<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/55480">55480</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Missed report of signed overflow (signed-integer-overflow)
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            compiler-rt:ubsan
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          JonPsson
      </td>
    </tr>
</table>

<pre>
```
int printf ( const char * format, ... );
int a = -1181091070, b, c;
short e;

int f(int g, int h) {
  return g > 2147483647 - h || h < g < -h ? g : g + h;
}

int main() {
  int i = a;
  b = f(i, &e != 0);
  c = i > 0 && b > 2147483647 - i || b - i ? b : i;
  printf("%d\n", c);
}

```
The above program contains a signed subtraction which will overflow (2147483647 - i, which is SINT32_MAX plus something), but the sanitizer does not report this. I compiled with:

```
clang -O3  -march=arch13 -o -  -fsanitize=undefined
```

and see in the output assembly:

```
.LBB1_4:                                # %lor.lhs.false
        srk     %r12, %r0, %r13
        jo      .LBB1_7
...
.LBB1_7:                                # %handler.sub_overflow2
        llgfr   %r3, %r0
        larl    %r2, .L__unnamed_4
        lgr     %r4, %r13
        brasl   %r14, __ubsan_handle_sub_overflow@PLT
```
I suspect this is a "Jump if Ordered" to the block where the sanitizer handles the sub overflow, but since the SRK actually overflows it does not go there. So the branch looks to me like having the wrong condition.

Before ISel I see:

```
land.lhs.true:                                    ; preds = %f.exit.thread, %lor.lhs.false.i
  %cond.i11 = phi i32 [ 2147483647, %f.exit.thread ], [ %4, %lor.lhs.false.i ]
  %5 = trunc i64 %1 to i32
  %6 = sub nuw nsw i32 2147483647, %5
  %cmp1 = icmp ugt i32 %cond.i11, %6
  br i1 %cmp1, label %cond.end, label %lor.lhs.false

lor.lhs.false:                                    ; preds = %land.lhs.true, %lor.lhs.false.i
  %7 = phi i32 [ %cond.i11, %land.lhs.true ], [ %4, %lor.lhs.false.i ]
  %8 = trunc i64 %1 to i32
  %9 = tail call { i32, i1 } @llvm.ssub.with.overflow.i32(i32 %7, i32 %8), !nosanitize !4
  %10 = extractvalue { i32, i1 } %9, 0, !nosanitize !4
  %11 = extractvalue { i32, i1 } %9, 1, !nosanitize !4
  br i1 %11, label %handler.sub_overflow2, label %cont3, !prof !5, !nosanitize !4
```
%5 is the loaded value of a (-1181091070). The icmp is skipping the sanitizer block if SINT32_MAX is greater than the result of the sub, which it is. This looks like the needed check is missed due to a broken condition around it, or?

 
</pre>
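An added example, not part of the original report: it re-evaluates the reproducer's expression for `c` with checked arithmetic and records, for each of the two subtractions, whether C's short-circuit rules evaluate it and whether it overflows. The names `trace_c`, `checked_sub` and the trace structs are hypothetical, and `b = i + 1` is worked out here from `f(i, 1)` rather than taken from the report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Outcome of one subtraction inside the expression for c. */
struct sub_trace {
    bool evaluated;   /* reached under && / || short-circuit evaluation? */
    bool overflowed;  /* did the int subtraction overflow? */
};

struct c_trace {
    struct sub_trace max_minus_i;  /* 2147483647 - i */
    struct sub_trace b_minus_i;    /* b - i */
    int c;
};

/* Checked subtraction; __builtin_sub_overflow is a GCC/Clang builtin. */
static int checked_sub(int x, int y, struct sub_trace *t) {
    int r;
    t->evaluated = true;
    t->overflowed = __builtin_sub_overflow(x, y, &r);
    return r;  /* wrapped two's-complement result if it overflowed */
}

/* Mirrors: c = i > 0 && b > 2147483647 - i || b - i ? b : i; */
struct c_trace trace_c(int i, int b) {
    struct c_trace t = {{false, false}, {false, false}, 0};
    bool cond = (i > 0 && b > checked_sub(INT_MAX, i, &t.max_minus_i))
                || checked_sub(b, i, &t.b_minus_i) != 0;
    t.c = cond ? b : i;
    return t;
}

int main(void) {
    int i = -1181091070;  /* value of a in the reproducer */
    int b = i + 1;        /* assumption: f(i, 1) takes the g + h arm */
    struct c_trace t = trace_c(i, b);
    printf("2147483647 - i: evaluated=%d overflowed=%d\n",
           t.max_minus_i.evaluated, t.max_minus_i.overflowed);
    printf("b - i:          evaluated=%d overflowed=%d\n",
           t.b_minus_i.evaluated, t.b_minus_i.overflowed);
    printf("c = %d\n", t.c);
    return 0;
}
```

Calling `checked_sub(INT_MAX, i, ...)` directly with the reproducer's `i` reports an overflow, so whether a UBSan report is expected depends on whether that operand is reached at run time.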