Document some heuristics around out of bounds indices

Author: eholk

docs/code-quality/c6200.md

@@ -47,3 +47,27 @@ void f()
     delete[] buff;
 }
 ```
+
+## Heuristics
+
+Code analysis cannot always prove whether an array index is in range. This can be particularly true when the index is computed from a complex expression, including those that use call into other functions. In these cases, code analysis may fall back on other clues to determine the range an array index expression may fall into.
+
+For example, consider the following function which uses `rand()` in index calculations as a standin for a function call that code analysis cannot analyze:
+
+```cpp
+#include <stdlib.h>
+
+void f()
+{
+    int* buff = new int[14];
+    for (int i = 1; i < 14; i++)
+    {
+        buff[rand()] = 0;       // no warning, nothing is known about the return value of rand()
+        buff[rand() % 15] = 0;  // warning C6200, rand() % 15 is known to be in the range 0..14 and index 14 is out of bounds
+        buff[rand() % 14] = 0;  // no warning, rand() % 14 is known to be in the range 0..13
+    }
+    delete[] buff;
+}
+```
+
+Code analysis does not warn with just `rand()` because it does not have any information about its return value. On the other hand, `rand() % 15` and `rand() % 14` provide hints as to the range of the return value of `rand()` and code analysis can use that information to determine that the index is out of bounds in the first case but not the second.