C/C++: Disable constant folding of address-vs-null comparisons

IdrissRio · IdrissRio · commit d771f1ef0eca · 2026-02-04T10:14:25.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -62,12 +62,20 @@ private predicate ignoreConstantValue(Operation op) {
   op instanceof BitwiseXorExpr
 }
 
+/** Holds if `expr` contains an address-of expression that EDG may have constant-folded. */
+private predicate containsAddressOf(Expr expr) {
+  expr instanceof AddressOfExpr
+  or
+  containsAddressOf(expr.getAChild())
+}
+
 /**
  * Holds if `expr` is a constant of a type that can be replaced directly with
  * its value in the IR. This does not include address constants as we have no
  * means to express those as QL values.
  */
 predicate isIRConstant(Expr expr) {
+  not containsAddressOf(expr) and
   exists(expr.getValue()) and
   // We avoid constant folding certain operations since it's often useful to
   // mark one of those as a source in dataflow, and if the operation is
