analyzer: fix ICEs treeifying offset_region [PR96646, PR96841]

gcc/analyzer/ChangeLog:
	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region.  Require the MEM_REF's second argument to
	be an integer constant.

gcc/testsuite/ChangeLog:
	PR analyzer/96646
	PR analyzer/96841
	* gcc.dg/analyzer/pr96646.c: New test.
	* gcc.dg/analyzer/pr96841.c: New test.

gcc/analyzer/region-model.cc

@@ -2140,11 +2140,14 @@ region_model::get_representative_path_var (const region *reg,
 	path_var offset_pv
 	  = get_representative_path_var (offset_reg->get_byte_offset (),
 					 visited);
-	if (!offset_pv)
+	if (!offset_pv || TREE_CODE (offset_pv.m_tree) != INTEGER_CST)
 	  return path_var (NULL_TREE, 0);
+	tree addr_parent = build1 (ADDR_EXPR,
+				   build_pointer_type (reg->get_type ()),
+				   parent_pv.m_tree);
 	return path_var (build2 (MEM_REF,
 				 reg->get_type (),
-				 parent_pv.m_tree, offset_pv.m_tree),
+				 addr_parent, offset_pv.m_tree),
 			 parent_pv.m_stack_depth);
       }
 

gcc/testsuite/gcc.dg/analyzer/pr96646.c

@@ -0,0 +1,24 @@
+/* { dg-additional-options "-O1" } */
+
+struct zx {
+  struct zx *b4, *g0;
+};
+
+struct oo {
+  void *ph;
+  struct zx el;
+};
+
+inline void
+k7 (struct zx *xj)
+{
+  xj->b4->g0 = 0; /* { dg-warning "dereference of NULL" } */
+  xj->b4 = 0;
+}
+
+void
+n8 (struct oo *yx)
+{
+  k7 (&yx->el);
+  n8 (yx);
+}

gcc/testsuite/gcc.dg/analyzer/pr96841.c

@@ -0,0 +1,23 @@
+/* { dg-additional-options "-O1 -Wno-builtin-declaration-mismatch" } */
+
+int
+l8 (void);
+
+__SIZE_TYPE__
+malloc (__SIZE_TYPE__);
+
+void
+th (int *);
+
+void
+bv (__SIZE_TYPE__ ny)
+{
+  int ***mf;
+
+  while (l8 ())
+    {
+      *mf = 0;
+      (*mf)[ny] = (int *) malloc (sizeof (int));
+      th ((*mf)[ny]); /* { dg-warning "leak" } */
+    }
+}