[runtime] Add Arguments::positive_smi_value_at(int index) helper

Drive-by-fix:
- Use explicit casts to HeapNumber in NumberToXXX methods

Bug: v8:11263
Change-Id: If99af3ccee33a299d9f42cd39b87b6935a555f83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3512618Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79438}

src/execution/arguments-inl.h

@@ -31,6 +31,13 @@ int Arguments<T>::smi_value_at(int index) const {
   return value;
 }
 
+template <ArgumentsType T>
+uint32_t Arguments<T>::positive_smi_value_at(int index) const {
+  int value = smi_value_at(index);
+  DCHECK_LE(0, value);
+  return value;
+}
+
 template <ArgumentsType T>
 int Arguments<T>::tagged_index_value_at(int index) const {
   return static_cast<int>(TaggedIndex::cast((*this)[index]).value());

src/execution/arguments.h

@@ -59,6 +59,7 @@ class Arguments {
   V8_INLINE Handle<S> at(int index) const;
 
   V8_INLINE int smi_value_at(int index) const;
+  V8_INLINE uint32_t positive_smi_value_at(int index) const;
 
   V8_INLINE int tagged_index_value_at(int index) const;
 

src/numbers/conversions-inl.h

@@ -193,12 +193,12 @@ bool DoubleToUint32IfEqualToSelf(double value, uint32_t* uint32_value) {
 
 int32_t NumberToInt32(Object number) {
   if (number.IsSmi()) return Smi::ToInt(number);
-  return DoubleToInt32(number.Number());
+  return DoubleToInt32(HeapNumber::cast(number).value());
 }
 
 uint32_t NumberToUint32(Object number) {
   if (number.IsSmi()) return Smi::ToInt(number);
-  return DoubleToUint32(number.Number());
+  return DoubleToUint32(HeapNumber::cast(number).value());
 }
 
 uint32_t PositiveNumberToUint32(Object number) {
@@ -207,8 +207,7 @@ uint32_t PositiveNumberToUint32(Object number) {
     if (value <= 0) return 0;
     return value;
   }
-  DCHECK(number.IsHeapNumber());
-  double value = number.Number();
+  double value = HeapNumber::cast(number).value();
   // Catch all values smaller than 1 and use the double-negation trick for NANs.
   if (!(value >= 1)) return 0;
   uint32_t max = std::numeric_limits<uint32_t>::max();
@@ -218,7 +217,7 @@ uint32_t PositiveNumberToUint32(Object number) {
 
 int64_t NumberToInt64(Object number) {
   if (number.IsSmi()) return Smi::ToInt(number);
-  double d = number.Number();
+  double d = HeapNumber::cast(number).value();
   if (std::isnan(d)) return 0;
   if (d >= static_cast<double>(std::numeric_limits<int64_t>::max())) {
     return std::numeric_limits<int64_t>::max();
@@ -235,8 +234,7 @@ uint64_t PositiveNumberToUint64(Object number) {
     if (value <= 0) return 0;
     return value;
   }
-  DCHECK(number.IsHeapNumber());
-  double value = number.Number();
+  double value = HeapNumber::cast(number).value();
   // Catch all values smaller than 1 and use the double-negation trick for NANs.
   if (!(value >= 1)) return 0;
   uint64_t max = std::numeric_limits<uint64_t>::max();
@@ -257,7 +255,6 @@ bool TryNumberToSize(Object number, size_t* result) {
     }
     return false;
   } else {
-    DCHECK(number.IsHeapNumber());
     double value = HeapNumber::cast(number).value();
     // If value is compared directly to the limit, the limit will be
     // casted to a double and could end up as limit + 1,

src/runtime/runtime-internal.cc

@@ -330,8 +330,7 @@ RUNTIME_FUNCTION(Runtime_StackGuard) {
 RUNTIME_FUNCTION(Runtime_StackGuardWithGap) {
   SealHandleScope shs(isolate);
   DCHECK_EQ(args.length(), 1);
-  uint32_t gap = 0;
-  CHECK(args[0].ToUint32(&gap));
+  uint32_t gap = args.positive_smi_value_at(0);
   TRACE_EVENT0("v8.execute", "V8.StackGuard");
 
   // First check if this is a real stack overflow.

