Force call to ToNumber in Math.max and Math.min (#6851)

According to the spec, Math.max and Math.min should convert all args to numbers (See ToNumber).
CC takes a shortcut by just returning NaN as soon as it finds a NaN arg.
Therefore, possibly missing calls to valueOf of a later arg.

Fix #6519

Author: ShortDevelopment

lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h

@@ -6,7 +6,7 @@
 // NOTE: If there is a merge conflict the correct fix is to make a new GUID.
 // This file was generated with tools/regenByteCode.py
 
-// {caa01c1a-6c67-45c2-8c3c-382b84ca34c4}
+// {5659e34b-2f03-4880-bed4-7a688cd73df1}
 const GUID byteCodeCacheReleaseFileVersion =
-{ 0xcaa01c1a, 0x6c67, 0x45c2, {0x8c, 0x3c, 0x38, 0x2b, 0x84, 0xca, 0x34, 0xc4 } };
+{ 0x5659e34b, 0x2f03, 0x4880, {0xbe, 0xd4, 0x7a, 0x68, 0x8c, 0xd7, 0x3d, 0xf1 } };
 

lib/Runtime/Library/InJavascript/JsBuiltIn.bc.32b.h

@@ -1,6 +1,6 @@
 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
-// Copyright (c) 2021 ChakraCore Project Contributors. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 
@@ -18,13 +18,15 @@
         // If no arguments are given, the result is positive infinity
         // If any value is NaN, the result is NaN. 
         // The comparison of values to determine the smallest value is done using the Abstract Relational Comparison algorithm except that +0 is considered to be larger than -0.
-        if (arguments.length === 0 ) {
+        if (arguments.length === 0) {
             return __chakraLibrary.positiveInfinity;
         }
-        
+
+        let returnNaN = false;
+
         value1 = +value1;
         if (value1 !== value1) {
-            return NaN;
+            returnNaN = true;
         }
 
         if (arguments.length === 1) {
@@ -33,10 +35,10 @@
 
         if (arguments.length === 2) {
             value2 = +value2;
-            if (value2 !== value2) {
+            if (value2 !== value2 || returnNaN) {
                 return NaN;
             }
-            if ((value1 < value2) || (value1 === value2 && value1 === 0 && 1/value1 < 1/value2)) { // checks for -0 and +0
+            if ((value1 < value2) || (value1 === value2 && value1 === 0 && 1 / value1 < 1 / value2)) { // checks for -0 and +0
                 return value1;
             }
             else {
@@ -48,15 +50,17 @@
         let nextVal;
 
         for (let i = 1; i < arguments.length; i++) {
-            nextVal = +arguments[i];
-            if (nextVal !== nextVal) {
-                return NaN;
+            nextVal = +arguments[i]; // Force conversion for all args (ensure call to valueOf)
+            if (returnNaN) { } // Skip check if possible
+            else if (nextVal !== nextVal) {
+                returnNaN = true;
+                min = NaN;
             }
-            else if ((min > nextVal) || (min === nextVal && min === 0 && 1/min > 1/nextVal)) { // checks for -0 and +0
+            else if ((min > nextVal) || (min === nextVal && min === 0 && 1 / min > 1 / nextVal)) { // checks for -0 and +0
                 min = nextVal;
             }
         }
-        
+
         return min;
     });
 
@@ -69,10 +73,12 @@
         if (arguments.length === 0) {
             return __chakraLibrary.negativeInfinity;
         }
-        
+
+        let returnNaN = false;
+
         value1 = +value1;
         if (value1 !== value1) {
-            return NaN;
+            returnNaN = true;
         }
 
         if (arguments.length === 1) {
@@ -81,10 +87,10 @@
 
         if (arguments.length === 2) {
             value2 = +value2;
-            if (value2 !== value2) {
+            if (value2 !== value2 || returnNaN) {
                 return NaN;
             }
-            if ((value1 > value2) || (value1 === value2 && value1 === 0 && 1/value1 > 1/value2)) { // checks for -0 and +0
+            if ((value1 > value2) || (value1 === value2 && value1 === 0 && 1 / value1 > 1 / value2)) { // checks for -0 and +0
                 return value1;
             }
             else {
@@ -96,15 +102,17 @@
         let nextVal;
 
         for (let i = 1; i < arguments.length; i++) {
-            nextVal = +arguments[i];
-            if (nextVal !== nextVal) {
-                return NaN;
+            nextVal = +arguments[i]; // Force conversion for all args (ensure call to valueOf)
+            if (returnNaN) { } // Skip check if possible
+            else if (nextVal !== nextVal) {
+                returnNaN = true;
+                max = NaN;
             }
-            else if ((max < nextVal) || (max === nextVal && max === 0 && 1/max < 1/nextVal)) { // checks for -0 and +0
+            else if ((max < nextVal) || (max === nextVal && max === 0 && 1 / max < 1 / nextVal)) { // checks for -0 and +0
                 max = nextVal;
-            } 
+            }
         }
-        
+
         return max;
     });
 });

