From d771f1ef0ecacd44ec9cbf71c1ddae7e9db45972 Mon Sep 17 00:00:00 2001
From: idrissrio
Date: Wed, 4 Feb 2026 09:36:17 +0100
Subject: [PATCH] C/C++: Disable constant folding of address-vs-null comparisons

---
 .../ir/implementation/raw/internal/TranslatedElement.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
index 9829388ef17..7828f5a3674 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -62,12 +62,20 @@ private predicate ignoreConstantValue(Operation op) {
   op instanceof BitwiseXorExpr
 }
 
+/** Holds if `expr` contains an address-of expression that EDG may have constant-folded. */
+private predicate containsAddressOf(Expr expr) {
+  expr instanceof AddressOfExpr
+  or
+  containsAddressOf(expr.getAChild())
+}
+
 /**
  * Holds if `expr` is a constant of a type that can be replaced directly with
  * its value in the IR. This does not include address constants as we have no
  * means to express those as QL values.
  */
 predicate isIRConstant(Expr expr) {
+  not containsAddressOf(expr) and
   exists(expr.getValue()) and
   // We avoid constant folding certain operations since it's often useful to
   // mark one of those as a source in dataflow, and if the operation is
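Review bot: The new `not containsAddressOf(expr)` conjunct in `isIRConstant` excludes every expression whose subtree contains an `AddressOfExpr`, which is broader than the address-vs-null comparisons named in the commit title; any other expression that the front end folds to a value despite an address-of operand (a `sizeof(&x)`-style operand is one plausible case, if EDG assigns it a value) will now also stop being an IR constant, and nothing in the hunk says whether that is intended. If the wider exclusion is deliberate, the Javadoc on `isIRConstant` should say so, since its "This does not include address constants" sentence no longer describes the full filter; for example append `Nor does it include expressions with an address-of subexpression, even when the front end folded them to a value, since the folded value would hide the address from IR-based analyses.` Otherwise the predicate could be narrowed to comparisons whose operand subtree contains the address-of. The doc comment on `containsAddressOf` could also state that it holds for `expr` itself, not only for strict descendants, which is what the `instanceof` disjunct gives. The body of `isIRConstant` continues past the end of the hunk.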