C++: Add object/flow conflation for unions when resolving function pointers.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1492,7 +1492,14 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 }
 
 /** Extra data-flow steps needed for lambda flow analysis. */
-predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) {
+  preservesValue = false and
+  exists(ContentSet cs | cs.isSingleton(any(UnionContent uc)) |
+    storeStep(nodeFrom, cs, nodeTo)
+    or
+    readStep(nodeFrom, cs, nodeTo)
+  )
+}
 
 predicate knownSourceModel(Node source, string model) { External::sourceNode(source, _, model) }
 

cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp

@@ -93,7 +93,7 @@ void callIdentityFunctions(Top *top, Bottom *bottom) { // $ ast-def=bottom ast-d
 using SinkFunctionType = void (*)(int);
 
 void callSink(int x) {
-  sink(x); // $ ir MISSING: ast,ir=107:17 ast,ir=140:8 ast,ir=144:8
+  sink(x); // $ ir=107:17 ir=140:8 ir=144:8 MISSING: ast=107:17 ast=140:8 ast=144:8
 }
 
 SinkFunctionType returnCallSink() {

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -183,6 +183,8 @@ irFlow
 | dispatch.cpp:107:17:107:22 | call to source | dispatch.cpp:96:8:96:8 | x |
 | dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:129:18:129:25 | call to isSource |
 | dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:130:17:130:24 | call to isSource |
+| dispatch.cpp:140:8:140:13 | call to source | dispatch.cpp:96:8:96:8 | x |
+| dispatch.cpp:144:8:144:13 | call to source | dispatch.cpp:96:8:96:8 | x |
 | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:31:9:31:9 | x |
 | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:61:8:61:11 | access to array |
 | flowOut.cpp:84:18:84:23 | call to source | flowOut.cpp:85:8:85:9 | * ... |