From 4b821c7efbe12cfbb129a88541108b39058da526 Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Mon, 23 Aug 2021 14:09:44 -0400 Subject: [PATCH] analyzer: fix ICE when failing to reconstruct a fn ptr [PR101837] gcc/analyzer/ChangeLog: PR analyzer/101837 * analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is NULL, and assert that it's non-NULL before passing it to build_call_array_loc. gcc/testsuite/ChangeLog: PR analyzer/101837 * gcc.dg/analyzer/pr101837.c: New test. --- gcc/analyzer/analyzer.cc | 3 +++ gcc/testsuite/gcc.dg/analyzer/pr101837.c | 10 ++++++++++ 2 files changed, 13 insertions(+) create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr101837.c diff --git a/gcc/analyzer/analyzer.cc b/gcc/analyzer/analyzer.cc index 5578877..f6e9c9d 100644 --- a/gcc/analyzer/analyzer.cc +++ b/gcc/analyzer/analyzer.cc @@ -145,6 +145,8 @@ maybe_reconstruct_from_def_stmt (tree ssa_name, tree return_type = gimple_call_return_type (call_stmt); tree fn = fixup_tree_for_diagnostic_1 (gimple_call_fn (call_stmt), visited); + if (fn == NULL_TREE) + return NULL_TREE; unsigned num_args = gimple_call_num_args (call_stmt); auto_vec args (num_args); for (unsigned i = 0; i < num_args; i++) @@ -155,6 +157,7 @@ maybe_reconstruct_from_def_stmt (tree ssa_name, return NULL_TREE; args.quick_push (arg); } + gcc_assert (fn); return build_call_array_loc (gimple_location (call_stmt), return_type, fn, num_args, args.address ()); diff --git a/gcc/testsuite/gcc.dg/analyzer/pr101837.c b/gcc/testsuite/gcc.dg/analyzer/pr101837.c new file mode 100644 index 0000000..f99374d --- /dev/null +++ b/gcc/testsuite/gcc.dg/analyzer/pr101837.c 
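Review bot: The new `if (fn == NULL_TREE) return NULL_TREE;` guard in the first analyzer.cc hunk carries no comment saying why the callee can come back null, so a later reader cannot tell an expected failure from a masked bug. I would add above it `/* fixup_tree_for_diagnostic_1 can fail to reconstruct the callee (e.g. a fn ptr); give up rather than build a call with a null fn.  */`. maybe_reconstruct_from_def_stmt starts and ends outside this hunk, so it should be confirmed there that callers treat a NULL_TREE result as "no reconstruction". The argument loop's existing `return NULL_TREE` suggests they do.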
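Review bot: The `gcc_assert (fn);` added before `build_call_array_loc` in the second analyzer.cc hunk looks redundant, because the first hunk already returns when `fn == NULL_TREE` and nothing visible in either hunk reassigns `fn`. If it is meant to document the callee's precondition, say so on the line, e.g. `gcc_assert (fn); /* checked above; build_call_array_loc needs a non-null fn.  */`. Otherwise drop it, so the early return stays the single place where the null case is handled. The function body continues outside the hunk.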
@@ -0,0 +1,10 @@
+/* { dg-additional-options "-O3 -fsanitize=undefined" } */
+
+void memory_exhausted();
+void memcheck(void *ptr) {
+ if (ptr) /* { dg-warning "leak" } */
+ memory_exhausted();
+}
+
+int emalloc(int size) { memcheck(__builtin_malloc(size)); } /* { dg-message "allocated here" } */
+int main() { int max_envvar_len = emalloc(max_envvar_len + 1); } /* { dg-message "use of uninitialized value 'max_envvar_len'" } */
-- 2.7.4
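Review bot: The new test never states that it is an ICE regression test. Its dg directives only pin the leak and uninitialized-value diagnostics, while the commit message describes a crash when a fn ptr could not be reconstructed. A header comment such as `/* PR analyzer/101837: used to ICE when the analyzer failed to reconstruct a fn ptr for a diagnostic.  */` would record that. It would also discourage someone from "cleaning up" the missing `return` statements or the self-initialized `max_envvar_len`, which appear to be part of the reduced reproducer.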