<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/78679>78679</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            RISCV64 backend segfault in RISC-V Merge Base Offset
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          patrick-rivos
      </td>
    </tr>
</table>

<pre>
    This program fails with -O3
```/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang red.c -O3```

Discovered/tested using 430a40d12eaa5a61792c4670955c110146902afb (not bisected)

https://godbolt.org/z/zrxq4fdME

Testcase
```c
int printf(const char *, ...);
int b, c, d;
long e, f;
char g[100][100];
long **h;
static int i;
int k, l;
static int *m = &k;
int main() {
  int n = 2;
  int **o = &m;
  int ***p = &o;
  for (c = 0; c >= 0;) {
    int *q = &n;
    *m = 0;
    **h = 0 == p;
    for (l = 1; l < 5; l++)
      if (g[l][c + 3])
 break;
    f = i--;
    e = n;
    *q = 0;
  }
  for (int j = 0;; j++) {
    b = g[d][j];
    printf("Hello\n");
 }
}
```

<details>
  <summary>Crash log (click)</summary>
 
  ```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: /scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18 -cc1 -triple riscv64-unknown-linux-gnu -emit-obj -dumpdir a- -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name red.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu generic-rv64 -target-feature +m -target-feature +a -target-feature +f -target-feature +d -target-feature +c -target-feature +zicsr -target-feature -e -target-feature -h -target-feature -smaia -target-feature -ssaia -target-feature -svinval -target-feature -svnapot -target-feature -svpbmt -target-feature -v -target-feature -xcvalu -target-feature -xcvbi -target-feature -xcvbitmanip -target-feature -xcvelw -target-feature -xcvmac -target-feature -xcvmem -target-feature -xcvsimd -target-feature -xsfvcp -target-feature -xsfvfnrclipxfqf -target-feature -xsfvfwmaccqqq -target-feature -xsfvqmaccdod -target-feature -xsfvqmaccqoq -target-feature -xtheadba -target-feature -xtheadbb -target-feature -xtheadbs -target-feature -xtheadcmo -target-feature -xtheadcondmov -target-feature -xtheadfmemidx -target-feature -xtheadmac -target-feature -xtheadmemidx -target-feature -xtheadmempair -target-feature -xtheadsync -target-feature -xtheadvdot -target-feature -xventanacondops -target-feature -zawrs -target-feature -zba -target-feature -zbb -target-feature -zbc -target-feature -zbkb -target-feature -zbkc -target-feature -zbkx -target-feature -zbs -target-feature -zca -target-feature -zcb -target-feature -zcd -target-feature -zce -target-feature -zcf -target-feature -zcmp -target-feature -zcmt -target-feature -zdinx -target-feature -zfa -target-feature -zfh -target-feature -zfhmin -target-feature -zfinx -target-feature -zhinx -target-feature -zhinxmin -target-feature -zicbom -target-feature -zicbop -target-feature -zicboz -target-feature -zicntr -target-feature -zifencei -target-feature -zihintntl -target-feature -zihintpause -target-feature -zihpm -target-feature -zk -target-feature -zkn -target-feature -zknd -target-feature -zkne -target-feature -zknh -target-feature -zkr -target-feature -zks -target-feature -zksed -target-feature -zksh -target-feature -zkt -target-feature -zmmul -target-feature -zvbb -target-feature -zvbc -target-feature -zve32f -target-feature -zve32x -target-feature -zve64d -target-feature -zve64f -target-feature -zve64x -target-feature -zvfh -target-feature -zvfhmin -target-feature -zvkb -target-feature -zvkg -target-feature -zvkn -target-feature -zvknc -target-feature -zvkned -target-feature -zvkng -target-feature -zvknha -target-feature -zvknhb -target-feature -zvks -target-feature -zvksc -target-feature -zvksed -target-feature -zvksg -target-feature -zvksh -target-feature -zvkt -target-feature -zvl1024b -target-feature -zvl128b -target-feature -zvl16384b -target-feature -zvl2048b -target-feature -zvl256b -target-feature -zvl32768b -target-feature -zvl32b -target-feature -zvl4096b -target-feature -zvl512b -target-feature -zvl64b -target-feature -zvl65536b -target-feature -zvl8192b -target-feature -experimental-zacas -target-feature -experimental-zcmop -target-feature -experimental-zfbfmin -target-feature -experimental-zicfilp -target-feature -experimental-zicfiss -target-feature -experimental-zicond -target-feature -experimental-zimop -target-feature -experimental-ztso -target-feature -experimental-zvfbfmin -target-feature -experimental-zvfbfwma -target-feature +relax -target-abi lp64d -msmall-data-limit 8 -debugger-tuning=gdb -fdebug-compilation-dir=/scratch/tc-testing/llvm-fuzz-ci/triage-7-4127 -fcoverage-compilation-dir=/scratch/tc-testing/llvm-fuzz-ci/triage-7-4127 -resource-dir /scratch/tc-testing/tc-jan-17-llvm/build/lib/clang/18 -isysroot /scratch/tc-testing/tc-jan-17-llvm/build/bin/../sysroot -internal-isystem /scratch/tc-testing/tc-jan-17-llvm/build/lib/clang/18/include -internal-isystem /scratch/tc-testing/tc-jan-17-llvm/build/bin/../sysroot/usr/local/include -internal-isystem /scratch/tc-testing/tc-jan-17-llvm/build/bin/../sysroot/lib/gcc/riscv64-unknown-linux-gnu/12.2.0/../../../../riscv64-unknown-linux-gnu/include -internal-externc-isystem /scratch/tc-testing/tc-jan-17-llvm/build/bin/../sysroot/include -internal-externc-isystem /scratch/tc-testing/tc-jan-17-llvm/build/bin/../sysroot/usr/include -O3 -ferror-limit 19 -fno-signed-char -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -vectorize-slp -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /scratch/tmp/red-a806a3.o -x c red.c
1.      <eof> parser at end of file
2.      Code generation
3.      Running pass 'Function Pass Manager' on module 'red.c'.