lib/Runtime/Library/InJavascript/JsBuiltIn.bc.64b.h

@@ -1,5 +1,6 @@
 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 #include "RuntimeLibraryPch.h"
@@ -737,28 +738,35 @@ namespace Js
         else
         {
             double current = JavascriptConversion::ToNumber(args[1], scriptContext);
+
+            bool returnNaN = false;
             if (JavascriptNumber::IsNan(current))
             {
-                return scriptContext->GetLibrary()->GetNaN();
+                returnNaN = true;
             }
 
             for (uint idxArg = 2; idxArg < args.Info.Count; idxArg++)
             {
                 double compare = JavascriptConversion::ToNumber(args[idxArg], scriptContext);
-                if (JavascriptNumber::IsNan(compare))
+                if (JavascriptNumber::IsNan(compare) || returnNaN) // Call ToNumber for all args
                 {
-                    return scriptContext->GetLibrary()->GetNaN();
+                    returnNaN = true;
                 }
 
                 // In C++, -0.0f == 0.0f; however, in ES, -0.0f < 0.0f. Thus, use additional library 
                 // call to test this comparison.
-                if ((compare == 0 && JavascriptNumber::IsNegZero(current)) ||
+                else if ((compare == 0 && JavascriptNumber::IsNegZero(current)) ||
                     current < compare)
                 {
                     current = compare;
                 }
             }
 
+            if (returnNaN)
+            {
+                return scriptContext->GetLibrary()->GetNaN();
+            }
+
             return JavascriptNumber::ToVarNoCheck(current, scriptContext);
         }
     }
@@ -817,28 +825,35 @@ namespace Js
         else
         {
             double current = JavascriptConversion::ToNumber(args[1], scriptContext);
+
+            bool returnNaN = false;
             if (JavascriptNumber::IsNan(current))
             {
-                return scriptContext->GetLibrary()->GetNaN();
+                returnNaN = true;
             }
 
             for (uint idxArg = 2; idxArg < args.Info.Count; idxArg++)
             {
                 double compare = JavascriptConversion::ToNumber(args[idxArg], scriptContext);
-                if (JavascriptNumber::IsNan(compare))
+                if (JavascriptNumber::IsNan(compare) || returnNaN) // Call ToNumber for all args
                 {
-                    return scriptContext->GetLibrary()->GetNaN();
+                    returnNaN = true;
                 }
 
                 // In C++, -0.0f == 0.0f; however, in ES, -0.0f < 0.0f. Thus, use additional library 
                 // call to test this comparison.
-                if ((current == 0 && JavascriptNumber::IsNegZero(compare)) ||
+                else if ((current == 0 && JavascriptNumber::IsNegZero(compare)) ||
                     current > compare)
                 {
                     current = compare;
                 }
             }
 
+            if (returnNaN)
+            {
+                return scriptContext->GetLibrary()->GetNaN();
+            }
+
             return JavascriptNumber::ToVarNoCheck(current, scriptContext);
         }
     }

lib/Runtime/Library/InJavascript/JsBuiltIn.nojit.bc.32b.h

@@ -0,0 +1,36 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+// @ts-check
+
+function AssertNaN(value) {
+    if (!isNaN(value))
+        throw new Error("Expected NaN as value");
+}
+
+let valueOfCounter = 0;
+const obj = {
+    valueOf: function () {
+        valueOfCounter++;
+        return 1;
+    }
+};
+
+AssertNaN(Math.max(NaN, obj));
+AssertNaN(Math.max(NaN, NaN));
+AssertNaN(Math.max(NaN, NaN, obj));
+AssertNaN(Math.max(NaN, NaN, NaN));
+
+AssertNaN(Math.min(NaN, obj));
+AssertNaN(Math.min(NaN, NaN));
+AssertNaN(Math.min(NaN, NaN, obj));
+AssertNaN(Math.min(NaN, NaN, NaN));
+
+const expectedCount = 4;
+if (valueOfCounter != expectedCount)
+    throw new Error(`Expected "valueOf" to be called ${expectedCount}x; got ${valueOfCounter}`);
+
+console.log("pass");

lib/Runtime/Library/InJavascript/JsBuiltIn.nojit.bc.64b.h

@@ -42,4 +42,15 @@
       <baseline>clz32.baseline</baseline>
     </default>
   </test>
+  <test>
+    <default>
+      <files>max2.js</files>
+    </default>
+  </test>
+  <test>
+    <default>
+      <files>max2.js</files>
+      <compile-flags>-JsBuiltin-</compile-flags>
+    </default>
+  </test>
 </regress-exe>