From: "jakub at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/108718] [10/11/12/13 Regression] csmith: possible bad code with -O2
Date: Thu, 16 Feb 2023 12:59:46 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: wrong-code
X-Bugzilla-Severity: normal
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: INVALID
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 10.5
X-Bugzilla-Changed-Fields: bug_status resolution

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108718

Jakub Jelinek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #12 from Jakub Jelinek ---
(In reply to Martin Liška from comment #10)
> (In reply to David Binderman from comment #9)
> > Created attachment 54463 [details]
> > C source code
> >
> > After a further hour of reduction, a partially reduced program.
> >
> > cvise doesn't seem able to make much further progress with it.
>
> However, I see a segfault that happens for the code snippet now.

The reduced testcase has various flaws, i uninitialized at the start of first
loop in main, and the last loop in main iterating endlessly, main_j < 10 should
be probably the condition of the for loop.
Anyway, I think there are aliasing violations again,
*g_45 = &g_5[2][5];
is (implicitly) int while g_5[2][5] has type union { short } and e.g. func_13
stores it through that g_45 pointer (so writes over g_5[2][5].f4 and
g_5[2][6].f4, that itself is an aliasing violation, and then reads/writes
g_5[2][5].f4 through short * pointer in
((--*l_701));

The original testcase has that too:
union U0 {
   uint64_t f0;
   int32_t f1;
   uint64_t f2;
   int32_t f3;
   uint16_t f4;
};
static union U0 g_5[5][10] =
{{{1UL},{18446744073709551610UL},{0x998AB5457D670012LL},{18446744073709551612UL},{0x998AB5457D670012LL},{18446744073709551610UL},{1UL},{1UL},{18446744073709551615UL},{18446744073709551607UL}},
 {{1UL},{6UL},{0x7F6FB807CFAF425FLL},{0UL},{1UL},{1UL},{0UL},{0x7F6FB807CFAF425FLL},{6UL},{1UL}},
 {{0xF996F377CC424770LL},{6UL},{18446744073709551615UL},{0xF0488F4F368A9017LL},{18446744073709551612UL},{18446744073709551607UL},{1UL},{18446744073709551607UL},{18446744073709551612UL},{0xF0488F4F368A9017LL}},
 {{0xF0488F4F368A9017LL},{18446744073709551610UL},{0xF0488F4F368A9017LL},{6UL},{18446744073709551612UL},{3UL},{1UL},{0x998AB5457D670012LL},{0x998AB5457D670012LL},{1UL}},
 {{18446744073709551612UL},{1UL},{3UL},{3UL},{1UL},{18446744073709551612UL},{6UL},{1UL},{18446744073709551612UL},{18446744073709551615UL}}};
static int32_t *g_45 = &g_5[2][5].f3;
and in func_13
uint16_t *l_701 = &g_5[2][5].f4;
...
(*g_45) |= (*g_90);
...
--(*l_701)
on the penultimate line in func_13 among other things.
Though, (*g_45) |= (*g_90); actually isn't reached.
But, just setting awatch in -g -O0 compiled #c0, I can see it again doing UB,
e.g.
func_26 does:
l_169[3][4] = (*g_45);
(*p_27) |= (safe_sub_func_int32_t_s_s(0x191EB41DL, p_29.f0));
where both g_45 and p_27 point to &g_5[2][5].f3 with int * type, and then
func_18 does:
return g_5[2][5].f4;
which reads it through union as unsigned short.
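
The int32_t * / uint16_t * pattern discussed in the comment, next to two forms that stay defined, as an added example that is not part of the bug report or the csmith testcase. The member layout of union U0 and the values 18446744073709551607UL and 0x191EB41D are taken from the message; all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Member layout copied from union U0 in the message; all functions are constructed. */
union U0 { uint64_t f0; int32_t f1; uint64_t f2; int32_t f3; uint16_t f4; };

/* The flagged pattern: one object written through int32_t * and read through
 * uint16_t *. With -fstrict-aliasing (enabled at -O2) GCC may assume the two
 * pointers never overlap, so the load can be reordered before the store.
 * Shown for comparison only; nothing below calls it. */
uint16_t or_then_read_punned(int32_t *p32, uint16_t *p16, int32_t bits)
{
    *p32 |= bits;
    return *p16;
}

/* Variant 1: every access names the union object, which GCC documents as
 * supported type punning. */
uint16_t or_then_read_union(union U0 *u, int32_t bits)
{
    u->f3 |= bits;
    return u->f4;
}

/* Variant 2: memcpy moves the bytes, so no lvalue of the wrong type is used. */
uint16_t or_then_read_memcpy(union U0 *u, int32_t bits)
{
    int32_t v; uint16_t out;
    memcpy(&v, u, sizeof v);
    v |= bits;
    memcpy(u, &v, sizeof v);
    memcpy(&out, u, sizeof out);
    return out;
}

/* Returns 1 when both defined variants give the same result and final f3. */
int variants_agree(uint64_t init, int32_t bits)
{
    union U0 a = { init }, b = { init };
    uint16_t ra = or_then_read_union(&a, bits);
    uint16_t rb = or_then_read_memcpy(&b, bits);
    return ra == rb && a.f3 == b.f3;
}

int main(void)
{
    printf("%d\n", variants_agree(18446744073709551607UL, 0x191EB41D));
}
```

Building with -O2 -fno-strict-aliasing is the usual way to check whether a miscompare like the one reported goes away once the compiler stops relying on these type-based assumptions.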