
[csmith-bugs] Uninitialized field of union



Hello,

This is a continuation of a thread about reading, at CRC time,
union members other than the one through which the union
was initialized. The last message in the thread was
http://www.flux.utah.edu/listarchives/csmith-dev/msg00232.html .

The example below is very similar to the program that started that thread:
a union is initialized through one particular member, and at CRC time
the union is read through another, wider member.

The example was generated with the latest version as of now:

/*
 * This is a RANDOMLY GENERATED PROGRAM.
 *
 * Generator: csmith 2.1.0
 * Git version: b911750
 * Options:   --max-pointer-depth 3 --max-funcs 2 --max-array-dim 2 --max-array-len-per-dim 3 --max-struct-fields 5 --no-volatiles --no-argc --unions
 * Seed:      2541560484
 */

On the first iteration, line 230 of the attached program (the transparent_crc call on g_17[i].f2 in main) reads 32 bits from the beginning of g_17, whereas only 11 bits have been initialized through f0.

Should we start providing platform.info with bug reports,
since it influences the generation of programs? Here's mine:

integer size = 4
pointer size = 8

Pascal

/*
 * This is a RANDOMLY GENERATED PROGRAM.
 *
 * Generator: csmith 2.1.0
 * Git version: b911750
 * Options:   --max-pointer-depth 3 --max-funcs 2 --max-array-dim 2 --max-array-len-per-dim 3 --max-struct-fields 5 --no-volatiles --no-argc --unions
 * Seed:      2541560484
 */

#include "csmith.h"


/*
 * Emitted by the generator; not referenced anywhere else in this listing.
 * The double-underscore name lies in the identifier space C reserves for the
 * implementation.
 */
static long __undefined;

/* --- Struct/Union Declarations --- */
/*
 * union U0: four members sharing one storage location.
 * The first named member, f0, is also the widest, so a brace initializer
 * (which initializes the first named member) covers every byte that the
 * narrower members f1, f2 and f3 overlay.
 */
union U0 {
   int64_t  f0;
   const uint32_t  f1;   /* const-qualified; f3 overlays the same bytes and is written in func_1 */
   signed f2 : 3;        /* 3-bit signed bit-field */
   uint32_t  f3;
};

/*
 * union U1: the type at the centre of the accompanying report.
 * The first named member, f0, is an 11-bit unsigned bit-field, so a brace
 * initializer such as {0xB5AF9F7CL} initializes f0 only and keeps just the
 * low 11 bits of the constant. f2 is a full 32-bit member over the same
 * storage: reading f2 after initialization through f0 observes bits that the
 * initializer did not define, so the value read is not pinned down by the
 * program text and may differ between compilers.
 */
union U1 {
   unsigned f0 : 11;     /* first named member: the one brace initializers set */
   signed : 0;           /* unnamed zero-width bit-field; cannot be initialized or read */
   uint8_t  f1;
   uint32_t  f2;         /* wider than f0: covers bits f0 never writes */
};

/* --- GLOBAL VARIABLES --- */
/*
 * Every union below is brace-initialized, which initializes its first named
 * member: f0 (11-bit unsigned bit-field) for union U1, f0 (int64_t) for
 * union U0. For union U1 that leaves the bits outside f0 without a value
 * assigned by the initializer.
 */
static union U1 g_13 = {9UL};
static uint8_t g_14 = 0xD2L;
/*
 * Initialized through f0 only; the 32-bit constant is reduced to 11 bits
 * (0x77C). No statement in this listing assigns to g_17 afterwards: func_1
 * and func_4 only read it or receive copies by value. main later reads
 * g_17[i].f2, i.e. all 32 bits.
 */
static union U1 g_17[3] = {{0xB5AF9F7CL}, {0xB5AF9F7CL}, {0xB5AF9F7CL}};
static int32_t g_19 = 0x3EDB3952L;
static union U0 g_23 = {0L};    /* f0 is the widest member, so all overlaid members are covered */
static union U0 *g_22 = &g_23;
static uint64_t g_32 = 0xDAE89405DBD55ADBLL;
static uint32_t g_49 = 1UL;
static int16_t g_53 = (-1L);
static int32_t g_55 = 0xA1AEA078L;
static int32_t g_79 = 0xEDED6215L;
static uint32_t g_80 = 4294967295UL;
static int16_t g_96 = 0xBBA7L;
static uint16_t g_97 = 65535UL;
static uint64_t g_135 = 0x7413A7E429369BD4LL;
static uint16_t g_162 = 3UL;
static int16_t *g_168 = &g_53;
static int16_t **g_167 = &g_168;
static uint64_t g_210 = 0x1DA4DADB69EBD4F2LL;
static int32_t g_252 = 0x61819A6AL;
static uint8_t g_253[3] = {0x8EL, 0x8EL, 0x8EL};
static uint64_t g_256 = 9UL;
static uint16_t g_262 = 65527UL;
static int64_t g_271 = 9L;
static uint32_t g_272 = 0xF87870E3L;
/* All three entries start out pointing at g_79; func_1 may redirect entry 0. */
static int32_t *g_284[3] = {&g_79, &g_79, &g_79};
static int16_t g_290[2] = {0x9871L, 0x9871L};
static int32_t g_314[2] = {0x8D991BF4L, 0x8D991BF4L};
static union U1 g_331 = {0x7DE6D6B8L};      /* main reads this one through f0 only */
static union U1 g_344 = {4294967295UL};     /* main reads this one through f0 only */
static int32_t **g_365[3][2] = {{(void*)0, (void*)0}, {(void*)0, (void*)0}, {(void*)0, (void*)0}};
static int32_t ** const *g_364 = &g_365[2][1];
static int32_t ** const **g_363 = &g_364;
static uint64_t g_418 = 1UL;
static int32_t g_426 = 1L;


