From fd76e71934aa7e4c9ff7de042ed457b97fccdbd0 Mon Sep 17 00:00:00 2001
From: Daniel Bertalan
Date: Fri, 6 Aug 2021 18:35:05 +0200
Subject: [PATCH] LibJS: Fix UB in `Math.clz32`

If the argument to this function is greater then or equal to 2^32, the `double` => `u32` cast produces undefined behavior, which Clang catches. To fix this, we now use `ToUint32` for getting the integer argument, as specified by ECMA-262.
---
 Userland/Libraries/LibJS/Runtime/MathObject.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Userland/Libraries/LibJS/Runtime/MathObject.cpp b/Userland/Libraries/LibJS/Runtime/MathObject.cpp
index 23bff0b243e..7f28068c329 100644
--- a/Userland/Libraries/LibJS/Runtime/MathObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/MathObject.cpp
@@ -341,12 +341,12 @@ JS_DEFINE_NATIVE_FUNCTION(MathObject::sign)
 // 21.3.2.11 Math.clz32 ( x ), https://tc39.es/ecma262/#sec-math.clz32
 JS_DEFINE_NATIVE_FUNCTION(MathObject::clz32)
 {
- auto number = vm.argument(0).to_number(global_object);
+ auto number = vm.argument(0).to_u32(global_object);
 if (vm.exception())
 return {};
- if (!number.is_finite_number() || (unsigned)number.as_double() == 0)
+ if (number == 0)
 return Value(32);
- return Value(__builtin_clz((unsigned)number.as_double()));
+ return Value(__builtin_clz(number));
 }
 
 // 21.3.2.2 Math.acos ( x ), https://tc39.es/ecma262/#sec-math.acos
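Review bot: `__builtin_clz(number)` on the last added line still relies on `unsigned int` being exactly 32 bits wide for the spec's 32-bit count, and the builtin is undefined for an argument of 0, so the `if (number == 0)` guard above it is load-bearing and must not be folded away later. If this file is compiled as C++20, `std::countl_zero(number)` from `<bit>` is defined for zero and its width follows the `u32` type, so the guard and the builtin could collapse into `return Value(std::countl_zero(number));`; if not, a `static_assert(sizeof(unsigned) == 4);` next to the call would pin the assumption. Either way, a one-line comment such as `// ToUint32 maps NaN, ±Infinity and ±0 to 0, so those all yield 32` would record why the `is_finite_number()` check could be dropped, since that reasoning now lives only in the commit message.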