https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106696
--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> --- Undefined code at runtime means exactly that if you don't invoke undefined code you won't have a security issue. There are other bugs recording this same issue. Also the trunk changes behavior for -O0 to explicitly trapping so you can find the undefined code while debugging. Again also -fsanitize=undefined will detect it too.