/* --- FORWARD DECLARATIONS --- */
/* Root of the generated call graph; called once from main. */
static int32_t  func_1(void);
/* Both union U1 parameters are passed by value, so writes inside func_4 do not reach the caller's objects. */
static uint64_t  func_4(uint32_t  p_5, union U1  p_6, uint64_t  p_7, uint8_t  p_8, union U1  p_9);


/* --- FUNCTIONS --- */
/* ------------------------------------------ */
/*
 * func_1: root function of the generated program; main calls it once and
 * discards the return value.
 *
 * Generator-recorded effects:
 * reads : g_14 g_17 g_19 g_23.f1 g_290 g_256 g_167 g_168 g_53 g_96 g_23.f3 g_13.f0 g_271 g_79 g_210 g_252 g_17.f0 g_284 g_135
 * writes: g_13 g_32 g_23.f3 g_314 g_210 g_79 g_135 g_284
 *
 * g_17 appears only in the read set: it is passed to func_4 by value
 * (whole elements or the f0 member) and never assigned, so the bits outside
 * f0 keep whatever the static initializer left there.
 *
 * The safe_* arithmetic helpers come from csmith.h, which is not part of this
 * listing.
 *
 * Returns g_256, converted from uint64_t to int32_t.
 */
static int32_t  func_1(void)
{ /* block id: 0 */
    uint16_t l_10 = 65529UL;
    union U1 l_11 = {0xA86BA47CL};   /* local union, also initialized through f0 only */
    union U1 *l_12[2][1];
    uint64_t *l_291[1];
    int32_t l_292[1];
    int16_t ***l_332[1][2];
    int32_t l_399 = (-10L);
    int32_t *l_455 = (void*)0;
    int32_t **l_457 = &l_455;
    int i, j;
    /* Element-wise initialization of the local arrays declared above. */
    for (i = 0; i < 2; i++)
    {
        for (j = 0; j < 1; j++)
            l_12[i][j] = &l_11;
    }
    for (i = 0; i < 1; i++)
        l_291[i] = &g_256;
    for (i = 0; i < 1; i++)
        l_292[i] = (-1L);
    for (i = 0; i < 1; i++)
    {
        for (j = 0; j < 2; j++)
            l_332[i][j] = (void*)0;
    }
    /*
     * The controlling value is the right operand of the outermost comma
     * operator, l_292[0]. The left operand is evaluated for its side effects:
     * the whole-union copy g_13 = l_11, the chained assignment
     * g_32 = l_292[0] = ..., and one func_4 call that receives g_17[0] by
     * value.
     */
    if (((safe_mul_func_int16_t_s_s(((func_4(l_10, (g_13 = l_11), g_14, (~(safe_lshift_func_int16_t_s_s(l_10, 9))), g_17[0]) >= ((safe_mod_func_int16_t_s_s(6L, l_11.f0)) & (safe_unary_minus_func_uint64_t_u((g_32 = (l_292[0] = (((((safe_div_func_uint8_t_u_u(g_23.f1, 0x6CL)) & l_10) < l_11.f0) != l_10) | g_290[0]))))))) >= 0xDBL), 0xF744L)) , l_292[0]))
    { /* block id: 182 */
        int32_t l_301 = (-1L);
        union U1 l_312 = {0xF488365CL};
        int32_t l_313 = 0x5124B50EL;
        int32_t *l_315[1][2];
        int i, j;
        for (i = 0; i < 1; i++)
        {
            for (j = 0; j < 2; j++)
                l_315[i][j] = &g_55;
        }
        /*
         * One expression with embedded side effects: assigns g_314[1] and
