add length-addr to the metadata for patch-records

The length address of the function is useful for some downstream patch record consumers that need the address to patch the input length. This is used in conjunction with the currently exported 'length-argument' field.

Author: Dan Phung

chb/buffer/LibraryCallCallsites.py

@@ -212,6 +212,25 @@ def lenarg(self) -> Optional["XXpr"]:
                     return self.instr.call_arguments[lenindex - 1]
         return None
 
+    @property
+    def lenaddr(self) -> Optional[str]:
+        if self.lenarg is None:
+            return None
+        regname = str(self.lenarg)
+        locs = self.instr.reaching_definitions(regname)
+        valid = [loc for loc in locs if loc != "init"]
+        if len(valid) == 1:
+            return valid[0]
+        elif len(valid) == 0:
+            chklogger.logger.warning(
+                "No valid reaching def for %s at %s", regname, self.instr.iaddr)
+            return None
+        else:
+            # Multiple reaching defs means a join point — ambiguous, can't patch
+            chklogger.logger.warning(
+                "Multiple reaching defs for %s at %s: %s", regname, self.instr.iaddr, valid)
+            return None
+
     @property
     def lentype(self) -> str:
         lenarg = self.lenarg
@@ -254,6 +273,7 @@ def to_json_result(self,
         content["stack-offset"] = dstoffset
         if self.lenarg is not None:
             content["length-argument"] = str(self.lenarg)
+            content["length-addr"] = self.lenaddr
         else:
             content["length-argument"] = None
         content["spare"] = spare