C++: Fix cpp/alloca-in-loop regressions with use-use dataflow

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -185,6 +185,19 @@ class LoopWithAlloca extends Stmt {
     not this.conditionReachesWithoutUpdate(var, this.(Loop).getCondition())
   }
 
+  /**
+   * Gets an expression associated with a dataflow node.
+   */
+  private Expr getExpr(DataFlow::Node node) {
+    result = node.asInstruction().getAst()
+    or
+    result = node.asOperand().getUse().getAst()
+    or
+    result = node.(DataFlow::RawIndirectInstruction).getInstruction().getAst()
+    or
+    result = node.(DataFlow::RawIndirectOperand).getOperand().getUse().getAst()
+  }
+
   /**
    * Gets a definition that may be the most recent definition of the
    * controlling variable `var` before this loop.
@@ -194,14 +207,10 @@ class LoopWithAlloca extends Stmt {
       va = var.getAnAccess() and
       this.conditionRequiresInequality(va, _, _) and
       DataFlow::localFlow(result, DataFlow::exprNode(va)) and
+      // Phi nodes will be preceded by nodes that represent actual definitions
+      not result instanceof DataFlow::SsaPhiNode and
       // A source is outside the loop if it's not inside the loop
-      not exists(Expr e |
-        e = result.asExpr()
-        or
-        e = result.asDefiningArgument()
-      |
-        this = getAnEnclosingLoopOfExpr(e)
-      )
+      not exists(Expr e | e = getExpr(result) | this = getAnEnclosingLoopOfExpr(e))
     )
   }
 
@@ -211,7 +220,11 @@ class LoopWithAlloca extends Stmt {
    */
   private int getAControllingVarInitialValue(Variable var, DataFlow::Node source) {
     source = this.getAPrecedingDef(var) and
-    result = source.asExpr().getValue().toInt()
+    (
+      result = getExpr(source).(Expr).getValue().toInt()
+      or
+      result = getExpr(source).(Assignment).getRValue().getValue().toInt()
+    )
   }
 
   /**