         * l_313, post-increments g_23.f3, and calls func_4 twice, each time
         * passing g_17[0] by value.
         */
        l_292[0] |= ((safe_mod_func_int32_t_s_s(((((safe_sub_func_int64_t_s_s(((g_314[1] = (safe_mod_func_int8_t_s_s((safe_lshift_func_int16_t_s_s(l_301, ((safe_add_func_int64_t_s_s((g_256 < (**g_167)), g_96)) , (safe_lshift_func_int8_t_s_s(l_301, (((safe_lshift_func_int8_t_s_u((l_313 = (safe_sub_func_int64_t_s_s(func_4(l_301, g_17[0], ((func_4((g_23.f3++), (l_301 , g_17[0]), g_13.f0, l_301, l_312) , g_13.f0) >= l_301), l_11.f0, l_312), 0L))), 0)) <= 18446744073709551615UL) , g_271)))))), g_79))) < g_210), g_210)) <= 8UL) < g_252) ^ l_312.f0), 4294967290UL)) > l_301);
    }
    else
    { /* block id: 187 */
        int32_t **l_317 = &g_284[0];
        int32_t ***l_316 = &l_317;
        uint32_t *l_318 = &g_23.f3;
        union U1 l_319 = {2UL};
        union U0 l_328 = {0x62EA837A7E7F28E2LL};
        int16_t *l_370 = &g_290[1];
        int32_t l_401 = 0x3495B4D9L;
        int32_t l_402[3][3] = {{0xAAABA1ACL, (-9L), 0xAAABA1ACL}, {0xAAABA1ACL, (-9L), 0xAAABA1ACL}, {0xAAABA1ACL, (-9L), 0xAAABA1ACL}};
        uint32_t l_435 = 0xDA92B66BL;
        uint8_t l_440 = 255UL;
        uint32_t l_452 = 0x952C124EL;
        union U1 **l_456 = &l_12[0][0];
        int i, j;
        /*
         * l_316 -> l_317 -> g_284[0], and g_284[0] initially points at g_79,
         * so the left-hand side names g_79 at this point. The right-hand
         * side also stores to g_23.f3 (through l_318) and to g_210.
         */
        (***l_316) &= ((func_4(((*l_318) = (0x39L != (0x54731B12L && ((void*)0 != l_316)))), l_319, (g_210 = g_19), g_17[0].f0, l_319) <= 0x0DADL) < (**g_167));
        /* The loop counter is the global g_135; it holds 2 once the loop exits. */
        for (g_135 = 0; (g_135 <= 1); g_135 += 1)
        { /* block id: 193 */
            int32_t *l_329 = &g_314[0];
            union U1 l_330 = {4294967295UL};
            uint8_t *l_333 = &l_319.f1;
            int32_t l_373[2][1];
            int32_t l_400 = 0x88DAA7BDL;
            uint32_t l_403 = 4294967291UL;
            uint64_t l_425 = 18446744073709551606UL;
            uint64_t l_432 = 18446744073709551607UL;
            int32_t l_451 = 4L;
            int i, j;
            /* The body only fills l_373; none of the locals above are used further. */
            for (i = 0; i < 2; i++)
            {
                for (j = 0; j < 1; j++)
                    l_373[i][j] = 0L;
            }
        }
        /*
         * Stores the address of the automatic object l_292[0] into the global
         * g_284[0]. Once func_1 returns, g_284[0] refers to an object whose
         * lifetime has ended; main does not read g_284 afterwards.
         */
        (**l_316) = &l_292[0];
        (*l_456) = &g_344;      /* redirects the local l_12[0][0]; no global is changed */
    }
    (*l_457) = &l_292[0];       /* sets the local l_455; it goes out of scope on return */
    return g_256;
}


