nResColumn]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_decltype16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_decltype", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_double", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_int64", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_int", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name16", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name16", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**aColName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_name", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_text16", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_text", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_type", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[**pResultRow]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_value", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_column_value", "(sqlite3_stmt *,int)", "", "Argument[1]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pCommitArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pCommitArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xCommitCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_commit_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pCommitArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_compileoption_get", "(int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_completion_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_context_db_handle", "(sqlite3_context *)", "", "Argument[*0].Field[**pOut].Field[**db]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_context_db_handle", "(sqlite3_context *)", "", "Argument[*0].Field[**pOut].Field[*db]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_collation16", "(sqlite3 *,const void *,int,void *,..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_collation", "(sqlite3 *,const char *,int,void *,..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_collation_v2", "(sqlite3 *,const char *,int,void *,..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function16", "(sqlite3 *,const void *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function_v2", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function_v2", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_function_v2", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_module", "(sqlite3 *,const char *,const sqlite3_module *,void *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module", "(sqlite3 *,const char *,const sqlite3_module *,void *)", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module", "(sqlite3 *,const char *,const sqlite3_module *,void *)", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module_v2", "(sqlite3 *,const char *,const sqlite3_module *,void *,..(*)(..))", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module_v2", "(sqlite3 *,const char *,const sqlite3_module *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_module_v2", "(sqlite3 *,const char *,const sqlite3_module *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_create_window_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_window_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_create_window_function", "(sqlite3 *,const char *,int,int,void *,..(*)(..),..(*)(..),..(*)(..),..(*)(..),..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_data_count", "(sqlite3_stmt *)", "", "Argument[*0].Field[*nResColumn]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_handle", "(sqlite3_stmt *)", "", "Argument[*0].Field[**db]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_handle", "(sqlite3_stmt *)", "", "Argument[*0].Field[*db]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_mutex", "(sqlite3 *)", "", "Argument[*0].Field[**mutex]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_mutex", "(sqlite3 *)", "", "Argument[*0].Field[*mutex]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_name", "(sqlite3 *,int)", "", "Argument[*0].Field[**aDb].Field[**zDbSName]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_name", "(sqlite3 *,int)", "", "Argument[*0].Field[**aDb].Field[*zDbSName]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_status", "(sqlite3 *,int,int *,int *,int)", "", "Argument[1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_db_status", "(sqlite3 *,int,int *,int *,int)", "", "Argument[1]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_dbdata_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_decimal_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_declare_vtab", "(sqlite3 *,const char *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_deserialize", "(sqlite3 *,const char *,unsigned char *,sqlite3_int64,sqlite3_int64,unsigned int)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_errcode", "(sqlite3 *)", "", "Argument[*0].Field[*errCode]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_errcode", "(sqlite3 *)", "", "Argument[*0].Field[*errMask]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_errmsg16", "(sqlite3 *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_errmsg", "(sqlite3 *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_errmsg", "(sqlite3 *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_error_offset", "(sqlite3 *)", "", "Argument[*0].Field[*errByteOffset]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_errstr", "(int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_exec", "(sqlite3 *,const char *,..(*)(..),sqlite3_callback,void *,char **)", "", "Argument[4]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expanded_sql", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_expert_analyze", "(sqlite3expert *,char **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_count", "(sqlite3expert *)", "", "Argument[*0].Field[**pStatement].Field[*iId]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_new", "(sqlite3 *,char **)", "", "Argument[0]", "ReturnValue[*].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_new", "(sqlite3 *,char **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_report", "(sqlite3expert *,int,int)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_expert_report", "(sqlite3expert *,int,int)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_expert_sql", "(sqlite3expert *,const char *,char **)", "", "Argument[*1]", "Argument[*0].Field[**pStatement].Field[**zSql]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_sql", "(sqlite3expert *,const char *,char **)", "", "Argument[1]", "Argument[*0].Field[**pStatement].Field[**zSql]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_expert_sql", "(sqlite3expert *,const char *,char **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_extended_errcode", "(sqlite3 *)", "", "Argument[*0].Field[*errCode]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_file_control", "(sqlite3 *,const char *,int,void *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_fileio_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_database", "(const char *,sqlite3_filename)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_database", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_database", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_journal", "(const char *,sqlite3_filename)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_journal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_journal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_wal", "(const char *,sqlite3_filename)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_wal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_filename_wal", "(const char *,sqlite3_filename)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_finalize", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_free_filename", "(const char *,sqlite3_filename)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_free_table", "(char **)", "", "Argument[*0]", "Argument[**0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_free_table", "(char **)", "", "Argument[0]", "Argument[**0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_free_table", "(char **)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_autocommit", "(sqlite3 *)", "", "Argument[*0].Field[*autoCommit]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_clientdata", "(sqlite3 *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_get_clientdata", "(sqlite3 *,const char *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_get_clientdata", "(sqlite3 *,const char *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[*1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_get_table", "(sqlite3 *,const char *,char ***,int *,int *,char **)", "", "Argument[5]", "Argument[*5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_ieee_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_error", "(sqlite3_intck *,const char **)", "", "Argument[*0]", "Argument[**1]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_error", "(sqlite3_intck *,const char **)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_error", "(sqlite3_intck *,const char **)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_message", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_message", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[*1]", "Argument[**2]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[0]", "Argument[**2].Field[**zDb].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[0]", "Argument[**2].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_open", "(sqlite3 *,const char *,sqlite3_intck **)", "", "Argument[1]", "Argument[**2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_intck_step", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_test_sql", "(sqlite3_intck *,const char *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_test_sql", "(sqlite3_intck *,const char *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_intck_unlock", "(sqlite3_intck *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_keyword_name", "(int,const char **,int *)", "", "Argument[0]", "Argument[**1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_keyword_name", "(int,const char **,int *)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_keyword_name", "(int,const char **,int *)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_last_insert_rowid", "(sqlite3 *)", "", "Argument[*0].Field[*lastRowid]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[*0].Field[*aLimit]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[1]", "Argument[*0].Field[*aLimit]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_limit", "(sqlite3 *,int,int)", "", "Argument[2]", "Argument[*0].Field[*aLimit]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_load_extension", "(sqlite3 *,const char *,const char *,char **)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_next_stmt", "(sqlite3 *,sqlite3_stmt *)", "", "Argument[*1].Field[**pVNext]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_next_stmt", "(sqlite3 *,sqlite3_stmt *)", "", "Argument[*1].Field[*pVNext]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_open16", "(const void *,sqlite3 **)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_open_v2", "(const char *,sqlite3 **,int,const char *)", "", "Argument[2]", "Argument[**1].Field[*openFlags]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_overload_function", "(sqlite3 *,const char *,int)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_overload_function", "(sqlite3 *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_overload_function", "(sqlite3 *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_percentile_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[*1]", "Argument[**4]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[*1]", "Argument[**4]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v2", "(sqlite3 *,const void *,int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[*1]", "Argument[**5]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[**5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[1]", "Argument[*5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare16_v3", "(sqlite3 *,const void *,int,unsigned int,sqlite3_stmt **,const void **)", "", "Argument[3]", "Argument[**4].Field[*prepFlags]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[*1]", "Argument[**4]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[*1]", "Argument[**4]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[**4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v2", "(sqlite3 *,const char *,int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[*4]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[*1]", "Argument[**5]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[**5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[2]", "Argument[*5]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_prepare_v3", "(sqlite3 *,const char *,int,unsigned int,sqlite3_stmt **,const char **)", "", "Argument[3]", "Argument[**4].Field[*prepFlags]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pProfileArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pProfileArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xProfile]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_profile", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pProfileArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[**3]", "Argument[*0].Field[***pProgressArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[*3]", "Argument[*0].Field[**pProgressArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*nProgressOps]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*xProgress]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_progress_handler", "(sqlite3 *,int,..(*)(..),void *)", "", "Argument[3]", "Argument[*0].Field[*pProgressArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_randomness", "(int,void *)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc64", "(void *,sqlite3_uint64)", "", "Argument[**0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc64", "(void *,sqlite3_uint64)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc64", "(void *,sqlite3_uint64)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc", "(void *,int)", "", "Argument[**0]", "ReturnValue[**]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc", "(void *,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_realloc", "(void *,int)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_config", "(sqlite3_recover *,int,void *)", "", "Argument[*2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_config", "(sqlite3_recover *,int,void *)", "", "Argument[2]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_config", "(sqlite3_recover *,int,void *)", "", "Argument[2]", "Argument[*2]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_errcode", "(sqlite3_recover *)", "", "Argument[*0].Field[*errCode]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_errmsg", "(sqlite3_recover *)", "", "Argument[*0].Field[**zErrMsg]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_errmsg", "(sqlite3_recover *)", "", "Argument[*0].Field[*zErrMsg]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_finish", "(sqlite3_recover *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[*1]", "ReturnValue[*].Field[**zDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[*2]", "ReturnValue[*].Field[**zUri]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[**zDb].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[**zUri].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[0]", "ReturnValue[*].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[1]", "ReturnValue[*].Field[**zDb]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init", "(sqlite3 *,const char *,const char *)", "", "Argument[2]", "ReturnValue[*].Field[**zUri]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[**3]", "ReturnValue[*].Field[***pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[*1]", "ReturnValue[*].Field[**zDb]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[*3]", "ReturnValue[*].Field[**pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zDb].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[**zUri].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "ReturnValue[*].Field[*dbIn]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[1]", "ReturnValue[*].Field[**zDb]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[2]", "ReturnValue[*].Field[*xSql]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_init_sql", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[3]", "ReturnValue[*].Field[*pSqlCtx]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_recover_run", "(sqlite3_recover *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_recover_step", "(sqlite3_recover *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_regexp_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_reset", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error16", "(sqlite3_context *,const void *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[*n]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**pOut].Field[**z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*zMalloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**pOut].Field[*z]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[**z]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error", "(sqlite3_context *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[**pOut].Field[*n]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_result_error_code", "(sqlite3_context *,int)", "", "Argument[1]", "Argument[*0].Field[*isError]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pRollbackArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pRollbackArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xRollbackCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rollback_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pRollbackArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_geometry_callback", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_geometry_callback", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_geometry_callback", "(sqlite3 *,const char *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_query_callback", "(sqlite3 *,const char *,..(*)(..),void *,..(*)(..))", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_query_callback", "(sqlite3 *,const char *,..(*)(..),void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_rtree_query_callback", "(sqlite3 *,const char *,..(*)(..),void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[*lookaside].Field[**pSmallFree]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_serialize", "(sqlite3 *,const char *,sqlite3_int64 *,unsigned int)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_series_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pAuthArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pAuthArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xAuth]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_authorizer", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pAuthArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_clientdata", "(sqlite3 *,const char *,void *,..(*)(..))", "", "Argument[*1]", "Argument[*0].Field[**pDbData].Field[*zName]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_clientdata", "(sqlite3 *,const char *,void *,..(*)(..))", "", "Argument[1]", "Argument[*0].Field[**pDbData].Field[*zName]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_set_last_insert_rowid", "(sqlite3 *,sqlite3_int64)", "", "Argument[1]", "Argument[*0].Field[*lastRowid]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sha_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_shathree_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_snprintf", "(int,char *,const char *,...)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_snprintf", "(int,char *,const char *,...)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sql", "(sqlite3_stmt *)", "", "Argument[*0].Field[**zSql]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sql", "(sqlite3_stmt *)", "", "Argument[*0].Field[*zSql]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_sqlar_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_status64", "(int,sqlite3_int64 *,sqlite3_int64 *,int)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_status64", "(int,sqlite3_int64 *,sqlite3_int64 *,int)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_status", "(int,int *,int *,int)", "", "Argument[0]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_status", "(int,int *,int *,int)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_step", "(sqlite3_stmt *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_step", "(sqlite3_stmt *)", "", "Argument[0]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_step", "(sqlite3_stmt *)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_stmt_explain", "(sqlite3_stmt *,int)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_explain", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[*explain]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_explain", "(sqlite3_stmt *,int)", "", "Argument[1]", "Argument[*0].Field[*nResColumn]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_isexplain", "(sqlite3_stmt *)", "", "Argument[*0].Field[*explain]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_readonly", "(sqlite3_stmt *)", "", "Argument[*0].Field[*readOnly]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmt_status", "(sqlite3_stmt *,int,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stmtrand_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_append", "(sqlite3_str *,const char *,int)", "", "Argument[2]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendall", "(sqlite3_str *,const char *)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendall", "(sqlite3_str *,const char *)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendchar", "(sqlite3_str *,int,char)", "", "Argument[1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendchar", "(sqlite3_str *,int,char)", "", "Argument[2]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[*1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_appendf", "(StrAccum *,sqlite3_str *,const char *,...)", "", "Argument[1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_errcode", "(sqlite3_str *)", "", "Argument[*0].Field[*accError]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_finish", "(sqlite3_str *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_str_finish", "(sqlite3_str *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_str_length", "(sqlite3_str *)", "", "Argument[*0].Field[*nChar]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_new", "(sqlite3 *)", "", "Argument[*0].Field[*aLimit]", "ReturnValue[*].Field[*mxAlloc]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_value", "(sqlite3_str *)", "", "Argument[*0].Field[**zText]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_value", "(sqlite3_str *)", "", "Argument[*0].Field[*zText]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[*1]", "Argument[*0].Field[**zText]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[*1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[*1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[1]", "Argument[*0].Field[**zText]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[1]", "Argument[*0].Field[*nAlloc]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_str_vappendf", "(sqlite3_str *,const char *,va_list)", "", "Argument[1]", "Argument[*0].Field[*nChar]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strglob", "(const char *,const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[*0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[*1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_stricmp", "(const char *,const char *)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strlike", "(const char *,const char *,unsigned int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[*1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_strnicmp", "(const char *,const char *,int)", "", "Argument[1]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_system_errno", "(sqlite3 *)", "", "Argument[*0].Field[*iSysErrno]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_table_column_metadata", "(sqlite3 *,const char *,const char *,const char *,const char **,const char **,int *,int *,int *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_total_changes64", "(sqlite3 *)", "", "Argument[*0].Field[*nTotalChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_total_changes", "(sqlite3 *)", "", "Argument[*0].Field[*nTotalChange]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*trace].