4.      Running pass 'RISC-V Merge Base Offset' on function '@main'
 #0 0x0000558363cb3810 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x1ba8810)
 #1 0x0000558363cb0dde SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f59cea42520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #3 0x0000558362e7189b (anonymous namespace)::RISCVMergeBaseOffsetOpt::runOnMachineFunction(llvm::MachineFunction&) RISCVMergeBaseOffset.cpp:0:0
 #4 0x00005583632103b0 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (.part.0) MachineFunctionPass.cpp:0:0
 #5 0x000055836378e67a llvm::FPPassManager::runOnFunction(llvm::Function&) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x168367a)
 #6 0x000055836378e804 llvm::FPPassManager::runOnModule(llvm::Module&) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x1683804)
 #7 0x000055836378f244 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x1684244)
 #8 0x0000558363ef8502 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>, clang::BackendConsumer*) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x1ded502)
 #9 0x000055836449fb91 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x2394b91)
#10 0x0000558365ddc009 clang::ParseAST(clang::Sema&, bool, bool) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x3cd1009)
#11 0x00005583647317f1 clang::FrontendAction::Execute() (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x26267f1)
#12 0x00005583646b04b9 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x25a54b9)
#13 0x00005583647f3ad3 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0x26e8ad3)
#14 0x0000558362d21503 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0xc16503)
#15 0x0000558362d19bed ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) driver.cpp:0:0
#16 0x0000558362d1d78a clang_main(int, char**, llvm::ToolContext const&) (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0xc1278a)
#17 0x0000558362c683db main (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0xb5d3db)
#18 0x00007f59cea29d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#19 0x00007f59cea29e40 call_init ./csu/../csu/libc-start.c:128:20
#20 0x00007f59cea29e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#21 0x0000558362d19065 _start (/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang-18+0xc0e065)
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 18.0.0git (https://github.com/llvm/llvm-project.git 430a40d12eaa5a61792c4670955c110146902afb)
Target: riscv64-unknown-linux-gnu
Thread model: posix
InstalledDir: /scratch/tc-testing/tc-jan-17-llvm/build/bin
clang: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /scratch/tmp/red-796f4b.c
clang: note: diagnostic msg: /scratch/tmp/red-796f4b.sh
clang: note: diagnostic msg:

********************
 ```
</details>

[tmp.zip](https://github.com/llvm/llvm-project/files/13985885/tmp.zip)

```