/* ------------------------------------------ */
/*
 * func_4: leaf function called from func_1.
 *
 * Generator-recorded effects:
 * reads : g_19
 * writes:
 *
 * p_6 and p_9 are union U1 values passed by copy; the loop below uses
 * p_9.f1 as its counter, which changes only the callee's copy.
 *
 * Returns the value of g_19 (read through l_18), converted from int32_t to
 * uint64_t.
 */
static uint64_t  func_4(uint32_t  p_5, union U1  p_6, uint64_t  p_7, uint8_t  p_8, union U1  p_9)
{ /* block id: 2 */
    const int32_t * const l_18 = &g_19;
    const int32_t *l_21[3][1];
    const int32_t **l_20 = &l_21[2][0];
    uint32_t l_50[3][1];
    int32_t l_67 = (-7L);
    uint16_t l_87 = 0xA32DL;
    int8_t l_138 = 0x84L;
    int32_t l_160 = 7L;
    int32_t l_161 = 0x768F058CL;
    uint32_t l_201 = 0x8CC48AF1L;
    int32_t l_260[2];
    int64_t l_261[2];
    int i, j;
    /* Element-wise initialization of the local arrays declared above. */
    for (i = 0; i < 3; i++)
    {
        for (j = 0; j < 1; j++)
            l_21[i][j] = (void*)0;
    }
    for (i = 0; i < 3; i++)
    {
        for (j = 0; j < 1; j++)
            l_50[i][j] = 5UL;
    }
    for (i = 0; i < 2; i++)
        l_260[i] = 0x68F17BB5L;
    for (i = 0; i < 2; i++)
        l_261[i] = (-1L);
    (*l_20) = l_18;     /* l_21[2][0] now points at g_19 */
    /* Counter is the f1 member of the by-value parameter p_9: three iterations (0, 1, 2). */
    for (p_9.f1 = 0; (p_9.f1 <= 2); p_9.f1 += 1)
    { /* block id: 6 */
        union U0 *l_26 = &g_23;
        int32_t *l_27 = &g_19;
        int32_t l_63[1][2];
        int16_t **l_170 = &g_168;
        uint32_t l_283 = 1UL;
        int i, j;
        /* The body only fills l_63; the pointers declared above are not dereferenced. */
        for (i = 0; i < 1; i++)
        {
            for (j = 0; j < 2; j++)
                l_63[i][j] = (-5L);
        }
    }
    l_67 &= p_5;        /* result is not used before the function returns */
    return (*l_18);
}




/* ---------------------------------------- */
/*
 * main: runs func_1 once, then folds the final value of the globals into a
 * CRC through transparent_crc and hands the result to platform_main_end.
 * platform_main_begin, crc32_gentab, transparent_crc, crc32_context and
 * platform_main_end come from csmith.h, which is not part of this listing.
 *
 * The checksum is only a meaningful test oracle if every value fed into it
 * is fully determined by the program. The g_17[i].f2 read below is the case
 * the accompanying report identifies as not meeting that requirement.
 */
int main (void)
{
    int i, j;                       /* j is not used in this function */
    int print_hash_value = 0;       /* stays 0, so the printf calls below never run */
    platform_main_begin();
    crc32_gentab();
    func_1();                       /* return value discarded */
    transparent_crc(g_13.f0, "g_13.f0", print_hash_value);
    transparent_crc(g_14, "g_14", print_hash_value);
    for (i = 0; i < 3; i++)
    {
        /* f0 is the member g_17 was initialized through: well-defined read. */
        transparent_crc(g_17[i].f0, "g_17[i].f0", print_hash_value);
        /*
         * Reported defect: f2 is a 32-bit member, but g_17 was initialized
         * through the 11-bit f0 and is never assigned in this listing, so
         * this read includes bits the program never gave a value. The CRC
         * can therefore differ between compilers without either one having
         * miscompiled the program.
         */
        transparent_crc(g_17[i].f2, "g_17[i].f2", print_hash_value);
        if (print_hash_value) printf("index = [%d]\n", i);

    }
    transparent_crc(g_19, "g_19", print_hash_value);
    /*
     * g_23 was initialized through f0 (int64_t), its widest member, so the
     * narrower f1, f2 and f3 overlay bytes that the initializer covered.
     */
    transparent_crc(g_23.f1, "g_23.f1", print_hash_value);
    transparent_crc(g_23.f2, "g_23.f2", print_hash_value);
    transparent_crc(g_23.f3, "g_23.f3", print_hash_value);
    transparent_crc(g_32, "g_32", print_hash_value);
    transparent_crc(g_49, "g_49", print_hash_value);
    transparent_crc(g_53, "g_53", print_hash_value);
    transparent_crc(g_55, "g_55", print_hash_value);
    transparent_crc(g_79, "g_79", print_hash_value);
    transparent_crc(g_80, "g_80", print_hash_value);
    transparent_crc(g_96, "g_96", print_hash_value);
    transparent_crc(g_97, "g_97", print_hash_value);
    transparent_crc(g_135, "g_135", print_hash_value);
    transparent_crc(g_162, "g_162", print_hash_value);
    transparent_crc(g_210, "g_210", print_hash_value);
    transparent_crc(g_252, "g_252", print_hash_value);
    for (i = 0; i < 3; i++)
    {
        transparent_crc(g_253[i], "g_253[i]", print_hash_value);
        if (print_hash_value) printf("index = [%d]\n", i);

