authorJason Merrill <jason@redhat.com>2025-03-10 14:10:52 -0400
committerJason Merrill <jason@redhat.com>2025-03-11 17:04:22 -0400
commit17ef5cad94d3f8f5fb1d8b749adf04c9d775ab9c (patch)
tree7b2a03013bf345af007351d15672a252d3e01d1c /gcc
parentbc6bbdb2cbc3ace1fbc8db6cc8976f5d8680809b (diff)
c++: constexpr caching deleted pointer [PR119162]
In this testcase, we pass the checks for mismatched new/delete because the pointer is deleted before it is returned. And then a subsequent evaluation uses the cached value, but the deleted heap var isn't in ctx->global->heap_vars anymore, so cxx_eval_outermost_constant_expr doesn't run find_heap_var_refs, and ends up with garbage. Fixed by not caching a reference to deleted. I considered rejecting such a reference immediately as non-constant, but I don't think that's valid; an invalid pointer value isn't UB until we try to do something with it or it winds up in the final result of constant evaluation. I also considered not caching other heap references (i.e. using find_heap_var_refs instead of adding find_deleted_heap_var), which would include heap pointers passed in from the caller, but those don't have the same heap_vars problem. We might want cxx_eval_outermost_constant_expr to prune constexpr_call entries that refer to objects created during the evaluation, but that applies to local variables and temporaries just as much as heap "variables". PR c++/119162 gcc/cp/ChangeLog: * constexpr.cc (find_deleted_heap_var): New. (cxx_eval_call_expression): Don't cache a reference to heap_deleted. gcc/testsuite/ChangeLog: * g++.dg/cpp2a/constexpr-new26.C: New test.
Diffstat (limited to 'gcc')
-rw-r--r--gcc/cp/constexpr.cc25
-rw-r--r--gcc/testsuite/g++.dg/cpp2a/constexpr-new26.C17
2 files changed, 40 insertions, 2 deletions
diff --git a/gcc/cp/constexpr.cc b/gcc/cp/constexpr.cc
index 381e5e2..76a9176 100644
--- a/gcc/cp/constexpr.cc
+++ b/gcc/cp/constexpr.cc
@@ -1124,8 +1124,9 @@ struct GTY((for_user)) constexpr_call {
tree bindings;
/* Result of the call.
NULL means the call is being evaluated.
- error_mark_node means that the evaluation was erroneous;
- otherwise, the actuall value of the call. */
+ error_mark_node means that the evaluation was erroneous or otherwise
+ uncacheable (e.g. because it depends on the caller).
+ Otherwise, the actual value of the call. */
tree result;
/* The hash of this call; we remember it here to avoid having to
recalculate it when expanding the hash table. */
@@ -1520,6 +1521,7 @@ static tree cxx_eval_bare_aggregate (const constexpr_ctx *, tree,
static tree cxx_fold_indirect_ref (const constexpr_ctx *, location_t, tree, tree,
bool * = NULL);
static tree find_heap_var_refs (tree *, int *, void *);
+static tree find_deleted_heap_var (tree *, int *, void *);
/* Attempt to evaluate T which represents a call to a builtin function.
We assume here that all builtin functions evaluate to scalar types
@@ -3414,6 +3416,11 @@ cxx_eval_call_expression (const constexpr_ctx *ctx, tree t,
cacheable = false;
break;
}
+ /* And don't cache a ref to a deleted heap variable (119162). */
+ if (cacheable
+ && (cp_walk_tree_without_duplicates
+ (&result, find_deleted_heap_var, NULL)))
+ cacheable = false;
}
/* Rewrite all occurrences of the function's RESULT_DECL with the
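Review bot: The added comment in cxx_eval_call_expression gives only the PR number, so a reader cannot tell why a deleted heap variable in `result` makes the call uncacheable. Going by the commit description, the reason is that a later evaluation reusing the cached value no longer has the deleted variable in `ctx->global->heap_vars`, so the dangling reference escapes the heap-reference check. I would put that in the comment, e.g. `/* And don't cache a ref to a deleted heap variable: a later evaluation won't have it in heap_vars, so the dangling ref would go undiagnosed (PR c++/119162). */`. The enclosing function starts and ends outside the hunk, so how `cacheable` is consumed afterwards is not visible here.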
@@ -8965,6 +8972,20 @@ find_heap_var_refs (tree *tp, int *walk_subtrees, void */*data*/)
return NULL_TREE;
}
+/* Look for deleted heap variables in the expression *TP. */
+
+static tree
+find_deleted_heap_var (tree *tp, int *walk_subtrees, void */*data*/)
+{
+ if (VAR_P (*tp)
+ && DECL_NAME (*tp) == heap_deleted_identifier)
+ return *tp;
+
+ if (TYPE_P (*tp))
+ *walk_subtrees = 0;
+ return NULL_TREE;
+}
+
/* Find immediate function decls in *TP if any. */
static tree
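Review bot: The header comment on find_deleted_heap_var does not state the callback contract that the caller's `cacheable` decision depends on. From the visible body it returns the first VAR_DECL whose DECL_NAME is `heap_deleted_identifier`, which ends the walk, returns NULL_TREE otherwise, and clears `*walk_subtrees` on types. I would extend it to `/* walk_tree callback: return the first deleted heap variable in *TP (a VAR_DECL named heap_deleted_identifier), or NULL_TREE if none; types are not walked into. */`. The detection presumably relies on deallocation renaming the variable to heap_deleted_identifier, which this hunk does not show, so that invariant is worth naming in the comment as well.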
diff --git a/gcc/testsuite/g++.dg/cpp2a/constexpr-new26.C b/gcc/testsuite/g++.dg/cpp2a/constexpr-new26.C
new file mode 100644
index 0000000..c82bd43
--- /dev/null
+++ b/gcc/testsuite/g++.dg/cpp2a/constexpr-new26.C
@@ -0,0 +1,17 @@
+// PR c++/119162
+// { dg-do compile { target c++20 } }
+
+constexpr int *
+f7 ()
+{
+ int *p = new int (2); // { dg-error "is not a constant expression because it refers to a result of" }
+ delete p;
+ return p;
+}
+
+void
+g ()
+{
+ constexpr auto v7 = f7 ();
+}
+
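Review bot: The testcase calls `f7 ()` from a single initializer, while the commit description attributes the failure to a subsequent evaluation reusing the cached result. If the regression is reproduced only because that one initializer happens to be evaluated more than once internally, the test depends on an implementation detail. Adding a second use in `g`, e.g. `constexpr auto v8 = f7 ();`, would exercise the cached-result path explicitly. Whether the existing dg-error directive on the `new` line then needs adjusting should be confirmed when running the test.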