Address review.

Most important fix is that VNLength is now restricted to the subset
of value numbers that are Bounds in the RangeAnalysis.

cpp/ql/test/experimental/library-tests/arraylengthanalysis/ArrayLengthAnalysisTest.expected

@@ -2,7 +2,6 @@
 | test.cpp:19:8:19:8 | Load: a | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
 | test.cpp:21:8:21:8 | Load: a | VNLength(Chi: ptr) | -1 | ZeroOffset | 0 |
 | test.cpp:23:8:23:8 | Load: a | VNLength(Chi: ptr) | 1 | ZeroOffset | 0 |
-| test.cpp:25:8:25:8 | Load: a | VNLength(Mul: ... * ...) | 0 | ZeroOffset | 0 |
 | test.cpp:27:8:27:8 | Load: c | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
 | test.cpp:28:8:28:24 | Convert: (unsigned char *)... | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
 | test.cpp:30:8:30:8 | Load: v | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
@@ -22,4 +21,3 @@
 | test.cpp:80:8:80:8 | Load: a | VNLength(InitializeParameter: count) | 1 | OpOffset(Load: count) | 1 |
 | test.cpp:85:8:85:8 | Load: a | VNLength(InitializeParameter: count) | 1 | OpOffset(Add: ... + ...) | 0 |
 | test.cpp:87:8:87:8 | Load: a | VNLength(InitializeParameter: count) | 1 | OpOffset(Add: ... + ...) | 1 |
-| test.cpp:89:8:89:8 | Load: a | VNLength(Sub: ... - ...) | 0 | ZeroOffset | 0 |

cpp/ql/test/experimental/library-tests/arraylengthanalysis/test.cpp

@@ -22,7 +22,7 @@ void test1(unsigned int count) {
   a = (int *) malloc(sizeof(int) * (count + 1));
   sink(a); // (count, 1, Zero, 0)
   a = (int *) malloc(sizeof(int) * (2 * count));
-  sink(a); // (2*count, 0, Zero, 0)
+  sink(a); // none, as the size expression is too complicated
   char* c = (char *)malloc(count);
   sink(c); // /count, 0, Zero, 0)
   sink((unsigned char*)c); // (count, 0, Zero, 0)
@@ -86,5 +86,5 @@ void test2(unsigned int count, bool b) {
   a += 1;
   sink(a); // TODO, should be (count, 1, count, 2), but is (count, 1, count + 1, 1)
   a = (int*) malloc(sizeof(int) * (1024 - count));
-  sink(a); // (1024-count, 0, Zero, 0)
+  sink(a); // none, as the size expression is too complicated
 }