[fastcall] Fix UB when floating point test argument is OOB

This CL hardens a test to avoid static_cast-ing doubles that don't fit
into the 32-bit integer range.

Bug: chromium:1344965
Change-Id: I1f3a05800158cda9dc582bfa4427516932db9679
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3776337
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81843}

src/d8/d8-test.cc

@@ -680,16 +680,18 @@ class FastCApiObject {
     if (args.Length() > 1 && args[1]->IsNumber()) {
       real_arg = args[1]->NumberValue(isolate->GetCurrentContext()).FromJust();
     }
-    bool in_range = args[0]->IsBoolean() && args[0]->BooleanValue(isolate);
+    bool in_range =
+        args[0]->IsBoolean() && args[0]->BooleanValue(isolate) &&
+        !std::isnan(real_arg) &&
+        real_arg <= static_cast<double>(std::numeric_limits<IntegerT>::max()) &&
+        real_arg >= static_cast<double>(std::numeric_limits<IntegerT>::min());
     if (in_range) {
       IntegerT checked_arg = std::numeric_limits<IntegerT>::max();
       if (args.Length() > 2 && args[2]->IsNumber()) {
         checked_arg =
             args[2]->NumberValue(isolate->GetCurrentContext()).FromJust();
       }
-      if (!std::isnan(real_arg)) {
-        CHECK_EQ(static_cast<IntegerT>(real_arg), checked_arg);
-      }
+      CHECK_EQ(static_cast<IntegerT>(real_arg), checked_arg);
       args.GetReturnValue().Set(Boolean::New(isolate, false));
     } else {
       args.GetIsolate()->ThrowError("Argument out of range.");

test/mjsunit/compiler/regress-crbug-1344965.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --turbo-fast-api-calls --expose-fast-api --allow-natives-syntax --turbofan
+
+const fast_c_api = new d8.test.FastCAPI();
+assertThrows(() => fast_c_api.enforce_range_compare_i32(
+  true, -9007199254740990, new Boolean(), {}));