
c++/60760 - arithmetic on null pointers should not be allowed in constant expressions

Message ID 577D843C.9010608@gmail.com
State New

Commit Message

Martin Sebor July 6, 2016, 10:20 p.m. UTC
On 06/23/2016 03:36 PM, Jason Merrill wrote:
> On 06/20/2016 10:17 PM, Martin Sebor wrote:
>> +      && tree_int_cst_equal (lhs, null_pointer_node)
>> +      && !tree_int_cst_equal (rhs, integer_zero_node))
>
> Not integer_zerop?
>
>> +                "invalid conversion involving a null pointer");
> ...
>> +                "invalid conversion from %qT to %qT",
>
> The conversion isn't invalid, it just isn't a constant expression.

(Sorry for the delay following up on this review.  I got busy
with something else.)

I've adjusted the text of the diagnostics, though the first one
is also issued for conversions that are invalid even outside
constexpr, such as those that cast away constness, or those that
cast to incomplete type.  Without -fpermissive those are already
diagnosed by this point but I'm not sure how much trouble to go
to here to avoid diagnosing them again, or at all with
-fpermissive.

> For
> the null pointer to pointer conversion, does this properly allow
> conversion to void* or to base*?

It didn't handle either but does now.  Thank you for calling it
out.  Surprisingly, a regression run including libstdc++ didn't
catch it.  I've added tests to exercise it.

>
>> +        if (integer_zerop (op))
> ...
>> +         else if (!integer_zerop (op))
>
> The second test seems redundant.

I have removed it.

Martin

Comments

Martin Sebor July 14, 2016, 3:04 p.m. UTC | #1
Ping.  Jason, do you have any further comments or concerns with
the updated patch?

https://gcc.gnu.org/ml/gcc-patches/2016-07/msg00280.html

Thanks
Martin

On 07/06/2016 04:20 PM, Martin Sebor wrote:
> On 06/23/2016 03:36 PM, Jason Merrill wrote:
>> On 06/20/2016 10:17 PM, Martin Sebor wrote:
>>> +      && tree_int_cst_equal (lhs, null_pointer_node)
>>> +      && !tree_int_cst_equal (rhs, integer_zero_node))
>>
>> Not integer_zerop?
>>
>>> +                "invalid conversion involving a null pointer");
>> ...
>>> +                "invalid conversion from %qT to %qT",
>>
>> The conversion isn't invalid, it just isn't a constant expression.
>
> (Sorry for the delay following up on this review.  I got busy
> with something else.)
>
> I've adjusted the text of the diagnostics, though the first one
> is also issued for conversions that are invalid even outside
> constexpr, such as those that cast away constness, or those that
> cast to incomplete type.  Without -fpermissive those are already
> diagnosed by this point but I'm not sure how much trouble to go
> to here to avoid diagnosing them again, or at all with
> -fpermissive.
>
>> For
>> the null pointer to pointer conversion, does this properly allow
>> conversion to void* or to base*?
>
> It didn't handle either but does now.  Thank you for calling it
> out.  Surprisingly, a regression run including libstdc++ didn't
> catch it.  I've added tests to exercise it.
>
>>
>>> +        if (integer_zerop (op))
>> ...
>>> +         else if (!integer_zerop (op))
>>
>> The second test seems redundant.
>
> I have removed it.
>
> Martin
Jason Merrill July 18, 2016, 5:51 p.m. UTC | #2
On 07/06/2016 06:20 PM, Martin Sebor wrote:
> @@ -2911,6 +2923,14 @@ cxx_eval_indirect_ref (const constexpr_ctx *ctx, tree t,

>        if (*non_constant_p)

>  	return t;

>

> +      if (integer_zerop (op0))

> +	{

> +	  if (!ctx->quiet)

> +	    error ("dereferencing a null pointer");

> +	  *non_constant_p = true;

> +	  return t;

> +	}

I'm skeptical of checking this here, since *p is valid for null p; &*p 
is even a constant expression.  And removing this hunk doesn't seem to 
break any of your tests.

OK with that hunk removed.

Jason
Martin Sebor July 18, 2016, 10:15 p.m. UTC | #3
On 07/18/2016 11:51 AM, Jason Merrill wrote:
> On 07/06/2016 06:20 PM, Martin Sebor wrote:
>> @@ -2911,6 +2923,14 @@ cxx_eval_indirect_ref (const constexpr_ctx
>> *ctx, tree t,
>
>>        if (*non_constant_p)
>
>>      return t;
>
>>
>
>> +      if (integer_zerop (op0))
>
>> +    {
>
>> +      if (!ctx->quiet)
>
>> +        error ("dereferencing a null pointer");
>
>> +      *non_constant_p = true;
>
>> +      return t;
>
>> +    }
>
> I'm skeptical of checking this here, since *p is valid for null p; &*p
> is even a constant expression.  And removing this hunk doesn't seem to
> break any of your tests.
>
> OK with that hunk removed.

With it removed the constexpr-nullptr-2.C test fails on line 64:

   constexpr const int *pi0 = &pa2->pa1->pa0->i;   // { dg-error "null pointer|not a constant" }

Here, pa2 and pa1 are non-null but pa0 is null.

Martin
Jason Merrill July 20, 2016, 1:52 p.m. UTC | #4
On Mon, Jul 18, 2016 at 6:15 PM, Martin Sebor <msebor@gmail.com> wrote:
> On 07/18/2016 11:51 AM, Jason Merrill wrote:
>>
>> On 07/06/2016 06:20 PM, Martin Sebor wrote:
>>>
>>> @@ -2911,6 +2923,14 @@ cxx_eval_indirect_ref (const constexpr_ctx
>>> *ctx, tree t,
>>>        if (*non_constant_p)
>>>      return t;
>>>
>>> +      if (integer_zerop (op0))
>>> +    {
>>> +      if (!ctx->quiet)
>>> +        error ("dereferencing a null pointer");
>>> +      *non_constant_p = true;
>>> +      return t;
>>> +    }
>>
>> I'm skeptical of checking this here, since *p is valid for null p; &*p
>> is even a constant expression.  And removing this hunk doesn't seem to
>> break any of your tests.
>>
>> OK with that hunk removed.
>
> With it removed the constexpr-nullptr-2.C test fails on line 64:
>
>   constexpr const int *pi0 = &pa2->pa1->pa0->i;   // { dg-error "null
> pointer|not a constant" }
>
> Here, pa2 and pa1 are non-null but pa0 is null.

It doesn't fail for me; that line hits the error in
cxx_eval_component_reference.  I'm only talking about removing the
cxx_eval_indirect_ref hunk.

Jason
Martin Sebor July 20, 2016, 6:15 p.m. UTC | #5
On 07/20/2016 07:52 AM, Jason Merrill wrote:
> On Mon, Jul 18, 2016 at 6:15 PM, Martin Sebor <msebor@gmail.com> wrote:
>> On 07/18/2016 11:51 AM, Jason Merrill wrote:
>>>
>>> On 07/06/2016 06:20 PM, Martin Sebor wrote:
>>>>
>>>> @@ -2911,6 +2923,14 @@ cxx_eval_indirect_ref (const constexpr_ctx
>>>> *ctx, tree t,
>>>>         if (*non_constant_p)
>>>>       return t;
>>>>
>>>> +      if (integer_zerop (op0))
>>>> +    {
>>>> +      if (!ctx->quiet)
>>>> +        error ("dereferencing a null pointer");
>>>> +      *non_constant_p = true;
>>>> +      return t;
>>>> +    }
>>>
>>> I'm skeptical of checking this here, since *p is valid for null p; &*p
>>> is even a constant expression.  And removing this hunk doesn't seem to
>>> break any of your tests.
>>>
>>> OK with that hunk removed.
>>
>> With it removed the constexpr-nullptr-2.C test fails on line 64:
>>
>>    constexpr const int *pi0 = &pa2->pa1->pa0->i;   // { dg-error "null
>> pointer|not a constant" }
>>
>> Here, pa2 and pa1 are non-null but pa0 is null.
>
> It doesn't fail for me; that line hits the error in
> cxx_eval_component_reference.  I'm only talking about removing the
> cxx_eval_indirect_ref hunk.

Sorry, I may have been referring to an older patch.  With the latest
patch, the assertion is on line 75.  It's also not failing, even
though it should be.  The problem is that I had misunderstood how
the vertical bar in DejaGnu directives works.  I thought it meant
that both sides had to match a message on that line, when it means
only one side has to.  I'll need to fix that (how does one match
two messages on the same line?)

But removing the hunk as you suggest does break the intent of the
test.  With it there, we get a descriptive message for the invalid
code below clearly explaining the problem:

$ cat xyz.c && /build/gcc-60760/gcc/xgcc -B /build/gcc-60760/gcc -S -Wall -Wextra -Wpedantic -xc++ xyz.c
struct S { const S *p; int i; };

constexpr S s0 = { 0, 0 };
constexpr S s1 = { &s0, 1 };

constexpr int i = s1.p->p->i;
xyz.c:6:28: error: dereferencing a null pointer
  constexpr int i = s1.p->p->i;
                             ^

With the hunk removed, all we get is the generic:

xyz.c:6:28: error: ‘*(const S*)((const S*)s1.S::p)->S::p’ is not a constant expression
  constexpr int i = s1.p->p->i;
                             ^

Re-reading your comment above now: "since *p is valid for null p;"
I agree that &*p is valid when p is null.  Unless I missed a case
it is accepted with or without the hunk.  Otherwise, *p is not valid,
and it is also rejected with or without it.

Is there something else you're worried about with the hunk that
makes you want to trade it off for the less informative message?

Martin
Jason Merrill July 20, 2016, 6:47 p.m. UTC | #6
On Wed, Jul 20, 2016 at 2:15 PM, Martin Sebor <msebor@gmail.com> wrote:
> On 07/20/2016 07:52 AM, Jason Merrill wrote:
>>
>> On Mon, Jul 18, 2016 at 6:15 PM, Martin Sebor <msebor@gmail.com> wrote:
>>>
>>> On 07/18/2016 11:51 AM, Jason Merrill wrote:
>>>>
>>>>
>>>> On 07/06/2016 06:20 PM, Martin Sebor wrote:
>>>>>
>>>>>
>>>>> @@ -2911,6 +2923,14 @@ cxx_eval_indirect_ref (const constexpr_ctx
>>>>> *ctx, tree t,
>>>>>         if (*non_constant_p)
>>>>>       return t;
>>>>>
>>>>> +      if (integer_zerop (op0))
>>>>> +    {
>>>>> +      if (!ctx->quiet)
>>>>> +        error ("dereferencing a null pointer");
>>>>> +      *non_constant_p = true;
>>>>> +      return t;
>>>>> +    }
>>>>
>>>>
>>>> I'm skeptical of checking this here, since *p is valid for null p; &*p
>>>> is even a constant expression.  And removing this hunk doesn't seem to
>>>> break any of your tests.
>>>>
>>>> OK with that hunk removed.
>>>
>>>
>>> With it removed the constexpr-nullptr-2.C test fails on line 64:
>>>
>>>    constexpr const int *pi0 = &pa2->pa1->pa0->i;   // { dg-error "null
>>> pointer|not a constant" }
>>>
>>> Here, pa2 and pa1 are non-null but pa0 is null.
>>
>>
>> It doesn't fail for me; that line hits the error in
>> cxx_eval_component_reference.  I'm only talking about removing the
>> cxx_eval_indirect_ref hunk.
>
>
> Sorry, I may have been referring to an older patch.  With the latest
> patch, the assertion is on line 75.  It's also not failing, even
> though it should be.  The problem is that I had misunderstood how
> the vertical bar in DejaGnu directives works.  I thought it meant
> that both sides had to match a message on that line, when it means
> only one side has to.  I'll need to fix that (how does one match
> two messages on the same line?)
>
> But removing the hunk as you suggest does break the intent of the
> test.  With it there, we get a descriptive message for the invalid
> code below clearly explaining the problem:
>
> $ cat xyz.c && /build/gcc-60760/gcc/xgcc -B /build/gcc-60760/gcc -S -Wall
> -Wextra -Wpedantic -xc++ xyz.c
> struct S { const S *p; int i; };
>
> constexpr S s0 = { 0, 0 };
> constexpr S s1 = { &s0, 1 };
>
> constexpr int i = s1.p->p->i;
> xyz.c:6:28: error: dereferencing a null pointer
>  constexpr int i = s1.p->p->i;
>                             ^
>
> With the hunk removed, all we get is the generic:
>
> xyz.c:6:28: error: ‘*(const S*)((const S*)s1.S::p)->S::p’ is not a constant
> expression
>  constexpr int i = s1.p->p->i;
>                             ^
>
> Re-reading your comment above now: "since *p is valid for null p;"
> I agree that &*p is valid when p is null.  Unless I missed a case
> it is accepted with or without the hunk.  Otherwise, *p is not valid,
> and it is also rejected with or without it.
>
> Is there something else you're worried about with the hunk that
> makes you want to trade it off for the less informative message?

OK, we can keep the hunk, but only when !lval, since that means we
access the value.

Jason
Thomas Schwinge Aug. 2, 2016, 6:34 a.m. UTC | #7
Hi!

On Wed, 6 Jul 2016 16:20:44 -0600, Martin Sebor <msebor@gmail.com> wrote:
> PR c++/60760 - arithmetic on null pointers should not be allowed in constant
>   expressions
> PR c++/71091 - constexpr reference bound to a null pointer dereference
>    accepted
> 
> [...]
> 	* g++.dg/cpp0x/constexpr-cast.C: New test.

In x86_64 GNU/Linux testing, I see that one FAIL for the -m32 multilib:

    +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11  (test for errors, line 10)
    +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11  (test for errors, line 11)
    +PASS: g++.dg/cpp0x/constexpr-cast.C  -std=c++11  (test for errors, line 24)
    +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11 (test for excess errors)
    +XFAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11 bug c++/49171 (test for errors, line 8)
    +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14  (test for errors, line 10)
    +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14  (test for errors, line 11)
    +PASS: g++.dg/cpp0x/constexpr-cast.C  -std=c++14  (test for errors, line 24)
    +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14 (test for excess errors)
    +XFAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14 bug c++/49171 (test for errors, line 8)
    +UNSUPPORTED: g++.dg/cpp0x/constexpr-cast.C  -std=c++98

    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:10:22: error: 'reinterpret_cast<void*>(1)' is not a constant-expression
    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:11:22: error: 'reinterpret_cast<void*>(1u)' is not a constant-expression
    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:26:   in constexpr expansion of 'f<int>()'
    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:27: error: value '4u' of type 'int*' is not a constant expression

For the -m64 multilib, it looks as follows (all PASSes):

    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:10:47: error: value '1u' of type 'void*' is not a constant expression
    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:11:22: error: 'reinterpret_cast<void*>(1ul)' is not a constant-expression
    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:26:   in constexpr expansion of 'f<int>()'
    [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:27: error: value '4u' of type 'int*' is not a constant expression

For reference:

> --- /dev/null
> +++ b/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C
> @@ -0,0 +1,24 @@
> +// Test to verify that evaluating reinterpret_cast is diagnosed in
> +// constant expressions.
> +// { dg-do compile { target c++11 } }
> +
> +int i;
> +
> +// The following is accepted due to bug 49171.
> +constexpr void *q = reinterpret_cast<void*>(&i);    // { dg-error "" "bug c++/49171" { xfail *-*-*-* } }
> +
> +constexpr void *r0 = reinterpret_cast<void*>(1);    // { dg-error "not a constant expression" }
> +constexpr void *r1 = reinterpret_cast<void*>(sizeof 'x');  // { dg-error ".reinterpret_cast<void\\*>\\(1ul\\). is not a constant-expression" }
> +
> +template <class T>
> +constexpr bool f ()
> +{
> +#if __cplusplus > 201103L
> +  T *p = reinterpret_cast<T*>(sizeof (T));
> +  return p;
> +#else
> +  return *reinterpret_cast<T*>(sizeof (T));
> +#endif
> +}
> +
> +constexpr bool b = f<int>();   // { dg-error "not a constant expression" }


Grüße
 Thomas
Martin Sebor Aug. 2, 2016, 6:15 p.m. UTC | #8
On 08/02/2016 12:34 AM, Thomas Schwinge wrote:
> Hi!
>
> On Wed, 6 Jul 2016 16:20:44 -0600, Martin Sebor <msebor@gmail.com> wrote:
>> PR c++/60760 - arithmetic on null pointers should not be allowed in constant
>>    expressions
>> PR c++/71091 - constexpr reference bound to a null pointer dereference
>>     accepted
>>
>> [...]
>> 	* g++.dg/cpp0x/constexpr-cast.C: New test.
>
> In x86_64 GNU/Linux testing, I see that one FAIL for the -m32 multilib:
>
>      +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11  (test for errors, line 10)
>      +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11  (test for errors, line 11)
>      +PASS: g++.dg/cpp0x/constexpr-cast.C  -std=c++11  (test for errors, line 24)
>      +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11 (test for excess errors)
>      +XFAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++11 bug c++/49171 (test for errors, line 8)
>      +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14  (test for errors, line 10)
>      +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14  (test for errors, line 11)
>      +PASS: g++.dg/cpp0x/constexpr-cast.C  -std=c++14  (test for errors, line 24)
>      +FAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14 (test for excess errors)
>      +XFAIL: g++.dg/cpp0x/constexpr-cast.C  -std=c++14 bug c++/49171 (test for errors, line 8)
>      +UNSUPPORTED: g++.dg/cpp0x/constexpr-cast.C  -std=c++98
>
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:10:22: error: 'reinterpret_cast<void*>(1)' is not a constant-expression
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:11:22: error: 'reinterpret_cast<void*>(1u)' is not a constant-expression
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:26:   in constexpr expansion of 'f<int>()'
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:27: error: value '4u' of type 'int*' is not a constant expression
>
> For the -m64 multilib, it looks as follows (all PASSes):
>
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:10:47: error: value '1u' of type 'void*' is not a constant expression
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:11:22: error: 'reinterpret_cast<void*>(1ul)' is not a constant-expression
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:26:   in constexpr expansion of 'f<int>()'
>      [...]/source-gcc/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C:24:27: error: value '4u' of type 'int*' is not a constant expression

Thanks for pointing it out and for all the detail! I managed to run
into at least two problems with this change: one in the test assuming
that (void*)1 will appear in GCC diagnostics as 1ul, and another in
GCC due to the inconsistent spelling of "constant expression."  Some
errors hyphenate the words, others don't, and depending on which one
triggers a test that assumes one or the other will fail. Let me submit
a patch for this and CC you on it.

Martin

>
> For reference:
>
>> --- /dev/null
>> +++ b/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C
>> @@ -0,0 +1,24 @@
>> +// Test to verify that evaluating reinterpret_cast is diagnosed in
>> +// constant expressions.
>> +// { dg-do compile { target c++11 } }
>> +
>> +int i;
>> +
>> +// The following is accepted due to bug 49171.
>> +constexpr void *q = reinterpret_cast<void*>(&i);    // { dg-error "" "bug c++/49171" { xfail *-*-*-* } }
>> +
>> +constexpr void *r0 = reinterpret_cast<void*>(1);    // { dg-error "not a constant expression" }
>> +constexpr void *r1 = reinterpret_cast<void*>(sizeof 'x');  // { dg-error ".reinterpret_cast<void\\*>\\(1ul\\). is not a constant-expression" }
>> +
>> +template <class T>
>> +constexpr bool f ()
>> +{
>> +#if __cplusplus > 201103L
>> +  T *p = reinterpret_cast<T*>(sizeof (T));
>> +  return p;
>> +#else
>> +  return *reinterpret_cast<T*>(sizeof (T));
>> +#endif
>> +}
>> +
>> +constexpr bool b = f<int>();   // { dg-error "not a constant expression" }
>
>
> Grüße
>   Thomas
>

Patch

PR c++/60760 - arithmetic on null pointers should not be allowed in constant
  expressions
PR c++/71091 - constexpr reference bound to a null pointer dereference
   accepted

gcc/cp/ChangeLog:
2016-07-06  Martin Sebor  <msebor@redhat.com>

        PR c++/60760
        PR c++/71091
        * constexpr.c (cxx_eval_binary_expression): Reject invalid expressions
        involving null pointers.
        (cxx_eval_component_reference): Reject null pointer dereferences.
        (cxx_eval_indirect_ref): Reject indirecting through null pointers.
        (cxx_eval_constant_expression): Reject invalid expressions involving
        null pointers.

gcc/testsuite/ChangeLog:
2016-07-06  Martin Sebor  <msebor@redhat.com>

        PR c++/60760
        PR c++/71091
	* g++.dg/cpp0x/constexpr-cast.C: New test.
        * g++.dg/cpp0x/constexpr-nullptr-2.C: New test.
        * g++.dg/cpp1y/constexpr-sfinae.C: Correct.
        * g++.dg/ubsan/pr63956.C: Correct.

diff --git a/gcc/cp/constexpr.c b/gcc/cp/constexpr.c
index ba40435..83954d8 100644
--- a/gcc/cp/constexpr.c
+++ b/gcc/cp/constexpr.c
@@ -1811,6 +1811,13 @@  cxx_eval_binary_expression (const constexpr_ctx *ctx, tree t,
 		   || null_member_pointer_value_p (rhs)))
 	r = constant_boolean_node (!is_code_eq, type);
     }
+  if (code == POINTER_PLUS_EXPR && !*non_constant_p
+      && integer_zerop (lhs) && !integer_zerop (rhs))
+    {
+      if (!ctx->quiet)
+        error ("arithmetic involving a null pointer in %qE", lhs);
+      return t;
+    }
 
   if (r == NULL_TREE)
     r = fold_binary_loc (loc, code, type, lhs, rhs);
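Review bot: in the new POINTER_PLUS_EXPR block, the path that reports "arithmetic involving a null pointer" returns t without setting *non_constant_p, whereas the cxx_eval_indirect_ref and cxx_eval_constant_expression hunks in this patch set `*non_constant_p = true;` before returning. When ctx->quiet is set, nothing on this path marks the expression as non-constant. Suggest adding `*non_constant_p = true;` before `return t;`. The message also prints only lhs with %qE, which is the null operand itself; printing the whole expression t would point at the offending arithmetic.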
@@ -2151,6 +2158,11 @@  cxx_eval_component_reference (const constexpr_ctx *ctx, tree t,
   tree whole = cxx_eval_constant_expression (ctx, orig_whole,
 					     lval,
 					     non_constant_p, overflow_p);
+  if (TREE_CODE (whole) == INDIRECT_REF
+      && integer_zerop (TREE_OPERAND (whole, 0))
+      && !ctx->quiet)
+    error ("dereferencing a null pointer in %qE", orig_whole);
+
   if (TREE_CODE (whole) == PTRMEM_CST)
     whole = cplus_expand_constant (whole);
   if (whole == orig_whole)
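Review bot: the null check added after evaluating orig_whole in cxx_eval_component_reference is conditioned on `!ctx->quiet` and only calls error; it neither sets *non_constant_p nor returns. In quiet mode the null dereference is therefore not detected here at all, and in non-quiet mode evaluation continues into the PTRMEM_CST and `whole == orig_whole` handling after the error has been issued. Suggest testing for the null INDIRECT_REF operand unconditionally, emitting the error only under `!ctx->quiet`, then setting `*non_constant_p = true;` and returning t, as the cxx_eval_indirect_ref hunk does.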
@@ -2911,6 +2923,14 @@  cxx_eval_indirect_ref (const constexpr_ctx *ctx, tree t,
       if (*non_constant_p)
 	return t;
 
+      if (integer_zerop (op0))
+	{
+	  if (!ctx->quiet)
+	    error ("dereferencing a null pointer");
+	  *non_constant_p = true;
+	  return t;
+	}
+
       r = cxx_fold_indirect_ref (EXPR_LOCATION (t), TREE_TYPE (t), op0,
 				 &empty_base);
       if (r == NULL_TREE)
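Review bot: the `integer_zerop (op0)` check in cxx_eval_indirect_ref rejects every indirection through a null pointer, including ones whose value is never read. The new test constexpr-nullptr-2.C expects `constexpr int* p4 = &*p0;` to be accepted, and the review on this thread concluded that the check should apply only when !lval, since that is the case where the value is accessed. Suggest guarding the block with `!lval`, and including the expression in the message (the component-reference hunk uses "dereferencing a null pointer in %qE") so the two diagnostics read the same way.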
@@ -3559,10 +3579,22 @@  cxx_eval_constant_expression (const constexpr_ctx *ctx, tree t,
 	  if (!flag_permissive || ctx->quiet)
 	    *overflow_p = true;
 	}
+
+      if (TREE_CODE (t) == INTEGER_CST
+          && TREE_CODE (TREE_TYPE (t)) == POINTER_TYPE
+          && !integer_zerop (t))
+        {
+          if (!ctx->quiet)
+            error ("value %qE of type %qT is not a constant expression",
+		   t, TREE_TYPE (t));
+	  *non_constant_p = true;
+        }
+
       return t;
     }
 
-  switch (TREE_CODE (t))
+  tree_code tcode = TREE_CODE (t);
+  switch (tcode)
     {
     case RESULT_DECL:
       if (lval)
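Review bot: the new INTEGER_CST / POINTER_TYPE check before `return t;` overlaps with the non-zero branch of the NOP_EXPR cast check later in this patch: both reject a non-zero integer constant of pointer type, but with different messages. The test results reported on the thread show `reinterpret_cast<void*>(1)` producing "value '1u' of type 'void*' is not a constant expression" with -m64 and "'reinterpret_cast<void*>(1)' is not a constant-expression" with -m32, so which diagnostic the user sees depends on the target. Suggest making the two paths share one message. The added block also mixes space-only and tab-indented lines; use one style for the whole block.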
@@ -3973,7 +4005,6 @@  cxx_eval_constant_expression (const constexpr_ctx *ctx, tree t,
     case NOP_EXPR:
     case UNARY_PLUS_EXPR:
       {
-	enum tree_code tcode = TREE_CODE (t);
 	tree oldop = TREE_OPERAND (t, 0);
 
 	tree op = cxx_eval_constant_expression (ctx, oldop,
@@ -3999,15 +4030,48 @@  cxx_eval_constant_expression (const constexpr_ctx *ctx, tree t,
 		return t;
 	      }
 	  }
-	if (POINTER_TYPE_P (type)
-	    && TREE_CODE (op) == INTEGER_CST
-	    && !integer_zerop (op))
-	  {
-	    if (!ctx->quiet)
-	      error_at (EXPR_LOC_OR_LOC (t, input_location),
-			"reinterpret_cast from integer to pointer");
-	    *non_constant_p = true;
-	    return t;
+
+	if (POINTER_TYPE_P (type) && TREE_CODE (op) == INTEGER_CST)
+          {
+	    if (integer_zerop (op))
+	      {
+		if (TREE_CODE (type) == REFERENCE_TYPE)
+		  {
+		    if (!ctx->quiet)
+		      error_at (EXPR_LOC_OR_LOC (t, input_location),
+				"dereferencing a null pointer");
+		    *non_constant_p = true;
+		    return t;
+		  }
+		else if (TREE_CODE (TREE_TYPE (op)) == POINTER_TYPE)
+		  {
+		    tree from = TREE_TYPE (op);
+
+		    if (!can_convert (type, from, tf_none))
+		      {
+			if (!ctx->quiet)
+			  error_at (EXPR_LOC_OR_LOC (t, input_location),
+				    "conversion of %qT null pointer to %qT "
+				    "is not a constant expression",
+				    from, type);
+			*non_constant_p = true;
+			return t;
+		      }
+		  }
+	      }
+            else
+	      {
+		/* This detects for example:
+		     reinterpret_cast<void*>(sizeof 0)
+		*/
+		if (!ctx->quiet)
+		  error_at (EXPR_LOC_OR_LOC (t, input_location),
+			    "%<reinterpret_cast<%T>(%E)%> is not "
+			    "a constant-expression",
+			    type, op);
+		*non_constant_p = true;
+		return t;
+	      }
 	  }
 	if (op == oldop && tcode != UNARY_PLUS_EXPR)
 	  /* We didn't fold at the top so we could check for ptr-int
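Review bot: in the non-zero branch of the rewritten cast check, the message "%<reinterpret_cast<%T>(%E)%> is not a constant-expression" hyphenates "constant-expression", while the null pointer branch of the same hunk and the other diagnostics in this patch write "is not a constant expression". A test that matches one spelling fails when the other path triggers, as noted later on the thread. Printing the operand with %E also puts the target's integer suffix into the text (1ul versus 1u in the reported results). Suggest using the unhyphenated spelling throughout and a message that does not depend on how the operand constant is printed; the removed message "reinterpret_cast from integer to pointer" named the cause directly and may be worth keeping.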
diff --git a/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C b/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C
new file mode 100644
index 0000000..8e11193
--- /dev/null
+++ b/gcc/testsuite/g++.dg/cpp0x/constexpr-cast.C
@@ -0,0 +1,24 @@ 
+// Test to verify that evaluating reinterpret_cast is diagnosed in
+// constant expressions.
+// { dg-do compile { target c++11 } }
+
+int i;
+
+// The following is accepted due to bug 49171.
+constexpr void *q = reinterpret_cast<void*>(&i);    // { dg-error "" "bug c++/49171" { xfail *-*-*-* } }
+
+constexpr void *r0 = reinterpret_cast<void*>(1);    // { dg-error "not a constant expression" }
+constexpr void *r1 = reinterpret_cast<void*>(sizeof 'x');  // { dg-error ".reinterpret_cast<void\\*>\\(1ul\\). is not a constant-expression" }
+
+template <class T>
+constexpr bool f ()
+{
+#if __cplusplus > 201103L
+  T *p = reinterpret_cast<T*>(sizeof (T));
+  return p;
+#else
+  return *reinterpret_cast<T*>(sizeof (T));
+#endif
+}
+
+constexpr bool b = f<int>();   // { dg-error "not a constant expression" }
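Review bot: the dg-error on the r1 line hardcodes `\\(1ul\\)` and the hyphenated "constant-expression", so it matches only where the sizeof result prints as unsigned long; the -m32 results on the thread print `reinterpret_cast<void*>(1u)` and that line fails. The r0 line expects "not a constant expression", but -m32 emits the hyphenated form there, so it fails as well. Suggest matching only the target-independent part on both lines, for example "reinterpret_cast.*is not a constant.expression". The xfail selector on the q line is `*-*-*-*`, while constexpr-nullptr-2.C uses `*-*-*` for the same bug; use the same form in both tests.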
diff --git a/gcc/testsuite/g++.dg/cpp0x/constexpr-nullptr-1.C b/gcc/testsuite/g++.dg/cpp0x/constexpr-nullptr-1.C
index 420a04b..fbf1362 100644
--- a/gcc/testsuite/g++.dg/cpp0x/constexpr-nullptr-1.C
+++ b/gcc/testsuite/g++.dg/cpp0x/constexpr-nullptr-1.C
@@ -6,7 +6,7 @@ 
 // c++/67376 on gcc-patches for additional background.
 
 // { dg-do compile { target c++11 } }
-// { dg-options "-fdump-tree-optimized" }
+// { dg-options "-fdump-tree-optimized -ftrack-macro-expansion=0" }
 
 // Runtime assert.  Used for potentially invalid expressions.
 #define RA(e)  ((e) ? (void)0 : __builtin_abort ())
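Review bot: constexpr-nullptr-1.C is modified here but is not listed in the gcc/testsuite ChangeLog entry above, which names constexpr-cast.C, constexpr-nullptr-2.C, constexpr-sfinae.C and pr63956.C. Add an entry for it, and state there or in a comment next to the dg-options line why -ftrack-macro-expansion=0 is now needed.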
diff --git a/gcc/testsuite/g++.dg/cpp0x/constexpr-nullptr-2.C b/gcc/testsuite/g++.dg/cpp0x/constexpr-nullptr-2.C
new file mode 100644
index 0000000..4777b53
--- /dev/null
+++ b/gcc/testsuite/g++.dg/cpp0x/constexpr-nullptr-2.C
@@ -0,0 +1,303 @@ 
+// PR c++/60760 - arithmetic on null pointers should not be allowed
+//     in constant expressions
+// PR c++/71091 - constexpr reference bound to a null pointer dereference
+//     accepted
+// { dg-do compile { target c++11 } }
+// { dg-additional-options "-Wno-pointer-arith" }
+
+// Generate a null poiinter.
+constexpr int* null () { return 0; }
+
+// Test case from comment #0 in c++/60760.
+namespace PR_60760_comment_0 {
+
+constexpr int* ptr = nullptr;
+constexpr int* ptr2 = ptr + 1;   // { dg-error "null pointer|not a constant" }
+
+}
+
+// Test case from comment #1 in c++/60760.
+namespace PR_60760_comment_1 {
+
+constexpr int* ptr = nullptr;
+
+constexpr int zero = 0;
+constexpr int* ptr2 = ptr + zero;   // Adding zero is valid.
+constexpr int* ptr3 = ptr - zero;   // As is subtracting zero.
+
+}
+
+// Test case from c++/71091.
+namespace PR_71091 {
+
+constexpr int *p = 0;
+constexpr const int &r = *p;   // { dg-error "dereferencing a null pointer" }
+
+}
+
+// Other test cases.
+namespace C {
+
+struct S { int a, b[1]; } s;
+
+constexpr S *p0 = &s;
+constexpr S *p1 = nullptr;
+constexpr int *r0 = p1->b;   // { dg-error "null pointer|constant expression" }
+
+// Adding and subtracting zero from and to a null pointer is valid.
+constexpr S* r1 = p1 + 0;
+constexpr S* r2 = r1 - 0;
+
+constexpr int zero = 0;
+
+constexpr S* r3 = r2 + zero;
+constexpr S* r4 = r3 - zero;
+
+static_assert (r4 == nullptr, "r4 == nullptr");
+
+constexpr const S *pcs = p0;
+constexpr int d1 = pcs - p0;
+constexpr int d2 = p0 - pcs;
+
+constexpr bool b = !p1 && !pcs;
+}
+
+namespace D {
+
+struct A { int i; const A *pa1; const A *pa0; };
+
+constexpr A a1 = { 0, 0, 0  };
+constexpr A a2 = { 1, &a1, 0 };
+
+constexpr const A *pa2 = &a2;
+constexpr int i0 = pa2->i;
+constexpr int i1 = pa2->pa1->i;
+constexpr int i2 = pa2->pa1->pa0->i;            // { dg-error "null pointer|not a constant" }
+
+constexpr const A *pa3 = &*pa2->pa1->pa0;
+constexpr const A *pa4 = pa2->pa1->pa0 + 1;     // { dg-error "null pointer|not a constant" }
+
+constexpr const int *pi0 = &pa2->pa1->pa0->i;   // { dg-error "null pointer|not a constant" }
+
+constexpr const A *pa5 = 0;
+constexpr const int *pi1 = &pa5->i;             // { dg-error "null pointer|not a constant" }
+
+}
+
+
+namespace SimpleTests {
+
+constexpr int* p0 = nullptr;
+constexpr int* q0 = p0;
+constexpr int* r0 = null ();
+
+// Conversion to cv-qualified void* is valid.
+constexpr void* pv0 = p0;
+constexpr const void* pv1 = p0;
+constexpr volatile void* pv2 = p0;
+constexpr const volatile void* pv3 = p0;
+constexpr void* pv4 = static_cast<void*>(p0);
+constexpr const void* pv5 = static_cast<const void*>(p0);
+
+// The following should be rejected but isn't because of bug c++/49171
+// - [C++0x][constexpr] Constant expressions support reinterpret_cast
+constexpr void* pv6 = reinterpret_cast<void*>(p0);   // { dg-error "" "bug c++/49171" { xfail *-*-* } }
+
+// Adding or subtracting zero from a null pointer is valid in C++.
+constexpr int* p1 = p0 + 0;
+constexpr int* p2 = p0 - 0;
+constexpr int* p3 = 0 + p0;
+
+// While the text of the C++ standard still doesn't allow it, CWG
+// issue 232 implies that dererencing a null pointer is intended
+// to be permitted in contexts where the result isn't evaluated.
+// For compatibility with C that should at a minimum include
+// expressions like &*p that are valid there.
+constexpr int* p4 = &*p0;
+constexpr int* p5 = p0 + 1;       // { dg-error "null pointer|not a constant" }
+constexpr int* p6 = 1 + p0;       // { dg-error "null pointer|not a constant" }
+constexpr int* p7 = p0 - 1;       // { dg-error "null pointer|not a constant" }
+constexpr int* p8 = &p0 [0];
+constexpr int* p9 = &0 [p0];
+
+constexpr int* p10 = null () + 2; // { dg-error "null pointer|not a constant" }
+constexpr int* p11 = 3 + null (); // { dg-error "null pointer|not a constant" }
+constexpr int* p12 = null () - 4; // { dg-error "null pointer|not a constant" }
+constexpr int* p13 = &null ()[4]; // { dg-error "null pointer|not a constant" }
+constexpr int* p14 = &3[null ()]; // { dg-error "null pointer|not a constant" }
+
+constexpr int* q1 = q0 + 0;
+constexpr int* q2 = q0 - 0;
+constexpr int* q3 = q0 + 1;       // { dg-error "null pointer|not a constant" }
+constexpr int* q4 = q0 + 2;       // { dg-error "null pointer|not a constant" }
+constexpr int* q5 = &q0 [0];
+
+// Subtracting null pointers from one another is valid.
+constexpr int i0 = p0 - (int*)0;
+constexpr int i1 = p0 - static_cast<int*>(0);
+constexpr int i2 = p0 - (int*)nullptr;
+constexpr int i3 = p0 - static_cast<int*>(nullptr);
+constexpr int i4 = p0 - p0;
+constexpr int i5 = p0 - q0;
+constexpr int i6 = p0 - r0;
+constexpr int i7 = (int*)0 - p0;
+constexpr int i8 = static_cast<int*>(0) - p0;
+constexpr int i9 = (int*)nullptr - p0;
+constexpr int i10 = static_cast<int*>(nullptr) - p0;
+constexpr int i11 = q0 - p0;
+constexpr int i12 = r0 - p0;
+
+}
+
+namespace IncompleteTypeTests {
+
+// The type must be complete.
+struct X;
+constexpr X *px0 = nullptr;
+constexpr X *px1 = px0 + 0;     // { dg-error "invalid use of incomplete type"  }
+constexpr X *px2 = px0 - 0;     // { dg-error "invalid use of incomplete type"  }
+constexpr X *px3 = px0 - px0;   // { dg-error "invalid use of incomplete type"  }
+
+constexpr void *pv0 = px0;
+constexpr void *pv1 = pv0;
+constexpr const void *pv2 = pv0;
+constexpr void *pv3 = pv2;      // { dg-error "invalid conversion|not a constant expression" }
+constexpr const void *pv4 = pv2;
+
+constexpr X *px4 = pv0;         // { dg-error "invalid conversion|not a constant expression" }
+
+}
+
+namespace IndirectTests {
+
+struct S { int i, j; struct SA { struct SB { int *pi; } sb; } sa; };
+
+constexpr S* ps = (S*)0;
+
+// Comparing null pointers is valid.
+constexpr bool b0 = ps == ps;
+constexpr bool b1 = ps != ps;
+constexpr bool b2 = ps <  ps;
+constexpr bool b3 = ps <= ps;
+constexpr bool b4 = ps >  ps;
+constexpr bool b5 = ps >= ps;
+
+constexpr bool b6 = ps == (S*)0;
+constexpr bool b7 = ps != (S*)0;
+constexpr bool b8 = ps <  (S*)0;
+constexpr bool b9 = ps <= (S*)0;
+constexpr bool b10 = ps >  (S*)0;
+constexpr bool b11 = ps >= (S*)0;
+
+constexpr S* ps1 = ps;
+constexpr S* ps2 = ps1;
+
+// The following aren't diagnosed due to a bug.
+// constexpr int* pi0 = &((S*)0)->i;
+// constexpr int* pi1 = &((S*)nullptr)->i;
+
+constexpr int* pj0 = &((S*)0)->j;        // { dg-error "not a constant expression" }
+constexpr int* pj1 = &((S*)nullptr)->j;  // { dg-error "not a constant expression" }
+
+constexpr int* psi = &ps->i;            // { dg-error "null pointer|not a constant" }
+constexpr int* psj = &ps->j;            // { dg-error "null pointer|not a constant" }
+
+constexpr int* ps1i = &ps1->i;          // { dg-error "null pointer|not a constant" }
+constexpr int* ps2i = &ps1->i;          // { dg-error "null pointer|not a constant" }
+
+constexpr int* ps1j = &ps1->j;          // { dg-error "null pointer|not a constant" }
+constexpr int* ps2j = &ps1->j;          // { dg-error "null pointer|not a constant" }
+
+}
+
+namespace BaseAndDerivedTests {
+
+struct A { };
+struct B: A { };
+struct C: B { };
+struct D: B, C { };                     // { dg-warning "inaccessible" }
+
+constexpr D *pd0 = 0;
+constexpr C *pc0 = 0;
+constexpr B *pb0 = 0;
+
+constexpr A *pa0 = pb0;
+constexpr A *pa1 = static_cast<A*>(pb0);
+constexpr A *pa2 = pc0;
+constexpr A *pa3 = pd0;                   // { dg-error "ambiguous base" }
+constexpr A *pa4 = static_cast<A*>(pd0);  // { dg-error "ambiguous base" }
+
+constexpr B *pb1 = pa0;                   // { dg-error "invalid conversion|not a constant expression" }
+constexpr B *pb2 = static_cast<B*>(pa0);  // { dg-error "not a constant expression" }
+
+constexpr C *pc1 = pa0;                   // { dg-error "invalid conversion|not a constant expression" }
+constexpr D *pd1 = pa0;                   // { dg-error "ambiguous base|invalid conversion" }
+
+struct E: private A { };
+
+constexpr E *pe0 = 0;
+constexpr A *pa5 = pe0;                 // { dg-error "inaccessible base of" }
+
+struct VA { virtual ~VA (); };
+struct VB: virtual VA { };
+struct VC: virtual VA { };
+struct VD: VB, VC { };
+
+constexpr VD *pvd0 = 0;
+constexpr VC *pvc0 = 0;
+constexpr VB *pvb0 = 0;
+
+constexpr VA *pva0 = pvb0;
+constexpr VA *pva1 = pvc0;
+constexpr VA *pva2 = pvd0;
+
+constexpr VB *pvb1 = pva0;              // { dg-error "invalid conversion|cannot convert from pointer to base class" }
+
+}
+
+namespace FunctionTests {
+
+typedef void Func ();
+
+// Arithmetic on member function pointers is diagnosed with -Wpointer-arith.
+// With constexpr, only zero may be added or subtracted.
+constexpr Func *pf0 = 0;
+constexpr Func *pf1 = pf0 + 0;  // triggers -Wpointer-arith
+constexpr Func *pf2 = pf0 - 0;  // triggers -Wpointer-arith
+constexpr Func *pf3 = 0 + pf0;  // triggers -Wpointer-arith
+constexpr Func *pf4 = pf0 + 1;  // { dg-error "null pointer|not a constant" }
+constexpr Func *pf5 = 2 + pf0;  // { dg-error "null pointer|not a constant" }
+constexpr Func *pf6 = pf0 - 3;  // { dg-error "null pointer|not a constant" }
+
+struct S;
+typedef void (S::*MemFuncPtr)();
+
+// Arithmetic on member function pointers is rejected with a hard error.
+constexpr MemFuncPtr pmf0 = nullptr;
+constexpr MemFuncPtr pmf1 = pmf0 + 0;   // { dg-error "invalid operands" }
+constexpr MemFuncPtr pmf2 = 0 + pmf0;   // { dg-error "invalid operands" }
+constexpr MemFuncPtr pmf3 = pmf0 + 1;   // { dg-error "invalid operands" }
+constexpr MemFuncPtr pmf4 = 1 + pmf0;   // { dg-error "invalid operands" }
+constexpr MemFuncPtr pmf5 = pmf0 - 1;   // { dg-error "invalid operands" }
+
+}
+
+namespace ConversionTest {
+
+struct A {
+  int *p;
+};
+
+constexpr const int* f (const int *p) { return p; }
+
+void f ()
+{
+  static_assert (!f (0), "f (a.p)");
+  static_assert (!f (nullptr), "f (a.p)");
+
+  constexpr A a = A ();
+
+  static_assert (!f (a.p), "f (a.p)");
+}
+
+}
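Review bot: In IndirectTests, `ps2i` and `ps2j` are initialized from `&ps1->i` and `&ps1->j`, which duplicates `ps1i` and `ps1j` exactly and leaves `ps2` (declared as `constexpr S* ps2 = ps1;`) unexercised; these were presumably meant to be `&ps2->i` and `&ps2->j`. In FunctionTests, the first comment says "Arithmetic on member function pointers is diagnosed with -Wpointer-arith", but the declarations under it use `Func *`, a plain function pointer; the member-function-pointer case is the later block that expects "invalid operands", so the first comment should say "function pointers". The `pi0`/`pi1` cases that "aren't diagnosed due to a bug" would be easier to track as xfail'd dg-error directives than as commented-out code, so the test starts reporting when the bug is fixed.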
diff --git a/gcc/testsuite/g++.dg/cpp1y/constexpr-sfinae.C b/gcc/testsuite/g++.dg/cpp1y/constexpr-sfinae.C
index a83d7f4..4a7deb8 100644
--- a/gcc/testsuite/g++.dg/cpp1y/constexpr-sfinae.C
+++ b/gcc/testsuite/g++.dg/cpp1y/constexpr-sfinae.C
@@ -90,22 +90,28 @@  namespace NullPointerArithmetic {
 constexpr int i = 0;
 constexpr const int* a[] = { 0, &i };
 
-// Well-defined core constant expressoons involving null pointers.
+// Well-defined core constant expressions involving null pointers.
 constexpr __PTRDIFF_TYPE__ d00 = a [0] - a [0];
 constexpr __PTRDIFF_TYPE__ d11 = a [1] - a [1];
 
-// Undefined core constant expressoons involving null pointers.
+// Undefined core constant expressions involving null pointers.
 // constexpr __PTRDIFF_TYPE__ d01 = a [0] - a [1];
 // constexpr __PTRDIFF_TYPE__ d10 = a [1] - a [0];
 
-constexpr bool nullptr_sub_0 (int i, int j) { return 1 + a [i != 0] - a [j]; }
+// Valid when i == j.
+constexpr bool
+nullptr_sub_0 (bool i, bool j) { return 1 + a [!i] - a [!j]; }
 
-constexpr bool nullptr_sub_1 (int i, int j) { return 1 + a [i == 0] - a [j]; }
+// Valid when i != j.
+constexpr bool
+nullptr_sub_1 (bool i, bool j) { return 1 + a [i] - a [!j]; }
 
-template <int I>
+// Selected when I == 0.
+template <bool I>
 constexpr int f (int (*)[nullptr_sub_0 (I, 0)] = 0) { return 0; }
 
-template <int I>
+// Selected when I != 0.
+template <bool I>
 constexpr int f (int (*)[nullptr_sub_1 (I, 0)] = 0) { return 1; }
 
 constexpr int n0 = f<0>();
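Review bot: The new comments "Valid when i == j" and "Valid when i != j" are broader than what the expressions allow, because `1 + a [!i] - a [!j]` groups as `(1 + a [!i]) - a [!j]`, so the 1 is added to the pointer before the subtraction. With `a[] = { 0, &i }`, the case where both subscripts select element 0 computes `1 + null`, which is the very arithmetic this patch makes non-constant, so `nullptr_sub_0 (true, true)` and `nullptr_sub_1 (false, true)` would not be valid despite satisfying the stated condition. The two `f` overloads only ever pass `j == 0`, so the "Selected when" comments still hold; either narrow the function comments to that case or parenthesize the subtraction as `1 + (a [!i] - a [!j])` so they are true as written.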
diff --git a/gcc/testsuite/g++.dg/ubsan/pr63956.C b/gcc/testsuite/g++.dg/ubsan/pr63956.C
index 25db8a4..ac01fa4 100644
--- a/gcc/testsuite/g++.dg/ubsan/pr63956.C
+++ b/gcc/testsuite/g++.dg/ubsan/pr63956.C
@@ -92,7 +92,7 @@  constexpr int
 fn6 (const int &a, int b)
 {
   if (b != 2)
-    b = a;  // { dg-error "is not a constant expression" }
+    b = a;
   return b;
 }
 
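Review bot: The dg-error on `b = a;` in fn6 is dropped with no replacement directive visible in this hunk, and nothing here says why a change about null pointer arithmetic affects where this diagnostic is reported. If the error is now issued at a different line (for example, at the constexpr variable that calls fn6), that line should carry the directive in the same patch, and the ChangeLog or commit message should mention the move so the test does not silently lose coverage.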
@@ -106,7 +106,7 @@  fn7 (const int *a, int b)
 
 constexpr int n1 = 7;
 constexpr int n2 = fn7 (&n1, 5);
-constexpr int n3 = fn7 ((const int *) 0, 8);
+constexpr int n3 = fn7 ((const int *) 0, 8);  // { dg-error "null pointer" }
 
 constexpr int
 fn8 (int i)
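Review bot: The directive added on `n3` matches only "null pointer", while the new constexpr tests elsewhere in this patch accept "null pointer|not a constant" for the same class of error. Since this is a ubsan test that previously expected nothing on this line, it would help to match a more distinctive fragment of the new diagnostic text, so the test confirms which message fires rather than any message that happens to mention a null pointer.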