[committed] analyzer: fix ICE with negative bit offsets [PR96648]

[David Malcolm <dmalcolm@redhat.com>]

PR analyzer/96648 reports an ICE within get_field_at_bit_offset due
to a negative bit offset, arising due to pointer arithmetic.

This patch replaces an assertion with handling for this case, fixing the
ICE.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to master as r11-2753-g400abebf48a90d0797718ab7c3864de331e85b70.

gcc/analyzer/ChangeLog:
	PR analyzer/96648
	* region.cc (get_field_at_bit_offset): Gracefully handle negative
	values for bit_offset.

gcc/testsuite/ChangeLog:
	PR analyzer/96648
	* gcc.dg/analyzer/pr96648.c: New test.
---
 gcc/analyzer/region.cc                  |  3 ++-
 gcc/testsuite/gcc.dg/analyzer/pr96648.c | 36 +++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/pr96648.c

diff --git a/gcc/analyzer/region.cc b/gcc/analyzer/region.cc
index eab1f2771cf..770e2cb849e 100644
--- a/gcc/analyzer/region.cc
+++ b/gcc/analyzer/region.cc
@@ -226,7 +226,8 @@ static tree
 get_field_at_bit_offset (tree record_type, bit_offset_t bit_offset)
 {
   gcc_assert (TREE_CODE (record_type) == RECORD_TYPE);
-  gcc_assert (bit_offset >= 0);
+  if (bit_offset < 0)
+    return NULL;
 
   /* Find the first field that has an offset > BIT_OFFSET,
      then return the one preceding it.
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr96648.c b/gcc/testsuite/gcc.dg/analyzer/pr96648.c
new file mode 100644
index 00000000000..a6b0c727287
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr96648.c
@@ -0,0 +1,36 @@
+/* { dg-additional-options "-O1" } */
+
+struct vd {
+  struct vd *rs;
+};
+
+struct fh {
+  struct vd cl;
+};
+
+struct i3 {
+  struct fh *h4;
+};
+
+struct fh *
+gm (void);
+
+void
+j7 (struct vd *);
+
+inline void
+mb (struct vd *e7)
+{
+  j7 (e7->rs);
+}
+
+void
+po (struct i3 *d2)
+{
+  struct i3 *s2;
+
+  d2->h4 = gm ();
+  mb (&d2->h4->cl);
+  s2 = ({ d2 - 1; });
+  po (s2);
+}
-- 
2.26.2