analyzer: fix ICE merging models containing label pointers (PR 93546)

PR analyzer/93546 reports an ICE within region_model::add_region_for_type
when merging two region_models each containing a label pointer.  The
two labels are stored as pointers to symbolic_regions, but these regions
were created with NULL type, leading to an assertion failure when a
merged copy is created.

The labels themselves have void (but not NULL) type.

This patch updates make_region_for_type to use the type of the decl when
creating such regions, rather than implicitly setting the region's type
to NULL, fixing the ICE.

gcc/analyzer/ChangeLog:
	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

gcc/testsuite/ChangeLog:
	PR analyzer/93546
	* gcc.dg/analyzer/pr93546.c: New test.

gcc/analyzer/ChangeLog

@@ -1,3 +1,14 @@
+2020-02-03  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93546
+	* region-model.cc (region_model::on_call_pre): Update for new
+	param of symbolic_region ctor.
+	(region_model::deref_rvalue): Likewise.
+	(region_model::add_new_malloc_region): Likewise.
+	(make_region_for_type): Likewise, preserving type.
+	* region-model.h (symbolic_region::symbolic_region): Add "type"
+	param and pass it to base class ctor.
+
 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
 
 	PR analyzer/93547

gcc/analyzer/region-model.cc

@@ -4163,7 +4163,7 @@ region_model::on_call_pre (const gcall *call, region_model_context *ctxt)
 	{
 	  region_id frame_rid = get_current_frame_id ();
 	  region_id new_rid
-	    = add_region (new symbolic_region (frame_rid, false));
+	    = add_region (new symbolic_region (frame_rid, NULL_TREE, false));
 	  if (!lhs_rid.null_p ())
 	    {
 	      svalue_id ptr_sid
@@ -5113,7 +5113,7 @@ region_model::deref_rvalue (svalue_id ptr_sid, region_model_context *ctxt)
 	   We don't know if it on the heap, stack, or a global,
 	   so use the root region as parent.  */
 	region_id new_rid
-	  = add_region (new symbolic_region (m_root_rid, false));
+	  = add_region (new symbolic_region (m_root_rid, NULL_TREE, false));
 
 	/* We need to write the region back into the pointer,
 	   or we'll get a new, different region each time.
@@ -5455,7 +5455,7 @@ region_model::add_new_malloc_region ()
 {
   region_id heap_rid
     = get_root_region ()->ensure_heap_region (this);
-  return add_region (new symbolic_region (heap_rid, true));
+  return add_region (new symbolic_region (heap_rid, NULL_TREE, true));
 }
 
 /* Attempt to return a tree that represents SID, or return NULL_TREE.
@@ -6006,7 +6006,7 @@ make_region_for_type (region_id parent_rid, tree type)
 
   /* If we have a void *, make a new symbolic region.  */
   if (VOID_TYPE_P (type))
-    return new symbolic_region (parent_rid, false);
+    return new symbolic_region (parent_rid, type, false);
 
   gcc_unreachable ();
 }

gcc/analyzer/region-model.h

@@ -1606,8 +1606,8 @@ namespace ana {
 class symbolic_region : public region
 {
 public:
-  symbolic_region (region_id parent_rid, bool possibly_null)
-  : region (parent_rid, svalue_id::null (), NULL_TREE),
+  symbolic_region (region_id parent_rid, tree type, bool possibly_null)
+  : region (parent_rid, svalue_id::null (), type),
     m_possibly_null (possibly_null)
   {}
   symbolic_region (const symbolic_region &other);

gcc/testsuite/ChangeLog

@@ -1,3 +1,8 @@
+2020-02-03  David Malcolm  <dmalcolm@redhat.com>
+
+	PR analyzer/93546
+	* gcc.dg/analyzer/pr93546.c: New test.
+
 2020-02-03  David Malcolm  <dmalcolm@redhat.com>
 
 	PR analyzer/93547

gcc/testsuite/gcc.dg/analyzer/pr93546.c

@@ -0,0 +1,10 @@
+/* { dg-do compile } */
+
+void
+ch (int x1)
+{
+  ({ bx: &&bx; });
+  while (x1 == 0)
+    {
+    }
+}