analyzer: fix ICE merging dereferencing unknown ptrs [PR98628]

gcc/analyzer/ChangeLog:
	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

gcc/testsuite/ChangeLog:
	PR analyzer/98628
	* gcc.dg/analyzer/pr98628.c: New test.

diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc
index 23118d05685637b82cded4a1877664bfd8a650f3..bbd2e7c2d40cac79377094e993960a6d397a7aca 100644 (file)
--- a/gcc/analyzer/store.cc
+++ b/gcc/analyzer/store.cc
@@ -1323,8 +1323,11 @@ binding_cluster::make_unknown_relative_to (const binding_cluster *other,
        {
          const region *base_reg
            = region_sval->get_pointee ()->get_base_region ();
-         binding_cluster *c = out_store->get_or_create_cluster (base_reg);
-         c->mark_as_escaped ();
+         if (!base_reg->symbolic_for_unknown_ptr_p ())
+           {
+             binding_cluster *c = out_store->get_or_create_cluster (base_reg);
+             c->mark_as_escaped ();
+           }
        }
     }
 }

diff --git a/gcc/testsuite/gcc.dg/analyzer/pr98628.c b/gcc/testsuite/gcc.dg/analyzer/pr98628.c
new file mode 100644 (file)
index 0000000..e2fa778
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr98628.c
@@ -0,0 +1,19 @@
+/* { dg-additional-options "-O1" } */
+
+void foo(void *);
+struct chanset_t help_subst_chan;
+struct chanset_t *help_subst_chan_0_0;
+struct chanset_t {
+  struct chanset_t *next;
+  char dname[];
+};
+void help_subst() {
+  char *writeidx;
+  for (;; help_subst_chan = *help_subst_chan_0_0) {
+    foo(help_subst_chan.next->dname);
+    if (help_subst_chan_0_0) {
+      writeidx++;
+      *writeidx++ = ' ';
+    }
+  }
+}