From bfba95f9f7b57efbc5f51ae23bb0f3e98cf91fa3 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 18 Nov 2022 14:50:18 +0000
Subject: [PATCH] C++: Fix performance of 'cpp/upcast-array-pointer-arithmetic'.
---
 .../Conversion/CastArrayPointerArithmetic.ql | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
index 3f27b770c81..9a012775831 100644
--- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -20,21 +20,29 @@ import cpp
 import semmle.code.cpp.dataflow.DataFlow
 import DataFlow::PathGraph
+Type getFullyConvertedType(DataFlow::Node node) {
+ result = node.asExpr().getFullyConverted().getUnspecifiedType()
+}
+
 class CastToPointerArithFlow extends DataFlow::Configuration {
 CastToPointerArithFlow() { this = "CastToPointerArithFlow" }
- override predicate isSource(DataFlow::Node node) {
+ override predicate isSource(DataFlow::Node node, DataFlow::FlowState state) {
 not node.asExpr() instanceof Conversion and
 exists(Type baseType1, Type baseType2 |
 hasBaseType(node.asExpr(), baseType1) and
 hasBaseType(node.asExpr().getConversion*(), baseType2) and
 introducesNewField(baseType1, baseType2)
- )
+ ) and
+ getFullyConvertedType(node).getName() = state
 }
- override predicate isSink(DataFlow::Node node) {
- exists(PointerAddExpr pae | pae.getAnOperand() = node.asExpr()) or
- exists(ArrayExpr ae | ae.getArrayBase() = node.asExpr())
+ override predicate isSink(DataFlow::Node node, DataFlow::FlowState state) {
+ (
+ exists(PointerAddExpr pae | pae.getAnOperand() = node.asExpr()) or
+ exists(ArrayExpr ae | ae.getArrayBase() = node.asExpr())
+ ) and
+ getFullyConvertedType(node).getName() = state
 }
 }
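Review bot: Nothing in the new `getFullyConvertedType` helper or in the `isSource`/`isSink` state bindings explains why the flow state is the *name* of the fully-converted type rather than the type itself, and that encoding is lossy in two directions a reader should be told about. If `getName()` has no result for some type that reaches a source or sink (I can't tell from this hunk whether unnamed or anonymous types yield an empty string or no value), the conjunction with `state` silently drops that node, which is a results change relative to the stateless version, not just a performance one — worth confirming against the query's expected-results tests. Conversely, because `getName()` is unqualified, differently-scoped types with the same name share a state; that only weakens the pruning, and the exact-type pairing presumably still happens via the `Type t` in the select clause further down, which is outside this hunk. I would put a QLDoc comment on the helper along the lines of `/** Gets the unspecified type of the fully-converted expression of `node`. Its name is used as the flow state so that only sources and sinks of the same type are paired; the type itself is re-checked in the select. */`, and a one-line `// state = name of the fully-converted type, see getFullyConvertedType` next to each `= state` conjunct.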
@@ -66,7 +74,7 @@ predicate introducesNewField(Class derived, Class base) {
 pragma[nomagic]
 predicate hasFullyConvertedType(DataFlow::PathNode node, Type t) {
- t = node.getNode().asExpr().getFullyConverted().getUnspecifiedType()
+ getFullyConvertedType(node.getNode()) = t
 }
 from DataFlow::PathNode source, DataFlow::PathNode sink, CastToPointerArithFlow cfg, Type t