analyzer: fix ICE on NULL change.m_expr [PR100244]

PR analyzer/100244 reports an ICE on a -Wanalyzer-free-of-non-heap
due to a case where free_of_non_heap::describe_state_change can be
passed a NULL change.m_expr for a suitably complicated symbolic value.

Bulletproof it by checking for change.m_expr being NULL before
dereferencing it.

gcc/analyzer/ChangeLog:
	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

gcc/testsuite/ChangeLog:
	PR analyzer/100244
	* g++.dg/analyzer/pr100244.C: New test.

2 files changed, 23 insertions, 1 deletions

diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc
index 1d5b860..f02b73a 100644
--- a/gcc/analyzer/sm-malloc.cc
+++ b/gcc/analyzer/sm-malloc.cc
@@ -1303,7 +1303,7 @@ public:
   {
     /* Attempt to reconstruct what kind of pointer it is.
        (It seems neater for this to be a part of the state, though).  */
-    if (TREE_CODE (change.m_expr) == SSA_NAME)
+    if (change.m_expr && TREE_CODE (change.m_expr) == SSA_NAME)
       {
 	gimple *def_stmt = SSA_NAME_DEF_STMT (change.m_expr);
 	if (gcall *call = dyn_cast <gcall *> (def_stmt))
diff --git a/gcc/testsuite/g++.dg/analyzer/pr100244.C b/gcc/testsuite/g++.dg/analyzer/pr100244.C
new file mode 100644
index 0000000..261b3cf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/analyzer/pr100244.C
@@ -0,0 +1,22 @@
+// { dg-additional-options "-O1 -Wno-free-nonheap-object" }
+
+inline void *operator new (__SIZE_TYPE__, void *__p) { return __p; }
+
+struct __aligned_buffer {
+  int _M_storage;
+  int *_M_addr() { return &_M_storage; }
+};
+
+struct _Hashtable_alloc {
+  int _M_single_bucket;
+  int *_M_buckets;
+  _Hashtable_alloc () { _M_buckets = &_M_single_bucket; }
+  ~_Hashtable_alloc () { delete _M_buckets; } // { dg-warning "not on the heap" }
+};
+
+void
+test01 (__aligned_buffer buf)
+{
+  _Hashtable_alloc *tmp = new (buf._M_addr ()) _Hashtable_alloc;
+  tmp->~_Hashtable_alloc ();
+}