From 8654ebcbbd6d37fb3e41cc676c989604213461c3 Mon Sep 17 00:00:00 2001
From: Jonas Jensen
Date: Thu, 29 Nov 2018 13:33:45 +0100
Subject: [PATCH] C++: Avoid using nullValue predicate

The `nullValue` predicate performs a slow custom data-flow analysis to find possible null values. It's so slow that it timed out after 1200s on Wireshark. In `UnsafeCreateProcessCall.ql`, the values found with `nullValue` were used as sources in another data-flow analysis. By using the `NullValue` class as sink instead of `nullValue`, we avoid the slow-down of doing data flow twice. The `NullValue` class is essentially the base case of `nullValue`. Confusing names, yes.
---
 cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
index 1518c6c1f0f0..c32ce5aae527 100644
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -68,7 +68,7 @@ class NullAppNameCreateProcessFunctionConfiguration extends DataFlow::Configurat
 }
 override predicate isSource(DataFlow::Node source) {
- nullValue(source.asExpr())
+ source.asExpr() instanceof NullValue
 }
 override predicate isSink(DataFlow::Node sink) {
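Review bot: The new `isSource` body on the `+` line narrows the query's sources from whatever `nullValue` could prove may be null to expressions that are syntactically a `NullValue`, and the hunk leaves no comment recording that trade-off, so a later maintainer chasing false negatives may well put `nullValue` back and reintroduce the timeout. Whether any CWE-428 findings are actually lost depends on how `NullValue` is defined (outside this hunk): a null that reaches the sink through a path this `DataFlow::Configuration` does not model — a cast, or a helper that returns null — was presumably caught by `nullValue`'s own analysis before and is not now, so the change deserves a before/after comparison on a test database rather than only the Wireshark timing. I would add above the changed line: `// Use NullValue (a null literal) rather than nullValue(): the latter runs its own data-flow analysis and timed out on large databases; flow from the literal to the sink is tracked by this configuration instead.` The commit description says the class is used "as sink", while the hunk changes `isSource`; the message should be corrected to match the code. `NullAppNameCreateProcessFunctionConfiguration` begins before this hunk and the `isSink` override continues past it.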