c++/60760 - arithmetic on null pointers should not be allowed in constant expressions

>> The new code in cxx_eval_component_reference diagnoses the following
>> problem that's not detected otherwise:
>>
>>   struct S { const S *s; };
>>
>>   constexpr S s = { 0 };
>>
>>   constexpr const void *p = &s.s->s;
>
> Note that this falls under core issue 1530, which has not been resolved.

I don't quite see the relevance of this issue.  It's concerned
with storage in which an object will exist at some point in
the future when its lifetime begins or where it existed in
the past before its lifetime ended.  There is no object or
storage at s.s above because s.s is null.

It might perhaps be okay to accept the expression above as
an extension with the rationale that the offset of the first
member is zero and so its address must be a null pointer, but
it surely wouldn't be okay in the modified test case below
where the second member's offset is non-zero and there may
not be a way to represent that offset as a pointer. This
seems unquestionably undefined to me.  Did I miss something?

   struct S { const S *s; int i; };

   constexpr S s = { 0 };

   constexpr const void *p = &s.s->i;

>   I believe that this is fine under the current wording; only "access"
> to a non-static data member is undefined, and "access" is defined as
> reading or writing.  There has been discussion in the context of UBsan
> about making this undefined, but that hasn't been decided yet.  But I'm
> OK with changing G++ to go in that direction.
>
> cxx_eval_component_reference could check whether 'whole' is a null (or
> other invalid) lvalue; for that testcase it's an INDIRECT_REF of 0.

Thanks for the hint.  I've made that change and also adjusted
the rest of the patch to avoid passing the nullptr_p around.
It was surprisingly simpler to do than I remembered from my
first attempt back in March.

Martin

On 06/01/2016 02:44 PM, Martin Sebor wrote:
>>> The new code in cxx_eval_component_reference diagnoses the following
>>> problem that's not detected otherwise:
>>>
>>>   struct S { const S *s; };
>>>
>>>   constexpr S s = { 0 };
>>>
>>>   constexpr const void *p = &s.s->s;
>>
>> Note that this falls under core issue 1530, which has not been resolved.
>
> I don't quite see the relevance of this issue.  It's concerned
> with storage in which an object will exist at some point in
> the future when its lifetime begins or where it existed in
> the past before its lifetime ended.  There is no object or
> storage at s.s above because s.s is null.

True.  Unfortunately there isn't any wording about what you can do with 
the result of indirecting a null pointer or pointer to one-past-the-end 
of an array.  There was some proposed for issue 232, but that hasn't 
been a high priority.  What do you see in the standard currently that 
makes it undefined?

> It might perhaps be okay to accept the expression above as
> an extension with the rationale that the offset of the first
> member is zero and so its address must be a null pointer, but
> it surely wouldn't be okay in the modified test case below
> where the second member's offset is non-zero and there may
> not be a way to represent that offset as a pointer.

Why not?  It would be a pointer to address 4 or whatever.

> Thanks for the hint.  I've made that change and also adjusted
> the rest of the patch to avoid passing the nullptr_p around.
> It was surprisingly simpler to do than I remembered from my
> first attempt back in March.

> +  if (code == POINTER_PLUS_EXPR && !*non_constant_p
> +      && tree_int_cst_equal (lhs, null_pointer_node))
> +    {
> +      if (!ctx->quiet)
> +        error ("arithmetic involving a null pointer in %qE", lhs);
> +      return t;
> +    }

> +  if (TREE_CODE (whole) == INDIRECT_REF
> +      && integer_zerop (TREE_OPERAND (whole, 0))
> +      && !ctx->quiet)
> +    error ("dereferencing a null pointer in %qE", orig_whole);

> +      if (TREE_CODE (t) == INTEGER_CST
> +          && TREE_CODE (TREE_TYPE (t)) == POINTER_TYPE
> +          && !integer_zerop (t))
> +        {
> +          if (!ctx->quiet)
> +            error ("arithmetic involving a null pointer in %qE", t);
> +        }

These places should all set *non_constant_p, and the second should 
return t after doing so.  OK with that change.

