public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/106885] New: -(a-b) is folded to b-a before the UBSAN pass is run
@ 2022-09-08  1:01 kristerw at gcc dot gnu.org
  2022-09-08  9:56 ` [Bug sanitizer/106885] " rguenth at gcc dot gnu.org
From: kristerw at gcc dot gnu.org @ 2022-09-08  1:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106885

            Bug ID: 106885
           Summary: -(a-b) is folded to b-a before the UBSAN pass is run
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kristerw at gcc dot gnu.org
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

GCC is folding -(a-b) to b-a before the UBSAN pass is run, which may hide
undefined behavior from the sanitizer.

This can be seen by the following program, which invokes undefined behavior
that is not detected by -fsanitize=undefined:

int main(void)
{
  volatile int a = 0;
  volatile int b = 0x80000000;
  return -(a - b);
}

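As an added example (hypothetical helper code, not from the bug report or from GCC), the program below evaluates -(a - b) step by step with GCC's checked-arithmetic builtins so that each signed overflow is reported; on the reporter's inputs (a = 0, b = INT_MIN, i.e. 0x80000000) it shows that the unfolded expression overflows while the folded b - a does not, which is exactly why the sanitizer sees nothing once folding has run.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper, added here as an example; not code from the bug report
   or from GCC.  It evaluates -(a - b) step by step with checked arithmetic so
   a signed overflow is reported rather than silently undefined. */
struct neg_diff_result {
    bool inner_overflow;   /* a - b overflowed */
    bool negate_overflow;  /* negating (a - b) overflowed */
    bool folded_overflow;  /* b - a, the folded form, overflowed */
    int  value;            /* result of b - a (wrapped if it overflowed) */
};

struct neg_diff_result check_neg_diff(int a, int b)
{
    struct neg_diff_result r = {false, false, false, 0};
    int diff, neg;
    r.inner_overflow = __builtin_sub_overflow(a, b, &diff);
    /* -x overflows exactly when x == INT_MIN; written here as 0 - x */
    r.negate_overflow = __builtin_sub_overflow(0, diff, &neg);
    r.folded_overflow = __builtin_sub_overflow(b, a, &r.value);
    return r;
}

/* True when the source expression -(a - b) has signed overflow but the folded
   b - a does not: the case -fsanitize=undefined cannot see once folding ran. */
bool folding_hides_ub(int a, int b)
{
    struct neg_diff_result r = check_neg_diff(a, b);
    return (r.inner_overflow || r.negate_overflow) && !r.folded_overflow;
}

int main(void)
{
    /* Constructed inputs: the reporter's a=0, b=0x80000000 and a few more. */
    int cases[][2] = {{0, INT_MIN}, {INT_MIN, 0}, {INT_MAX, -1}, {3, 5}};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int a = cases[i][0], b = cases[i][1];
        struct neg_diff_result r = check_neg_diff(a, b);
        printf("a=%d b=%d: a-b ovf=%d, -(a-b) ovf=%d, b-a ovf=%d -> hidden=%d\n",
               a, b, r.inner_overflow, r.negate_overflow, r.folded_overflow,
               folding_hides_ub(a, b));
    }
    return 0;
}
```

The mirrored case a = INT_MIN, b = 0 overflows in both forms, so folding does not hide anything there; only inputs where a - b overflows but b - a fits are lost to the sanitizer.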

* [Bug sanitizer/106885] -(a-b) is folded to b-a before the UBSAN pass is run
  2022-09-08  1:01 [Bug sanitizer/106885] New: -(a-b) is folded to b-a before the UBSAN pass is run kristerw at gcc dot gnu.org
@ 2022-09-08  9:56 ` rguenth at gcc dot gnu.org
From: rguenth at gcc dot gnu.org @ 2022-09-08  9:56 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106885

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2022-09-08
             Status|UNCONFIRMED                 |NEW

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
We have ugly TYPE_OVERFLOW_SANITIZED checks in folding but it would be much
better if the sanitizing would happen before any folding is invoked ...

#0  fold_unary_loc (loc=258791, code=NEGATE_EXPR, 
    type=<integer_type 0x7ffff65365e8 int>, op0=<minus_expr 0x7ffff668f848>)
    at /home/rguenther/src/trunk/gcc/fold-const.cc:9275
#1  0x0000000000f5d084 in fold (expr=<negate_expr 0x7ffff669f320>)
    at /home/rguenther/src/trunk/gcc/fold-const.cc:13421
#2  0x0000000000beca8c in c_fully_fold_internal (
    expr=<negate_expr 0x7ffff669f320>, in_init=false, 
    maybe_const_operands=0x7fffffffd5ab, maybe_const_itself=0x7fffffffd5aa, 
    for_int_const=false, lval=false)
    at /home/rguenther/src/trunk/gcc/c/c-fold.cc:494
#3  0x0000000000beab7e in c_fully_fold (expr=<negate_expr 0x7ffff669f320>, 
    in_init=false, maybe_const=0x7fffffffd5ab, lval=false)
    at /home/rguenther/src/trunk/gcc/c/c-fold.cc:125
#4  0x0000000000b7a840 in c_finish_return (loc=258791, 
    retval=<negate_expr 0x7ffff669f320>, origtype=<tree 0x0>)
    at /home/rguenther/src/trunk/gcc/c/c-typeck.cc:10927

and match.pd exempts itself:

/* -(A - B) -> B - A.  */
(simplify
 (negate (minus @0 @1))
 (if ((ANY_INTEGRAL_TYPE_P (type) && !TYPE_OVERFLOW_SANITIZED (type))
      || (FLOAT_TYPE_P (type)
          && !HONOR_SIGN_DEPENDENT_ROUNDING (type)
          && !HONOR_SIGNED_ZEROS (type)))
  (minus @1 @0)))

but fold_negate_expr_1 does not:

        case MINUS_EXPR:
          /* - (A - B) -> B - A  */
          if (!HONOR_SIGN_DEPENDENT_ROUNDING (type)
              && !HONOR_SIGNED_ZEROS (type))
            return fold_build2_loc (loc, MINUS_EXPR, type,
                                    TREE_OPERAND (t, 1), TREE_OPERAND (t, 0));
          break;