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[**3]", "Argument[*0].Field[***pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[*3]", "Argument[*0].Field[**pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*mTrace]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*trace].Union[*(unnamed class/struct/union)]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_trace_v2", "(sqlite3 *,unsigned int,..(*)(..),void *)", "", "Argument[3]", "Argument[*0].Field[*pTraceArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_transfer_bindings", "(sqlite3_stmt *,sqlite3_stmt *)", "", "Argument[*0]", "Argument[*1]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_uint_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pUpdateArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pUpdateArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xUpdateCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_update_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pUpdateArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_boolean", "(const char *,sqlite3_filename,const char *,int)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_boolean", "(const char *,sqlite3_filename,const char *,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_boolean", "(const char *,sqlite3_filename,const char *,int)", "", "Argument[2]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_int64", "(const char *,sqlite3_filename,const char *,sqlite3_int64)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_int64", "(const char *,sqlite3_filename,const char *,sqlite3_int64)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_int64", "(const char *,sqlite3_filename,const char *,sqlite3_int64)", "", "Argument[2]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_key", "(const char *,sqlite3_filename,int)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_key", "(const char *,sqlite3_filename,int)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_key", "(const char *,sqlite3_filename,int)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_parameter", "(const char *,sqlite3_filename,const char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_parameter", "(const char *,sqlite3_filename,const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_uri_parameter", "(const char *,sqlite3_filename,const char *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_user_data", "(sqlite3_context *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_user_data", "(sqlite3_context *)", "", "Argument[*0]", "ReturnValue[**]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_user_data", "(sqlite3_context *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_blob", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_blob", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_bytes16", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_bytes", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_double", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_dup", "(const sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "value", "df-generated"]
+      - ["", "", True, "sqlite3_value_dup", "(const sqlite3_value *)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_encoding", "(sqlite3_value *)", "", "Argument[*0].Field[*enc]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_frombind", "(sqlite3_value *)", "", "Argument[*0].Field[*flags]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_int64", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_int", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_numeric_type", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_pointer", "(sqlite3_value *,const char *)", "", "Argument[*0].Field[**z]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_pointer", "(sqlite3_value *,const char *)", "", "Argument[*0].Field[*z]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_subtype", "(sqlite3_value *)", "", "Argument[*0].Field[*eSubtype]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_value_text16", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16be", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16be", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16le", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text16le", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_text", "(sqlite3_value *)", "", "Argument[*0]", "ReturnValue[*]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_value_type", "(sqlite3_value *)", "", "Argument[*0].Field[*flags]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vmprintf", "(const char *,va_list)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vsnprintf", "(int,char *,const char *,va_list)", "", "Argument[*1]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vsnprintf", "(int,char *,const char *,va_list)", "", "Argument[1]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vsnprintf", "(int,char *,const char *,va_list)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_collation", "(sqlite3_index_info *,int)", "", "Argument[0]", "Argument[*0]", "taint", "df-generated"]
+      - ["", "", True, "sqlite3_vtab_distinct", "(sqlite3_index_info *)", "", "Argument[*0].Field[*eDistinct]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in", "(sqlite3_index_info *,int,int)", "", "Argument[1]", "Argument[*0].Field[*mHandleIn]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_first", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[**pOut]", "Argument[**1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_first", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[*pOut]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_next", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[**pOut]", "Argument[**1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_in_next", "(sqlite3_value *,sqlite3_value **)", "", "Argument[*0].Field[**z].Field[*pOut]", "Argument[*1]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_on_conflict", "(sqlite3 *)", "", "Argument[*0].Field[*vtabOnConflict]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_rhs_value", "(sqlite3_index_info *,int,sqlite3_value **)", "", "Argument[1]", "Argument[*0].Field[*aRhs]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_vtab_rhs_value", "(sqlite3_index_info *,int,sqlite3_value **)", "", "Argument[1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_autocheckpoint", "(sqlite3 *,int)", "", "Argument[1]", "Argument[*0].Field[*pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_checkpoint", "(sqlite3 *,const char *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_checkpoint_v2", "(sqlite3 *,const char *,int,int *,int *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[**2]", "Argument[*0].Field[***pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[*2]", "Argument[*0].Field[**pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[1]", "Argument[*0].Field[*xWalCallback]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_wal_hook", "(sqlite3 *,..(*)(..),void *)", "", "Argument[2]", "Argument[*0].Field[*pWalArg]", "value", "dfc-generated"]
+      - ["", "", True, "sqlite3_zipfile_init", "(sqlite3 *,char **,const sqlite3_api_routines *)", "", "Argument[0]", "Argument[*0].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "statecmp", "(config *,config *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "statecmp", "(config *,config *)", "", "Argument[*1]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "statehash", "(config *)", "", "Argument[*0]", "ReturnValue", "taint", "df-generated"]
+      - ["", "", True, "strhash", "(const char *)", "", "Argument[*0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "strhash", "(const char *)", "", "Argument[0]", "ReturnValue", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_linedir", "(FILE *,int,char *)", "", "Argument[1]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_linedir", "(FILE *,int,char *)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[*1].Field[*outname]", "Argument[*1].Field[**outname]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[*3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[2]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[3]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_print", "(FILE *,lemon *,char *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_skip_header", "(FILE *,int *)", "", "Argument[1]", "Argument[*1]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[*0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[*1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[0]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[1]", "Argument[*2]", "taint", "dfc-generated"]
+      - ["", "", True, "tplt_xfer", "(char *,FILE *,FILE *,int *)", "", "Argument[3]", "Argument[*3]", "taint", "dfc-generated"]
+      - ["", "", True, "useDummyCS", "(void *,sqlite3 *,int,const char *)", "", "Argument[1]", "Argument[*1].Field[**pErr].Field[*db]", "value", "dfc-generated"]
+      - ["", "", True, "utf8_fromunicode", "(char *,unsigned int)", "", "Argument[0]", "Argument[*0]", "taint", "dfc-generated"]
+      - ["", "", True, "utf8_fromunicode", "(char *,unsigned int)", "", "Argument[1]", "Argument[*0]", "value", "dfc-generated"]
+      - ["", "", True, "zSkipValidUtf8", "(const char *,int,long)", "", "Argument[*0]", "ReturnValue[*]", "value", "dfc-generated"]
+      - ["", "", True, "zSkipValidUtf8", "(const char *,int,long)", "", "Argument[0]", "ReturnValue", "value", "dfc-generated"]
+      - ["", "", True, "zSkipValidUtf8", "(const char *,int,long)", "", "Argument[0]", "ReturnValue[*]", "taint", "dfc-generated"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.3.1
+version: 4.3.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -17,7 +17,7 @@ dependencies:
   codeql/xml: ${workspace}
 dataExtensions:
   - ext/*.model.yml
-  - ext/generated/*.model.yml
+  - ext/generated/**/*.model.yml
   - ext/deallocation/*.model.yml
   - ext/allocation/*.model.yml
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -98,19 +98,6 @@ class Node extends TNode {
   /** Gets the location of this element. */
   Location getLocation() { none() } // overridden by subclasses
 