Jason

On 06/01/2016 01:20 PM, Jason Merrill wrote:
> On 06/01/2016 02:44 PM, Martin Sebor wrote:
>>>> The new code in cxx_eval_component_reference diagnoses the following
>>>> problem that's not detected otherwise:
>>>>
>>>>   struct S { const S *s; };
>>>>
>>>>   constexpr S s = { 0 };
>>>>
>>>>   constexpr const void *p = &s.s->s;
>>>
>>> Note that this falls under core issue 1530, which has not been resolved.
>>
>> I don't quite see the relevance of this issue.  It's concerned
>> with storage in which an object will exist at some point in
>> the future when its lifetime begins or where it existed in
>> the past before its lifetime ended.  There is no object or
>> storage at s.s above because s.s is null.
>
> True.  Unfortunately there isn't any wording about what you can do with
> the result of indirecting a null pointer or pointer to one-past-the-end
> of an array.  There was some proposed for issue 232, but that hasn't
> been a high priority.  What do you see in the standard currently that
> makes it undefined?

In N4567, expr.ref, the E1->E2 expression which is equivalent
to (*E1).E2, the closest match is paragraph 4.2:

   If E2 is a non-static data member and the type of E1 is "cq1
   vq1 X", and the type of E2 is "cq2 vq2 T", the expression
   designates the named member of the object designated by the
   first expression.

There is no object, so 4.2 doesn't apply, and since there is
no other bullet that would apply, the behavior is undefined.

>> It might perhaps be okay to accept the expression above as
>> an extension with the rationale that the offset of the first
>> member is zero and so its address must be a null pointer, but
>> it surely wouldn't be okay in the modified test case below
>> where the second member's offset is non-zero and there may
>> not be a way to represent that offset as a pointer.
>
> Why not?  It would be a pointer to address 4 or whatever.

Because the hardware may simply not have a representation for
4 (or any small integer) in a pointer type.  Possibly because
it uses that bit pattern for some special mapping and when
there is no mapping, using the invalid pointer value traps.
Whether or not this is the case is implementation-defined
(certainly in C for this reason, and I expect also in C++).

For core constant expressions, my impression is that they
are deliberately constrained to a fairly narrow guaranteed-
to-be-valid subset, which is why things like reinterpret_cast
are not allowed.  The expression we're discussing basically
boils down to a conversion of the offset 4 to a pointer,
which is equivalent to the forbidden reinterpret_cast.

I agree that the standard text isn't ironclad on this, but
I can't think of a useful purpose that allowing constexpr
expressions to form invalid addresses would serve even in
the (common) case where the hardware does allow it.

 From a practical point of view, if GCC were to continue to
allow it, it would need to track those pointers and diagnose
them on their first use, because that is undefined in any
case.

>> +  if (code == POINTER_PLUS_EXPR && !*non_constant_p
>> +      && tree_int_cst_equal (lhs, null_pointer_node))
>> +    {
>> +      if (!ctx->quiet)
>> +        error ("arithmetic involving a null pointer in %qE", lhs);
>> +      return t;
>> +    }
>
>> +  if (TREE_CODE (whole) == INDIRECT_REF
>> +      && integer_zerop (TREE_OPERAND (whole, 0))
>> +      && !ctx->quiet)
>> +    error ("dereferencing a null pointer in %qE", orig_whole);
>
>> +      if (TREE_CODE (t) == INTEGER_CST
>> +          && TREE_CODE (TREE_TYPE (t)) == POINTER_TYPE
>> +          && !integer_zerop (t))
>> +        {
>> +          if (!ctx->quiet)
>> +            error ("arithmetic involving a null pointer in %qE", t);
>> +        }
>
> These places should all set *non_constant_p, and the second should
> return t after doing so.  OK with that change.

Thanks.  I've made the change, but I haven't managed to come up
with a test to exercise it.  IIUC, the purpose setting
non_constant_p while the quiet flag is set is to determine without
causing errors that expressions are not valid constant expressions
by passing them to __builtin_constant_p, correct?

