[Bug sanitizer/81281] [6/7/8 Regression] UBSAN: false positive, dropped promotion to long type.
jakub at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Mon Dec 4 17:19:00 GMT 2017
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81281
--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Even the
(T)P - (T)(P + A) -> -(T) A
transformation looks wrong, consider A being 0U+INT_MIN, and P -1U.
(int)-1U - (int)(-1U+INT_MIN) is INT_MIN without overflow, while -(int)INT_MIN
overflows. Note it doesn't look like fold-const.c, at least the removed spot
from it, was doing what the match.pd is doing at least for non-pointers.
Note r251651 was actually the right fix, just not for this issue, but for the
general issue that through performing say (int) (long_long_a - long_long_b)
to (int) ((unsigned) long_long_a - (unsigned) long_long_b)) optimization we
won't be able to detect UB user code had, but the optimized form doesn't.
That just means that the sanitizer is less useful in finding bugs in the
compiler transformations. Perhaps we could have a debug counter or param or
something similar where we'd accept detecting fewer UBs on user code but gain
the possibility to detect more invalid transformations like this one.
More information about the Gcc-bugs
mailing list