This is probably too much to ask for. I recently fixed an issue caused by UB in openresty of the form "nginx uses a NULL pointer and a length of 0 to signify a null string" + "nginx sometimes searches for strings in other strings using a function that takes start and end pointers for the haystack". This function works fine on lots of 0-length haystack strings (probably returning no match), but as you probably know, NULL + 0 is allowed to evaluate to anything. This seems pretty hard to detect statically short of banning programs that do arithmetic on any pointer without first NULL checking it.