/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 * vim: set ts=8 sts=2 et sw=2 tw=80:
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * JS number type and wrapper class.
 */

#include "jsnum.h"

#include "mozilla/Casting.h"
#include "mozilla/FloatingPoint.h"
#include "mozilla/Maybe.h"
#include "mozilla/RangedPtr.h"
#include "mozilla/TextUtils.h"
#include "mozilla/Utf8.h"

#include <algorithm>
#include <iterator>
#include <limits>
#ifdef HAVE_LOCALECONV
#  include <locale.h>
#endif
#include <math.h>
#include <string.h>  // memmove
#include <string_view>

#include "jstypes.h"

#include "double-conversion/double-conversion.h"
#include "frontend/ParserAtom.h"  // frontend::{ParserAtomsTable, TaggedParserAtomIndex}
#include "jit/InlinableNatives.h"
#include "js/CharacterEncoding.h"
#include "js/Conversions.h"
#include "js/friend/ErrorMessages.h"  // js::GetErrorMessage, JSMSG_*
#include "js/GCAPI.h"
#if !JS_HAS_INTL_API
#  include "js/LocaleSensitive.h"
#endif
#include "js/PropertyAndElement.h"  // JS_DefineFunctions
#include "js/PropertySpec.h"
#include "util/DoubleToString.h"
#include "util/Memory.h"
#include "util/StringBuffer.h"
#include "vm/BigIntType.h"
#include "vm/GlobalObject.h"
#include "vm/JSAtom.h"
#include "vm/JSContext.h"
#include "vm/JSObject.h"
#include "vm/StaticStrings.h"
#include "vm/WellKnownAtom.h"  // js_*_str

#include "vm/Compartment-inl.h"  // For js::UnwrapAndTypeCheckThis
#include "vm/GeckoProfiler-inl.h"
#include "vm/NativeObject-inl.h"
#include "vm/NumberObject-inl.h"
#include "vm/StringType-inl.h"

using namespace js;

using mozilla::Abs;
using mozilla::AsciiAlphanumericToNumber;
using mozilla::IsAsciiAlphanumeric;
using mozilla::IsAsciiDigit;
using mozilla::Maybe;
using mozilla::MinNumberValue;
using mozilla::NegativeInfinity;
using mozilla::NumberEqualsInt32;
using mozilla::PositiveInfinity;
using mozilla::RangedPtr;
using mozilla::Utf8AsUnsignedChars;
using mozilla::Utf8Unit;

using JS::AutoCheckCannotGC;
using JS::GenericNaN;
using JS::ToInt16;
using JS::ToInt32;
using JS::ToInt64;
using JS::ToInt8;
using JS::ToUint16;
using JS::ToUint32;
using JS::ToUint64;
using JS::ToUint8;

static bool EnsureDtoaState(JSContext* cx) {
  if (!cx->dtoaState) {
    cx->dtoaState = NewDtoaState();
    if (!cx->dtoaState) {
      return false;
    }
  }
  return true;
}

template <typename CharT>
static inline void AssertWellPlacedNumericSeparator(const CharT* s,
                                                    const CharT* start,
                                                    const CharT* end) {
  MOZ_ASSERT(start < end, "string is non-empty");
  MOZ_ASSERT(s > start, "number can't start with a separator");
  MOZ_ASSERT(s + 1 < end,
             "final character in a numeric literal can't be a separator");
  MOZ_ASSERT(*(s + 1) != '_',
             "separator can't be followed by another separator");
  MOZ_ASSERT(*(s - 1) != '_',
             "separator can't be preceded by another separator");
}

namespace {

template <typename CharT>
class BinaryDigitReader {
  const int base;     /* Base of number; must be a power of 2 */
  int digit;          /* Current digit value in radix given by base */
  int digitMask;      /* Mask to extract the next bit from digit */
  const CharT* cur;   /* Pointer to the remaining digits */
  const CharT* start; /* Pointer to the start of the string */
  const CharT* end;   /* Pointer to first non-digit */

 public:
  BinaryDigitReader(int base, const CharT* start, const CharT* end)
      : base(base),
        digit(0),
        digitMask(0),
        cur(start),
        start(start),
        end(end) {}

