C++ IR: allow inexact defs in taint tracking

cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking.qll

@@ -145,6 +145,11 @@ module TaintTracking {
       nodeTo instanceof PointerArithmeticInstruction
       or
       nodeTo instanceof FieldAddressInstruction
+      or
+      // The `CopyInstruction` case is also present in non-taint data flow, but
+      // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
+      // from a definition of `myStruct` to a `myStruct.myField` expression.
+      nodeTo instanceof CopyInstruction
     )
     or
     nodeTo.(LoadInstruction).getSourceAddress() = nodeFrom

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -143,7 +143,7 @@ UninitializedNode uninitializedNode(LocalVariable v) { result.getLocalVariable()
  */
 predicate localFlowStep(Node nodeFrom, Node nodeTo) {
   nodeTo.(CopyInstruction).getSourceValue() = nodeFrom or
-  nodeTo.(PhiInstruction).getAnOperand().getAnyDef() = nodeFrom or
+  nodeTo.(PhiInstruction).getAnOperand().getDef() = nodeFrom or
   // Treat all conversions as flow, even conversions between different numeric types.
   nodeTo.(ConvertInstruction).getUnary() = nodeFrom
 }