C++: Move fix to adjustedSink to avoid generating too many instructions

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -335,6 +335,12 @@ private Element adjustedSink(DataFlow::Node sink) {
   // For compatibility, send flow into a `NotExpr` even if it's part of a
   // short-circuiting condition and thus might get skipped.
   result.(NotExpr).getOperand() = sink.asExpr()
+  or
+  // Taint `e--` and `e++` when `e` is tainted.
+  exists(PostfixCrementOperation crement |
+    crement.getAnOperand() = sink.asExpr() and
+    result = crement
+  )
 }
 
 predicate tainted(Expr source, Element tainted) {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2469,6 +2469,9 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
     expr instanceof PrefixCrementOperation and
     not expr.isPRValueCategory() // is C++
     or
+    // Because the load is on the `e` in `e++`.
+    expr instanceof PostfixCrementOperation
+    or
     expr instanceof PointerDereferenceExpr
     or
     expr instanceof AddressOfExpr
@@ -2486,12 +2489,6 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
     // TODO: simplify TranslatedStmtExpr too
   ) and
   not exprImmediatelyDiscarded(expr)
-  or
-  // For certain expressions we want to keep the CopyValue instruction even though the result might
-  // not be needed, as we otherwise cannot get back the original expression. For now the only such
-  // expressions we have encountered are `e++` and `e--`.
-  // Because the load is on the `e` in `e++`.
-  expr instanceof PostfixCrementOperation
 }
 
 /**