  /* Return the next binary digit from the number, or -1 if done. */
  int nextDigit() {
    if (digitMask == 0) {
      if (cur == end) {
        return -1;
      }

      int c = *cur++;
      if (c == '_') {
        AssertWellPlacedNumericSeparator(cur - 1, start, end);
        c = *cur++;
      }

      MOZ_ASSERT(IsAsciiAlphanumeric(c));
      digit = AsciiAlphanumericToNumber(c);
      digitMask = base >> 1;
    }

    int bit = (digit & digitMask) != 0;
    digitMask >>= 1;
    return bit;
  }
};

} /* anonymous namespace */

/*
 * The fast result might also have been inaccurate for power-of-two bases. This
 * happens if the addition in value * 2 + digit causes a round-down to an even
 * least significant mantissa bit when the first dropped bit is a one.  If any
 * of the following digits in the number (which haven't been added in yet) are
 * nonzero, then the correct action would have been to round up instead of
 * down.  An example occurs when reading the number 0x1000000000000081, which
 * rounds to 0x1000000000000000 instead of 0x1000000000000100.
 */
template <typename CharT>
static double ComputeAccurateBinaryBaseInteger(const CharT* start,
                                               const CharT* end, int base) {
  BinaryDigitReader<CharT> bdr(base, start, end);

  /* Skip leading zeroes. */
  int bit;
  do {
    bit = bdr.nextDigit();
  } while (bit == 0);

  MOZ_ASSERT(bit == 1);  // guaranteed by Get{Prefix,Decimal}Integer

  /* Gather the 53 significant bits (including the leading 1). */
  double value = 1.0;
  for (int j = 52; j > 0; j--) {
    bit = bdr.nextDigit();
    if (bit < 0) {
      return value;
    }
    value = value * 2 + bit;
  }

  /* bit2 is the 54th bit (the first dropped from the mantissa). */
  int bit2 = bdr.nextDigit();
  if (bit2 >= 0) {
    double factor = 2.0;
    int sticky = 0; /* sticky is 1 if any bit beyond the 54th is 1 */
    int bit3;

    while ((bit3 = bdr.nextDigit()) >= 0) {
      sticky |= bit3;
      factor *= 2;
    }
    value += bit2 & (bit | sticky);
    value *= factor;
  }

  return value;
}

template <typename CharT>
double js::ParseDecimalNumber(const mozilla::Range<const CharT> chars) {
  MOZ_ASSERT(chars.length() > 0);
  uint64_t dec = 0;
  RangedPtr<const CharT> s = chars.begin(), end = chars.end();
  do {
    CharT c = *s;
    MOZ_ASSERT('0' <= c && c <= '9');
    uint8_t digit = c - '0';
    uint64_t next = dec * 10 + digit;
    MOZ_ASSERT(next < DOUBLE_INTEGRAL_PRECISION_LIMIT,
               "next value won't be an integrally-precise double");
    dec = next;
  } while (++s < end);
  return static_cast<double>(dec);
}

template double js::ParseDecimalNumber(
    const mozilla::Range<const Latin1Char> chars);

template double js::ParseDecimalNumber(
    const mozilla::Range<const char16_t> chars);

template <typename CharT>
static bool GetPrefixIntegerImpl(const CharT* start, const CharT* end, int base,
                                 IntegerSeparatorHandling separatorHandling,
                                 const CharT** endp, double* dp) {
  MOZ_ASSERT(start <= end);
  MOZ_ASSERT(2 <= base && base <= 36);

  const CharT* s = start;
  double d = 0.0;
  for (; s < end; s++) {
    CharT c = *s;
    if (!IsAsciiAlphanumeric(c)) {
      if (c == '_' &&
          separatorHandling == IntegerSeparatorHandling::SkipUnderscore) {
        AssertWellPlacedNumericSeparator(s, start, end);
        continue;
      }
      break;
    }

    uint8_t digit = AsciiAlphanumericToNumber(c);
    if (digit >= base) {
      break;
    }

    d = d * base + digit;
  }

  *endp = s;
  *dp = d;

