Fix undefined behaviour in saturating addition.

jcarrano · jcarrano · commit 26c6889526b7 · 2019-05-31T23:37:11.000+02:00
Found by Frama-C/WP.
diff --git a/include/fixed_point/inline/fixed_point.h b/include/fixed_point/inline/fixed_point.h
@@ -493,15 +493,16 @@ FXP_DECLARATION(frac f_clip (frac x, frac limit))
  */
 FXP_DECLARATION(dfrac df_addsat(dfrac x1, dfrac x2))
 {
-	dfrac_base result = x1.v + x2.v;
 	dfrac r;
 
-	if (x1.v > 0 && x2.v > 0)
-		r.v = ((result < x1.v) ? DFRAC_MAX_V : result);
-	else if (x1.v < 0 && x2.v < 0)
-		r.v = ((result > x1.v) ? DFRAC_MIN_V : result);
+	/* The compiler does not seem to generate nice code for the
+	 * implementation below: */
+
+	if (x1.v >= 0)
+		r.v = (x2.v > DFRAC_MAX_V - x1.v)? DFRAC_MAX_V : x1.v + x2.v;
 	else
-		r.v = result;
+		r.v = (x2.v < DFRAC_MIN_V - x1.v) ? DFRAC_MIN_V : x1.v + x2.v;
+
 
 	return r;
 }
