A critical chunk of our firmware has been misbehaving in the field. After some head-scratching, we located the trouble. Here's a précis:
int A, B;        /* assumed signed (types not shown in the original); A can go negative */
unsigned int C;
if (A < (B - C))
    // do what's required (does not function reliably)
In v8.61, the result of (B - C) is implicitly converted to an unsigned integer, and an unsigned compare is then performed between it and A. The code fails to act as intended when A is negative, because when the comparison treats A as an unsigned integer, A is unintentionally larger than (B - C).
All the warnings have been enabled in the compiler, but no warning is generated with regard to this behaviour during the compile.
A better coder than me tells me that the compiler behaviour would be undefined in this scenario. Would love to hear opinions on the subject. This little gem caused two industrial facilities to shut down while false temperature alarms annunciated by our equipment were investigated.
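The conversion the post describes, as an added example that is not the poster's firmware code. It reproduces the comparison with A and B assumed to be int (the post does not show their types), then shows a hardened form that performs the subtraction and the compare in a wider signed type so nothing is converted to unsigned. It goes one step beyond the post's case: besides a negative A, it also shows what happens when C is larger than B, where the same unsigned conversion wraps (B - C) to a huge value.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Reproduces the post's comparison. Per C's usual arithmetic conversions,
 * (B - C) is unsigned because C is unsigned, so A is converted to unsigned
 * int before the compare. A negative A becomes a huge value. */
static bool buggy_check(int A, int B, unsigned int C)
{
    return A < (B - C);
}

/* Hardened form: widen every operand to long long (assumed wider than int
 * and unsigned int on the target) before subtracting and comparing, so the
 * arithmetic is signed, cannot wrap, and no operand is reinterpreted. */
static bool fixed_check(int A, int B, unsigned int C)
{
    long long rhs = (long long)B - (long long)C;
    return (long long)A < rhs;
}

/* Alternative when C is known to fit in int: make the expression signed by
 * casting C explicitly. Returns false and flags the caller if C does not fit. */
static bool fixed_check_narrow(int A, int B, unsigned int C, bool *c_in_range)
{
    *c_in_range = (C <= (unsigned int)INT_MAX);
    if (!*c_in_range)
        return false;
    return A < (B - (int)C);
}

int main(void)
{
    /* Constructed inputs: the post's failure mode (negative A)... */
    printf("A=-1 B=10 C=5  buggy=%d fixed=%d\n",
           buggy_check(-1, 10, 5u), fixed_check(-1, 10, 5u));
    /* ...and the wrap case where C > B makes (B - C) huge when unsigned. */
    printf("A=0  B=2  C=5  buggy=%d fixed=%d\n",
           buggy_check(0, 2, 5u), fixed_check(0, 2, 5u));
    return 0;
}
```

gcc and clang report this pattern with -Wsign-compare ("comparison of integer expressions of different signedness"); it is worth checking whether the toolchain in use has an equivalent diagnostic, since "all warnings" in one compiler rarely maps one-to-one onto another.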