  /* If we haven't reached the limit of integer precision, we're done. */
  if (d < DOUBLE_INTEGRAL_PRECISION_LIMIT) {
    return true;
  }

  /*
   * Otherwise compute the correct integer from the prefix of valid digits
   * if we're computing for base ten or a power of two.  Don't worry about
   * other bases; see ES2018, 18.2.5 `parseInt(string, radix)`, step 13.
   */
  if (base == 10) {
    return false;
  }

  if ((base & (base - 1)) == 0) {
    *dp = ComputeAccurateBinaryBaseInteger(start, s, base);
  }

  return true;
}

template <typename CharT>
bool js::GetPrefixInteger(const CharT* start, const CharT* end, int base,
                          IntegerSeparatorHandling separatorHandling,
                          const CharT** endp, double* dp) {
  if (GetPrefixIntegerImpl(start, end, base, separatorHandling, endp, dp)) {
    return true;
  }

  // Can only fail for base 10.
  MOZ_ASSERT(base == 10);

  // If we're accumulating a decimal number and the number is >= 2^53, then the
  // fast result from the loop in GetPrefixIntegerImpl may be inaccurate. Call
  // GetDecimal to get the correct answer.
  return GetDecimal(start, *endp, dp);
}

namespace js {

template bool GetPrefixInteger(const char16_t* start, const char16_t* end,
                               int base,
                               IntegerSeparatorHandling separatorHandling,
                               const char16_t** endp, double* dp);

template bool GetPrefixInteger(const Latin1Char* start, const Latin1Char* end,
                               int base,
                               IntegerSeparatorHandling separatorHandling,
                               const Latin1Char** endp, double* dp);

}  // namespace js

template <typename CharT>
bool js::GetDecimalInteger(const CharT* start, const CharT* end, double* dp) {
  MOZ_ASSERT(start <= end);

  double d = 0.0;
  for (const CharT* s = start; s < end; s++) {
    CharT c = *s;
    if (c == '_') {
      AssertWellPlacedNumericSeparator(s, start, end);
      continue;
    }
    MOZ_ASSERT(IsAsciiDigit(c));
    int digit = c - '0';
    d = d * 10 + digit;
  }

  // If we haven't reached the limit of integer precision, we're done.
  if (d < DOUBLE_INTEGRAL_PRECISION_LIMIT) {
    *dp = d;
    return true;
  }

  // Otherwise compute the correct integer using GetDecimal.
  return GetDecimal(start, end, dp);
}

namespace js {

template bool GetDecimalInteger(const char16_t* start, const char16_t* end,
                                double* dp);

template bool GetDecimalInteger(const Latin1Char* start, const Latin1Char* end,
                                double* dp);

template <>
bool GetDecimalInteger<Utf8Unit>(const Utf8Unit* start, const Utf8Unit* end,
                                 double* dp) {
  return GetDecimalInteger(Utf8AsUnsignedChars(start), Utf8AsUnsignedChars(end),
                           dp);
}

}  // namespace js

template <typename CharT>
bool js::GetDecimal(const CharT* start, const CharT* end, double* dp) {
  MOZ_ASSERT(start <= end);

  size_t length = end - start;

  auto convert = [](auto* chars, size_t length) -> double {
    using SToDConverter = double_conversion::StringToDoubleConverter;
    SToDConverter converter(/* flags = */ 0, /* empty_string_value = */ 0.0,
                            /* junk_string_value = */ 0.0,
                            /* infinity_symbol = */ nullptr,
                            /* nan_symbol = */ nullptr);
    int lengthInt = mozilla::AssertedCast<int>(length);
    int processed = 0;
    double d = converter.StringToDouble(chars, lengthInt, &processed);
    MOZ_ASSERT(processed >= 0);
    MOZ_ASSERT(size_t(processed) == length);
    return d;
  };

  // If there are no underscores, we don't need to copy the chars.
  bool hasUnderscore = std::any_of(start, end, [](auto c) { return c == '_'; });
  if (!hasUnderscore) {
    if constexpr (std::is_same_v<CharT, char16_t>) {
      *dp = convert(reinterpret_cast<const uc16*>(start), length);
    } else {
      static_assert(std::is_same_v<CharT, Latin1Char>);
      *dp = convert(reinterpret_cast<const char*>(start), length);
    }
    return true;
  }

