C++: Fix barriers in invalid pointer deref

[MathiasVP]

Commit-by-commit review recommended.

• The first two commits fixes the FPs. The general theme here is that we shouldn't be clearing every node in a basic block based on a guard condition. This is quite interesting: we normally consider all dataflow nodes that are guarded by some specific condition as being safe. This is because we're reasoning about an unsafe value flowing to a specific sink:

void test() {
  char* s = my_dangerous_source();
  if(safe(s)) { sink(s); }
}

and here it makes sense that every dataflow node guarded by the safe(s) condition is safe because there's presumably no way to turn s unsafe again. However, when we're reasoning about buffer overflows, simply having a check like if(i < size) doesn't mean that there's not a a[i + 100000000] = 0 somewhere inside the block that's guarded by if(i < size). And i + 100000000 very likely isn't safe even though i < size.

• The third gets rid of an arbitrary bound on the flow state by precomputing the set of flow states. This could be achieved by piggy-backing on the existing dataflow traversal done using InvalidPointerToDerefBarrier::BarrierConfig, but this is needlessly complex and doesn't seem to give any additional performance boosts.
• Finally, the last commit fixes a bad join.

This will conflict with #13699, but it shouldn't be difficult to handle the resulting merge-conflict.

[geoffw0]

QL changes seem reasonable (though I won't pretend to have a deep understanding of all of them). Test results speak for themselves.

On DCA we lose 6 results, which appear to be false positives as well (as best I can tell).