`MayPointTo` is not subset of `ReachableFrom`

[sim642]

In #1174 I made pthread_join invalidate its second argument with w instead of the default r_deep; w_deep; s_deep. Surprisingly, this caused test failures due to additional unknown pointer accesses if the pthread_join argument happens to be NULL.
This means that the MayPointTo for w accesses returns more addresses than ReachableFrom for w_deep, although I've always thought the former should be a subset of the latter as the latter is a recursive closure of the former. But apparently not?!

First, ReachableFrom for some reason excludes unknown pointers:

analyzer/src/analyses/base.ml

Lines 1288 to 1290 in 851c6b3

	let a' = AD.remove Addr.UnknownPtr a in (* run reachable_vars without unknown just to be safe: TODO why? *)
	let addrs = reachable_vars (Analyses.ask_of_ctx ctx) [a'] ctx.global ctx.local in
	List.fold_left (AD.join) (AD.empty ()) addrs

Second, reachable_from_value for some reason excludes NULL pointers:

analyzer/src/analyses/base.ml

Line 523 in 851c6b3

| Address adrs -> AD.remove Addr.NullPtr adrs

This explains why ReachableFrom NULL doesn't yield any accesses, but it doesn't explain why those exclusions are there in the first place.

In a4fb621 reachable_from_value was not just moved around but also the AD.remove Addr.NullPtr was introduced without explanation.

[sim642]

There's also a third difference which affects NULL constants in particular because they evaluate to Int variants in base.
MayPointTo returns the top pointer for them:

analyzer/src/analyses/base.ml

Line 1273 in 851c6b3

| _ -> Queries.Result.top q

But ReachableFrom returns an empty points-to set:

analyzer/src/analyses/base.ml

Line 1291 in 851c6b3

| _ -> AD.empty ()