analyzer: fix ICE when failing to reconstruct a fn ptr [PR101837]
authorDavid Malcolm <dmalcolm@redhat.com>
Mon, 23 Aug 2021 18:09:44 +0000 (14:09 -0400)
committerDavid Malcolm <dmalcolm@redhat.com>
Mon, 23 Aug 2021 18:09:44 +0000 (14:09 -0400)
gcc/analyzer/ChangeLog:
PR analyzer/101837
* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
NULL, and assert that it's non-NULL before passing it to
build_call_array_loc.

gcc/testsuite/ChangeLog:
PR analyzer/101837
* gcc.dg/analyzer/pr101837.c: New test.

gcc/analyzer/analyzer.cc
gcc/testsuite/gcc.dg/analyzer/pr101837.c [new file with mode: 0644]

index 557887724e8eb98c25e10b18b7b8495656f6dc42..f6e9c9d66d2c5ec571e939558f7e22a329f2d757 100644 (file)
@@ -145,6 +145,8 @@ maybe_reconstruct_from_def_stmt (tree ssa_name,
        tree return_type = gimple_call_return_type (call_stmt);
        tree fn = fixup_tree_for_diagnostic_1 (gimple_call_fn (call_stmt),
                                               visited);
+       if (fn == NULL_TREE)
+         return NULL_TREE;
        unsigned num_args = gimple_call_num_args (call_stmt);
        auto_vec<tree> args (num_args);
        for (unsigned i = 0; i < num_args; i++)
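Review bot: The new `if (fn == NULL_TREE) return NULL_TREE;` bail-out has no comment explaining why `fn` can be null at this point, and the call site alone does not show it. Going by the commit message, fixup_tree_for_diagnostic_1 can fail to reconstruct the function pointer. A line above the check such as `/* The callee could not be reconstructed (PR analyzer/101837); give up.  */` would record that for the next reader. The body of maybe_reconstruct_from_def_stmt starts and ends outside the hunk.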
@@ -155,6 +157,7 @@ maybe_reconstruct_from_def_stmt (tree ssa_name,
              return NULL_TREE;
            args.quick_push (arg);
          }
+       gcc_assert (fn);
        return build_call_array_loc (gimple_location (call_stmt),
                                     return_type, fn,
                                     num_args, args.address ());
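Review bot: The `gcc_assert (fn);` ahead of build_call_array_loc repeats the test that the early return in the previous hunk already makes. Nothing in the visible lines reassigns `fn` in between, although the lines between the two hunks are not shown. The early return is the real guard; if the assert stays as a statement of the precondition, a comment such as `/* build_call_array_loc must not be given a null callee.  */` would make that intent explicit, otherwise it can be dropped. The enclosing function continues outside the hunk.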
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr101837.c b/gcc/testsuite/gcc.dg/analyzer/pr101837.c
new file mode 100644 (file)
index 0000000..f99374d
--- /dev/null
@@ -0,0 +1,10 @@
+/* { dg-additional-options "-O3 -fsanitize=undefined" } */
+
+void memory_exhausted();
+void memcheck(void *ptr) {
+  if (ptr) /* { dg-warning "leak" } */
+    memory_exhausted();
+}
+
+int emalloc(int size) { memcheck(__builtin_malloc(size)); } /* { dg-message "allocated here" } */
+int main() { int max_envvar_len = emalloc(max_envvar_len + 1); } /* { dg-message "use of uninitialized value 'max_envvar_len'" } */
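Review bot: The new test has no header comment saying what it guards against, so the three dg directives read as if the "leak" and "use of uninitialized value" diagnostics were the point. From the commit message the regression is the ICE while reconstructing the callee; the missing return in `emalloc` and the self-initialised `max_envvar_len` look like artefacts of a reduced reproducer. A first line such as `/* PR analyzer/101837: check that we don't ICE when a call's fn ptr can't be reconstructed.  */` would tell a maintainer which part must keep passing if the incidental diagnostics later change.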