If so, then there must be something wrong somewhere because the
test case below fails the static assertion (the first error is
expected with the patch):

$ cat null.c && /home/msebor/build/gcc-60760/gcc/xgcc -B 
/home/msebor/build/gcc-60760/gcc -S -Wall -Wextra -Wpedantic -xc++ null.c
constexpr int *p = 0;
constexpr int *q = p + 1;

static_assert (!__builtin_constant_p (p + 1), "<<<");

null.c:2:24: error: arithmetic involving a null pointer in ‘0u’
  constexpr int *q = p + 1;
                         ^
null.c:4:1: error: static assertion failed: <<<
  static_assert (!__builtin_constant_p (p + 1), "<<<");
  ^~~~~~~~~~~~~

(I know of at least one bug here, c++/70552, but this one is new.)

Martin

On 06/01/2016 10:49 PM, Martin Sebor wrote:
> On 06/01/2016 01:20 PM, Jason Merrill wrote:
>> On 06/01/2016 02:44 PM, Martin Sebor wrote:
>>>>> The new code in cxx_eval_component_reference diagnoses the following
>>>>> problem that's not detected otherwise:
>>>>>
>>>>>   struct S { const S *s; };
>>>>>
>>>>>   constexpr S s = { 0 };
>>>>>
>>>>>   constexpr const void *p = &s.s->s;
>>>>
>>>> Note that this falls under core issue 1530, which has not been
>>>> resolved.
>>>
>>> I don't quite see the relevance of this issue.  It's concerned
>>> with storage in which an object will exist at some point in
>>> the future when its lifetime begins or where it existed in
>>> the past before its lifetime ended.  There is no object or
>>> storage at s.s above because s.s is null.
>>
>> True.  Unfortunately there isn't any wording about what you can do with
>> the result of indirecting a null pointer or pointer to one-past-the-end
>> of an array.  There was some proposed for issue 232, but that hasn't
>> been a high priority.  What do you see in the standard currently that
>> makes it undefined?
>
> In N4567, expr.ref, the E1->E2 expression which is equivalent
> to (*E1).E2, the closest match is paragraph 4.2:
>
>   If E2 is a non-static data member and the type of E1 is "cq1
>   vq1 X", and the type of E2 is "cq2 vq2 T", the expression
>   designates the named member of the object designated by the
>   first expression.
>
> There is no object, so 4.2 doesn't apply, and since there is
> no other bullet that would apply, the behavior is undefined.

OK, I'll buy that.

>>> +  if (code == POINTER_PLUS_EXPR && !*non_constant_p
>>> +      && tree_int_cst_equal (lhs, null_pointer_node))
>>> +    {
>>> +      if (!ctx->quiet)
>>> +        error ("arithmetic involving a null pointer in %qE", lhs);
>>> +      return t;
>>> +    }
>>
>>> +  if (TREE_CODE (whole) == INDIRECT_REF
>>> +      && integer_zerop (TREE_OPERAND (whole, 0))
>>> +      && !ctx->quiet)
>>> +    error ("dereferencing a null pointer in %qE", orig_whole);
>>
>>> +      if (TREE_CODE (t) == INTEGER_CST
>>> +          && TREE_CODE (TREE_TYPE (t)) == POINTER_TYPE
>>> +          && !integer_zerop (t))
>>> +        {
>>> +          if (!ctx->quiet)
>>> +            error ("arithmetic involving a null pointer in %qE", t);
>>> +        }
>>
>> These places should all set *non_constant_p, and the second should
>> return t after doing so.  OK with that change.
>
> Thanks.  I've made the change, but I haven't managed to come up
> with a test to exercise it.  IIUC, the purpose setting
> non_constant_p while the quiet flag is set is to determine without
> causing errors that expressions are not valid constant expressions
> by passing them to __builtin_constant_p, correct?

No, __builtin_constant_p allows more things than C++ constant 
expressions.  The purpose of setting *non_constant_p is to cause 
maybe_constant_value to return its argument unchanged.

Jason