analyzer: fix ICE on realloc of zeroed memory [PR104062]

gcc/analyzer/ChangeLog:
	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

gcc/testsuite/ChangeLog:
	PR analyzer/104062
	* gcc.dg/analyzer/pr104062.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

2 files changed, 15 insertions, 1 deletions

diff --git a/gcc/analyzer/region-model-manager.cc b/gcc/analyzer/region-model-manager.cc
index 903cdfde..9d4f595 100644
--- a/gcc/analyzer/region-model-manager.cc
+++ b/gcc/analyzer/region-model-manager.cc
@@ -794,7 +794,8 @@ region_model_manager::maybe_fold_sub_svalue (tree type,
 
   if (const repeated_svalue *repeated_sval
 	= parent_svalue->dyn_cast_repeated_svalue ())
-    return get_or_create_cast (type, repeated_sval->get_inner_svalue ());
+    if (type)
+      return get_or_create_cast (type, repeated_sval->get_inner_svalue ());
 
   return NULL;
 }
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr104062.c b/gcc/testsuite/gcc.dg/analyzer/pr104062.c
new file mode 100644
index 0000000..7129c27
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr104062.c
@@ -0,0 +1,13 @@
+void *
+calloc (__SIZE_TYPE__, __SIZE_TYPE__);
+
+void *
+realloc (void *, __SIZE_TYPE__);
+
+void
+foo (void)
+{
+  int *ap5 = calloc (4, sizeof *ap5);
+  int *ap7 = realloc (ap5, sizeof *ap5);
+} /* { dg-warning "leak of 'ap5'" "leak of ap5" } */
+/* { dg-warning "leak of 'ap7'" "leak of ap7" { target *-*-* } .-1 } */