[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182
Reviewed by Darin Adler.
JSTests:
* bigIntTests.yaml:
* stress/big-int-constructor.js:
* stress/big-int-prototype-to-string-cast-overflow.js: Added.
(assert):
(assertThrowRangeError):
* stress/number-prototype-to-string-cast-overflow.js: Added.
(assert):
(assertThrowRangeError):
Source/JavaScriptCore:
Casting double to integer is undefined behavior when the truncation
results into a value that doesn't fit into integer size, according C++
spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these source of undefined behavior.
[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractRadixFromArgs): Deleted.
(JSC::extractToStringRadixArgument): Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226937
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
git://git.webkit.org / WebKit-https.git / commit