[runtime] Checked math in date calculations which may overflow (#242)

## Summary

The fuzzer caught assertion failures due to overflow during some date
calculations. Specifically callers to `make_day` could cause an overflow
if the year argument is high enough. We can fix this by using checked
operations in all functions that could potentially overflow.

This could only cause a crash due to the year argument - months and days
already have their ranges validated or controlled. I also audited the
rest of the date calculations and this was the only potential overflow I
found. All other cases operate on f64s or validate the range of their
inputs. The primary functions that rely on callers to validate inputs to
prevent overflow have been annotated with this fact.

## Tests

Added regression test for failing date calculations in the common cases
I could trigger it.

Author: Hans-Halverson

src/js/runtime/intrinsics/date_object.rs

@@ -235,36 +235,48 @@ pub fn make_full_year(year: f64) -> f64 {
     }
 }
 
-// Floor division - round towards negative infintiy
-fn floor_div(a: i64, b: i64) -> i64 {
+/// Floor division - round towards negative infinity
+///
+/// Returns None on overflow.
+fn floor_div(a: i64, b: i64) -> Option<i64> {
     if a >= 0 {
-        a / b
+        a.checked_div(b)
     } else {
-        ((a + 1) / b) - 1
+        a.checked_add(1)?.checked_div(b)?.checked_sub(1)
     }
 }
 
 fn is_leap_year(year: i64) -> bool {
     year % 4 == 0 && (year % 100 != 0 || year % 400 == 0)
 }
 
-// Calculate number of leap years after year 0 but before the given year
-fn leap_years_before_year(year: i64) -> i64 {
-    let year = year - 1;
-    floor_div(year, 4) - floor_div(year, 100) + floor_div(year, 400)
+/// Calculate number of leap years after year 0 but before the given year.
+///
+/// Returns None on overflow.
+fn leap_years_before_year(year: i64) -> Option<i64> {
+    let year = year.checked_sub(1)?;
+    floor_div(year, 4)?
+        .checked_sub(floor_div(year, 100)?)?
+        .checked_add(floor_div(year, 400)?)
 }
 
-// Calculate number of leap years in a time period between two years
-fn leap_years_between_years(start_year: i64, end_year: i64) -> i64 {
-    leap_years_before_year(end_year) - leap_years_before_year(start_year)
+/// Calculate number of leap years in a time period between two years
+///
+/// Returns None on overflow.
+fn leap_years_between_years(start_year: i64, end_year: i64) -> Option<i64> {
+    leap_years_before_year(end_year)?.checked_sub(leap_years_before_year(start_year)?)
 }
 
-fn year_to_days_since_unix_epoch(year: i64) -> i64 {
-    let years_since_epoch = year - 1970;
+fn year_to_days_since_unix_epoch(year: i64) -> Option<i64> {
+    let years_since_epoch = year.checked_sub(1970)?;
     if years_since_epoch >= 0 {
-        years_since_epoch * 365 + leap_years_between_years(1970, year)
+        years_since_epoch
+            .checked_mul(365)?
+            .checked_add(leap_years_between_years(1970, year)?)
     } else {
-        years_since_epoch * 365 - leap_years_between_years(year, 1970)
+        years_since_epoch
+            .checked_mul(365)?
+            .checked_sub(leap_years_between_years(year, 1970)?)
     }
 }
 
@@ -300,8 +312,11 @@ fn year_month_day_to_days_since_year_start(year: i64, month: i64, day: i64) -> i
 
 /// Year + month + day to the number of days since the Unix epoch. Months and days are 1-indexed.
 /// Month must be between 1 and 12, day is not constrained.
-pub fn year_month_day_to_days_since_unix_epoch(year: i64, month: i64, day: i64) -> i64 {
-    year_to_days_since_unix_epoch(year) + year_month_day_to_days_since_year_start(year, month, day)
+///
+/// Returns None on overflow.
+pub fn year_month_day_to_days_since_unix_epoch(year: i64, month: i64, day: i64) -> Option<i64> {
+    year_to_days_since_unix_epoch(year)?
+        .checked_add(year_month_day_to_days_since_year_start(year, month, day))
 }
 
 /// MakeDay (https://tc39.es/ecma262/#sec-makeday)
@@ -327,10 +342,13 @@ pub fn make_day(year: f64, month: f64, date: f64) -> f64 {
     let calculated_year = calculated_year as i64;
     let calculated_month = calculated_month as i64 + 1;
 
-    let num_days_until_month_start =
-        year_month_day_to_days_since_unix_epoch(calculated_year, calculated_month, 1) as f64;
+    let Some(num_days_until_month_start) =
+        year_month_day_to_days_since_unix_epoch(calculated_year, calculated_month, 1)
+    else {
+        return f64::NAN;
+    };
 
-    num_days_until_month_start + date - 1.0
+    (num_days_until_month_start as f64) + date - 1.0
 }
 
 /// MakeDate (https://tc39.es/ecma262/#sec-makedate)

src/js/runtime/string_parsing.rs

@@ -804,6 +804,7 @@ fn parse_string_to_iso_date(mut lexer: StringLexer) -> Option<f64> {
             return None;
         }
 
+        // Unchecked operations since ranges have already been validated
         sign * (timezone_hour * MS_PER_HOUR as i64 + timezone_minute * MS_PER_MINUTE as i64)
     } else if has_time {
         // TODO: Use current time zone offset
@@ -829,6 +830,8 @@ fn parse_string_to_iso_date(mut lexer: StringLexer) -> Option<f64> {
     )
 }
 
+/// Callers must ensure that the date parts are in valid ranges so that overflow does not occur
+/// when calculating the time value.
 fn utc_time_from_full_date_parts(
     year: i64,
     month: i64,
@@ -840,7 +843,7 @@ fn utc_time_from_full_date_parts(
     timezone_offset_milliseconds: i64,
 ) -> Option<f64> {
     let date_part_milliseconds =
-        year_month_day_to_days_since_unix_epoch(year, month, day) * MS_PER_DAY as i64;
+        year_month_day_to_days_since_unix_epoch(year, month, day).unwrap() * MS_PER_DAY as i64;
 
     let time_part_milliseconds = hour * MS_PER_HOUR as i64
         + minute * MS_PER_MINUTE as i64
@@ -935,6 +938,7 @@ fn parse_string_to_utc_or_default_date(mut lexer: StringLexer) -> Option<f64> {
             return None;
         }
 
+        // Unchecked operations since ranges have already been validated
         sign * (timezone_hour * MS_PER_HOUR as i64 + timezone_minute * MS_PER_MINUTE as i64)
     };
 

tests/integration/regression/000007.js

@@ -0,0 +1,8 @@
+/*---
+description: Crash due to overflow during date calculations.
+---*/
+
+assert.sameValue(new Date(1.0e+308, 0).toString(), "Invalid Date");
+assert(Number.isNaN(Date.UTC(1.0e+308)));
+assert(Number.isNaN(new Date().setFullYear(1.0e+308)));
+assert(Number.isNaN(new Date().setUTCFullYear(1.0e+308)));