authorDavid Malcolm <dmalcolm@redhat.com>2024-05-15 18:40:56 -0400
committerDavid Malcolm <dmalcolm@redhat.com>2024-05-15 18:40:56 -0400
commit1779e22150b917e28e959623c819ef943fab02df (patch)
tree9915985364863c6e985809a5389292ec24767e1b
parent1fbbae1d4ba3618a3da829a6d7e11a1606a583b3 (diff)
analyzer: fix ICE seen with -fsanitize=undefined [PR114899]
gcc/analyzer/ChangeLog: PR analyzer/114899 * access-diagram.cc (written_svalue_spatial_item::get_label_string): Bulletproof against SSA_NAME_VAR being null. gcc/testsuite/ChangeLog: PR analyzer/114899 * c-c++-common/analyzer/out-of-bounds-diagram-pr114899.c: New test. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
-rw-r--r--gcc/analyzer/access-diagram.cc3
-rw-r--r--gcc/testsuite/c-c++-common/analyzer/out-of-bounds-diagram-pr114899.c15
2 files changed, 17 insertions, 1 deletions
diff --git a/gcc/analyzer/access-diagram.cc b/gcc/analyzer/access-diagram.cc
index 500480b..8d7461f 100644
--- a/gcc/analyzer/access-diagram.cc
+++ b/gcc/analyzer/access-diagram.cc
@@ -1632,7 +1632,8 @@ protected:
if (rep_tree)
{
if (TREE_CODE (rep_tree) == SSA_NAME)
- rep_tree = SSA_NAME_VAR (rep_tree);
+ if (tree var = SSA_NAME_VAR (rep_tree))
+ rep_tree = var;
switch (TREE_CODE (rep_tree))
{
default:
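Review bot: The new nested `if` has no comment saying when `SSA_NAME_VAR (rep_tree)` is null or what the label code does in that case, and an unbraced `if` directly inside another `if` is fragile should an `else` ever be added. When the inner test fails, `rep_tree` stays an SSA_NAME and enters the `switch`, presumably reaching `default:`, whose body is outside this hunk. I would brace the outer `if` and put `/* SSA_NAME_VAR is NULL_TREE for anonymous SSA names; keep the SSA_NAME and let the switch's default case handle it.  */` above the inner one. The enclosing function starts and ends outside the hunk, so the fallback's output cannot be checked from here.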
diff --git a/gcc/testsuite/c-c++-common/analyzer/out-of-bounds-diagram-pr114899.c b/gcc/testsuite/c-c++-common/analyzer/out-of-bounds-diagram-pr114899.c
new file mode 100644
index 0000000..14ba540
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/out-of-bounds-diagram-pr114899.c
@@ -0,0 +1,15 @@
+/* Verify we don't ICE generating out-of-bounds diagram. */
+
+/* { dg-additional-options " -fsanitize=undefined -fdiagnostics-text-art-charset=unicode" } */
+
+int * a() {
+ int *b = (int *)__builtin_malloc(sizeof(int));
+ int *c = b - 1;
+ ++*c;
+ return b;
+}
+
+/* We don't care about the exact diagram, just that we don't ICE. */
+
+/* { dg-allow-blank-lines-in-output 1 } */
+/* { dg-prune-output ".*" } */
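Review bot: Because `dg-prune-output ".*"` discards every diagnostic, this test would still pass if the analyzer stopped reporting the out-of-bounds access at `++*c;` altogether, and the diagram code this commit fixes would then never run. If the harness permits it alongside the prune, a `dg-warning` directive on the `++*c;` line with a loose message pattern would pin that the warning, and with it the diagram path, is still exercised. Failing that, the closing comment could state the limitation, e.g. `/* Note: this does not verify that the out-of-bounds warning is emitted.  */`.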