[clang] [clang][analyzer] Support strlen with offset to string literal in CStringChecker (PR #159795)

[Donát Nagy via cfe-commits]

================
@@ -1042,10 +1049,29 @@ SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
   case MemRegion::CompoundLiteralRegionKind:
     // FIXME: Can we track this? Is it necessary?
     return UnknownVal();
-  case MemRegion::ElementRegionKind:
-    // FIXME: How can we handle this? It's not good enough to subtract the
-    // offset from the base string length; consider "123\x00567" and &a[5].
+  case MemRegion::ElementRegionKind: {
+    // If an offset into the string literal is used, use the original length
+    // minus the offset.
+    // FIXME: Embedded null characters are not handled.
+    const ElementRegion *ER = cast<ElementRegion>(MR);
+    const SubRegion *SuperReg =
+        cast<SubRegion>(ER->getSuperRegion()->StripCasts());
+    const StringLiteral *StrLit = getStringLiteralFromRegion(SuperReg);
+    if (!StrLit)
+      return UnknownVal();
+    SValBuilder &SVB = C.getSValBuilder();
+    NonLoc Idx = ER->getIndex();
+    NonLoc LengthVal =
+        SVB.makeIntVal(StrLit->getLength(), SVB.getContext().getSizeType())
+            .castAs<NonLoc>();
+    if (state->assume(SVB.evalBinOpNN(state, BO_LE, Idx, LengthVal,
+                                      SVB.getConditionType())
+                          .castAs<DefinedOrUnknownSVal>(),
+                      true))
----------------
NagyDonat wrote:

Here you validate that `Idx` can be less than or equal to the length of the string literal, but you don't record this assumption in the state.

At first glance I thought that this is surprising/problematic, but now that I think more about this I feel that this bounds checking should be the responsibility of the `ArrayBound` checker, so I think the current code is good.

(No action expected.)

https://github.com/llvm/llvm-project/pull/159795