diff --git a/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h b/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
--- a/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
+++ b/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
@@ -136,6 +136,26 @@
     return ThisPointeeLoc;
   }
 
+  /// Assigns `Val` as the singleton pointer value representing null pointers of
+  /// `PointeeType`
+  ///
+  /// Requirements:
+  ///
+  ///  There must not already exist a singleton value corresponding to
+  ///  `PointeeType`.
+  void setNullPointerVal(QualType PointeeType, PointerValue &Val) {
+    assert(NullPointerVals.find(PointeeType.getAsString()) ==
+           NullPointerVals.end());
+    NullPointerVals[PointeeType.getAsString()] = &Val;
+  }
+
+  /// Returns the singleton pointer value representing null pointers of
+  /// `PointeeType` or null if there is no corresponding singleton value.
+  PointerValue *getNullPointerVal(QualType PointeeType) const {
+    auto It = NullPointerVals.find(PointeeType.getAsString());
+    return It == NullPointerVals.end() ? nullptr : It->second;
+  }
+
   /// Returns a symbolic boolean value that models a boolean literal equal to
   /// `Value`.
   AtomicBoolValue &getBoolLiteralValue(bool Value) const {
@@ -216,6 +236,10 @@
 
   StorageLocation *ThisPointeeLoc = nullptr;
 
+  // Index used to avoid recreating pointer values for null pointers of the
+  // same pointee type
+  llvm::StringMap<PointerValue *> NullPointerVals;
+
   AtomicBoolValue &TrueVal;
   AtomicBoolValue &FalseVal;
 
diff --git a/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h b/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
--- a/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
+++ b/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
@@ -313,6 +313,10 @@
   /// imply that `Val` is true.
   bool flowConditionImplies(BoolValue &Val) const;
 
+  /// Returns the singleton pointer value representing null pointers of
+  /// `PointeeType`. The singleton value will be created if it doesn't exist.
+  PointerValue &getOrCreateNullPointerValue(QualType PointeeType);
+
 private:
   /// Creates a value appropriate for `Type`, if `Type` is supported, otherwise
   /// return null.
diff --git a/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp b/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
--- a/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
+++ b/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
@@ -546,5 +546,15 @@
   return DACtx->flowConditionImplies(*FlowConditionToken, Val);
 }
 
+PointerValue &Environment::getOrCreateNullPointerValue(QualType PointeeType) {
+  auto *PointerVal = DACtx->getNullPointerVal(PointeeType);
+  if (PointerVal == nullptr) {
+    auto &PointeeLoc = createStorageLocation(PointeeType);
+    PointerVal = &takeOwnership(std::make_unique<PointerValue>(PointeeLoc));
+    DACtx->setNullPointerVal(PointeeType, *PointerVal);
+  }
+  return *PointerVal;
+}
+
 } // namespace dataflow
 } // namespace clang
diff --git a/clang/lib/Analysis/FlowSensitive/Transfer.cpp b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
--- a/clang/lib/Analysis/FlowSensitive/Transfer.cpp
+++ b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
@@ -246,6 +246,16 @@
       Env.setStorageLocation(*S, *SubExprLoc);
       break;
     }
+    case CK_NullToPointer:
+    case CK_NullToMemberPointer: {
+      auto &Loc = Env.createStorageLocation(S->getType());
+      Env.setStorageLocation(*S, Loc);
+
+      auto &NullPointerVal =
+          Env.getOrCreateNullPointerValue(S->getType()->getPointeeType());
+      Env.setValue(Loc, NullPointerVal);
+      break;
+    }
     default:
       break;
     }
diff --git a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
--- a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
+++ b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
@@ -2214,6 +2214,93 @@
               });
 }
 
+TEST_F(TransferTest, NullToPointerCast) {
+  std::string Code = R"(
+    struct Baz {};
+    void target() {
+      int *FooX = nullptr;
+      int *FooY = nullptr;
+      bool **Bar = nullptr;
+      Baz *Baz = nullptr;
+      // [[p]]
+    }
+  )";
+  runDataflow(Code,
+              [](llvm::ArrayRef<
+                     std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
+                     Results,
+                 ASTContext &ASTCtx) {
+                ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
+                const Environment &Env = Results[0].second.Env;
+
+                const ValueDecl *FooXDecl = findValueDecl(ASTCtx, "FooX");
+                ASSERT_THAT(FooXDecl, NotNull());
+
+                const ValueDecl *FooYDecl = findValueDecl(ASTCtx, "FooY");
+                ASSERT_THAT(FooYDecl, NotNull());
+
+                const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar");
+                ASSERT_THAT(BarDecl, NotNull());
+
+                const ValueDecl *BazDecl = findValueDecl(ASTCtx, "Baz");
+                ASSERT_THAT(BazDecl, NotNull());
+
+                const auto *FooXVal =
+                    cast<PointerValue>(Env.getValue(*FooXDecl, SkipPast::None));
+                const auto *FooYVal =
+                    cast<PointerValue>(Env.getValue(*FooYDecl, SkipPast::None));
+                const auto *BarVal =
+                    cast<PointerValue>(Env.getValue(*BarDecl, SkipPast::None));
+                const auto *BazVal =
+                    cast<PointerValue>(Env.getValue(*BazDecl, SkipPast::None));
+
+                EXPECT_EQ(FooXVal, FooYVal);
+                EXPECT_NE(FooXVal, BarVal);
+                EXPECT_NE(FooXVal, BazVal);
+                EXPECT_NE(BarVal, BazVal);
+
+                const StorageLocation &FooPointeeLoc = FooXVal->getPointeeLoc();
+                EXPECT_TRUE(isa<ScalarStorageLocation>(FooPointeeLoc));
+                EXPECT_THAT(Env.getValue(FooPointeeLoc), IsNull());
+
+                const StorageLocation &BarPointeeLoc = BarVal->getPointeeLoc();
+                EXPECT_TRUE(isa<ScalarStorageLocation>(BarPointeeLoc));
+                EXPECT_THAT(Env.getValue(BarPointeeLoc), IsNull());
+
+                const StorageLocation &BazPointeeLoc = BazVal->getPointeeLoc();
+                EXPECT_TRUE(isa<AggregateStorageLocation>(BazPointeeLoc));
+                EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull());
+              });
+}
+
+TEST_F(TransferTest, NullToMemberPointerCast) {
+  std::string Code = R"(
+    struct Foo {};
+    void target(Foo *Foo) {
+      int Foo::*MemberPointer = nullptr;
+      // [[p]]
+    }
+  )";
+  runDataflow(
+      Code, [](llvm::ArrayRef<
+                   std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
+                   Results,
+               ASTContext &ASTCtx) {
+        ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
+        const Environment &Env = Results[0].second.Env;
+
+        const ValueDecl *MemberPointerDecl =
+            findValueDecl(ASTCtx, "MemberPointer");
+        ASSERT_THAT(MemberPointerDecl, NotNull());
+
+        const auto *MemberPointerVal = cast<PointerValue>(
+            Env.getValue(*MemberPointerDecl, SkipPast::None));
+
+        const StorageLocation &MemberLoc = MemberPointerVal->getPointeeLoc();
+        EXPECT_THAT(Env.getValue(MemberLoc), IsNull());
+      });
+}
+
 TEST_F(TransferTest, AddrOfValue) {
   std::string Code = R"(
     void target() {