src/runtime/runtime-test.cc

@@ -1508,8 +1508,7 @@ RUNTIME_FUNCTION(Runtime_NewRegExpWithBacktrackLimit) {
 
   Handle<String> pattern = args.at<String>(0);
   Handle<String> flags_string = args.at<String>(1);
-  uint32_t backtrack_limit = 0;
-  CHECK(args[2].ToUint32(&backtrack_limit));
+  uint32_t backtrack_limit = args.positive_smi_value_at(2);
 
   JSRegExp::Flags flags =
       JSRegExp::FlagsFromString(isolate, flags_string).value();

src/runtime/runtime-wasm.cc

@@ -133,8 +133,7 @@ RUNTIME_FUNCTION(Runtime_WasmMemoryGrow) {
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
   // {delta_pages} is checked to be a positive smi in the WasmMemoryGrow builtin
   // which calls this runtime function.
-  uint32_t delta_pages = 0;
-  CHECK(args[1].ToUint32(&delta_pages));
+  uint32_t delta_pages = args.positive_smi_value_at(1);
 
   int ret = WasmMemoryObject::Grow(
       isolate, handle(instance->memory_object(), isolate), delta_pages);
@@ -405,8 +404,7 @@ RUNTIME_FUNCTION(Runtime_WasmRefFunc) {
   HandleScope scope(isolate);
   DCHECK_EQ(2, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t function_index = 0;
-  CHECK(args[1].ToUint32(&function_index));
+  uint32_t function_index = args.positive_smi_value_at(1);
 
   return *WasmInstanceObject::GetOrCreateWasmInternalFunction(isolate, instance,
                                                               function_index);
@@ -417,10 +415,8 @@ RUNTIME_FUNCTION(Runtime_WasmFunctionTableGet) {
   HandleScope scope(isolate);
   DCHECK_EQ(3, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t table_index = 0;
-  CHECK(args[1].ToUint32(&table_index));
-  uint32_t entry_index = 0;
-  CHECK(args[2].ToUint32(&entry_index));
+  uint32_t table_index = args.positive_smi_value_at(1);
+  uint32_t entry_index = args.positive_smi_value_at(2);
   DCHECK_LT(table_index, instance->tables().length());
   auto table = handle(
       WasmTableObject::cast(instance->tables().get(table_index)), isolate);
@@ -443,10 +439,8 @@ RUNTIME_FUNCTION(Runtime_WasmFunctionTableSet) {
   HandleScope scope(isolate);
   DCHECK_EQ(4, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t table_index = 0;
-  CHECK(args[1].ToUint32(&table_index));
-  uint32_t entry_index = 0;
-  CHECK(args[2].ToUint32(&entry_index));
+  uint32_t table_index = args.positive_smi_value_at(1);
+  uint32_t entry_index = args.positive_smi_value_at(2);
   Object element_raw = args[3];
   // TODO(wasm): Manually box because parameters are not visited yet.
   Handle<Object> element(element_raw, isolate);
@@ -472,19 +466,14 @@ RUNTIME_FUNCTION(Runtime_WasmTableInit) {
   HandleScope scope(isolate);
   DCHECK_EQ(6, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t table_index = 0;
-  CHECK(args[1].ToUint32(&table_index));
-  uint32_t elem_segment_index = 0;
-  CHECK(args[2].ToUint32(&elem_segment_index));
+  uint32_t table_index = args.positive_smi_value_at(1);
+  uint32_t elem_segment_index = args.positive_smi_value_at(2);
   static_assert(
       wasm::kV8MaxWasmTableSize < kSmiMaxValue,
       "Make sure clamping to Smi range doesn't make an invalid call valid");
-  uint32_t dst = 0;
-  CHECK(args[3].ToUint32(&dst));
-  uint32_t src = 0;
-  CHECK(args[4].ToUint32(&src));
-  uint32_t count = 0;
-  CHECK(args[5].ToUint32(&count));
+  uint32_t dst = args.positive_smi_value_at(3);
+  uint32_t src = args.positive_smi_value_at(4);
+  uint32_t count = args.positive_smi_value_at(5);
 
   DCHECK(!isolate->context().is_null());
 
