C++: Respond to review comments.

cpp/ql/src/Critical/DoubleFree.ql

@@ -16,10 +16,11 @@ import semmle.code.cpp.dataflow.new.DataFlow
 import FlowAfterFree
 import DoubleFree::PathGraph
 
-predicate isFree(DataFlow::Node n, Expr e) {
-  n.asExpr() = e and
-  isFree(_, e, _)
-}
+/**
+ * Holds if `n` is a dataflow node that represents a pointer going into a
+ * deallocation function, and `e` is the corresponding expression.
+ */
+predicate isFree(DataFlow::Node n, Expr e) { isFree(_, n, e, _) }
 
 /**
  * `dealloc1` is a deallocation expression and `e` is an expression such
@@ -31,7 +32,7 @@ predicate isFree(DataFlow::Node n, Expr e) {
  */
 bindingset[dealloc1, e]
 predicate isExcludeFreePair(DeallocationExpr dealloc1, Expr e) {
-  exists(DeallocationExpr dealloc2 | isFree(_, e, dealloc2) |
+  exists(DeallocationExpr dealloc2 | isFree(_, _, e, dealloc2) |
     dealloc1.(FunctionCall).getTarget().hasGlobalName("MmFreePagesFromMdl") and
     // From https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmfreepagesfrommdl:
     // "After calling MmFreePagesFromMdl, the caller must also call ExFreePool
@@ -45,7 +46,7 @@ module DoubleFree = FlowFromFree<isFree/2, isExcludeFreePair/2>;
 from DoubleFree::PathNode source, DoubleFree::PathNode sink, DeallocationExpr dealloc, Expr e2
 where
   DoubleFree::flowPath(source, sink) and
-  isFree(source.getNode(), _, dealloc) and
+  isFree(source.getNode(), _, _, dealloc) and
   isFree(sink.getNode(), e2)
 select sink.getNode(), source, sink,
   "Memory pointed to by '" + e2.toString() + "' may already have been freed by $@.", dealloc,