  Vector<char, 32, SystemAllocPolicy> chars;
  if (!chars.growByUninitialized(length)) {
    return false;
  }

  const CharT* s = start;
  size_t i = 0;
  for (; s < end; s++) {
    CharT c = *s;
    if (c == '_') {
      AssertWellPlacedNumericSeparator(s, start, end);
      continue;
    }
    MOZ_ASSERT(IsAsciiDigit(c) || c == '.' || c == 'e' || c == 'E' ||
               c == '+' || c == '-');
    chars[i++] = char(c);
  }

  *dp = convert(chars.begin(), i);
  return true;
}

namespace js {

template bool GetDecimal(const char16_t* start, const char16_t* end,
                         double* dp);

template bool GetDecimal(const Latin1Char* start, const Latin1Char* end,
                         double* dp);

template <>
bool GetDecimal<Utf8Unit>(const Utf8Unit* start, const Utf8Unit* end,
                          double* dp) {
  return GetDecimal(Utf8AsUnsignedChars(start), Utf8AsUnsignedChars(end), dp);
}

}  // namespace js

static bool num_parseFloat(JSContext* cx, unsigned argc, Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

  if (args.length() == 0) {
    args.rval().setNaN();
    return true;
  }

  if (args[0].isNumber()) {
    // ToString(-0) is "0", handle it accordingly.
    if (args[0].isDouble() && args[0].toDouble() == 0.0) {
      args.rval().setInt32(0);
    } else {
      args.rval().set(args[0]);
    }
    return true;
  }

  JSString* str = ToString<CanGC>(cx, args[0]);
  if (!str) {
    return false;
  }

  if (str->hasIndexValue()) {
    args.rval().setNumber(str->getIndexValue());
    return true;
  }

  JSLinearString* linear = str->ensureLinear(cx);
  if (!linear) {
    return false;
  }

  double d;
  AutoCheckCannotGC nogc;
  if (linear->hasLatin1Chars()) {
    const Latin1Char* begin = linear->latin1Chars(nogc);
    const Latin1Char* end;
    d = js_strtod(begin, begin + linear->length(), &end);
    if (end == begin) {
      d = GenericNaN();
    }
  } else {
    const char16_t* begin = linear->twoByteChars(nogc);
    const char16_t* end;
    d = js_strtod(begin, begin + linear->length(), &end);
    if (end == begin) {
      d = GenericNaN();
    }
  }

  args.rval().setDouble(d);
  return true;
}

// ES2023 draft rev 053d34c87b14d9234d6f7f45bd61074b72ca9d69
// 19.2.5 parseInt ( string, radix )
template <typename CharT>
static bool ParseIntImpl(JSContext* cx, const CharT* chars, size_t length,
                         bool stripPrefix, int32_t radix, double* res) {
  // Step 2.
  const CharT* end = chars + length;
  const CharT* s = SkipSpace(chars, end);

  MOZ_ASSERT(chars <= s);
  MOZ_ASSERT(s <= end);

  // Steps 3-4.
  bool negative = (s != end && s[0] == '-');

  // Step 5. */
  if (s != end && (s[0] == '-' || s[0] == '+')) {
    s++;
  }

  // Step 10.
  if (stripPrefix) {
    if (end - s >= 2 && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
      s += 2;
      radix = 16;
    }
  }

  // Steps 11-15.
  const CharT* actualEnd;
  double d;
  if (!js::GetPrefixInteger(s, end, radix, IntegerSeparatorHandling::None,
                            &actualEnd, &d)) {
    ReportOutOfMemory(cx);
    return false;
  }

  if (s == actualEnd) {
    *res = GenericNaN();
  } else {
    *res = negative ? -d : d;
  }
  return true;
}

// ES2023 draft rev 053d34c87b14d9234d6f7f45bd61074b72ca9d69
// 19.2.5 parseInt ( string, radix )
bool js::NumberParseInt(JSContext* cx, HandleString str, int32_t radix,
                        MutableHandleValue result) {
  // Step 7.
  bool stripPrefix = true;

