analyzer: fix ICE on certain pointer subtractions [PR110387]

gcc/analyzer/ChangeLog:
	PR analyzer/110387
	* region.h (struct cast_region::key_t): Support "m_type" being
	null by using "m_original_region" for empty/deleted slots.

gcc/testsuite/ChangeLog:
	PR analyzer/110387
	* gcc.dg/analyzer/out-of-bounds-pr110387.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

gcc/analyzer/region.h

@@ -1107,7 +1107,7 @@ public:
     key_t (const region *original_region, tree type)
     : m_original_region (original_region), m_type (type)
     {
-      gcc_assert (type);
+      gcc_assert (original_region);
     }
 
     hashval_t hash () const
@@ -1124,10 +1124,16 @@ public:
 	      && m_type == other.m_type);
     }
 
-    void mark_deleted () { m_type = reinterpret_cast<tree> (1); }
-    void mark_empty () { m_type = NULL_TREE; }
-    bool is_deleted () const { return m_type == reinterpret_cast<tree> (1); }
-    bool is_empty () const { return m_type == NULL_TREE; }
+    void mark_deleted ()
+    {
+      m_original_region = reinterpret_cast<const region *> (1);
+    }
+    void mark_empty () { m_original_region = nullptr; }
+    bool is_deleted () const
+    {
+      return m_original_region == reinterpret_cast<const region *> (1);
+    }
+    bool is_empty () const { return m_original_region == nullptr; }
 
     const region *m_original_region;
     tree m_type;

gcc/testsuite/gcc.dg/analyzer/out-of-bounds-pr110387.c

@@ -0,0 +1,19 @@
+char a, b, c, d;
+long x;
+
+void
+_S_copy (long __n)
+{
+  __builtin_memcpy (&a, &d, __n); /* { dg-prune-output "-Wanalyzer-out-of-bounds" } */
+  /* This only warns on some targets; the purpose of the test is to verify that
+     we don't ICE.  */
+}
+
+void
+_M_construct ()
+{
+  x = &c - &b;
+  unsigned long __dnew = x;
+  if (__dnew > 1)
+    _S_copy (&c - &b);
+}