darwin: use saturatingSub() instead of double cast for memory underflow fix

Author: Dmitrii Esin

darwin/Platform.c

@@ -434,20 +434,19 @@ void Platform_setMemoryValues(Meter* mtr) {
    mtr->values[MEMORY_CLASS_WIRED]       = page_K * vm->wire_count;
 
    /*
-    * Guard against unsigned underflow: on macOS, external_page_count
-    * (file-backed pages) can exceed active_count, causing the unsigned
-    * subtraction to wrap around to ~4 billion pages (~64 TB on 16K-page
-    * ARM64 systems). Cast to double before subtracting to use signed
-    * arithmetic, and clamp the result to zero.
+    * Use saturatingSub() to prevent unsigned underflow: on macOS,
+    * external_page_count (file-backed pages) can exceed active_count,
+    * causing the result to wrap around to ~4 billion pages (~64 TB on
+    * 16K-page ARM64 systems).
     */
    if (settings->showCachedMemory) {
       mtr->values[MEMORY_CLASS_SPECULATIVE] = page_K * vm->speculative_count;
-      mtr->values[MEMORY_CLASS_ACTIVE]      = MAXIMUM(0, page_K * ((double)vm->active_count - (double)vm->purgeable_count - (double)external_page_count));
+      mtr->values[MEMORY_CLASS_ACTIVE]      = page_K * saturatingSub(vm->active_count, (unsigned long long)vm->purgeable_count + external_page_count);
       mtr->values[MEMORY_CLASS_PURGEABLE]   = page_K * vm->purgeable_count;
    }
    else {
       mtr->values[MEMORY_CLASS_SPECULATIVE] = 0;
-      mtr->values[MEMORY_CLASS_ACTIVE]      = MAXIMUM(0, page_K * ((double)vm->speculative_count + (double)vm->active_count - (double)external_page_count));
+      mtr->values[MEMORY_CLASS_ACTIVE]      = page_K * saturatingSub((unsigned long long)vm->speculative_count + vm->active_count, external_page_count);
       mtr->values[MEMORY_CLASS_PURGEABLE]   = 0;
    }
    mtr->values[MEMORY_CLASS_COMPRESSED]  = page_K * compressor_page_count;