[clang][analyzer] Fix a possible crash in CastSizeChecker (#134387)

clang/lib/StaticAnalyzer/Checkers/CastSizeChecker.cpp

@@ -62,6 +62,8 @@ static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize,
   assert(Last && "empty structs should already be handled");
 
   const Type *ElemType = Last->getType()->getArrayElementTypeNoTypeQual();
+  if (!ElemType)
+    return false;
   CharUnits FlexSize;
   if (const ConstantArrayType *ArrayTy =
         Ctx.getAsConstantArrayType(Last->getType())) {

clang/test/Analysis/castsize.c

@@ -0,0 +1,26 @@
+// RUN: %clang_analyze_cc1 -verify %s \
+// RUN:   -analyzer-checker=core,unix.Malloc,alpha.core.CastSize
+
+typedef typeof(sizeof(int)) size_t;
+void *malloc(size_t);
+
+struct s1 {
+  int a;
+  char x[];
+};
+
+struct s2 {
+  int a[100];
+  char x[];
+};
+
+union u {
+  struct s1 a;
+  struct s2 b;
+};
+
+static union u *test() {
+  union u *req;
+  req = malloc(5); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
+  return req;
+}