[csmith-bugs] 2.0.0: read from and write to the same location between two sequence points
Hello,
Csmith 2.0.0 generated the attached program.
When printf() statements are inserted immediately before and after line 61,
compiling and running the program on a 64-bit little-endian platform shows
that line 61 is reached and that all the functions called there terminate.
It only takes a cursory glance at func_10() to see that if it
terminates, it terminates having modified g_2.
Therefore it seems to me that line 61 contains undefined behavior, as
g_2 is accessed there multiple times for reading and for writing in
addition to the modification by func_10().
/*
* This is a RANDOMLY GENERATED PROGRAM.
*
* Generator: csmith 2.0.0
* svn version: exported
* Options: --no-volatiles --no-argc --max-array-dim 2 --max-funcs 3 --max-struct-fields 3 --bitfields
* Seed: 2230192313
*/
#include "csmith.h"
/* Not referenced anywhere else in this listing. The name begins with a double
 * underscore, which C reserves for the implementation (C11 7.1.3). */
long __undefined;
/* --- Struct/Union Declarations --- */
/* --- GLOBAL VARIABLES --- */
/* g_2 is the object the report is about: func_1() and func_10() store to it
 * (directly and through pointers) and func_5() returns its value. */
int32_t g_2 = 2L;
/* 0xE2095E04 is larger than INT32_MAX (0x7FFFFFFF), so converting the
 * initializer to int32_t is implementation-defined (C11 6.3.1.3p3).
 * NOTE(review): assumes int32_t comes from csmith.h with its <stdint.h>
 * meaning; the header is not shown here. */
int32_t g_27 = 0xE2095E04L;
/* --- FORWARD DECLARATIONS --- */
/* Prototypes for the three generated functions; definitions follow below. */
int32_t func_1(void);
int32_t func_5(uint64_t p_6, uint8_t p_7, int64_t p_8, int8_t p_9);
uint64_t func_10(uint32_t p_11, int16_t p_12, uint64_t p_13, int16_t p_14);
/* --- FUNCTIONS --- */
/* ------------------------------------------ */
/*
* reads : g_2 g_27
* writes: g_2 g_27
*/
/*
 * Entry function of the generated test case; main() calls it once.
 * It runs a loop that updates g_2 and g_27, then performs a single assignment
 * through l_28 whose right-hand side calls func_10() and func_5(), and
 * returns the final value of g_2.
 *
 * That last assignment is the only call to func_10() in the program, so it
 * appears to be the statement the accompanying report refers to as line 61
 * of the attached file.
 */
int32_t func_1(void)
{ /* block id: 0 */
/* l_19 and l_23 are initialized but never read in this function. */
const uint8_t l_19 = 255U;
int64_t l_23 = 8L;
int32_t *l_29[7];
/* l_28 points at element 4 of l_29, so *l_28 is l_29[4]. */
int32_t **l_28 = &l_29[4];
uint8_t l_33 = 6U;
int i;
/* Every element of l_29, including l_29[4], is set to the address of g_2. */
for (i = 0; i < 7; i++)
l_29[i] = &g_2;
/* g_2 itself is the loop counter. safe_add_func_int8_t_s_s() is not defined
 * in this listing; presumably a checked int8_t addition from csmith.h
 * (TODO confirm). */
for (g_2 = 0; (g_2 < 24); g_2 = safe_add_func_int8_t_s_s(g_2, 8))
{ /* block id: 3 */
int64_t l_22[4];
/* l_26 is filled in below but never read afterwards. */
int32_t *l_26[9];
/* This inner i shadows the function-level i for the duration of the block. */
int i;
for (i = 0; i < 4; i++)
l_22[i] = 0x77CCCAEAL;
for (i = 0; i < 9; i++)
l_26[i] = &g_27;
/* Leaves the loop as soon as g_2 is non-zero, i.e. only the g_2 == 0
 * iteration reaches the statement below. */
if (g_2)
break;
/* func_5() ignores its arguments and returns g_2; the result is XORed with
 * l_22[0] and folded into g_27. */
g_27 ^= (func_5(l_22[0], g_2, g_2, g_2) ^ l_22[0]);
}
/* The goto targets the label on the very next statement, so both outcomes of
 * the test continue at lbl_30. */
if (g_2)
goto lbl_30;
lbl_30:
/* Stores &g_2 into l_29[4]; from here on **l_28 designates g_2. */
(*l_28) = &g_2;
/* Self-assignment; leaves the value of g_2 unchanged. */
g_2 = g_2;
/*
 * Statement under discussion. Since **l_28 is g_2, this one full expression
 *   - reads g_2 directly and via **l_28 while evaluating the arguments of
 *     func_10() and of the nested func_5() call,
 *   - has g_2 stored to inside func_10() (through its local pointer l_16),
 *   - and finally stores the result of the <= comparison into g_2.
 * The left operand of || is the constant 0L, so func_10() is always called.
 *
 * NOTE(review): a function call has a sequence point after its arguments are
 * evaluated and before the body runs (C11 6.5.2.2p10), and an assignment's
 * store is sequenced after the value computation of both operands
 * (C11 6.5.16p3). Whether this statement is undefined therefore depends on
 * that sequencing, not just on how many times g_2 is touched; check it
 * against the standard before treating it as a generator defect.
