analyzer: fix ICE merging dereferencing unknown ptrs [PR98628]

gcc/analyzer/ChangeLog:
	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

gcc/testsuite/ChangeLog:
	PR analyzer/98628
	* gcc.dg/analyzer/pr98628.c: New test.

2 files changed, 24 insertions, 2 deletions

diff --git a/gcc/analyzer/store.cc b/gcc/analyzer/store.cc
index 23118d0..bbd2e7c 100644
--- a/gcc/analyzer/store.cc
+++ b/gcc/analyzer/store.cc
@@ -1323,8 +1323,11 @@ binding_cluster::make_unknown_relative_to (const binding_cluster *other,
 	{
 	  const region *base_reg
 	    = region_sval->get_pointee ()->get_base_region ();
-	  binding_cluster *c = out_store->get_or_create_cluster (base_reg);
-	  c->mark_as_escaped ();
+	  if (!base_reg->symbolic_for_unknown_ptr_p ())
+	    {
+	      binding_cluster *c = out_store->get_or_create_cluster (base_reg);
+	      c->mark_as_escaped ();
+	    }
 	}
     }
 }
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr98628.c b/gcc/testsuite/gcc.dg/analyzer/pr98628.c
new file mode 100644
index 0000000..e2fa778
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr98628.c
@@ -0,0 +1,19 @@
+/* { dg-additional-options "-O1" } */
+
+void foo(void *);
+struct chanset_t help_subst_chan;
+struct chanset_t *help_subst_chan_0_0;
+struct chanset_t {
+  struct chanset_t *next;
+  char dname[];
+};
+void help_subst() {
+  char *writeidx;
+  for (;; help_subst_chan = *help_subst_chan_0_0) {
+    foo(help_subst_chan.next->dname);
+    if (help_subst_chan_0_0) {
+      writeidx++;
+      *writeidx++ = ' ';
+    }
+  }
+}