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  deprecated predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
   /**
    * Gets an upper bound on the type of this node.
    */

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -22,7 +22,11 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 
   ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
 
-  ReturnKind getStandardReturnValueKind() { result.(NormalReturnKind).getIndirectionIndex() = 0 }
+  ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") }
+
+  ReturnKind getReturnValueKind(string arg) {
+    arg = repeatStars(result.(NormalReturnKind).getIndirectionIndex())
+  }
 
   string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1143,6 +1143,10 @@ private newtype TDataFlowCall =
     FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
   }
 
+private predicate summarizedCallableIsManual(SummarizedCallable sc) {
+  sc.asSummarizedCallable().applyManualModel()
+}
+
 /**
  * A function call relevant for data flow. This includes calls from source
  * code and calls inside library callables with a flow summary.
@@ -1164,15 +1168,27 @@ class DataFlowCall extends TDataFlowCall {
   Function getStaticCallSourceTarget() { none() }
 
   /**
-   * Gets the target of this call. If a summarized callable exists for the
-   * target this is chosen, and otherwise the callable is the implementation
-   * from the source code.
+   * Gets the target of this call. We use the following strategy for deciding
+   * between the source callable and a summarized callable:
+   * - If there is a manual summary then we always use the manual summary.
+   * - If there is a source callable and we only have generated summaries
+   * we use the source callable.
+   * - If there is no source callable then we use the summary regardless of
+   * whether is it manual or generated.
    */
-  DataFlowCallable getStaticCallTarget() {
+  final DataFlowCallable getStaticCallTarget() {
     exists(Function target | target = this.getStaticCallSourceTarget() |
-      not exists(TSummarizedCallable(target)) and
+      // Don't use the source callable if there is a manual model for the
+      // target
+      not exists(SummarizedCallable sc |
+        sc.asSummarizedCallable() = target and
+        summarizedCallableIsManual(sc)
+      ) and
       result.asSourceCallable() = target
       or
+      // When there is no function body, or when we have a manual model then
+      // we dispatch to the summary.
+      (not target.hasDefinition() or summarizedCallableIsManual(result)) and
       result.asSummarizedCallable() = target
     )
   }
@@ -1887,6 +1903,10 @@ module IteratorFlow {
     predicate allowFlowIntoUncertainDef(IteratorSsa::UncertainWriteDefinition def) { any() }
 
     class Guard extends Void {
+      predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+        none()
+      }
+
       predicate controlsBranchEdge(
         SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch
       ) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -538,19 +538,6 @@ class Node extends TIRDataFlowNode {
     none() // overridden by subclasses
   }
 
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  deprecated predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
   /** Gets a textual representation of this element. */
   cached
   final string toString() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll

@@ -45,6 +45,28 @@ private module Cached {
     )
   }
 
+  private Expr getRankedElementExpr(ArrayAggregateLiteral aggr, int rnk) {
+    result =
+      rank[rnk + 1](Expr e, int elementIndex, int position |
+        e = aggr.getElementExpr(elementIndex, position)
+      |
+        e order by elementIndex, position
+      )
+  }
+
+  private class LastArrayAggregateStore extends StoreInstruction {
+    ArrayAggregateLiteral aggr;
+
+    LastArrayAggregateStore() {
+      exists(int rnk |
+        this.getSourceValue().getUnconvertedResultExpression() = getRankedElementExpr(aggr, rnk) and
+        not exists(getRankedElementExpr(aggr, rnk + 1))
+      )
+    }
+
+    ArrayAggregateLiteral getArrayAggregateLiteral() { result = aggr }
+  }
+
   private Expr getConvertedResultExpressionImpl0(Instruction instr) {
     // IR construction inserts an additional cast to a `size_t` on the extent
     // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
@@ -95,6 +117,16 @@ private module Cached {
       tco.producesExprResult() and
       result = asDefinitionImpl0(instr)
     )
+    or
+    // IR construction breaks an array aggregate literal `{1, 2, 3}` into a
+    // sequence of `StoreInstruction`s. So there's no instruction `i` for which
+    // `i.getUnconvertedResultExpression() instanceof ArrayAggregateLiteral`.
+    // So we map the instruction node corresponding to the last `Store`
+    // instruction of the sequence to the result of the array aggregate
+    // literal. This makes sense since this store will immediately flow into
+    // the indirect node representing the array. So this node does represent
+    // the array after it has been fully initialized.
+    result = instr.(LastArrayAggregateStore).getArrayAggregateLiteral()
   }
 
   private Expr getConvertedResultExpressionImpl(Instruction instr) {
@@ -264,6 +296,41 @@ private module Cached {
     e = getConvertedResultExpression(node.asInstruction(), n)
   }
 
