Merge pull request #11330 from MathiasVP/fix-performance-of-upcast-array-pointer-arith

cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql

@@ -20,21 +20,29 @@ import cpp
 import semmle.code.cpp.dataflow.DataFlow
 import DataFlow::PathGraph
 
+Type getFullyConvertedType(DataFlow::Node node) {
+  result = node.asExpr().getFullyConverted().getUnspecifiedType()
+}
+
 class CastToPointerArithFlow extends DataFlow::Configuration {
   CastToPointerArithFlow() { this = "CastToPointerArithFlow" }
 
-  override predicate isSource(DataFlow::Node node) {
+  override predicate isSource(DataFlow::Node node, DataFlow::FlowState state) {
     not node.asExpr() instanceof Conversion and
     exists(Type baseType1, Type baseType2 |
       hasBaseType(node.asExpr(), baseType1) and
       hasBaseType(node.asExpr().getConversion*(), baseType2) and
       introducesNewField(baseType1, baseType2)
-    )
+    ) and
+    getFullyConvertedType(node).getName() = state
   }
 
-  override predicate isSink(DataFlow::Node node) {
-    exists(PointerAddExpr pae | pae.getAnOperand() = node.asExpr()) or
-    exists(ArrayExpr ae | ae.getArrayBase() = node.asExpr())
+  override predicate isSink(DataFlow::Node node, DataFlow::FlowState state) {
+    (
+      exists(PointerAddExpr pae | pae.getAnOperand() = node.asExpr()) or
+      exists(ArrayExpr ae | ae.getArrayBase() = node.asExpr())
+    ) and
+    getFullyConvertedType(node).getName() = state
   }
 }
 
@@ -66,7 +74,7 @@ predicate introducesNewField(Class derived, Class base) {
 
 pragma[nomagic]
 predicate hasFullyConvertedType(DataFlow::PathNode node, Type t) {
-  t = node.getNode().asExpr().getFullyConverted().getUnspecifiedType()
+  getFullyConvertedType(node.getNode()) = t
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, CastToPointerArithFlow cfg, Type t