Ideally, we want generated flow summaries to be content-sensitive. That is, a summary for a function such as:

int read_f(S* s) { return s->f; }

should specify that we read the content f from Argument[*0].

However, if a function is super complex it may read/write many access paths, and this could cause an explosion in the number of summaries we generate.

To mitigate this, the flow summary generation library puts various restrictions on which callables receive content-sensitive summaries.

When a content-sensitive summary isn't generated, we currently fall back to a taint-configuration-based summary which means we only generate a taint summary and not a value-preserving summary.

This PR adds a "midpoint" in between the content-sensitive value-preserving summary and the taint-based summary so that we now:

• First check if we can generate a content-sensitive summary,
• If not, we check if we can generate a value-preserving summary,
• and finally, if that fails we check if we can generate a taint-based summary.

This seems to generate much better models on OpenSSL in particular.