It would be nice to have an attribute that one can add to an unsigned integer type that makes overflow trap. typedef unsigned int __attribute__ ((__overflow__)) positive_int;
Huh? Is this thinking about being added to the C standard? I suspect this will be abused just as clang's "unsigned overflow" ubsan has been abused, and incorrect bug reports to library developers have happened (e.g. one to libstdc++ for some pseudo-random code where it uses wrapping).
That opens the door to issues about how you can actually subtract those things validly. Would x - y and x + (-y) then behave differently for it?
It came up as a possibility in various discussions, including on the kernel mailing list or inside WG14. I personally use signed types if I want to detect overflow and unsigned only if I want modulo behavior, and I am relatively happy with this. But others like to (or have code that does) use unsigned types also for positive numbers such as sizes or indices, where wraparound often leads to bugs. I don't see the risk of misuse as much as with the sanitizer, as it would be opt-in for specific types, so it can be introduced only where it is clear that wraparound is not intended. I would say x - y would be different from x + (-y), and the latter should trap. Although I guess (-y) could already be diagnosed in the FE, so for the middle end this would not matter.
-y is OK when y == 0. I hope you are not suggesting that it's UB to overflow, though. The attribute should make the frontend lower operations according to the semantics and leave everything in the middle-end unaffected.
I agree this could be done completely in the FE.
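As an added illustration (not code from the thread; the proposed attribute does not exist, so the trapping type is modelled here with a checked_uint struct and an ok flag standing in for the trap), the following shows the x - y versus x + (-y) distinction discussed above using GCC/clang's __builtin_*_overflow builtins, which is roughly what a frontend lowering would emit:

```c
#include <stdbool.h>
#include <limits.h>

/* Stand-in for the proposed "typedef unsigned int __attribute__((__overflow__)) positive_int". */
typedef unsigned int positive_int;

/* Hypothetical checked result: ok == false marks where the proposed attribute would trap. */
typedef struct {
    positive_int value;
    bool ok;
} checked_uint;

/* x + y traps (ok == false) only if the mathematical result exceeds UINT_MAX. */
static checked_uint checked_add(positive_int x, positive_int y)
{
    checked_uint r;
    r.ok = !__builtin_add_overflow(x, y, &r.value);
    return r;
}

/* x - y is valid whenever x >= y; wrapping below zero traps. */
static checked_uint checked_sub(positive_int x, positive_int y)
{
    checked_uint r;
    r.ok = !__builtin_sub_overflow(x, y, &r.value);
    return r;
}

/* Unary minus: -y is 0 - y, representable only for y == 0, so any other y traps. */
static checked_uint checked_neg(positive_int y)
{
    return checked_sub(0u, y);
}

/* x + (-y) as written in the thread: the negation traps first unless y == 0,
 * so this differs from checked_sub(x, y) even when x >= y. */
static checked_uint checked_add_neg(positive_int x, positive_int y)
{
    checked_uint n = checked_neg(y);
    if (!n.ok)
        return n;
    return checked_add(x, n.value);
}

/* A hypothetical size computation where a silent wrap would be a bug: count * elem_size. */
static checked_uint checked_mul(positive_int count, positive_int elem_size)
{
    checked_uint r;
    r.ok = !__builtin_mul_overflow(count, elem_size, &r.value);
    return r;
}
```

Under a real implementation the ok == false paths would become a trap instruction emitted by the frontend, leaving the middle-end untouched.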