[Bug analyzer/113505] [14 Regression] ICE: SIGSEGV in tree_class_check (tree.h:3766) with -O -fdump-analyzer -fanalyzer since r14-6239

["jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113505

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Seems this is because the analyzer creates invalid IL.
MEM_REF second argument should be always INTEGER_CST, with value which is the
offset from the base and pointer type used for TBAA purposes:
/* Memory addressing.  Operands are a pointer and a tree constant integer
   byte offset of the pointer type that when dereferenced yields the
   type of the base object the pointer points into and which is used for
   TBAA purposes.
   The type of the MEM_REF is the type the bytes at the memory location
   are interpreted as.
   MEM_REF <p, c> is equivalent to ((typeof(c))p)->x... where x... is a
   chain of component references offsetting p by c.  */
DEFTREECODE (MEM_REF, "mem_ref", tcc_reference, 2)

Now, analyzer in some cases creates MEM_REFs right:
      tree len_ptr = cd.get_arg_tree (2);
      tree star_len_ptr = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (len_ptr)),
                                  len_ptr,
                                  build_int_cst (TREE_TYPE (len_ptr), 0));
in sm-fd.cc most likely has POINTER_TYPE, but
static tree
get_tree_for_byte_offset (tree ptr_expr, byte_offset_t byte_offset)
{
  gcc_assert (ptr_expr);
  return fold_build2 (MEM_REF,
                      char_type_node,
                      ptr_expr, wide_int_to_tree (size_type_node,
byte_offset));
}
and
  tree offset_0 = build_int_cst (integer_type_node, 0);
  tree star_p = build2 (MEM_REF, integer_type_node, p, offset_0);
and
  tree offset_0 = build_int_cst (integer_type_node, 0);
  tree mem_ref = build2 (MEM_REF, integer_type_node,
                         pointer_plus_expr, offset_0);
are definitely wrong, the two other spots in region-model.cc which create
MEM_REFs not really sure about.
Now, if such MEM_REFs will be around only during the pass and not actually
emitted
into the IL nor TBAA analyzed if they can or can't be aliased with some other
reference, I'd suggest just to use something that can alias anything, so:
build_pointer_type_for_mode (char_type_node, ptr_mode, true)