+  /**
+   * The IR doesn't have an instruction `i` for which this holds:
+   * ```
+   * i.getUnconvertedResultExpression() instanceof ClassAggregateLiteral
+   * ```
+   * and thus we don't automatically get a dataflow node for which:
+   * ```
+   * node.asExpr() instanceof ClassAggregateLiteral
+   * ```
+   * This is because the IR represents a `ClassAggregateLiteral` as a sequence
+   * of field writes. To work around this we map `asExpr` on the
+   * `PostUpdateNode` for the last field write to the class aggregate literal.
+   */
+  private class ClassAggregateInitializerPostUpdateNode extends PostFieldUpdateNode {
+    ClassAggregateLiteral aggr;
+
+    ClassAggregateInitializerPostUpdateNode() {
+      exists(Node node1, FieldContent fc, int position, StoreInstruction store |
+        store.getSourceValue().getUnconvertedResultExpression() =
+          aggr.getFieldExpr(fc.getField(), position) and
+        node1.asInstruction() = store and
+        // This is the last field write from the aggregate initialization.
+        not exists(aggr.getFieldExpr(_, position + 1)) and
+        storeStep(node1, fc, this)
+      )
+    }
+
+    ClassAggregateLiteral getClassAggregateLiteral() { result = aggr }
+  }
+
+  private predicate exprNodeShouldBePostUpdateNode(Node node, Expr e, int n) {
+    node.(ClassAggregateInitializerPostUpdateNode).getClassAggregateLiteral() = e and
+    n = 0
+  }
+
   /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
   private predicate indirectExprNodeShouldBeIndirectInstruction(
     IndirectInstruction node, Expr e, int n, int indirectionIndex
@@ -294,7 +361,8 @@ private module Cached {
     exprNodeShouldBeInstruction(_, e, n) or
     exprNodeShouldBeOperand(_, e, n) or
     exprNodeShouldBeIndirectOutNode(_, e, n) or
-    exprNodeShouldBeIndirectOperand(_, e, n)
+    exprNodeShouldBeIndirectOperand(_, e, n) or
+    exprNodeShouldBePostUpdateNode(_, e, n)
   }
 
   private class InstructionExprNode extends ExprNodeBase, InstructionNode {
@@ -442,6 +510,12 @@ private module Cached {
     final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOperand(this, result, n) }
   }
 
+  private class PostUpdateExprNode extends ExprNodeBase instanceof PostUpdateNode {
+    PostUpdateExprNode() { exprNodeShouldBePostUpdateNode(this, _, _) }
+
+    final override Expr getConvertedExpr(int n) { exprNodeShouldBePostUpdateNode(this, result, n) }
+  }
+
   /**
    * An expression, viewed as a node in a data flow graph.
    */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -991,13 +991,17 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
   class Guard instanceof IRGuards::IRGuardCondition {
     string toString() { result = super.toString() }
 
-    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+    predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
       exists(EdgeKind kind |
         super.getBlock() = bb1 and
         kind = getConditionalEdge(branch) and
         bb1.getSuccessor(kind) = bb2
       )
     }
+
+    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+      this.hasBranchEdge(bb1, bb2, branch)
+    }
   }
 
   predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {

cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll

@@ -67,8 +67,13 @@ class Class = Cpp::Class; // Used for inheritance conversions
 predicate hasCaseEdge(string minValue, string maxValue) { hasCaseEdge(_, minValue, maxValue) }
 
 predicate hasPositionalArgIndex(int argIndex) {
-  exists(Cpp::FunctionCall call | exists(call.getArgument(argIndex))) or
+  exists(Cpp::FunctionCall call | exists(call.getArgument(argIndex)))
+  or
   exists(Cpp::BuiltInOperation op | exists(op.getChild(argIndex)))
+  or
+  // Ensure we are always able to output the argument of a call to the delete operator.
+  exists(Cpp::DeleteExpr d) and
+  argIndex = 0
 }
 
 predicate hasAsmOperandIndex(int operandIndex) {

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll

@@ -10,7 +10,7 @@ private import SemanticExprSpecific::SemanticExprConfig as Specific
  */
 class SemBasicBlock extends Specific::BasicBlock {
   /** Holds if this block (transitively) dominates `otherblock`. */
-  final predicate bbDominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
+  final predicate dominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
 
   /** Gets an expression that is evaluated in this basic block. */
   final SemExpr getAnExpr() { result.getBasicBlock() = this }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll

@@ -264,10 +264,6 @@ module SemanticExprConfig {
 
   Guard comparisonGuard(Expr e) { getSemanticExpr(result) = e }
 
-  predicate implies_v2(Guard g1, boolean b1, Guard g2, boolean b2) {
-    none() // TODO
-  }
-
   /** Gets the expression associated with `instr`. */
   SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticGuard.qll

@@ -18,11 +18,11 @@ class SemGuard instanceof Specific::Guard {
     Specific::equalityGuard(this, e1, e2, polarity)
   }
 
-  final predicate directlyControls(SemBasicBlock controlled, boolean branch) {
+  final predicate controls(SemBasicBlock controlled, boolean branch) {
     Specific::guardDirectlyControlsBlock(this, controlled, branch)
   }
 
-  final predicate hasBranchEdge(SemBasicBlock bb1, SemBasicBlock bb2, boolean branch) {
+  final predicate controlsBranchEdge(SemBasicBlock bb1, SemBasicBlock bb2, boolean branch) {
     Specific::guardHasBranchEdge(this, bb1, bb2, branch)
   }
 
@@ -31,8 +31,4 @@ class SemGuard instanceof Specific::Guard {
   final SemExpr asExpr() { result = Specific::getGuardAsExpr(this) }
 }
 
-predicate semImplies_v2(SemGuard g1, boolean b1, SemGuard g2, boolean b2) {
-  Specific::implies_v2(g1, b1, g2, b2)
-}
-
 SemGuard semGetComparisonGuard(SemRelationalExpr e) { result = Specific::comparisonGuard(e) }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll

@@ -77,8 +77,6 @@ module Sem implements Semantic<SemLocation> {
 
   class Guard = SemGuard;
 
-  predicate implies_v2 = semImplies_v2/4;
-
   class Type = SemType;
 
   class IntegerType = SemIntegerType;

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -55,12 +55,12 @@ private class LocalModelSource extends LocalFlowSource {
 }
 
 /**
- * A local data flow source that the `argv` parameter to `main`.
+ * A local data flow source that is the `argv` parameter to `main` or `wmain`.
  */
 private class ArgvSource extends LocalFlowSource {
   ArgvSource() {
     exists(Function main, Parameter argv |
-      main.hasGlobalName("main") and
+      main.hasGlobalName(["main", "wmain"]) and
       main.getParameter(1) = argv and
       this.asParameter(2) = argv
     )
@@ -69,6 +69,21 @@ private class ArgvSource extends LocalFlowSource {
   override string getSourceType() { result = "a command-line argument" }
 }
 