@@ -499,19 +488,14 @@ RUNTIME_FUNCTION(Runtime_WasmTableCopy) {
   HandleScope scope(isolate);
   DCHECK_EQ(6, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t table_dst_index = 0;
-  CHECK(args[1].ToUint32(&table_dst_index));
-  uint32_t table_src_index = 0;
-  CHECK(args[2].ToUint32(&table_src_index));
+  uint32_t table_dst_index = args.positive_smi_value_at(1);
+  uint32_t table_src_index = args.positive_smi_value_at(2);
   static_assert(
       wasm::kV8MaxWasmTableSize < kSmiMaxValue,
       "Make sure clamping to Smi range doesn't make an invalid call valid");
-  uint32_t dst = 0;
-  CHECK(args[3].ToUint32(&dst));
-  uint32_t src = 0;
-  CHECK(args[4].ToUint32(&src));
-  uint32_t count = 0;
-  CHECK(args[5].ToUint32(&count));
+  uint32_t dst = args.positive_smi_value_at(3);
+  uint32_t src = args.positive_smi_value_at(4);
+  uint32_t count = args.positive_smi_value_at(5);
 
   DCHECK(!isolate->context().is_null());
 
@@ -526,13 +510,11 @@ RUNTIME_FUNCTION(Runtime_WasmTableGrow) {
   HandleScope scope(isolate);
   DCHECK_EQ(4, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t table_index = 0;
-  CHECK(args[1].ToUint32(&table_index));
+  uint32_t table_index = args.positive_smi_value_at(1);
   Object value_raw = args[2];
   // TODO(wasm): Manually box because parameters are not visited yet.
   Handle<Object> value(value_raw, isolate);
-  uint32_t delta = 0;
-  CHECK(args[3].ToUint32(&delta));
+  uint32_t delta = args.positive_smi_value_at(3);
 
   Handle<WasmTableObject> table(
       WasmTableObject::cast(instance->tables().get(table_index)), isolate);
@@ -546,15 +528,12 @@ RUNTIME_FUNCTION(Runtime_WasmTableFill) {
   HandleScope scope(isolate);
   DCHECK_EQ(5, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t table_index = 0;
-  CHECK(args[1].ToUint32(&table_index));
-  uint32_t start = 0;
-  CHECK(args[2].ToUint32(&start));
+  uint32_t table_index = args.positive_smi_value_at(1);
+  uint32_t start = args.positive_smi_value_at(2);
   Object value_raw = args[3];
   // TODO(wasm): Manually box because parameters are not visited yet.
   Handle<Object> value(value_raw, isolate);
-  uint32_t count = 0;
-  CHECK(args[4].ToUint32(&count));
+  uint32_t count = args.positive_smi_value_at(4);
 
   Handle<WasmTableObject> table(
       WasmTableObject::cast(instance->tables().get(table_index)), isolate);
@@ -676,13 +655,10 @@ RUNTIME_FUNCTION(Runtime_WasmArrayCopy) {
   HandleScope scope(isolate);
   DCHECK_EQ(5, args.length());
   Handle<WasmArray> dst_array = args.at<WasmArray>(0);
-  uint32_t dst_index = 0;
-  CHECK(args[1].ToUint32(&dst_index));
+  uint32_t dst_index = args.positive_smi_value_at(1);
   Handle<WasmArray> src_array = args.at<WasmArray>(2);
-  uint32_t src_index = 0;
-  CHECK(args[3].ToUint32(&src_index));
-  uint32_t length = 0;
-  CHECK(args[4].ToUint32(&length));
+  uint32_t src_index = args.positive_smi_value_at(3);
+  uint32_t length = args.positive_smi_value_at(4);
   DCHECK_GT(length, 0);
   bool overlapping_ranges =
       dst_array->ptr() == src_array->ptr() &&
@@ -722,12 +698,9 @@ RUNTIME_FUNCTION(Runtime_WasmArrayInitFromData) {
   HandleScope scope(isolate);
   DCHECK_EQ(5, args.length());
   Handle<WasmInstanceObject> instance = args.at<WasmInstanceObject>(0);
-  uint32_t data_segment = 0;
-  CHECK(args[1].ToUint32(&data_segment));
-  uint32_t offset = 0;
-  CHECK(args[2].ToUint32(&offset));
-  uint32_t length = 0;
-  CHECK(args[3].ToUint32(&length));
+  uint32_t data_segment = args.positive_smi_value_at(1);
+  uint32_t offset = args.positive_smi_value_at(2);
+  uint32_t length = args.positive_smi_value_at(3);
   Handle<Map> rtt = args.at<Map>(4);
   uint32_t element_size = WasmArray::DecodeElementSizeFromMap(*rtt);
   uint32_t length_in_bytes = length * element_size;