path: root/gcc/fold-const.cc
author Marek Polacek <polacek@redhat.com> 2023-03-13 18:50:25 -0400
committer Marek Polacek <polacek@redhat.com> 2023-04-04 09:13:18 -0400
commit c1aca26b707471ce8051bd03b3fb2217bcdf2df0
tree afbb9d5d70561460513075a5f9b939bf8e015a9d /gcc/fold-const.cc
parent 3f0ca7a3e4431534bff3b8eb73709cc822e489b0
sanitizer: missing signed integer overflow errors [PR109107]

Here we're failing to detect a signed overflow with -O because match.pd,
since r8-1516, transforms

  c = (a + 1) - (int) (short int) b;

into

  c = (int) ((unsigned int) a + 4294946117);

wrongly eliding the overflow.  This kind of problem is usually avoided
by using TYPE_OVERFLOW_SANITIZED in the appropriate place.  The first
match.pd hunk in the patch fixes it.  I've constructed a testcase for
each of the surrounding cases as well.  Then I noticed that
fold_binary_loc/associate has the same problem, so I've added a
TYPE_OVERFLOW_SANITIZED there as well (it may be too coarse, sorry).
Then I found yet another problem, but instead of fixing it now I've
opened 109134.  I could probably go on and find a dozen more.

	PR sanitizer/109107

gcc/ChangeLog:

	* fold-const.cc (fold_binary_loc): Use TYPE_OVERFLOW_SANITIZED
	when associating.
	* match.pd: Use TYPE_OVERFLOW_SANITIZED.

gcc/testsuite/ChangeLog:

	* c-c++-common/ubsan/pr109107-1.c: New test.
	* c-c++-common/ubsan/pr109107-2.c: New test.
	* c-c++-common/ubsan/pr109107-3.c: New test.
	* c-c++-common/ubsan/pr109107-4.c: New test.

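The effect described in the commit message, as an added example that is not part of the commit or of the GCC testsuite: the source expression evaluated with checked signed arithmetic next to the folded unsigned form, for an input where only the source form overflows. Assumptions: b is taken to be 21180 (derived from the constant, since 2^32 - 4294946117 = 21179), the function names are hypothetical, and the GCC/Clang `__builtin_*_overflow` builtins stand in for the sanitizer's checks.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed value of b: 2^32 - 4294946117 = 21179, so the folded constant
   corresponds to (a + 1) - 21180.  The commit message does not state b. */
#define B_VALUE 21180

/* Source form, c = (a + 1) - (int) (short int) b, evaluated one operation
   at a time with checked signed arithmetic.  Returns true if any step
   overflows, which is what -fsanitize=signed-integer-overflow should
   report.  *c is only meaningful when the function returns false. */
static bool source_form_overflows(int a, int *c)
{
    int t;
    if (__builtin_add_overflow(a, 1, &t))
        return true;                      /* a + 1 overflowed */
    return __builtin_sub_overflow(t, (int)(short)B_VALUE, c);
}

/* Folded form from the commit message: a single unsigned addition.
   Unsigned arithmetic wraps by definition, so no signed operation is
   left for the sanitizer to instrument. */
static int folded_form(int a)
{
    return (int)((unsigned int)a + 4294946117u);
}

int main(void)
{
    int c = 0;
    bool ovf = source_form_overflows(INT_MAX, &c);
    printf("source form, a = INT_MAX: overflow = %d\n", ovf);
    printf("folded form, a = INT_MAX: c = %d (no check left)\n",
           folded_form(INT_MAX));
    return 0;
}
```

For a = INT_MAX the folded form returns the mathematically expected value, which is why the missing diagnostic goes unnoticed unless the sanitizer check on a + 1 survives folding.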
Diffstat (limited to 'gcc/fold-const.cc')
-rw-r--r-- gcc/fold-const.cc 3
1 files changed, 2 insertions, 1 deletions
diff --git a/gcc/fold-const.cc b/gcc/fold-const.cc
index 5b9982e..3b397ae 100644
--- a/gcc/fold-const.cc
+++ b/gcc/fold-const.cc
@@ -11320,7 +11320,8 @@ fold_binary_loc (location_t loc, enum tree_code code, tree type,
And, we need to make sure type is not saturating. */
if ((! FLOAT_TYPE_P (type) || flag_associative_math)
- && !TYPE_SATURATING (type))
+ && !TYPE_SATURATING (type)
+ && !TYPE_OVERFLOW_SANITIZED (type))
{
tree var0, minus_var0, con0, minus_con0, lit0, minus_lit0;
tree var1, minus_var1, con1, minus_con1, lit1, minus_lit1;
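Review bot: the new `!TYPE_OVERFLOW_SANITIZED (type)` test sits on the outer condition of the associate block in fold_binary_loc, so it switches off every reassociation in that block for a sanitized type, not only the ones that can drop a signed overflow check. Consider narrowing it to the paths that change which operations can overflow, or, if the coarse guard stays, extend the comment just above the condition ("And, we need to make sure type is not saturating.") to say that sanitized types are excluded and why, since the hunk leaves that comment unchanged and it no longer describes the full condition.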