/scratch/tc-testing/tc-jan-17-llvm/build/bin/clang red.c -O3 -emit-llvm -c -o foo.bc
/scratch/tc-testing/tc-jan-17-llvm/build/build-llvm-linux/bin/llc foo.bc -relocation-model=pic
/scratch/tc-testing/tc-jan-17-llvm/build/build-llvm-linux/bin/bugpoint -run-llc foo.bc --tool-args -relocation-model=pic
```
[bugpoint-reduced-simplified.zip](https://github.com/llvm/llvm-project/files/13985980/bugpoint-reduced-simplified.zip)

This is my first LLVM bug so please let me know if I'm missing anything :smile: 

This bug was found with csmith which is a c-level fuzzer that I've been using on GCC for a while now. If you're interested or want more info here's the repo (Still in the process of adapting my scripts for LLVM fuzzing/reducing):
https://github.com/patrick-rivos/gcc-fuzz-ci
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJy8W19z2yrT_zTKDYNHQpYsX-TCceLTzrRvOk2e81xmECCbGoECyEn86d8ByX9k49OeHj9nJrXlZdn9sbusxGqLjeFLydhtlN1F2f0Nbu1K6dsGW83JGmq-UeamVPTj9nnFDWi0WmpcgwpzYcAbtysAH9Movo_iWZTH_R9aGKKxJasILSyBlhnL5bL78QNLmEygEJs6Qouy5YK6by4jtCACyyXQjI6IF7sX2Mn3n_fcELVhmrlpTjKjoDVcLsE4jfE4pgliGGc4TyZTRMb5JJ5mGUmSOBnn0xjhqgQRKqSyoOSGEevkTI8VrKxtTJTOIrSI0GKpaKmEHSnt8G_dP_3-Oq7o14fjSc_MWIINO7EE6X5zaUGjubRVhAqipLGArLAGEZpFaA5Go5HDkN4duEtHJ-6D7ulCySVgjlbtaV7MMsrukjiOsvvDxWCS1zNb7YnGYssJcIr4QO3aSRchvgjNahCl9yBC-Xowp8bOd0WEpiCa9HTg50g_Ae25wU5ShGZqJ6wODkdo1uw41BFHpZzVCuLH4ii9A-7yYffrBMRe4utOljySBQ6Lik_JzlzdiPt0F82ApcchPE_icLjLOcj8ZYTu_N_0MAEAXrkZzlei8xQBEboDqfux5yw1w-uhJq-CQzigMk89W83r2Wqiyf2J7ZxJfhz40jvwY493aLzScznEtEP84ziyHMc-qCOEPjEhVJTNZYTQcTgfIBwuQhs7SueUWZdXnEN38NO5aesa648ofZhrbFZAqKUPAcHJ2uuZu3yzZ9op3QkYqvr25WH29ABMW9bcAgzK1uWbRmkLrAInW5_bVVuOiHKJqs9X7gs2Wv1gxEZowY1pmYnQAmBJAZdEtJQBu2KAeKwlJmurMfG7ttGs0YowYxgFRrW6I7uZ2BhFOHa5TLcSGKJ5Y0cd5CeLyRrQtm4cMk-KR-Bbn4ixXrY1k9bBBv8s8cKkAJCQBECreSMY0NyQTT6GrVxL9Sah4LJ9h0vZAshqbqEqfwDogFGuAYYAUm5wKRisNGMAEsGwhthYWLJKaQadNZikBz5vzQ3TvOJMezLBmsINFi2DEtfMAOjSC6y46Ai7m0OtmVAEW64krBVlAjScANhwAgXbMAFQ94Mb2HAGYF1pXDPYKC4t01F6L5VkAFY1tivItJYKwKpqIFHS-ctG6b2SAFZSQa1aSblcQscLYO3zt26JVRpiwbFxKKtWvnFJoXXrMlF6jwC0WC-ZhaRpwZJJpjmBepOP9wMVw7bVzGWBOkTEIWIVItIQkYSIW06MPhuA7Jy0OieZGvNzUNCYMHnD5QaL0IDEjbKhgaasA_TNOemduCAJ0kt-gWxrLHkTHGTiLUiv8bkVPZ2de8zRDa_PfQHfTbUhIcWm2lRSE8Gb9-r13LMdw1uNCXl9fQ0Pv7pRqi5o9aOvKjTXrhimZcBv_Uh5ccRcGiG1ujikJK1VyJF-uKpZzen7peGwG7qhv57I6gbzQMB3w-ZDXhS8oaEQfd8wabHEbj2qCVhii990iByy9DZk5G0ZgLQt10HWdZg3YI9tyG1bEkJFQqpIIMK2JJA3tiQQyFtSB-J_S0K7fUu5DC2gCmGtAmlqW61qLkP0sODVZXJYDielCux_Tw8t09G3Qbq0gdjc8opJwgJpbMtXXFppA0m1G2pwa0I-4asmBHgdooVWvJYh969lSNdahnyyDi10HYrJtXs8CpGDYkMBVNdtyEKb4HbbBPfbhqUoFMeOHgqWDcvHIdSOHpaTj4NyggG9uRTRm2Ba2KyXQWpYQigFOnLQC5u1vCB7Fdqejh5GGPL8Zm3CWMIRsVmbMJZgpGyCobIRSYzGQYgiQcWFgTwtLsxB8fjCJJTl4YEUTfILc1IUpo_j6QVhWXJhSn4BcJ5l6QVZRTINCWPvDdPcnTmwgFtMcMCVQx5Sh9LikKcqq2CID7k4qbj4qSzHZX6Kirt7-E-ZfgG6NYHHniHL5teW59je6uBzv2YCHxIGLjkQjU85tamxEJBii6Hg