JIT: fix flags lossage in morph comma/ind interchange (dotnet#68082)

Morph may transform `IND(COMMA(..., z))` into `COMMA(... , IND(z))`
and when doing so it was not computing appropriately conservative
flags for the new `IND`. In particular it was losing `GTF_GLOB_REF`.

This allowed subsequent opts to reorder operands in an unsafe manner.

Fixes dotnet#68049.

src/coreclr/jit/morph.cpp

@@ -12279,10 +12279,22 @@ GenTree* Compiler::fgMorphSmpOp(GenTree* tree, MorphAddrContext* mac)
                 GenTree* addr = commaNode->AsOp()->gtOp2;
                 // TODO-1stClassStructs: we often create a struct IND without a handle, fix it.
                 op1 = gtNewIndir(typ, addr);
-                // This is very conservative
-                op1->gtFlags |= treeFlags & ~GTF_ALL_EFFECT & ~GTF_IND_NONFAULTING;
+
+                // Determine flags on the indir.
+                //
+                op1->gtFlags |= treeFlags & ~GTF_ALL_EFFECT;
                 op1->gtFlags |= (addr->gtFlags & GTF_ALL_EFFECT);
 
+                // if this was a non-faulting indir, clear GTF_EXCEPT,
+                // unless we inherit it from the addr.
+                //
+                if (((treeFlags & GTF_IND_NONFAULTING) != 0) && ((addr->gtFlags & GTF_EXCEPT) == 0))
+                {
+                    op1->gtFlags &= ~GTF_EXCEPT;
+                }
+
+                op1->gtFlags |= treeFlags & GTF_GLOB_REF;
+
 #ifdef DEBUG
                 op1->gtDebugFlags |= GTF_DEBUG_NODE_MORPHED;
 #endif

src/tests/JIT/Regression/JitBlue/Runtime_68049/Runtime_68049_0.cs

@@ -0,0 +1,70 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+// Generated by Fuzzlyn v1.5 on 2022-04-13 11:38:00
+// Run on X64 Linux
+// Seed: 1784259920377383051
+// Reduced from 110.5 KiB to 0.9 KiB in 00:00:57
+// Debug: Outputs 1
+// Release: Outputs 0
+
+public struct S0
+{
+    public uint F0;
+    public long F1;
+    public S0(uint f0): this()
+    {
+        F0 = f0;
+    }
+
+    public ulong M5()
+    {
+        var vr1 = new ushort[]{0};
+        M6(vr1);
+        return 1;
+    }
+
+    public void M6(ushort[] arg0)
+    {
+        this = new S0(0);
+    }
+}
+
+public class Runtime_68049_0
+{
+    public static long s_result;
+    public static IRuntime s_rt;
+    public static int Main()
+    {
+        s_rt = new Runtime();
+        var vr4 = new S0[]{new S0(1)};
+        var vr5 = new short[]{0};
+        bool vr6 = M1(vr4, vr5) <= 1;
+        return (int)s_result;
+    }
+
+    public static short M1(S0[] arg0, short[] arg1)
+    {
+        long var3 = arg0[0].F1;
+        var3 = (arg0[0].F0 & (byte)arg0[0].M5());
+        s_rt.WriteLine(var3);
+        return arg1[0];
+    }
+}
+
+public interface IRuntime
+{
+    void WriteLine<T>(T value);
+}
+
+public class Runtime : IRuntime
+{
+    public void WriteLine<T>(T value)
+    {
+        System.Console.WriteLine(value);
+        if (typeof(T) == typeof(long))
+        {
+            Runtime_68049_0.s_result = ((long)(object)value) + 99;
+        }
+    }
+}

src/tests/JIT/Regression/JitBlue/Runtime_68049/Runtime_68049_0.csproj

@@ -0,0 +1,9 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <Optimize>True</Optimize>
+  </PropertyGroup>
+  <ItemGroup>
+    <Compile Include="$(MSBuildProjectName).cs" />
+  </ItemGroup>
+</Project>