+/**
+ * A local data flow source that is the `pCmdLine` parameter to `WinMain` or `wWinMain`.
+ */
+private class CmdLineSource extends LocalFlowSource {
+  CmdLineSource() {
+    exists(Function main, Parameter pCmdLine |
+      main.hasGlobalName(["WinMain", "wWinMain"]) and
+      main.getParameter(2) = pCmdLine and
+      this.asParameter(1) = pCmdLine
+    )
+  }
+
+  override string getSourceType() { result = "a command-line" }
+}
+
 /**
  * A remote data flow source that is defined through 'models as data'.
  */

cpp/ql/lib/semmle/code/cpp/security/Security.qll

@@ -42,58 +42,6 @@ class SecurityOptions extends string {
     )
   }
 
-  /**
-   * The argument of the given function is filled in from user input.
-   */
-  deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
-    exists(string fname |
-      functionCall.getTarget().hasGlobalOrStdName(fname) and
-      exists(functionCall.getArgument(arg)) and
-      (
-        fname = ["fread", "fgets", "fgetws", "gets"] and arg = 0
-        or
-        fname = "scanf" and arg >= 1
-        or
-        fname = "fscanf" and arg >= 2
-      )
-      or
-      functionCall.getTarget().hasGlobalName(fname) and
-      exists(functionCall.getArgument(arg)) and
-      fname = "getaddrinfo" and
-      arg = 3
-    )
-    or
-    exists(RemoteFlowSourceFunction remote, FunctionOutput output |
-      functionCall.getTarget() = remote and
-      output.isParameterDerefOrQualifierObject(arg) and
-      remote.hasRemoteFlowSource(output, _)
-    )
-  }
-
-  /**
-   * The return value of the given function is filled in from user input.
-   */
-  deprecated predicate userInputReturned(FunctionCall functionCall) {
-    exists(string fname |
-      functionCall.getTarget().getName() = fname and
-      (
-        fname = ["fgets", "gets"] or
-        this.userInputReturn(fname)
-      )
-    )
-    or
-    exists(RemoteFlowSourceFunction remote, FunctionOutput output |
-      functionCall.getTarget() = remote and
-      (output.isReturnValue() or output.isReturnValueDeref()) and
-      remote.hasRemoteFlowSource(output, _)
-    )
-  }
-
-  /**
-   * DEPRECATED: Users should override `userInputReturned()` instead.
-   */
-  deprecated predicate userInputReturn(string function) { none() }
-
   /**
    * The argument of the given function is used for running a process or loading
    * a library.
@@ -108,29 +56,6 @@ class SecurityOptions extends string {
     function = ["LoadLibrary", "LoadLibraryA", "LoadLibraryW"] and arg = 0
   }
 
-  /**
-   * This predicate should hold if the expression is directly
-   * computed from user input. Such expressions are treated as
-   * sources of taint.
-   */
-  deprecated predicate isUserInput(Expr expr, string cause) {
-    exists(FunctionCall fc, int i |
-      this.userInputArgument(fc, i) and
-      expr = fc.getArgument(i) and
-      cause = fc.getTarget().getName()
-    )
-    or
-    exists(FunctionCall fc |
-      this.userInputReturned(fc) and
-      expr = fc and
-      cause = fc.getTarget().getName()
-    )
-    or
-    commandLineArg(expr) and cause = "argv"
-    or
-    expr.(EnvironmentRead).getSourceDescription() = cause
-  }
-
   /**
    * This predicate should hold if the expression raises privilege for the
    * current session. The default definition only holds true for some
@@ -152,16 +77,6 @@ class SecurityOptions extends string {
   }
 }
 
-/**
- * An access to the argv argument to main().
- */
-private predicate commandLineArg(Expr e) {
-  exists(Parameter argv |
-    argv(argv) and
-    argv.getAnAccess() = e
-  )
-}
-
 /** The argv parameter to the main function */
 predicate argv(Parameter argv) {
   exists(Function f |
@@ -173,21 +88,6 @@ predicate argv(Parameter argv) {
 /** Convenience accessor for SecurityOptions.isPureFunction */
 predicate isPureFunction(string name) { exists(SecurityOptions opts | opts.isPureFunction(name)) }
 
-/** Convenience accessor for SecurityOptions.userInputArgument */
-deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
-  exists(SecurityOptions opts | opts.userInputArgument(functionCall, arg))
-}
-
-/** Convenience accessor for SecurityOptions.userInputReturn */
-deprecated predicate userInputReturned(FunctionCall functionCall) {
-  exists(SecurityOptions opts | opts.userInputReturned(functionCall))
-}
-
-/** Convenience accessor for SecurityOptions.isUserInput */
-deprecated predicate isUserInput(Expr expr, string cause) {
-  exists(SecurityOptions opts | opts.isUserInput(expr, cause))
-}
-
 /** Convenience accessor for SecurityOptions.isProcessOperationArgument */
 predicate isProcessOperationArgument(string function, int arg) {
   exists(SecurityOptions opts | opts.isProcessOperationArgument(function, arg))

cpp/ql/lib/semmle/code/cpp/security/SecurityOptions.qll

@@ -22,28 +22,4 @@ class CustomSecurityOptions extends SecurityOptions {
     // for example: (function = "MySpecialSqlFunction" and arg = 0)
     none() // rules to match custom functions replace this line
   }
-
-  deprecated override predicate userInputArgument(FunctionCall functionCall, int arg) {
-    SecurityOptions.super.userInputArgument(functionCall, arg)
-    or
-    exists(string fname |
-      functionCall.getTarget().hasGlobalName(fname) and
-      exists(functionCall.getArgument(arg)) and
-      // --- custom functions that return user input via one of their arguments:
-      // 'arg' is the 0-based index of the argument that is used to return user input
-      // for example: (fname = "readXmlInto" and arg = 1)
-      none() // rules to match custom functions replace this line
-    )
-  }
-
-  deprecated override predicate userInputReturned(FunctionCall functionCall) {
-    SecurityOptions.super.userInputReturned(functionCall)
-    or
-    exists(string fname |
-      functionCall.getTarget().hasGlobalName(fname) and
-      // --- custom functions that return user input via their return value:
-      // for example: fname = "xmlReadAttribute"
-      none() // rules to match custom functions replace this line
-    )
-  }
 }

cpp/ql/lib/utils/test/dataflow/FlowTestCommon.qll

@@ -26,7 +26,7 @@ module IRFlowTest<IRDataFlow::GlobalFlowSig Flow> implements TestSig {
       n =
         strictcount(int line, int column |
           Flow::flow(any(IRDataFlow::Node otherSource |
-              otherSource.hasLocationInfo(_, line, column, _, _)
+              otherSource.getLocation().hasLocationInfo(_, line, column, _, _)
             ), sink)
         ) and
       (
@@ -55,7 +55,7 @@ module AstFlowTest<AstDataFlow::GlobalFlowSig Flow> implements TestSig {
       n =
         strictcount(int line, int column |
           Flow::flow(any(AstDataFlow::Node otherSource |
-              otherSource.hasLocationInfo(_, line, column, _, _)
+              otherSource.getLocation().hasLocationInfo(_, line, column, _, _)
             ), sink)
         ) and
       (

cpp/ql/src/change-notes/2025-05-14-openssl-sqlite-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.0
+version: 1.4.1-dev
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql

@@ -10,5 +10,5 @@ import internal.CaptureModels
 import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
-where flow = ContentSensitive::captureFlow(api, _)
+where flow = ContentSensitive::captureFlow(api, _, _, _, _)
 select flow order by flow

cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -13,6 +13,8 @@ private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
 private import semmle.code.cpp.dataflow.new.TaintTracking as Tt
 private import semmle.code.cpp.dataflow.new.DataFlow as Df
 private import codeql.mad.modelgenerator.internal.ModelGeneratorImpl
+private import semmle.code.cpp.models.interfaces.Taint as Taint
+private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
 
 /**
  * Holds if `f` is a "private" function.
@@ -45,6 +47,26 @@ private predicate isUninterestingForModels(Callable api) {
   api = any(Cpp::LambdaExpression lambda).getLambdaFunction()
   or
   api.isFromUninstantiatedTemplate(_)
+  or
+  // No need to generate models for functions modeled by hand in QL
+  api instanceof Taint::TaintFunction
+  or
+  api instanceof DataFlow::DataFlowFunction
+  or
+  // Don't generate models for main functions
+  api.hasGlobalName("main")
+  or
+  // Don't generate models for system-provided functions. If we want to
+  // generate models for these we should use a database containing the
+  // implementations of those system-provided functions in the source root.
+  not exists(api.getLocation().getFile().getRelativePath())
+  or
+  // Exclude functions in test directories (but not the ones in the CodeQL test directory)
+  exists(Cpp::File f |
+    f = api.getFile() and
+    f.getAbsolutePath().matches("%test%") and
+    not f.getAbsolutePath().matches("%test/library-tests/dataflow/modelgenerator/dataflow/%")
+  )
 }
 
 private predicate relevant(Callable api) {
@@ -189,15 +211,15 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
     )
   }
 
-  string parameterAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+  string parameterApproximateAccess(Parameter p) { parameterContentAccessImpl(p, result) }
 
-  string parameterContentAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+  string parameterExactAccess(Parameter p) { parameterContentAccessImpl(p, result) }
 
   bindingset[c]
-  string paramReturnNodeAsOutput(Callable c, DataFlowPrivate::Position pos) {
+  string paramReturnNodeAsExactOutput(Callable c, DataFlowPrivate::Position pos) {
     exists(Parameter p |
       p.isSourceParameterOf(c, pos) and
-      result = parameterAccess(p)
+      result = parameterExactAccess(p)
     )
     or
     pos.getArgumentIndex() = -1 and
@@ -206,8 +228,8 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
   }
 
   bindingset[c]
-  string paramReturnNodeAsContentOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
-    result = paramReturnNodeAsOutput(c, pos)
+  string paramReturnNodeAsApproximateOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
+    result = paramReturnNodeAsExactOutput(c, pos)
   }
 
   pragma[nomagic]

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_key_sources.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:179:43:179:76 | Constant |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:179:43:179:76 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_key_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode op, Crypto::KeyArtifactNode k
+where op.getAKey() = k
+select op, k, k.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_nonce_sources.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:180:42:180:59 | Constant |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:180:42:180:59 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_nonce_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode op, Crypto::NonceArtifactNode n
+where op.getANonce() = n
+select op, n, n.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_operations.expected

@@ -0,0 +1,8 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_operations.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode n
+select n, n.getAnInputArtifact(), n.getAnOutputArtifact(), n.getAKey(), n.getANonce(),
+  n.getAnAlgorithmOrGenericSource(), n.getKeyOperationSubtype()

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_plaintext_sources.expected

@@ -0,0 +1 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:181:49:181:87 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_plaintext_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode n, Crypto::MessageArtifactNode m
+where n.getAnInputArtifact() = m
+select n, m, m.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_input_sources.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:120:37:120:43 | Message | openssl_basic.c:181:49:181:87 | Constant |
+| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:24:144:30 | Message | openssl_basic.c:181:49:181:87 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_input_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::HashOperationNode n, Crypto::MessageArtifactNode m
+where n.getInputArtifact() = m
+select n, m, m.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_operations.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:13:124:30 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
+| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:13:144:22 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_operations.ql

@@ -0,0 +1,5 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::HashOperationNode n
+select n, n.getDigest(), n.getAnAlgorithmOrGenericSource(), n.getInputArtifact()