 */
(**l_28) = (g_27 <= (0L || func_10(g_2, ((safe_sub_func_uint64_t_u_u(g_27, ((**l_28) != l_33))) || (-7L)), (0x7A4860C01EF4FC6ALL & func_5(((**l_28) <= (**l_28)), g_2, (**l_28), g_27)), g_2)));
return g_2;
}
/* ------------------------------------------ */
/*
* reads : g_2
* writes:
*/
/*
 * Returns the current value of the global g_2.
 * None of the four parameters is used, and nothing is written, so the result
 * depends only on when the call happens relative to stores to g_2.
 */
int32_t func_5(uint64_t p_6, uint8_t p_7, int64_t p_8, int8_t p_9)
{ /* block id: 5 */
return g_2;
}
/* ------------------------------------------ */
/*
* reads : g_2
* writes: g_2
*/
/*
 * Stores to the global g_2 twice through the local pointer l_16 and returns
 * the value last stored. This is the modification of g_2 that the report
 * refers to. p_11 is never used; p_13 is overwritten before it is read.
 */
uint64_t func_10(uint32_t p_11, int16_t p_12, uint64_t p_13, int16_t p_14)
{ /* block id: 7 */
uint64_t l_15[7] = {2U, 0xD37A5B7DL, 0xC97412DFL, 0xD37A5B7DL, 2U, 18446744073709551615U, 2U};
/* l_16 aliases g_2: every store through *l_16 below is a store to g_2. */
int32_t *l_16 = &g_2;
/* i is declared but not used in this function. */
int i;
/* The parameter p_13 is reused as the loop index, so the caller's argument
 * value is discarded. The loop replaces every initializer of l_15 and leaves
 * p_13 equal to 7. */
for (p_13 = 0; p_13 < 7; p_13 += 1)
{
l_15[p_13] = 0x5FE46C2EL;
}
/* First store to g_2. The outermost operator is logical &&, so the value
 * stored is 0 or 1. */
(*l_16) = (0x3FL && ((l_15[1] == (g_2 != p_12)) | (~((g_2 != g_2) != (g_2 == p_13)))));
/* Second store to g_2. func_5() ignores its arguments and returns g_2, so
 * this writes back the value g_2 held when the outer func_5() call ran. */
(*l_16) = func_5(g_2, p_12, (*l_16), func_5(g_2, p_14, (*l_16), g_2));
return (*l_16);
}
/* ---------------------------------------- */
/*
 * Test driver: runs func_1() once, then feeds the final values of g_2 and
 * g_27 into a running checksum and hands the checksum to the platform hook.
 * platform_main_begin(), crc32_gentab(), transparent_crc(),
 * platform_main_end() and crc32_context are not defined in this listing;
 * presumably they come from csmith.h (TODO confirm).
 */
int main (void)
{
/* Passed as the last argument of each transparent_crc() call; fixed at 0. */
int print_hash_value = 0;
platform_main_begin();
crc32_gentab();
func_1();
/* Only the two globals are checksummed, so a compiler that evaluates
 * func_1() differently would show up as a different final checksum. */
transparent_crc(g_2, "g_2", print_hash_value);
transparent_crc(g_27, "g_27", print_hash_value);
platform_main_end(crc32_context ^ 0xFFFFFFFFUL);
return 0;
}
/************************ statistics *************************
XXX max struct depth: 0
breakdown:
depth: 0, occurrence: 10
XXX non-zero bitfields defined in structs: 0
XXX zero bitfields defined in structs: 0
XXX const bitfields defined in structs: 0
XXX volatile bitfields defined in structs: 0
XXX structs with bitfields in the program: 0
breakdown:
XXX full-bitfields structs in the program: 0
breakdown:
XXX times a bitfields struct's address is taken: 0
XXX times a bitfields struct on LHS: 0
XXX times a bitfields struct on RHS: 0
XXX times a single bitfield on LHS: 0
XXX times a single bitfield on RHS: 0
XXX max expression depth: 0
breakdown:
depth: 0, occurrence: 9
XXX total number of pointers: 4
XXX times a variable address is taken: 3
XXX times a pointer is dereferenced on RHS: 7
breakdown:
depth: 1, occurrence: 3
depth: 2, occurrence: 4
XXX times a pointer is dereferenced on LHS: 4
breakdown:
depth: 1, occurrence: 3
depth: 2, occurrence: 1
XXX times a pointer is compared with null: 0
XXX times a pointer is compared with address of another variable: 0
XXX times a pointer is compared with another pointer: 0
XXX times a pointer is qualified to be dereferenced: 26
XXX max dereference level: 2
breakdown:
level: 0, occurrence: 0
level: 1, occurrence: 10
level: 2, occurrence: 6
XXX number of pointers point to pointers: 1
XXX number of pointers point to scalars: 3
XXX number of pointers point to structs: 0
XXX percent of pointers has null in alias set: 0
XXX average alias set size: 1
XXX times a non-volatile is read: 60
XXX times a non-volatile is write: 12
XXX times a volatile is read: 0
XXX times read thru a pointer: 0
XXX times a volatile is write: 0
XXX times written thru a pointer: 0
XXX times a volatile is available for access: 0
XXX percentage of non-volatile access: 100
XXX forward jumps: 1
XXX backward jumps: 0
XXX stmts: 19
XXX percentage a fresh-made variable is used: 7.14
XXX percentage an existing variable is used: 92.9
********************* end of statistics **********************/