  // Steps 8-9.
  if (radix != 0) {
    if (radix < 2 || radix > 36) {
      result.setNaN();
      return true;
    }

    if (radix != 16) {
      stripPrefix = false;
    }
  } else {
    radix = 10;
  }
  MOZ_ASSERT(2 <= radix && radix <= 36);

  JSLinearString* linear = str->ensureLinear(cx);
  if (!linear) {
    return false;
  }

  // Steps 2-5, 10-16.
  AutoCheckCannotGC nogc;
  size_t length = linear->length();
  double number;
  if (linear->hasLatin1Chars()) {
    if (!ParseIntImpl(cx, linear->latin1Chars(nogc), length, stripPrefix, radix,
                      &number)) {
      return false;
    }
  } else {
    if (!ParseIntImpl(cx, linear->twoByteChars(nogc), length, stripPrefix,
                      radix, &number)) {
      return false;
    }
  }

  result.setNumber(number);
  return true;
}

// ES2023 draft rev 053d34c87b14d9234d6f7f45bd61074b72ca9d69
// 19.2.5 parseInt ( string, radix )
static bool num_parseInt(JSContext* cx, unsigned argc, Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

  /* Fast paths and exceptional cases. */
  if (args.length() == 0) {
    args.rval().setNaN();
    return true;
  }

  if (args.length() == 1 || (args[1].isInt32() && (args[1].toInt32() == 0 ||
                                                   args[1].toInt32() == 10))) {
    if (args[0].isInt32()) {
      args.rval().set(args[0]);
      return true;
    }

    /*
     * Step 1 is |inputString = ToString(string)|. When string >=
     * 1e21, ToString(string) is in the form "NeM". 'e' marks the end of
     * the word, which would mean the result of parseInt(string) should be |N|.
     *
     * To preserve this behaviour, we can't use the fast-path when string >=
     * 1e21, or else the result would be |NeM|.
     *
     * The same goes for values smaller than 1.0e-6, because the string would be
     * in the form of "Ne-M".
     */
    if (args[0].isDouble()) {
      double d = args[0].toDouble();
      if (DOUBLE_DECIMAL_IN_SHORTEST_LOW <= d &&
          d < DOUBLE_DECIMAL_IN_SHORTEST_HIGH) {
        args.rval().setNumber(floor(d));
        return true;
      }
      if (-DOUBLE_DECIMAL_IN_SHORTEST_HIGH < d &&
          d <= -DOUBLE_DECIMAL_IN_SHORTEST_LOW) {
        args.rval().setNumber(-floor(-d));
        return true;
      }
      if (d == 0.0) {
        args.rval().setInt32(0);
        return true;
      }
    }

    if (args[0].isString()) {
      JSString* str = args[0].toString();
      if (str->hasIndexValue()) {
        args.rval().setNumber(str->getIndexValue());
        return true;
      }
    }
  }

  // Step 1.
  RootedString inputString(cx, ToString<CanGC>(cx, args[0]));
  if (!inputString) {
    return false;
  }

  // Step 6.
  int32_t radix = 0;
  if (args.hasDefined(1)) {
    if (!ToInt32(cx, args[1], &radix)) {
      return false;
    }
  }

  // Steps 2-5, 7-16.
  return NumberParseInt(cx, inputString, radix, args.rval());
}

static const JSFunctionSpec number_functions[] = {
    JS_SELF_HOSTED_FN(js_isNaN_str, "Global_isNaN", 1, JSPROP_RESOLVING),
    JS_SELF_HOSTED_FN(js_isFinite_str, "Global_isFinite", 1, JSPROP_RESOLVING),
    JS_FS_END};

const JSClass NumberObject::class_ = {
    js_Number_str,
    JSCLASS_HAS_RESERVED_SLOTS(1) | JSCLASS_HAS_CACHED_PROTO(JSProto_Number),
    JS_NULL_CLASS_OPS, &NumberObject::classSpec_};

static bool Number(JSContext* cx, unsigned argc, Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

  if (args.length() > 0) {
    // BigInt proposal section 6.2, steps 2a-c.
    if (!ToNumeric(cx, args[0])) {
      return false;
    }
    if (args[0].isBigInt()) {
      args[0].setNumber(BigInt::numberValue(args[0].toBigInt()));
    }
    MOZ_ASSERT(args[0].isNumber());
  }

  if (!args.isConstructing()) {
    if (args.length() > 0) {
      args.rval().set(args[0]);
    } else {
      args.rval().setInt32(0);
    }
    return true;
  }