7lRbAEhZ2S6XTEPbSncATO-XtASw8nRIVN1w0R2eKHenocsHR39Eq9rtFhLuxjTHSwYncJygCYCVL8U5yvVkatadjZ2Y3znRCl7uTrQRWrgzLTcfRitlf_98PBq5qb0U6M-QEgsv2LL6GigjtNiVD64i_xx3hBat0U61Ilj8K_q6RS4JidDiYjHBLR-N0CjezT_5-KuJ50tg7-6CXH0p_56mzkl7fY8pgBXTWul-eyfTri7h6_YU-gowrJayJXDDtOFKRun9eIRGid-fQmlIOV5KZSwnBsANI1ZpvmVQKH-EORCMy60VplQbvgTw_uXlj_n85dPsz4eX-__Ovi_Qy3zx-WX29DVK7xMA1cma68a5i1GIizjH6UgB-A5IV7LpClfJqKuFRumcqSpKH0CDtWEaYAuYpEBVoOKir6KjnnmuKOsqKD69dINpP_i9lS7DgQYbAyI0WbSSOC7wzRG-YomXTEdoApQEtaKtcNl00kFCk77ENr4g7Pvnpzn8E3xlesnAHTYMPFaVYbaXV-10RWgSjeOuED7ZFSBRGoP4PY7jOMuKNE9JmRZJDHwIpLMonZkP011801xaX-Z77mqFxYFJ47cXZaxmuI5QHqE54NL6Si0q_nG5L0J38XtS4qJI4kMNOkJpcoI8ppSBJ76UWHzCkgpn0qIH0pHNiDRNlM5i_28vCPWCJlU2JQyPUYbiHnqXHN6L_CUfDza14CUZGTXKPTw_ZQAuPQaH2CQppv6dDpZKftSqNcCXDhtvymlnRufJP70fnRs7Lz42trdxKx_lV0xWXLJd_AyccDaWu4WHZIatMB6YEyVxWh4Hwol4F7lHwIKITqBEqBg1WFuXRKcgIC-MKxvgmhQsn-AjXItvbupuD_1tRFcKz7xI8wkeREB-iruIx7-A-6vf_0PP9qTrYy7i8QDz5ARzhcbHmAVbYvLR54MD-s91I_Yr-HeQj9F4iLwYIGdVkcUIdE8uHslDze1dV9p_bG3TWv92Zj98f7j5PMgll6zPY0csnximTD8xrMnqsXFRZIAvs5-zupvBH0z-hOvZPyb_hOkLlssQy8HGT1ZzufzOqiF5Z_rZicDeCLN-HxxP-Sytbg3fsO-smkv7zeoonR-GN1W_4xdcsCf_PBGlD06EsbQbaSV_bdlLczLT3R-aN80te9ndJY4mUVbhVtgXygSz7CcT04de5_mS5kqatnZZf3bdcKOMZjEahNv0ONzG42lVTpO_gtRFkL8rPWssTXcI-Y_kJ3E4e3qeK2nZu732pkHpdFxOk0MfAUqTwb0_o5TE8fR4Fd_cc8_s6XmI8YnVuI_CUilx-L4i2pTQJI6nA7SD-_14kiaTamDzhXaW24d2t-3fGWkt2736v5oxc5RPqqEx0QBeXsbjcjpMCu7wyfRnaSyWhA0A7rZjcXk9146HDGfjcmjhdGjhKsU0HSTRDuxhJZv-9eYQ-NlKr7whUc4KTNMB9MHTC6IoyeIUEJK89J0fh5wy0xp_uHSZzv2xpM-qs11eGdDQHGwUp9deAUnyLB4uIBsuIJmWjIKdwefJs99hR8t4qrEQf_pTUXf_Dazm5E7hZPTZ5eheMgVU8w3T509fDlZ-AotOCtyFxM6y_gm7s9uuLeZXlF7RlmhS4IEtB48xiORFSkvfAnQ9rWVGU1oOtBbDYwSa0mkMXl7cSeHFWKztC8FCeLMBd5ompj06WFPWmAgtZGNFf7w4nTRaReksK6J0luQHrdNTrWwcAz-HS25PFXWXTjr00kfEiUNOKDp4HcUhoYOlhFYRFJ5O3OkmO8hOTgM9zjPQSb1iUMQszrO9e3bJCfgahbtoJS4FA1YB1u0xQFRdY-meScATW_pqpz83-4cT38yjNPMtLkfdeOeCu_bAqs_dO6m-F5FRQFuv0_jjqBPqX4VtPI0xwI8y6rEG0BdNQFKM4lG85B7Q3-sEGrlZv9p-uFffPaS6hV0ucXWMK80wBb7PxbE3yvD3bsjfB4Rg9J7rf9ABNDS4VO5ZcQYOZSNQm-W--2jfofc7f0cNX30v1uz5eTb_BJ4_PYDF45cvj__9_H9_gMXnLw9P4PnRk-_-8wf4_vDt8fvzHsO3UC9VYVz2u9hPtWfQDPjmIUYBtnuRP1_-pXLXZJpX43JX4_rHcszqb_rjSl457ZXrOutOe_L6z-zO1s1oyxvfvvg390uEFhUXvnEuSadFVhRZZwgvcNiOewrqSr3FfQubYwWQAKhApdSoJL-vxX13HW1---4VC0F62QCedq1F6X3D_wc6y3bpW90A1K2ExwigVUpArJfmJ2hOzJ7d7WRCzWhLGIWG143gFWf0WnEwLeIj8JcUDePDt6VzA-oPUHFtLPjy5c-vvq_TKNAIhg0DgllQM-CSK-AV-ByhSQ1qbnzbOJYfduUuonRmai78VjvT4AS-YQMq1UraNb4TU7uvtxUnK4cAg13zYdVut0wDu8LWK9swUDIm-z51JcEf87lvx8VutmBAqrcR-FyBD9X66jTwbxm65nalwRuWFtTK0ysFVkyzCE2MbzTVrFHujvVkuRCAS0_scyNQFcAUNy6OnIG6PGi8am8mB7SLMW9rfzndJ5a_cObg_wd073h2b_Ru6G1Kp-kU37DbZBJneZaguLhZ3SZomqVlWRYJTklS0WJSpTSpEkLGEzal6IbfohiN4ySZxoV7QhpN4iqpJlk1phNC0yKPxjGrMRcjF0QjpZc3vgH3dlLkk-mNwCUTxv9HBoQkewN-MEIoyu5v9K0PvLJdmmgcC26sOUix3Ap26-u5-Rjs2lQNW3YPKFyCS28Cblotbn-_bdgD__8AAAD__-p50w8">