It’s obviously a bug in Csmith. Your understanding is correct.
"--max-pointer-depth" should be the one to limit indirection level for pointer
dereference and other usages.

From: csmith-dev-bounces@flux.utah.edu [mailto:csmith-dev-bounces@flux.utah.edu]
On Behalf Of Tahina Ramananandro

Dear Csmith developers,

I have been testing Csmith 2.2.0 (Git version dcef523), and I am trying to understand the meaning of the --max-pointer-depth option.

If I understood well, Csmith with --max-pointer-depth N should produce a program with pointer-dereferencing expressions of length at most N+1 (i.e. without pointer dereferences of the form *..*x with N+2 stars or more).

However, with --max-pointer-depth 0, I still managed to produce the attached C program with a depth-2 pointer dereference (and similarly, with --max-pointer-depth 1 and a depth-3 pointer dereference, although in the latter case, it is hard to generate such programs if shorter than 400 lines). Moreover, massive tests show that, with --no-checksum --no-argc --no-arrays --no-bitfields --no-structs --no-unions --max-pointer-depth 1, more than 70% of all programs generated by Csmith (regardless of their sizes) reach pointer dereference level 3 or more (sometimes up to 8).

So, is my understanding correct?
- If so, is there a bug in Csmith that makes --max-pointer-depth not properly honored?
- Otherwise, what should be the exact meaning of this option, and which use cases were intended? How could I control the maximum pointer dereference level in Csmith-generated programs?

And then, a final question too: even though it might be possible to limit the level of pointer dereference expressions, is there a way to limit the depth of pointer types?

Thank you in advance for your help.

Best regards,

--
Tahina Oliver Ramananandro, Ph. D.
Senior Engineer, Advanced Compilers and Formal Verification
Reservoir Labs, Inc.
632 Broadway, Suite 803
New York, NY 10012 USA
Phone: +1 (212) 780-0527 ext. 157

Notes:
[#] Here I consider that --max-pointer-depth 0 does not prevent Csmith from producing pointers at large, by contrast to --no-pointers
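A small checker for the property discussed in this thread, added here as an example (it is neither Csmith's code nor part of the original exchange): it tokenizes a C file, measures the depth of every chain of unary `*` dereferences, and reports the depths that exceed N+1 for a given --max-pointer-depth N, under the reading of the option given above. The sample program is constructed to look like Csmith output and is not a real generated file; the prefix-position heuristic for telling dereferences from declarators is an assumption of this checker.

```python
import re

# Constructed sample in the style of a Csmith program (not real Csmith output).
SAMPLE = r"""
static int32_t g_2 = 5;
static int32_t *g_3 = &g_2;        /* pointer declarators are not derefs */
static int32_t **g_4 = &g_3;
int32_t func_1(int32_t *p_5)
{
    int32_t ***l_7 = &g_4;
    int32_t l_6 = (*p_5) * (**g_4);  /* chains of depth 1 and depth 2 */
    (*(*(*l_7))) = l_6 * (*g_3);     /* parenthesised chain of depth 3 */
    return l_6 + (***l_7);           /* run of three stars, depth 3 */
}
"""

# Tokens: comments/literals (skipped), identifiers, numbers, '*', brackets, other operators.
TOKEN_RE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\''
    r'|[A-Za-z_]\w*|\d\w*|\*|[()\[\]]|[^\s\w*()\[\]]+', re.S)

def deref_depths(src):
    """Map chain depth -> number of unary '*' chains of that depth in src.
    A maximal run of '*' tokens counts as dereferences only in prefix position
    (not after an identifier, number, ')' or ']'); a run such as the '**' in
    'int32_t **g' is a declarator or binary operator and is ignored, since the
    two cannot be told apart without types. Parentheses keep a chain alive."""
    counts, chain, prev, in_run, run_is_deref = {}, 0, None, False, False
    for tok in TOKEN_RE.findall(src):
        if tok.startswith(('/*', '//')) or tok[0] in '"\'':
            continue                            # no dereferences in here
        if tok == '*':
            if not in_run:                      # first star of a run
                in_run = True
                run_is_deref = prev is None or not (
                    prev[0].isalnum() or prev[0] == '_' or prev in ')]')
            if run_is_deref:
                chain += 1
        else:
            in_run = False
            if tok != '(' and chain:            # reached the chain's operand
                counts[chain] = counts.get(chain, 0) + 1
                chain = 0
        prev = tok
    return counts

def violations(src, max_pointer_depth):
    """Chain depths that exceed N+1, the limit the question above expects."""
    return sorted(d for d in deref_depths(src) if d > max_pointer_depth + 1)
```

Running `deref_depths(SAMPLE)` gives `{1: 2, 2: 1, 3: 2}`, so `violations(SAMPLE, 1)` reports `[3]`, the kind of depth-3 dereference the message describes for --max-pointer-depth 1.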