[csmith-bugs] Git version: function returning address of parameter
On Thu, May 19, 2011 at 3:53 PM, Eric Eide <eeide@cs.utah.edu> wrote:
> Pascal> csmith-project-csmith-git-conversion-HEAD-34-g1e0418a.tar.gz
> Pascal>
> Pascal> However, I am not sure how I should go about reporting bugs
> Pascal> against this snapshot
>
> Recent (post 2.0.0) versions of Csmith output the "short hash" of the latest
> git commit from which they are built. For example:
>
> /*
> * This is a RANDOMLY GENERATED PROGRAM.
> *
> * Generator: csmith 2.1.0
> * Git version: 4f53cd0
Hmm, I built Csmith in the usual way (configure, make) and I get headers like:
/*
* This is a RANDOMLY GENERATED PROGRAM.
*
* Generator: csmith 2.1.0
* Git version: exported
* Options: --no-volatiles --no-argc --max-array-dim 2 --max-funcs 3
--max-struct-fields 3 --bitfields
* Seed: 1385513962
*/
I'm afraid this is because I downloaded a .tar.gz from the github website,
which is about the level of github involvement I hoped would suffice.
Anyway, the .tar.gz file is still the aforementioned
csmith-project-csmith-git-conversion-HEAD-34-g1e0418a.tar.gz
and it generated the attached program.
I modified it only by inserting the line that contains "DANGLING CHECK".
When I compile it as a little-endian 64-bit program with gcc, I get:
DANGLING CHECK: &p_5:0x7fffaceb008c, returning:0x7fffaceb008c
checksum = E94CCCEA
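The two addresses are the same: func_4() returns the address of its own
parameter p_5, whose lifetime ends when func_4() returns.
We have had this discussion with John before, but I would
argue that passing the result of func_4() to func_2() counts
as "read[ing]" in: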
"The value of a pointer becomes indeterminate when the object it
points to reaches the end of its lifetime. (6.2.4 §2)"
"indeterminate value: either an unspecified value or a trap
representation (3.7.12)"
"Certain object representations need not represent a value of the
object type. If the stored value of an object has such a
representation and is read by an lvalue expression that does not have
character type, the behavior is undefined. [...] Such a representation
is called a trap representation. (6.2.6.1 §5)."
Pascal
/*
* This is a RANDOMLY GENERATED PROGRAM.
*
* Generator: csmith 2.1.0
* Git version: exported
* Options: --no-volatiles --no-argc --max-array-dim 2 --max-funcs 3 --max-struct-fields 3 --bitfields
* Seed: 1385513962
*/
#include "csmith.h"
/* Not referenced anywhere else in this listing. NOTE(review): the name uses a
 * double underscore, which C reserves for the implementation; it is kept
 * unchanged because the file is a generated reproducer. */
static long __undefined;
/* --- Struct/Union Declarations --- */
/* Two-field struct; the only object of this type in the listing is g_70. */
struct S0 {
int32_t f0; /* written as a loop counter in func_1 and checksummed in main() */
const int32_t f1; /* const member: initialised once in g_70, only read afterwards */
};
/* --- GLOBAL VARIABLES --- */
/* File-scope state shared by func_1, func_2 and func_4. The integer objects
 * (g_13, g_46, g_56, g_58, g_59, g_70, g_119, g_162) are folded into the CRC
 * in main(); the pointer objects are not. */
static int32_t g_13 = 1L;
/* g_16 is the pointer at the centre of the report: func_4() assigns it the
 * address of its own parameters (&p_5, &p_7) through the alias l_19, and
 * returns its value on one path. Any such value is stale once func_4() returns. */
static int32_t *g_16 = &g_13;
/* Every element holds &g_16; in this listing the array is only used in
 * pointer comparisons, never dereferenced. */
static int32_t **g_42[7][6] = {{&g_16, &g_16, &g_16, &g_16, &g_16, &g_16}, {&g_16, &g_16, &g_16, &g_16, &g_16, &g_16}, {&g_16, &g_16, &g_16, &g_16, &g_16, &g_16}, {&g_16, &g_16, &g_16, &g_16, &g_16, &g_16}, {&g_16, &g_16, &g_16, &g_16, &g_16, &g_16}, {&g_16, &g_16, &g_16, &g_16, &g_16, &g_16}, {&g_16, &g_16, &g_16, &g_16, &g_16, &g_16}};
static int32_t g_46[3][9] = {{0x78A42286L, 0x78A42286L, 0x98A7B986L, 1L, 0L, 1L, 0x98A7B986L, 0x78A42286L, 0x78A42286L}, {0x78A42286L, 0x78A42286L, 0x98A7B986L, 1L, 0L, 1L, 0x98A7B986L, 0x78A42286L, 0x78A42286L}, {0x78A42286L, 0x78A42286L, 0x98A7B986L, 1L, 0L, 1L, 0x98A7B986L, 0x78A42286L, 0x78A42286L}};
static int32_t g_56 = 1L;
static int32_t g_58 = 1L;
static int32_t g_59 = 1L;
static struct S0 g_70 = {0L,0x7D00C9FBL};
/* g_119 and g_162 are only read by the checksum code in main(). */
static const uint8_t g_119 = 1U;
/* g_145 and g_144 are initialised here and not used again in this listing. */
static struct S0 *g_145 = &g_70;
static struct S0 **g_144 = &g_145;
static uint32_t g_162 = 8U;
/* --- FORWARD DECLARATIONS --- */
/* Entry point of the generated code; called once from main(). */
static int16_t func_1(void);
/* Receives the pointer returned by func_4(); the definition never uses p_3. */
static int32_t * func_2(int32_t * const p_3);
/* All five parameters are passed by value, so &p_5 and &p_7 taken inside the
 * function are addresses of automatic objects that stop existing on return. */
static int32_t * func_4(int32_t p_5, uint8_t p_6, int32_t p_7, uint16_t p_8, int8_t p_9);
/* --- FUNCTIONS --- */
/* ------------------------------------------ */
/*
* reads : g_13 g_16 g_42 g_46 g_59 g_58 g_70.f1 g_56 g_70.f0
* writes: g_16 g_13 g_46 g_56 g_58 g_59 g_70.f0
*/
/*
 * func_1: top-level generated function, called once from main() before the
 * globals are checksummed.
 *
 * The statement labelled lbl_91 is the one the report is about: it passes the
 * pointer returned by func_4() straight to func_2(). func_4() has a return
 * path that yields the current value of g_16 after g_16 was set to &p_5, the
 * address of one of func_4's own by-value parameters (cf. CWE-562, CERT
 * DCL30-C). The pointer is not dereferenced here or in func_2(); whether
 * merely passing the value already counts as a read of an indeterminate
 * pointer is the question raised in the accompanying message.
 *
 * Returns an int16_t taken from g_59, *l_72, **l_55 or l_170 depending on the
 * path; main() ignores the return value.
 */
static int16_t func_1(void)
{ /* block id: 0 */
int32_t l_12 = 0x31551DA6L;
/* l_55 aliases the global g_16, so every "(*l_55) = ..." below rewrites g_16. */
int32_t **l_55 = &g_16;
int32_t l_117[6][9] = {{(-1L), 0x40C694B4L, (-2L), (-2L), 0x40C694B4L, (-1L), 0x40C694B4L, (-2L), (-2L)}, {(-1L), 0x40C694B4L, (-2L), (-2L), 0x40C694B4L, (-1L), 0x40C694B4L, (-2L), (-2L)}, {(-1L), 0x40C694B4L, (-2L), (-2L), 0x40C694B4L, (-1L), 0x40C694B4L, (-2L), (-2L)}, {(-1L), 0x40C694B4L, (-2L), (-2L), 0x40C694B4L, (-1L), 0x40C694B4L, (-2L), (-2L)}, {(-1L), 0x40C694B4L, (-2L), (-2L), 0x40C694B4L, (-1L), 0x40C694B4L, (-2L), (-2L)}, {(-1L), 0x40C694B4L, (-2L), (-2L), 0x40C694B4L, (-1L), 0x40C694B4L, (-2L), (-2L)}};
int32_t *l_168 = 0;
int32_t *l_169 = &g_58;
int8_t l_170 = 0x75L;
int i, j;
/* lbl_91 is also the target of the backward "goto lbl_91" further down. */
lbl_91:
/* func_4()'s result may be the address of its parameter p_5, whose lifetime
 * has ended by the time func_2() receives it. func_2() returns a null pointer
 * (l_53[4]), which is stored into g_16 here and replaces whatever func_4()
 * left in g_16. */
(*l_55) = func_2(func_4((safe_div_func_uint32_t_u_u(1U, l_12)), g_13, l_12, g_13, l_12));
/* lbl_101 is the target of "goto lbl_101" inside the lbl_167 loop below. */
lbl_101:
for (g_13 = 5; (g_13 >= 1); g_13 -= 1)
{ /* block id: 86 */
uint32_t l_65 = 0x82D269A6L;
int32_t *l_78 = &g_56;
(*l_55) = (*l_55);
for (l_12 = 5; (l_12 >= 0); l_12 -= 1)
{ /* block id: 90 */
uint8_t l_63 = 0xE2L;
int32_t *l_72 = &g_46[1][4];
for (g_56 = 5; (g_56 >= 0); g_56 -= 1)
{ /* block id: 93 */
int32_t *l_57 = &g_46[0][4];
struct S0 *l_69[6];
int i, j;
for (i = 0; i < 6; i++)
l_69[i] = &g_70;
/* g_16 now points at the static element g_46[0][4]. */
(*l_55) = l_57;
for (g_58 = 0; (g_58 <= 2); g_58 += 1)
{ /* block id: 97 */
int8_t l_62 = 0x53L;
uint8_t l_64[1][4];
const int32_t *l_67 = &g_46[1][4];
const int32_t **l_66 = &l_67;
struct S0 **l_71 = &l_69[4];
int i, j;
for (i = 0; i < 1; i++)
{
for (j = 0; j < 4; j++)
l_64[i][j] = 0xE9L;
}
for (g_59 = 0; (g_59 <= 5); g_59 += 1)
{ /* block id: 100 */
/* Unconditional return on the first iteration, i.e. with g_59 == 0. */
return g_59;
}
if ((safe_rshift_func_int8_t_s_u((((g_46[0][4] < g_13) < l_62) != l_63), 4)))
{ /* block id: 103 */
int i, j;
g_46[g_58][(l_12 + 2)] = l_62;
l_65 ^= (18446744073709551609U & l_64[0][1]);
}
else
{ /* block id: 106 */
const int32_t ***l_68 = &l_66;
(*g_16) &= l_65;
(*l_68) = l_66;
}
(*l_71) = l_69[1];
}
if ((*g_16))
break;
}
for (g_70.f0 = 5; (g_70.f0 >= 0); g_70.f0 -= 1)
{ /* block id: 116 */
int64_t l_73 = 0x5992B028A4BD3C15LL;
int32_t l_77 = 0x76A2755EL;
(*l_55) = l_72;
if ((0x1B451AF0014B0E7ALL ^ (~((l_73 >= ((**l_55) ^ (**l_55))) || (safe_rshift_func_int16_t_s_s(l_65, 12))))))
{ /* block id: 118 */
uint64_t l_76 = 0x0432F2B5FAC05FCALL;
for (g_58 = 5; (g_58 >= 0); g_58 -= 1)
{ /* block id: 121 */
int i, j;
(*g_16) = (**l_55);
l_77 &= l_76;
(*l_55) = (*l_55);
(*l_72) = (**l_55);
}
if ((**l_55))
continue;
if (g_59)
goto lbl_167;
(*l_55) = l_72;
(*l_55) = l_78;
}
else
{ /* block id: 130 */
int8_t l_81 = (-4L);
int32_t *l_89 = &g_58;
struct S0 *l_90 = &g_70;
if (((safe_sub_func_uint8_t_u_u(0x11L, g_70.f1)) || g_46[0][4]))
{ /* block id: 131 */
(*g_16) |= l_81;
(*l_55) = (*l_55);
}
else
{ /* block id: 134 */
const int32_t *l_82 = &g_70.f1;
const int32_t **l_83 = &l_82;
(*l_55) = (*l_55);
(*l_83) = l_82;
return (*l_72);
}
if (((safe_div_func_uint32_t_u_u(((g_59 < g_13) | (&g_42[4][1] != &g_42[6][4])), (*l_78))) < l_77))
{ /* block id: 139 */
return (**l_55);
}
else
{ /* block id: 141 */
const uint8_t l_88[2][6] = {{0U, 0x79L, 0x84L, 0x84L, 0x79L, 0U}, {0U, 0x79L, 0x84L, 0x84L, 0x79L, 0U}};
int i, j;
(*g_16) = (*g_16);
(*l_72) = ((((g_13 && (l_73 ^ (safe_mod_func_uint16_t_u_u((*l_78), g_13)))) < (0xA6D2L || g_46[2][2])) && l_88[0][1]) > (**l_55));
(*l_55) = l_89;
(*l_89) = (*g_16);
}
(**l_55) = (l_77 >= (l_90 != 0));
if ((*l_89))
continue;
}
}
if (l_65)
goto lbl_91;
(*l_55) = (*l_55);
}
}
/* lbl_167 is the target of the forward "goto lbl_167" in block 118 above. */
lbl_167:
for (g_13 = (-29); (g_13 < 13); g_13 = safe_add_func_uint16_t_u_u(g_13, 1))
{ /* block id: 157 */
int32_t *l_94 = 0;
int32_t *l_95 = &g_56;
int32_t l_124[1];
int64_t l_136 = 3L;
int i;
for (i = 0; i < 1; i++)
l_124[i] = 0L;
(*l_95) = (-9L);
(*l_55) = l_95;
for (g_56 = (-1); (g_56 != 19); g_56 = safe_add_func_uint8_t_u_u(g_56, 1))
{ /* block id: 162 */
int32_t l_110 = 0xE50EEE4FL;
int32_t *l_112[3][5];
struct S0 **l_143 = 0;
int32_t * const l_160 = &g_13;
int32_t *l_166 = &l_12;
int i, j;
for (i = 0; i < 3; i++)
{
for (j = 0; j < 5; j++)
l_112[i][j] = &g_46[0][4];
}
for (g_70.f0 = 0; (g_70.f0 == 17); g_70.f0 = safe_add_func_int16_t_s_s(g_70.f0, 1))
{ /* block id: 165 */
int8_t l_100[6] = {(-1L), 0xB2L, 8L, 8L, 0xB2L, (-1L)};
int8_t l_111 = 0x2CL;
int i;
l_100[5] = (**l_55);
if (g_56)
goto lbl_101;
l_111 = (0x5118C22CL > (((**l_55) || (safe_mul_func_uint16_t_u_u(((safe_add_func_uint8_t_u_u(l_100[2], g_56)) < 2U), (-1L)))) > (safe_mul_func_uint16_t_u_u(g_59, (safe_add_func_int8_t_s_s((g_59 & (g_70.f0 != l_110)), ((**l_55) & g_59)))))));
if ((**l_55))
continue;
}
}
(*l_95) |= (-1L);
}
(*l_169) |= (((l_117[5][0] && 0xBB65L) <= 9L) != g_59);
return l_170;
}
/* ------------------------------------------ */
/*
* reads : g_46 g_13
* writes: g_13 g_46
*/
/*
 * func_2: consumer of the pointer produced by func_4().
 *
 * p_3 is never referenced in the body, so a stale pointer passed in is neither
 * dereferenced nor compared here; the only use of its value is the argument
 * passing at the call site in func_1.
 *
 * Returns l_53[4], which the initialisation loop sets to 0, so the result is
 * always a null pointer.
 */
static int32_t * func_2(int32_t * const p_3)
{ /* block id: 73 */
int32_t *l_50 = &g_46[1][2];
int32_t *l_52 = 0;
int32_t *l_53[5];
uint64_t l_54 = 0x2894906A58E0DE0CLL;
int i;
/* Every element of l_53 is null; nothing below changes it. */
for (i = 0; i < 5; i++)
l_53[i] = 0;
for (g_13 = 0; (g_13 != (-25)); g_13 = safe_sub_func_int16_t_s_s(g_13, 6))
{ /* block id: 76 */
int32_t **l_51[2][7];
int i, j;
/* l_51 stores &g_16 but is never read, so g_16's value is not used here. */
for (i = 0; i < 2; i++)
{
for (j = 0; j < 7; j++)
l_51[i][j] = &g_16;
}
l_50 = l_50;
if ((*l_50))
break;
}
l_54 |= (*l_50);
(*l_50) = (*l_50);
return l_53[4];
}
/* ------------------------------------------ */
/*
* reads : g_13 g_16 g_42
* writes: g_16 g_13 g_46
*/
/*
 * func_4: the function the report is about.
 *
 * l_19 aliases the global g_16, so "(*l_19) = &p_5" and "(*l_19) = &p_7"
 * store the address of a by-value parameter in a global. Parameters have
 * automatic storage duration, so those addresses stop designating a live
 * object when func_4 returns (cf. CWE-562, CERT DCL30-C). Two consequences
 * are visible in this body:
 *   - "return (*l_19);" in block 44 returns the current value of g_16, which
 *     was &p_5 on the run quoted in the accompanying message;
 *   - the "return &g_13;" path and the final return both hand back a pointer
 *     to a static object, but leave g_16 itself holding &p_5 or &p_7.
 *
 * Returns a pointer to int32_t: (*l_19), &g_13, or l_47[0][0] (= &g_46[1][7]).
 */
static int32_t * func_4(int32_t p_5, uint8_t p_6, int32_t p_7, uint16_t p_8, int8_t p_9)
{ /* block id: 1 */
/* Alias for the global g_16; (*l_19) and g_16 are the same object. */
int32_t **l_19 = &g_16;
int8_t l_32[9][6] = {{0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}, {0x9AL, 8L, 0x9AL, 8L, 0x9AL, 8L}};
int32_t *l_45 = &g_46[0][4];
int32_t *l_47[4][1];
int i, j;
for (i = 0; i < 4; i++)
{
for (j = 0; j < 1; j++)
l_47[i][j] = &g_46[1][7];
}
/* &g_13 is the address of a static object and cannot be null, so block 2 is
 * not taken and execution continues in the else branch. */
if ((&g_13 == 0))
{ /* block id: 2 */
int32_t *l_15 = &g_13;
int32_t **l_14[4];
int i;
for (i = 0; i < 4; i++)
l_14[i] = &l_15;
g_16 = &g_13;
}
else
{ /* block id: 4 */
int8_t l_29 = 0x51L;
int32_t l_34[2];
int i;
for (i = 0; i < 2; i++)
l_34[i] = 0x0B2B0402L;
/* &p_5 is only compared against null here; the address does not escape. */
p_5 = (safe_mod_func_uint64_t_u_u((l_19 == &g_16), (safe_lshift_func_uint8_t_u_s((safe_lshift_func_int8_t_s_s((0 != &p_5), 5)), (safe_rshift_func_int16_t_s_u(p_7, 4))))));
(*l_19) = &g_13;
/* p_6 is uint8_t, so (-13) converts to 243 and the condition (p_6 < 31) is
 * false on entry: this loop body is not executed. */
for (p_6 = (-13); (p_6 < 31); p_6 = safe_add_func_int32_t_s_s(p_6, 9))
{ /* block id: 9 */
int32_t *l_28 = &g_13;
/* Local alias of the parameter; l_28 itself does not outlive func_4. */
l_28 = &p_5;
if (p_9)
{ /* block id: 11 */
(*g_16) = (((g_13 <= (g_13 | (!(g_13 <= g_13)))) < l_29) > ((((p_9 & (p_9 == p_8)) || (*l_28)) | ((*g_16) >= 0x540F213EL)) != (~((0L || p_6) <= 0x3C3FL))));
g_16 = &g_13;
}
else
{ /* block id: 14 */
(*l_19) = &g_13;
for (p_5 = (-8); (p_5 > 10); p_5 = safe_add_func_int32_t_s_s(p_5, 1))
{ /* block id: 18 */
int32_t l_33 = 5L;
for (l_29 = 5; (l_29 >= 0); l_29 -= 1)
{ /* block id: 21 */
(*g_16) = (*l_28);
}
l_33 = 0xCF3E4C99L;
}
}
l_34[1] = (*l_28);
(**l_19) = (*g_16);
}
for (g_13 = 0; (g_13 <= 5); g_13 += 1)
{ /* block id: 32 */
int32_t *l_40 = &l_34[1];
int32_t *l_41 = &g_13;
for (p_5 = 5; (p_5 >= 0); p_5 -= 1)
{ /* block id: 35 */
int32_t l_35 = 0x726B4FF5L;
int i, j;
(*l_19) = (*l_19);
if (l_32[(g_13 + 1)][p_5])
{ /* block id: 37 */
int i, j;
l_35 |= l_32[(p_5 + 2)][p_5];
if ((safe_add_func_int16_t_s_s(g_13, p_5)))
{ /* block id: 39 */
int32_t *l_38 = &l_35;
(*l_38) &= (**l_19);
/* Escape point: the global g_16 now holds the address of parameter p_5. */
(*l_19) = &p_5;
(*l_38) = (g_13 <= p_6);
(*l_38) &= l_32[(p_5 + 2)][p_5];
}
else
{ /* block id: 44 */
int32_t *l_39 = &l_34[1];
/* Instrumentation line inserted by the reporter, not generated by Csmith: it
 * prints &p_5 next to the value about to be returned so the two can be
 * compared. NOTE(review): %p formally expects void *; the arguments are
 * int32_t * without a cast. */
printf("DANGLING CHECK: &p_5:%p, returning:%p\n", &p_5, *l_19);
/* Returns the current value of g_16. If block 39 ran earlier in this loop,
 * that value is &p_5 and the caller receives a pointer to an object whose
 * lifetime ends with this return. */
return (*l_19);
}
(*l_40) &= p_9;
(*l_40) = (*g_16);
}
else
{ /* block id: 49 */
for (p_6 = 1; (p_6 <= 5); p_6 += 1)
{ /* block id: 52 */
(*l_19) = l_41;
/* The returned pointer (&g_13) is to a static object, but g_16 is left
 * holding &p_5 when the function returns. */
(*l_19) = &p_5;
return &g_13;
}
}
}
(*l_40) = (*g_16);
(*l_19) = &g_13;
(*l_40) = (0 != g_42[6][4]);
for (p_9 = 0; (p_9 <= 5); p_9 += 1)
{ /* block id: 64 */
(*l_40) = (*l_41);
}
}
}
(*l_45) ^= (safe_sub_func_int64_t_s_s((p_9 ^ 0x76E5L), (**l_19)));
/* On this exit path g_16 is left holding &p_7, again the address of a
 * parameter; the value returned is l_47[0][0], i.e. &g_46[1][7]. */
(*l_19) = &p_7;
(*l_19) = &p_7;
return l_47[0][0];
}
/* ---------------------------------------- */
/*
 * main: runs func_1() once, then feeds the integer globals to
 * transparent_crc() and reports the result through platform_main_end().
 *
 * platform_main_begin, crc32_gentab, transparent_crc, crc32_context and
 * platform_main_end are not defined in this listing; presumably they come
 * from csmith.h. The pointer globals (g_16, g_42, g_144, g_145) are not
 * passed to transparent_crc here, so a stale value left in g_16 does not
 * enter the reported checksum through this code.
 */
int main (void)
{
int i, j;
/* Stays 0, so the "index = ..." printf below is never executed. */
int print_hash_value = 0;
platform_main_begin();
crc32_gentab();
/* Return value deliberately ignored; only the side effects on globals matter. */
func_1();
transparent_crc(g_13, "g_13", print_hash_value);
for (i = 0; i < 3; i++)
{
for (j = 0; j < 9; j++)
{
transparent_crc(g_46[i][j], "g_46[i][j]", print_hash_value);
if (print_hash_value) printf("index = [%d][%d]\n", i, j);
}
}
transparent_crc(g_56, "g_56", print_hash_value);
transparent_crc(g_58, "g_58", print_hash_value);
transparent_crc(g_59, "g_59", print_hash_value);
transparent_crc(g_70.f0, "g_70.f0", print_hash_value);
transparent_crc(g_70.f1, "g_70.f1", print_hash_value);
transparent_crc(g_119, "g_119", print_hash_value);
transparent_crc(g_162, "g_162", print_hash_value);
platform_main_end(crc32_context ^ 0xFFFFFFFFUL, print_hash_value);
return 0;
}
/************************ statistics *************************
XXX max struct depth: 1
breakdown:
depth: 0, occurrence: 82
depth: 1, occurrence: 1
XXX non-zero bitfields defined in structs: 0
XXX zero bitfields defined in structs: 0
XXX const bitfields defined in structs: 0
XXX volatile bitfields defined in structs: 0
XXX structs with bitfields in the program: 0
breakdown:
XXX full-bitfields structs in the program: 0
breakdown:
XXX times a bitfields struct's address is taken: 0
XXX times a bitfields struct on LHS: 0
XXX times a bitfields struct on RHS: 0
XXX times a single bitfield on LHS: 0
XXX times a single bitfield on RHS: 0
XXX max expression depth: 2
breakdown:
depth: 0, occurrence: 91
depth: 1, occurrence: 10
depth: 2, occurrence: 1
XXX total number of pointers: 40
XXX times a variable address is taken: 24
XXX times a pointer is dereferenced on RHS: 56
breakdown:
depth: 1, occurrence: 39
depth: 2, occurrence: 17
XXX times a pointer is dereferenced on LHS: 52
breakdown:
depth: 1, occurrence: 49
depth: 2, occurrence: 3
XXX times a pointer is compared with null: 4
XXX times a pointer is compared with address of another variable: 3
XXX times a pointer is compared with another pointer: 1
XXX times a pointer is qualified to be dereferenced: 513
XXX max dereference level: 2
breakdown:
level: 0, occurrence: 0
level: 1, occurrence: 220
level: 2, occurrence: 52
XXX number of pointers point to pointers: 12
XXX number of pointers point to scalars: 25
XXX number of pointers point to structs: 3
XXX percent of pointers has null in alias set: 20
XXX average alias set size: 1.3
XXX times a non-volatile is read: 269
XXX times a non-volatile is write: 154
XXX times a volatile is read: 0
XXX times read thru a pointer: 0
XXX times a volatile is write: 0
XXX times written thru a pointer: 0
XXX times a volatile is available for access: 0
XXX percentage of non-volatile access: 100
XXX forward jumps: 1
XXX backward jumps: 3
XXX stmts: 220
XXX percentage a fresh-made variable is used: 16.4
XXX percentage an existing variable is used: 83.6
********************* end of statistics **********************/