  RootedObject proto(cx);
  if (!GetPrototypeFromBuiltinConstructor(cx, args, JSProto_Number, &proto)) {
    return false;
  }

  double d = args.length() > 0 ? args[0].toNumber() : 0;
  JSObject* obj = NumberObject::create(cx, d, proto);
  if (!obj) {
    return false;
  }
  args.rval().setObject(*obj);
  return true;
}

// ES2020 draft rev e08b018785606bc6465a0456a79604b149007932
// 20.1.3 Properties of the Number Prototype Object, thisNumberValue.
MOZ_ALWAYS_INLINE
static bool ThisNumberValue(JSContext* cx, const CallArgs& args,
                            const char* methodName, double* number) {
  HandleValue thisv = args.thisv();

  // Step 1.
  if (thisv.isNumber()) {
    *number = thisv.toNumber();
    return true;
  }

  // Steps 2-3.
  auto* obj = UnwrapAndTypeCheckThis<NumberObject>(cx, args, methodName);
  if (!obj) {
    return false;
  }

  *number = obj->unbox();
  return true;
}

// On-off helper function for the self-hosted Number_toLocaleString method.
// This only exists to produce an error message with the right method name.
bool js::ThisNumberValueForToLocaleString(JSContext* cx, unsigned argc,
                                          Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

  double d;
  if (!ThisNumberValue(cx, args, "toLocaleString", &d)) {
    return false;
  }

  args.rval().setNumber(d);
  return true;
}

static bool num_toSource(JSContext* cx, unsigned argc, Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

  double d;
  if (!ThisNumberValue(cx, args, "toSource", &d)) {
    return false;
  }

  JSStringBuilder sb(cx);
  if (!sb.append("(new Number(") ||
      !NumberValueToStringBuffer(NumberValue(d), sb) || !sb.append("))")) {
    return false;
  }

  JSString* str = sb.finishString();
  if (!str) {
    return false;
  }
  args.rval().setString(str);
  return true;
}

// Subtract one from DTOSTR_STANDARD_BUFFER_SIZE to exclude the null-character.
static_assert(
    double_conversion::DoubleToStringConverter::kMaxCharsEcmaScriptShortest ==
        DTOSTR_STANDARD_BUFFER_SIZE - 1,
    "double_conversion and dtoa both agree how large the longest string "
    "can be");

static_assert(DTOSTR_STANDARD_BUFFER_SIZE <= JS::MaximumNumberToStringLength,
              "MaximumNumberToStringLength is large enough to hold the longest "
              "string produced by a conversion");

MOZ_ALWAYS_INLINE
static JSLinearString* LookupDtoaCache(JSContext* cx, double d) {
  if (Realm* realm = cx->realm()) {
    if (JSLinearString* str = realm->dtoaCache.lookup(10, d)) {
      return str;
    }
  }

  return nullptr;
}

MOZ_ALWAYS_INLINE
static void CacheNumber(JSContext* cx, double d, JSLinearString* str) {
  if (Realm* realm = cx->realm()) {
    realm->dtoaCache.cache(10, d, str);
  }
}

MOZ_ALWAYS_INLINE
static JSLinearString* LookupInt32ToString(JSContext* cx, int32_t si) {
  if (si >= 0 && StaticStrings::hasInt(si)) {
    return cx->staticStrings().getInt(si);
  }

  return LookupDtoaCache(cx, si);
}

template <typename T>
MOZ_ALWAYS_INLINE static T* BackfillInt32InBuffer(int32_t si, T* buffer,
                                                  size_t size, size_t* length) {
  uint32_t ui = Abs(si);
  MOZ_ASSERT_IF(si == INT32_MIN, ui == uint32_t(INT32_MAX) + 1);