cpp/ql/test/experimental/library-tests/quantum/openssl/openssl_basic.c

@@ -0,0 +1,221 @@
+#include "openssl/evp_stubs.h"
+#include "openssl/alg_macro_stubs.h"
+#include "openssl/rand_stubs.h"
+
+size_t strlen(const char* str);
+
+// Sample OpenSSL code that demonstrates various cryptographic operations
+// that can be detected by the quantum model
+
+// Function to perform AES-256-GCM encryption
+int encrypt_aes_gcm(const unsigned char *plaintext, int plaintext_len,
+                   const unsigned char *key, const unsigned char *iv, int iv_len,
+                   unsigned char *ciphertext, unsigned char *tag) {
+    EVP_CIPHER_CTX *ctx;
+    int len;
+    int ciphertext_len;
+
+    // Create and initialize the context
+    if(!(ctx = EVP_CIPHER_CTX_new()))
+        return -1;
+
+    // Initialize the encryption operation
+    if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL))
+        return -1;
+
+    // Set IV length (for GCM mode)
+    if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL))
+        return -1;
+
+    // Initialize key and IV
+    if(1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
+        return -1;
+
+    // Provide the plaintext to be encrypted
+    if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
+        return -1;
+    ciphertext_len = len;
+
+    // Finalize the encryption
+    if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len))
+        return -1;
+    ciphertext_len += len;
+
+    // Get the tag
+    if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
+        return -1;
+
+    // Clean up
+    EVP_CIPHER_CTX_free(ctx);
+
+    return ciphertext_len;
+}
+
+// Function to perform AES-256-GCM decryption
+int decrypt_aes_gcm(const unsigned char *ciphertext, int ciphertext_len,
+                   const unsigned char *tag, const unsigned char *key,
+                   const unsigned char *iv, int iv_len, 
+                   unsigned char *plaintext) {
+    EVP_CIPHER_CTX *ctx;
+    int len;
+    int plaintext_len;
+    int ret;
+
+    // Create and initialize the context
+    if(!(ctx = EVP_CIPHER_CTX_new()))
+        return -1;
+
+    // Initialize the decryption operation
+    if(!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL))
+        return -1;
+
+    // Set IV length
+    if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL))
+        return -1;
+
+    // Initialize key and IV
+    if(!EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv))
+        return -1;
+
+    // Provide the ciphertext to be decrypted
+    if(!EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len))
+        return -1;
+    plaintext_len = len;
+
+    // Set expected tag value
+    if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void*)tag))
+        return -1;
+
+    // Finalize the decryption
+    ret = EVP_DecryptFinal_ex(ctx, plaintext + len, &len);
+
+    // Clean up
+    EVP_CIPHER_CTX_free(ctx);
+
+    if(ret > 0) {
+        // Success
+        plaintext_len += len;
+        return plaintext_len;
+    } else {
+        // Verification failed
+        return -1;
+    }
+}
+
+// Function to calculate SHA-256 hash
+int calculate_sha256(const unsigned char *message, size_t message_len,
+                    unsigned char *digest) {
+    EVP_MD_CTX *mdctx;
+    unsigned int digest_len;
+
+    // Create and initialize the context
+    if(!(mdctx = EVP_MD_CTX_new()))
+        return 0;
+
+    // Initialize the hash operation
+    if(1 != EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL))
+        return 0;
+
+    // Provide the message to be hashed
+    if(1 != EVP_DigestUpdate(mdctx, message, message_len))
+        return 0;
+
+    // Finalize the hash
+    if(1 != EVP_DigestFinal_ex(mdctx, digest, &digest_len))
+        return 0;
+
+    // Clean up
+    EVP_MD_CTX_free(mdctx);
+
+    return 1;
+}
+
+// Function to generate random bytes
+int generate_random_bytes(unsigned char *buffer, size_t length) {
+    return RAND_bytes(buffer, length);
+}
+
+// Function using direct EVP_Digest function (one-shot hash)
+int calculate_md5_oneshot(const unsigned char *message, size_t message_len,
+                         unsigned char *digest) {
+    unsigned int digest_len;
+    
+    // Calculate MD5 in a single call
+    if(1 != EVP_Digest(message, message_len, digest, &digest_len, EVP_md5(), NULL))
+        return 0;
+        
+    return 1;
+}
+
+// Function using HMAC
+int calculate_hmac_sha256(const unsigned char *key, size_t key_len,
+                         const unsigned char *message, size_t message_len,
+                         unsigned char *mac) {
+    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    EVP_PKEY *pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
+    
+    if (!ctx || !pkey)
+        return 0;
+        
+    if (EVP_DigestSignInit(ctx, NULL, EVP_sha256(), NULL, pkey) != 1)
+        return 0;
+        
+    if (EVP_DigestSignUpdate(ctx, message, message_len) != 1)
+        return 0;
+        
+    size_t mac_len = 32; // SHA-256 output size
+    if (EVP_DigestSignFinal(ctx, mac, &mac_len) != 1)
+        return 0;
+        
+    EVP_MD_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
+    
+    return 1;
+}
+
+// Test function
+int test_main() {
+    // Test encryption and decryption
+    unsigned char *key = (unsigned char *)"01234567890123456789012345678901"; // 32 bytes
+    unsigned char *iv = (unsigned char *)"0123456789012345"; // 16 bytes
+    unsigned char *plaintext = (unsigned char *)"This is a test message for encryption";
+    unsigned char ciphertext[1024];
+    unsigned char tag[16];
+    unsigned char decrypted[1024];
+    int plaintext_len = strlen((char *)plaintext);
+    int ciphertext_len;
+    int decrypted_len;
+    
+    // Test SHA-256 hash
+    unsigned char hash[32];
+    
+    // Test random generation
+    unsigned char random_bytes[32];
+    
+    // // Initialize OpenSSL
+    // ERR_load_crypto_strings();
+    
+    // Encrypt data
+    ciphertext_len = encrypt_aes_gcm(plaintext, plaintext_len, key, iv, 16, ciphertext, tag);
+    
+    // Decrypt data
+    decrypted_len = decrypt_aes_gcm(ciphertext, ciphertext_len, tag, key, iv, 16, decrypted);
+
+    //printf("decrypted: %s\n", decrypted);
+    
+    // Calculate hash
+    calculate_sha256(plaintext, plaintext_len, hash);
+    
+    // Generate random bytes
+    generate_random_bytes(random_bytes, 32);
+    
+    // Calculate one-shot MD5
+    unsigned char md5_hash[16];
+    calculate_md5_oneshot(plaintext, plaintext_len, md5_hash);
+    
+    // Calculate HMAC
+    unsigned char hmac[32];
+    calculate_hmac_sha256(key, 32, plaintext, plaintext_len, hmac);
+    
+    return 0;
+} 

cpp/ql/test/experimental/library-tests/quantum/openssl/options

@@ -0,0 +1 @@
+semmle-extractor-options: -I ../../../stubs

cpp/ql/test/experimental/stubs/README.md

@@ -0,0 +1,4 @@
+The stubs in this directory are derived from various open-source projects, and
+used to test that the relevant APIs are correctly modelled. Where a disclaimer
+or third-party-notice is required, this is included in the top-level directory
+for each particular library.

cpp/ql/test/experimental/stubs/openssl/license.txt

@@ -0,0 +1,177 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

cpp/ql/test/experimental/stubs/openssl/rand_stubs.h

@@ -0,0 +1,3 @@
+int RAND_bytes(unsigned char *buf, int num);
+
+int RAND_pseudo_bytes(unsigned char *buf, int num);

cpp/ql/test/library-tests/dataflow/asExpr/test.cpp

@@ -21,3 +21,20 @@ A& get_ref();
 void test2() {
   take_ref(get_ref()); // $ asExpr="call to get_ref" asIndirectExpr="call to get_ref"
 }
+
+struct S {
+  int a;
+  int b;
+};
+
+void test_aggregate_literal() {
+  S s1 = {1, 2}; // $ asExpr=1 asExpr=2 asExpr={...}
+  const S s2 = {3, 4}; // $ asExpr=3 asExpr=4 asExpr={...}
+  S s3 = (S){5, 6}; // $ asExpr=5 asExpr=6 asExpr={...}
+  const S s4 = (S){7, 8}; // $ asExpr=7 asExpr=8 asExpr={...}
+
+  S s5 = {.a = 1, .b = 2}; // $ asExpr=1 asExpr=2 asExpr={...}
+
+  int xs[] = {1, 2, 3}; // $ asExpr=1 asExpr=2 asExpr=3 asExpr={...}
+  const int ys[] = {[0] = 4, [1] = 5, [0] = 6}; // $ asExpr=4 asExpr=5 asExpr=6 asExpr={...}
+}