https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108718
Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #12 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Martin Liška from comment #10)
> (In reply to David Binderman from comment #9)
> > Created attachment 54463 [details]
> > C source code
> >
> > After a further hour of reduction, a partially reduced program.
> >
> > cvise doesn't seem able to make much further progress with it.
>
> However, I see a segfault that happens for the code snippet now.

The reduced testcase has various flaws: i is uninitialized at the start of the first loop in main, and the last loop in main iterates endlessly; main_j < 10 should probably be the condition of the for loop.

Anyway, I think there are aliasing violations again. *g_45 = &g_5[2][5]; is (implicitly) int while g_5[2][5] has type union { short }, and e.g. func_13 stores it through that g_45 pointer (so writes over g_5[2][5].f4 and g_5[2][6].f4, which itself is an aliasing violation), and then reads/writes g_5[2][5].f4 through a short * pointer in ((--*l_701));

The original testcase has that too:

    union U0 {
       uint64_t f0;
       int32_t f1;
       uint64_t f2;
       int32_t f3;
       uint16_t f4;
    };
    static union U0 g_5[5][10] = {
        {{1UL},{18446744073709551610UL},{0x998AB5457D670012LL},{18446744073709551612UL},{0x998AB5457D670012LL},{18446744073709551610UL},{1UL},{1UL},{18446744073709551615UL},{18446744073709551607UL}},
        {{1UL},{6UL},{0x7F6FB807CFAF425FLL},{0UL},{1UL},{1UL},{0UL},{0x7F6FB807CFAF425FLL},{6UL},{1UL}},
        {{0xF996F377CC424770LL},{6UL},{18446744073709551615UL},{0xF0488F4F368A9017LL},{18446744073709551612UL},{18446744073709551607UL},{1UL},{18446744073709551607UL},{18446744073709551612UL},{0xF0488F4F368A9017LL}},
        {{0xF0488F4F368A9017LL},{18446744073709551610UL},{0xF0488F4F368A9017LL},{6UL},{18446744073709551612UL},{3UL},{1UL},{0x998AB5457D670012LL},{0x998AB5457D670012LL},{1UL}},
        {{18446744073709551612UL},{1UL},{3UL},{3UL},{1UL},{18446744073709551612UL},{6UL},{1UL},{18446744073709551612UL},{18446744073709551615UL}}
    };
    static int32_t *g_45 = &g_5[2][5].f3;

and in func_13

    uint16_t *l_701 = &g_5[2][5].f4;
    ...
    (*g_45) |= (*g_90);
    ...
    --(*l_701)

on the penultimate line in func_13, among other things. Though (*g_45) |= (*g_90); actually isn't reached.

But just setting awatch in -g -O0 compiled #c0, I can see it again doing UB, e.g. func_26 does:

    l_169[3][4] = (*g_45);
    (*p_27) |= (safe_sub_func_int32_t_s_s(0x191EB41DL, p_29.f0));

where both g_45 and p_27 point to &g_5[2][5].f3 with int * type, and then func_18 does:

    return g_5[2][5].f4;

which reads it through the union as unsigned short.
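The access pattern the comment objects to, reduced to one file, as an added example that is not part of the bug report or of GCC's own code: the same union layout as the testcase's U0 and the value of g_5[0][2] are taken from the report; the function names, the helpers, and the 0x0F00 bit that gets OR-ed in are assumptions. The first function stores through an int32_t pointer and then modifies the overlapping uint16_t member through a separate uint16_t pointer, which is what g_45 / p_27 and l_701 do in the testcase; the other two show the well-defined ways of getting the same effect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same member layout as the testcase's union U0.  SAMPLE_F0 is the value of
 * g_5[0][2] from the testcase; everything else in this file is constructed. */
union U0 { uint64_t f0; int32_t f1; uint64_t f2; int32_t f3; uint16_t f4; };

static const uint64_t SAMPLE_F0 = 0x998AB5457D670012ULL;

/* The pattern the comment flags.  Once the two pointers travel separately
 * (g_45, p_27 and l_701 in the testcase) the compiler only sees an int32_t
 * lvalue and a uint16_t lvalue, which the effective-type rules say cannot
 * overlap, so it may reorder or cache the accesses.  This is undefined
 * behaviour; it is here to be read, and its result must not be relied on. */
static uint16_t punned_through_pointers(int32_t *p, uint16_t *q, int32_t v)
{
    *p |= v;          /* int32_t store */
    return --(*q);    /* uint16_t read-modify-write of the same bytes */
}

/* Well-defined form 1: keep every access on the union object itself.  GCC
 * documents that reading a member other than the one last stored simply
 * reinterprets the bytes (type punning through a union). */
static uint16_t punned_through_union(union U0 *u, int32_t v)
{
    u->f3 |= v;
    return --u->f4;
}

/* Well-defined form 2: move the bytes with memcpy.  This is defined for any
 * object, needs no union, and optimizes to plain loads and stores. */
static uint16_t punned_through_memcpy(void *obj, int32_t v)
{
    int32_t w;
    uint16_t h;
    memcpy(&w, obj, sizeof w);
    w |= v;
    memcpy(obj, &w, sizeof w);
    memcpy(&h, obj, sizeof h);
    h--;
    memcpy(obj, &h, sizeof h);
    return h;
}

/* Which half of f3 the 16-bit member f4 overlaps depends on the target. */
static int is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Start from a fresh union so each form can be checked on identical input. */
static uint16_t run_union(uint64_t f0, int32_t v)
{
    union U0 u = { f0 };
    return punned_through_union(&u, v);
}

static uint16_t run_memcpy(uint64_t f0, int32_t v)
{
    union U0 u = { f0 };
    return punned_through_memcpy(&u, v);
}

int main(void)
{
    union U0 a = { SAMPLE_F0 };
    int32_t bit = 0x0F00;

    printf("little-endian target: %d\n", is_little_endian());
    printf("via separate pointers (UB): 0x%04x\n",
           punned_through_pointers(&a.f3, &a.f4, bit));
    printf("via union:                  0x%04x\n", run_union(SAMPLE_F0, bit));
    printf("via memcpy:                 0x%04x\n", run_memcpy(SAMPLE_F0, bit));
    return 0;
}
```

Note that no cast appears anywhere: &u->f3 and &u->f4 are perfectly ordinary member addresses, so -Wstrict-aliasing has nothing to warn about, and at -O0 the first function happens to produce the same number as the other two. That is exactly why the comment resorts to an awatch on g_5[2][5] under -O0 to show the mixed-type accesses rather than pointing at a diagnostic; the violation only becomes visible as behaviour once -O2 -fstrict-aliasing is allowed to separate the int32_t and uint16_t accesses.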