diff --git a/gcc/cp/cp-gimplify.cc b/gcc/cp/cp-gimplify.cc
index 28a92ad547b7e1c8ee32d3c5575d8abd8ed3d4f7..2eea7a6c0cf9d86df74d46841cb1203990a7d92a 100644
--- a/gcc/cp/cp-gimplify.cc
+++ b/gcc/cp/cp-gimplify.cc
@@ -2567,7 +2567,14 @@ cp_fold (tree x, fold_flags_t flags)
     fold_cache = hash_map<tree, tree>::create_ggc (101);
 
   if (tree *cached = fold_cache->get (x))
-    return *cached;
+    {
+      /* unshare_expr doesn't recurse into SAVE_EXPRs.  If SAVE_EXPR's
+	 argument has been folded into a tree invariant, make sure it is
+	 unshared.  See PR112727.  */
+      if (TREE_CODE (x) == SAVE_EXPR && *cached != x)
+	return unshare_expr (*cached);
+      return *cached;
+    }
 
   uid_sensitive_constexpr_evaluation_checker c;
 
diff --git a/gcc/testsuite/c-c++-common/ubsan/pr112727.c b/gcc/testsuite/c-c++-common/ubsan/pr112727.c
new file mode 100644
index 0000000000000000000000000000000000000000..cc8b3e2a565ef4ac7c8a57c9c2cbd2a29e16035f
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/ubsan/pr112727.c
@@ -0,0 +1,17 @@
+/* PR sanitizer/112727 */
+/* { dg-do compile } */
+/* { dg-options "-O2 -fsanitize=shift-exponent,bounds-strict -Wuninitialized" } */
+
+#ifndef __cplusplus
+#define bool _Bool
+#endif
+
+struct S { bool s[8]; };
+
+void
+foo (const struct S *x)
+{
+  unsigned n = 0;
+  for (unsigned j = 0; j < 8; j++)
+    n |= ((!x->s[j]) ? 1 : 0) << (16 + j);
+}