[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
author ticaiolima@gmail.com <ticaiolima@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 20 Jan 2018 12:53:52 +0000 (12:53 +0000)
committer ticaiolima@gmail.com <ticaiolima@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 20 Jan 2018 12:53:52 +0000 (12:53 +0000)
commit 3d3bbb4e6175fe367bccfceb5e14c4d9eb8a41a9
tree 08ce8dd6cbd3696f29f66985d6f4881a3712cd04
parent bc415c6444208d93da80aef1f8afef28ac54f5bf
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182

Reviewed by Darin Adler.

JSTests:

* stress/big-int-prototype-to-string-cast-overflow.js: Added.
* stress/big-int-prototype-to-string-exception.js: Added.
* stress/big-int-prototype-to-string-wrong-values.js: Added.
* stress/number-prototype-to-string-cast-overflow.js: Added.
* stress/number-prototype-to-string-exception.js: Added.
* stress/number-prototype-to-string-wrong-values.js: Added.

Source/JavaScriptCore:

Casting double to integer is undefined behavior when the truncation
results in a value that doesn't fit into the integer size,
according to the C++ spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these sources of undefined
behavior.

[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion

* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractToStringRadixArgument):
(JSC::extractRadixFromArgs): Deleted.
* runtime/NumberPrototype.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227271 268f45cc-cd09-0410-ab3c-d52691b4dbfc
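The conversion the commit message describes, as an added C++ example that is not WebKit's code: a radix argument reaches the runtime as a double, and `static_cast<int32_t>(d)` is undefined behavior whenever the truncated value is outside int32_t (1e10, -1e10, Infinity, NaN). The fix pattern is to range-check while the value is still a double, so that the cast only ever sees a value that fits. The names `extractRadix`, `toIntegerOrInfinity` and `saturatingToInt32`, and modeling a JS `undefined` argument with a bool, are this example's own assumptions; the default radix of 10 and the accepted range [2, 36] come from the ECMAScript definition of Number.prototype.toString.

```cpp
// Added example (not WebKit's code): turning a JS "radix" argument, which
// arrives as a double, into an int32_t without undefined behavior.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Unsafe pattern, shown for contrast only: static_cast<int32_t>(d) is
// undefined behavior when the truncated value does not fit in int32_t
// (e.g. 1e10, -1e10, Infinity, NaN). Never call it with such input.
int32_t unsafeToInt32(double d) { return static_cast<int32_t>(d); }

// Mirrors ECMAScript ToInteger: NaN -> 0, +/-Infinity kept, else truncation.
// Everything stays in the double domain, so no cast can overflow here.
double toIntegerOrInfinity(double d) {
    if (std::isnan(d)) return 0.0;
    if (std::isinf(d)) return d;
    return std::trunc(d);
}

// Safe radix extraction (assumed helper). isUndefined models a missing
// argument. Returns std::nullopt where JS would throw RangeError. Only values
// already known to lie in [2, 36] are cast, so the cast is in range by
// construction. NaN was mapped to 0 above and Infinity fails the comparison,
// so both are rejected rather than cast.
std::optional<int32_t> extractRadix(bool isUndefined, double radixValue) {
    if (isUndefined) return 10;
    double r = toIntegerOrInfinity(radixValue);
    if (r < 2.0 || r > 36.0) return std::nullopt;
    return static_cast<int32_t>(r);
}

// General-purpose saturating double -> int32_t (assumed helper) for callers
// that need a number rather than an error: clamps to INT32_MIN/INT32_MAX
// and maps NaN to 0 before the cast ever happens.
int32_t saturatingToInt32(double d) {
    if (std::isnan(d)) return 0;
    constexpr double lo = static_cast<double>(std::numeric_limits<int32_t>::min());
    constexpr double hi = static_cast<double>(std::numeric_limits<int32_t>::max());
    if (d <= lo) return std::numeric_limits<int32_t>::min();
    if (d >= hi) return std::numeric_limits<int32_t>::max();
    return static_cast<int32_t>(d); // now guaranteed to fit
}

int main() {
    // Constructed inputs: the kinds of radix values the added stress tests
    // in this commit are named for (cast overflow, wrong values).
    const double samples[] = {16.0, 1e10, -1e10, 1.0, 36.9,
                              std::numeric_limits<double>::infinity(),
                              std::numeric_limits<double>::quiet_NaN()};
    for (double s : samples) {
        auto r = extractRadix(false, s);
        if (r) std::printf("radix %g -> %d\n", s, *r);
        else   std::printf("radix %g -> RangeError\n", s);
        std::printf("  saturating: %d\n", saturatingToInt32(s));
    }
    std::printf("undefined -> %d\n", *extractRadix(true, 0.0));
    return 0;
}
```

The important property is the order of operations: every comparison is done on the double, and the cast is the last step, reachable only for values the comparisons have already bounded. Checking after the cast, as in `int32_t r = static_cast<int32_t>(d); if (r < 2 || r > 36)`, does not work, because the undefined behavior has already happened by the time the check runs and the compiler is free to assume it did not.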
JSTests/ChangeLog
JSTests/stress/big-int-prototype-to-string-cast-overflow.js [new file with mode: 0644]
JSTests/stress/big-int-prototype-to-string-exception.js [new file with mode: 0644]
JSTests/stress/big-int-prototype-to-string-wrong-values.js [new file with mode: 0644]
JSTests/stress/number-prototype-to-string-cast-overflow.js [new file with mode: 0644]
JSTests/stress/number-prototype-to-string-exception.js [new file with mode: 0644]
JSTests/stress/number-prototype-to-string-wrong-values.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/BigIntPrototype.cpp
Source/JavaScriptCore/runtime/NumberPrototype.cpp
Source/JavaScriptCore/runtime/NumberPrototype.h