    }
    transparent_crc(g_256, "g_256", print_hash_value);
    transparent_crc(g_262, "g_262", print_hash_value);
    transparent_crc(g_271, "g_271", print_hash_value);
    transparent_crc(g_272, "g_272", print_hash_value);
    for (i = 0; i < 2; i++)
    {
        transparent_crc(g_290[i], "g_290[i]", print_hash_value);
        if (print_hash_value) printf("index = [%d]\n", i);

    }
    for (i = 0; i < 2; i++)
    {
        transparent_crc(g_314[i], "g_314[i]", print_hash_value);
        if (print_hash_value) printf("index = [%d]\n", i);

    }
    /* These two union U1 objects are read through f0 only, the member they were initialized through. */
    transparent_crc(g_331.f0, "g_331.f0", print_hash_value);
    transparent_crc(g_344.f0, "g_344.f0", print_hash_value);
    transparent_crc(g_418, "g_418", print_hash_value);
    transparent_crc(g_426, "g_426", print_hash_value);
    platform_main_end(crc32_context ^ 0xFFFFFFFFUL, print_hash_value);
    return 0;
}

/************************ statistics *************************
XXX max struct depth: 0
breakdown:
   depth: 0, occurrence: 121
XXX total union variables: 11

XXX non-zero bitfields defined in structs: 3
XXX zero bitfields defined in structs: 1
XXX const bitfields defined in structs: 0
XXX volatile bitfields defined in structs: 0
XXX structs with bitfields in the program: 16
breakdown:
   indirect level: 0, occurrence: 11
   indirect level: 1, occurrence: 3
   indirect level: 2, occurrence: 2
XXX full-bitfields structs in the program: 0
breakdown:
XXX times a bitfields struct's address is taken: 4
XXX times a bitfields struct on LHS: 1
XXX times a bitfields struct on RHS: 32
XXX times a single bitfield on LHS: 1
XXX times a single bitfield on RHS: 26

XXX max expression depth: 34
breakdown:
   depth: 1, occurrence: 14
   depth: 2, occurrence: 2
   depth: 13, occurrence: 1
   depth: 21, occurrence: 1
   depth: 34, occurrence: 1

XXX total number of pointers: 141

XXX times a variable address is taken: 37
XXX times a pointer is dereferenced on RHS: 34
breakdown:
   depth: 1, occurrence: 25
   depth: 2, occurrence: 5
   depth: 3, occurrence: 4
XXX times a pointer is dereferenced on LHS: 72
breakdown:
   depth: 1, occurrence: 59
   depth: 2, occurrence: 10
   depth: 3, occurrence: 3
XXX times a pointer is compared with null: 6
XXX times a pointer is compared with address of another variable: 1
XXX times a pointer is compared with another pointer: 2
XXX times a pointer is qualified to be dereferenced: 1450

XXX max dereference level: 4
breakdown:
   level: 0, occurrence: 0
   level: 1, occurrence: 160
   level: 2, occurrence: 30
   level: 3, occurrence: 18
   level: 4, occurrence: 7
XXX number of pointers point to pointers: 26
XXX number of pointers point to scalars: 111
XXX number of pointers point to structs: 0
XXX percent of pointers has null in alias set: 16.3
XXX average alias set size: 1.13

XXX times a non-volatile is read: 349
XXX times a non-volatile is write: 225
XXX times a volatile is read: 0
XXX    times read thru a pointer: 0
XXX times a volatile is write: 0
XXX    times written thru a pointer: 0
XXX times a volatile is available for access: 0
XXX percentage of non-volatile access: 100

XXX forward jumps: 0
XXX backward jumps: 2

XXX stmts: 12
XXX max block depth: 1
breakdown:
   depth: 0, occurrence: 7
   depth: 1, occurrence: 5

XXX percentage a fresh-made variable is used: 18.2
XXX percentage an existing variable is used: 81.8
FYI: the random generator makes assumptions about the integer size. See platform.info for more details.
********************* end of statistics **********************/