authorDavid Malcolm <dmalcolm@redhat.com>2020-01-22 16:26:38 -0500
committerDavid Malcolm <dmalcolm@redhat.com>2020-01-23 11:24:16 -0500
commit648796dab42b6e839f10fee5835f24cd2016a9f4 (patch)
tree364511210390da46f64c760f2c83b64632d8a137
parent6d00f052ef209bacdd93f503b0c5fb428cc6c434 (diff)
analyzer: avoid ICE with missing arguments (PR 93375)
PR analyzer/93375 reports an ICE under certain circumstances involving a call where the number of arguments at the callsite is less than the parameter count of the callee. Specifically, the ICE occurs when pruning a checker_path for a diagnostic, when attempting to maintain which expression is of interest through such a call. The root cause is an assumption that there were enough arguments at the callsite, within callgraph_superedge's methods for mapping expressions between callee and caller. This patch adds checks for this to the relevant methods, fixing the ICE. gcc/analyzer/ChangeLog: PR analyzer/93375 * supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail gracefully if the number of parameters at the callee exceeds the number of arguments at the call stmt. (callgraph_superedge::get_parm_for_arg): Likewise. gcc/testsuite/ChangeLog: PR analyzer/93375 * gcc.dg/analyzer/pr93375.c: New test.
-rw-r--r--gcc/analyzer/ChangeLog8
-rw-r--r--gcc/analyzer/supergraph.cc14
-rw-r--r--gcc/testsuite/ChangeLog5
-rw-r--r--gcc/testsuite/gcc.dg/analyzer/pr93375.c15
4 files changed, 38 insertions, 4 deletions
diff --git a/gcc/analyzer/ChangeLog b/gcc/analyzer/ChangeLog
index 16613e4..34c311d 100644
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@@ -1,3 +1,11 @@
+2020-01-23 David Malcolm <dmalcolm@redhat.com>
+
+ PR analyzer/93375
+ * supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
+ gracefully is the number of parameters at the callee exceeds the
+ number of arguments at the call stmt.
+ (callgraph_superedge::get_parm_for_arg): Likewise.
+
2020-01-22 David Malcolm <dmalcolm@redhat.com>
PR analyzer/93382
diff --git a/gcc/analyzer/supergraph.cc b/gcc/analyzer/supergraph.cc
index 4660239..a5bf52d 100644
--- a/gcc/analyzer/supergraph.cc
+++ b/gcc/analyzer/supergraph.cc
@@ -879,16 +879,19 @@ callgraph_superedge::get_arg_for_parm (tree parm_to_find,
gcc_assert (TREE_CODE (parm_to_find) == PARM_DECL);
tree callee = get_callee_decl ();
+ const gcall *call_stmt = get_call_stmt ();
- int i = 0;
+ unsigned i = 0;
for (tree iter_parm = DECL_ARGUMENTS (callee); iter_parm;
iter_parm = DECL_CHAIN (iter_parm), ++i)
{
+ if (i >= gimple_call_num_args (call_stmt))
+ return NULL_TREE;
if (iter_parm == parm_to_find)
{
if (out)
*out = callsite_expr::from_zero_based_param (i);
- return gimple_call_arg (get_call_stmt (), i);
+ return gimple_call_arg (call_stmt, i);
}
}
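Review bot: The new early return at `if (i >= gimple_call_num_args (call_stmt))` adds a silent NULL_TREE result for a callsite that passes fewer arguments than the callee declares, but nothing in the hunk says why that case is tolerated rather than asserted; a comment above the check would make the contract clear, e.g. `/* A call may pass fewer arguments than the callee has parameters (as in the old-style call in PR analyzer/93375); such parameters have no corresponding argument.  */`. The same guard is duplicated in get_parm_for_arg in the next hunk and deserves the same comment there. If the header comments of both functions (above the hunks) do not already mention a NULL_TREE result, they should, since the path-pruning callers named in the description must now check for it. As a minor style point, `gimple_call_num_args (call_stmt)` is loop-invariant and could be read once into a `const unsigned num_args` before the loop in both functions. The enclosing function begins before the hunk in both cases.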
@@ -906,12 +909,15 @@ callgraph_superedge::get_parm_for_arg (tree arg_to_find,
callsite_expr *out) const
{
tree callee = get_callee_decl ();
+ const gcall *call_stmt = get_call_stmt ();
- int i = 0;
+ unsigned i = 0;
for (tree iter_parm = DECL_ARGUMENTS (callee); iter_parm;
iter_parm = DECL_CHAIN (iter_parm), ++i)
{
- tree param = gimple_call_arg (get_call_stmt (), i);
+ if (i >= gimple_call_num_args (call_stmt))
+ return NULL_TREE;
+ tree param = gimple_call_arg (call_stmt, i);
if (arg_to_find == param)
{
if (out)
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index 5c390ba..ef4c6fc 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,8 @@
+2020-01-23 David Malcolm <dmalcolm@redhat.com>
+
+ PR analyzer/93375
+ * gcc.dg/analyzer/pr93375.c: New test.
+
2020-01-23 Jason Merrill <jason@redhat.com>
* lib/target-supports.exp (check_effective_target_unsigned_char):
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr93375.c b/gcc/testsuite/gcc.dg/analyzer/pr93375.c
new file mode 100644
index 0000000..93a3e87
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr93375.c
@@ -0,0 +1,15 @@
+/* { dg-additional-options "-Wno-implicit-int" } */
+
+void
+en (jm)
+{
+}
+
+void
+p2 ()
+{
+ char *rl = 0;
+
+ en ();
+ __builtin_memcpy (rl, 0, sizeof (0)); /* { dg-warning "dereference of NULL" } */
+}
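Review bot: The test body gives no hint of what it reproduces: only the file name links it to the ICE, and a reader cannot tell that the zero-argument `en ();` call against a one-parameter definition is the essential part while the memcpy line merely provides a diagnostic whose path gets pruned. A leading comment would document this, e.g. `/* PR analyzer/93375: en () passes fewer arguments than en has parameters; pruning the path for the warning below used to ICE.  */`. The dg-warning on the memcpy line is the expected diagnostic and should stay as written.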