[analyzer] CStringChecker: Fix a crash on unknown value passed to strlcat.

Checkers should always account for unknown values.

Also use a slightly more high-level API that naturally avoids the problem.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

@@ -1706,13 +1706,12 @@ void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
           } else {
             if (appendK == ConcatFnKind::none) {
               // strlcpy returns strlen(src)
-              StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *strLengthNL);
-            } else if (dstStrLengthNL) {
+              StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength);
+            } else {
               // strlcat returns strlen(src) + strlen(dst)
-              SVal retSize = svalBuilder.evalBinOpNN(
-                  state, BO_Add, *strLengthNL, *dstStrLengthNL, sizeTy);
-              StateZeroSize =
-                  StateZeroSize->BindExpr(CE, LCtx, *(retSize.getAs<NonLoc>()));
+              SVal retSize = svalBuilder.evalBinOp(
+                  state, BO_Add, strLength, dstStrLength, sizeTy);
+              StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, retSize);
             }
           }
           C.addTransition(StateZeroSize);

clang/test/Analysis/bsd-string.c

@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -verify %s \
+// RUN: %clang_analyze_cc1 -w -verify %s \
 // RUN:   -analyzer-checker=core \
 // RUN:   -analyzer-checker=unix.cstring.NullArg \
 // RUN:   -analyzer-checker=alpha.unix.cstring \
@@ -131,3 +131,9 @@ void f11() {
   strlcpy(b, "hello ", sizeof(b));
   strlcat(b, a, sizeof(b)); // no-warning
 }
+
+int a, b;
+void unknown_val_crash() {
+  // We're unable to evaluate the integer-to-pointer cast.
+  strlcat(&b, a, 0); // no-crash
+}