From 9afd8b7b4de2ca7414e49f9265e5060d964f7629 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 21 Jan 2026 20:27:39 +0000
Subject: [PATCH 1/2] C++: Add ''isLiveAtEndOfBlock' predicate to 'Definition'.
---
 .../code/cpp/ir/dataflow/internal/SsaImpl.qll | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
index 285e0dc8419e..d03f071c8123 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
@@ -940,6 +940,11 @@ module SsaCached {
 SsaImpl::phiHasInputFromBlock(phi, inp, bb)
 }

+ cached
+ predicate ssaDefReachesEndOfBlock(IRBlock bb, Definition def) {
+ SsaImpl::ssaDefReachesEndOfBlock(bb, def, _)
+ }
+
 predicate variableRead = SsaInput::variableRead/4;

 predicate variableWrite = SsaInput::variableWrite/4;
@@ -1155,6 +1160,14 @@ class Definition extends SsaImpl::Definition {
 SsaImpl::uncertainWriteDefinitionInput(this, result)
 }

+ /**
+ * Holds if this SSA definition is live at the end of basic block `bb`.
+ * That is, this definition reaches the end of basic block `bb`, at which
+ * point it is still live, without crossing another SSA definition of the
+ * same source variable.
+ */
+ predicate isLiveAtEndOfBlock(IRBlock bb) { ssaDefReachesEndOfBlock(bb, this) }
+
 /**
 * Gets a definition that ultimately defines this SSA definition and is
 * not itself a phi node.
From 5c3dd3c87dd929ee92389aba71b6896ff63e4a4f Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 21 Jan 2026 20:28:28 +0000
Subject: [PATCH 2/2] C++: Drive-by fix: Don't use the uncached ''getAPhiInputOrPriorDefinition' predicate. Instead, cache it and call it like we are supposed to.
---
 .../lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
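Review bot: The new `ssaDefReachesEndOfBlock` wrapper in `SsaCached` (first hunk of patch 1/2) has no QLDoc, and it discards the third argument of `SsaImpl::ssaDefReachesEndOfBlock` with `_`, so a reader cannot tell from here what the dropped column is or that liveness at the block end is part of the contract. A one-line comment above `cached` would cover it, for example `/** Holds if def reaches the end of bb while still live; the third column of the SsaImpl predicate is ignored. */`. The `uncertainWriteDefinitionInput` wrapper that patch 2/2 adds at the same place is undocumented in the same way.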
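Review bot: `isLiveAtEndOfBlock` (second hunk of patch 1/2) is added to `Definition` with no caller and no test anywhere in this series; both diffstats list only SsaImpl.qll. Since the predicate exposes SSA liveness that data-flow queries may come to rely on, a small library test that pins it on one block where the variable is redefined and on one where it is not would catch a regression in the cached wrapper it delegates to. The body of `Definition` starts and continues outside the hunk, so existing coverage elsewhere cannot be ruled out from here.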
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
index d03f071c8123..c8b5d3b9369d 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
@@ -940,6 +940,11 @@ module SsaCached {
 SsaImpl::phiHasInputFromBlock(phi, inp, bb)
 }

+ cached
+ predicate uncertainWriteDefinitionInput(Definition uncertain, Definition inp) {
+ SsaImpl::uncertainWriteDefinitionInput(uncertain, inp)
+ }
+
 cached
 predicate ssaDefReachesEndOfBlock(IRBlock bb, Definition def) {
 SsaImpl::ssaDefReachesEndOfBlock(bb, def, _)
@@ -1157,7 +1162,7 @@ class Definition extends SsaImpl::Definition {
 private Definition getAPhiInputOrPriorDefinition() {
 result = this.(PhiNode).getAnInput()
 or
- SsaImpl::uncertainWriteDefinitionInput(this, result)
+ uncertainWriteDefinitionInput(this, result)
 }

 /**
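Review bot: In `getAPhiInputOrPriorDefinition` the only thing that now separates the cached call from the uncached one is the missing `SsaImpl::` qualifier, because both predicates are named `uncertainWriteDefinitionInput`. That is the same slip this commit fixes, and nothing on the line guards against it coming back. A short comment would make the intent visible, `// Calls the cached wrapper from SsaCached, not SsaImpl::uncertainWriteDefinitionInput.`, or, if the module can be named at this point, the call could be written `SsaCached::uncertainWriteDefinitionInput(this, result)`. The unqualified `ssaDefReachesEndOfBlock(bb, this)` call added in patch 1/2 has the same ambiguity.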