analyzer: fix ICEs in region_model::get_lvalue_1 [PR 93388]

There have been various ICEs with -fanalyzer involving unhandled tree
codes in region_model::get_lvalue_1; PR analyzer/93388 reports various
others e.g. for IMAGPART_EXPR, REALPART_EXPR, and VIEW_CONVERT_EXPR seen
when running the testsuite with -fanalyzer forcibly enabled.

Whilst we could implement lvalue-handling in the region model for every
tree code, for some of these we're straying far from my primary goal for
GCC 10 of implementing a double-free checker for C.

This patch implements a fallback for unimplemented tree codes: create a
dummy region, but mark the new state as being invalid, and stop
exploring state along this path.  It also implements VIEW_CONVERT_EXPR.

Doing so fixes the ICEs, whilst effectively turning off the analyzer
along code paths that use such tree codes.  Hopefully this compromise
is sensible for GCC 10.

gcc/analyzer/ChangeLog:
	PR analyzer/93388
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	New.
	(exploded_graph::get_or_create_node): Reject invalid states.
	* exploded-graph.h
	(impl_region_model_context::on_unknown_tree_code): New decl.
	(point_and_state::point_and_state): Assert that the state is
	valid.
	* program-state.cc (program_state::program_state): Initialize
	m_valid to true.
	(program_state::operator=): Copy m_valid.
	(program_state::program_state): Likewise for move constructor.
	(program_state::print): Print m_valid.
	(program_state::dump_to_pp): Likewise.
	* program-state.h (program_state::m_valid): New field.
	* region-model.cc (region_model::get_lvalue_1): Implement the
	default case by returning a new symbolic region and calling
	the context's on_unknown_tree_code, rather than issuing an
	internal_error.  Implement VIEW_CONVERT_EXPR.
	* region-model.h (region_model_context::on_unknown_tree_code): New
	vfunc.
	(test_region_model_context::on_unknown_tree_code): New.

gcc/testsuite/ChangeLog:
	PR analyzer/93388
	* gcc.dg/analyzer/torture/20060625-1.c: New test.
	* gcc.dg/analyzer/torture/pr51628-30.c: New test.
	* gcc.dg/analyzer/torture/pr59037.c: New test.

1 files changed, 25 insertions, 0 deletions

diff --git a/gcc/analyzer/ChangeLog b/gcc/analyzer/ChangeLog
index 5945abc..d669c98 100644
--- a/gcc/analyzer/ChangeLog
+++ b/gcc/analyzer/ChangeLog
@@ -1,5 +1,30 @@
 2020-02-17  David Malcolm  <dmalcolm@redhat.com>
 
+	PR analyzer/93388
+	* engine.cc (impl_region_model_context::on_unknown_tree_code):
+	New.
+	(exploded_graph::get_or_create_node): Reject invalid states.
+	* exploded-graph.h
+	(impl_region_model_context::on_unknown_tree_code): New decl.
+	(point_and_state::point_and_state): Assert that the state is
+	valid.
+	* program-state.cc (program_state::program_state): Initialize
+	m_valid to true.
+	(program_state::operator=): Copy m_valid.
+	(program_state::program_state): Likewise for move constructor.
+	(program_state::print): Print m_valid.
+	(program_state::dump_to_pp): Likewise.
+	* program-state.h (program_state::m_valid): New field.
+	* region-model.cc (region_model::get_lvalue_1): Implement the
+	default case by returning a new symbolic region and calling
+	the context's on_unknown_tree_code, rather than issuing an
+	internal_error.  Implement VIEW_CONVERT_EXPR.
+	* region-model.h (region_model_context::on_unknown_tree_code): New
+	vfunc.
+	(test_region_model_context::on_unknown_tree_code): New.
+
+2020-02-17  David Malcolm  <dmalcolm@redhat.com>
+
 	* sm-malloc.cc (malloc_diagnostic::describe_state_change): For
 	transition to the "null" state, only say "assuming" when
 	transitioning from the "unchecked" state.