  RangedPtr<T> end(buffer + size - 1, buffer, size);
  *end = '\0';
  RangedPtr<T> start = BackfillIndexInCharBuffer(ui, end);
  if (si < 0) {
    *--start = '-';
  }

  *length = end - start;
  return start.get();
}

template <AllowGC allowGC>
JSLinearString* js::Int32ToString(JSContext* cx, int32_t si) {
  if (JSLinearString* str = LookupInt32ToString(cx, si)) {
    return str;
  }

  Latin1Char buffer[JSFatInlineString::MAX_LENGTH_LATIN1 + 1];
  size_t length;
  Latin1Char* start =
      BackfillInt32InBuffer(si, buffer, std::size(buffer), &length);

  mozilla::Range<const Latin1Char> chars(start, length);
  JSInlineString* str =
      NewInlineString<allowGC>(cx, chars, js::gc::Heap::Default);
  if (!str) {
    return nullptr;
  }
  if (si >= 0) {
    str->maybeInitializeIndexValue(si);
  }

  CacheNumber(cx, si, str);
  return str;
}

template JSLinearString* js::Int32ToString<CanGC>(JSContext* cx, int32_t si);

template JSLinearString* js::Int32ToString<NoGC>(JSContext* cx, int32_t si);

JSLinearString* js::Int32ToStringPure(JSContext* cx, int32_t si) {
  AutoUnsafeCallWithABI unsafe;
  return Int32ToString<NoGC>(cx, si);
}

JSAtom* js::Int32ToAtom(JSContext* cx, int32_t si) {
  if (JSLinearString* str = LookupInt32ToString(cx, si)) {
    return js::AtomizeString(cx, str);
  }

  char buffer[JSFatInlineString::MAX_LENGTH_TWO_BYTE + 1];
  size_t length;
  char* start = BackfillInt32InBuffer(
      si, buffer, JSFatInlineString::MAX_LENGTH_TWO_BYTE + 1, &length);

  Maybe<uint32_t> indexValue;
  if (si >= 0) {
    indexValue.emplace(si);
  }

  JSAtom* atom = Atomize(cx, start, length, indexValue);
  if (!atom) {
    return nullptr;
  }

  CacheNumber(cx, si, atom);
  return atom;
}

frontend::TaggedParserAtomIndex js::Int32ToParserAtom(
    FrontendContext* fc, frontend::ParserAtomsTable& parserAtoms, int32_t si) {
  char buffer[JSFatInlineString::MAX_LENGTH_TWO_BYTE + 1];
  size_t length;
  char* start = BackfillInt32InBuffer(
      si, buffer, JSFatInlineString::MAX_LENGTH_TWO_BYTE + 1, &length);

  Maybe<uint32_t> indexValue;
  if (si >= 0) {
    indexValue.emplace(si);
  }

  return parserAtoms.internAscii(fc, start, length);
}

/* Returns a non-nullptr pointer to inside `buf`. */
template <typename T>
static char* Int32ToCStringWithBase(mozilla::Range<char> buf, T i, size_t* len,
                                    int base) {
  uint32_t u;
  if constexpr (std::is_signed_v<T>) {
    u = Abs(i);
  } else {
    u = i;
  }

  RangedPtr<char> cp = buf.end() - 1;

  char* end = cp.get();
  *cp = '\0';

  /* Build the string from behind. */
  switch (base) {
    case 10:
      cp = BackfillIndexInCharBuffer(u, cp);
      break;
    case 16:
      do {
        unsigned newu = u / 16;
        *--cp = "0123456789abcdef"[u - newu * 16];
        u = newu;
      } while (u != 0);
      break;
    default:
      MOZ_ASSERT(base >= 2 && base <= 36);
      do {
        unsigned newu = u / base;
        *--cp = "0123456789abcdefghijklmnopqrstuvwxyz"[u - newu * base];
        u = newu;
      } while (u != 0);
      break;
  }
  if constexpr (std::is_signed_v<T>) {
    if (i < 0) {
      *--cp = '-';
    }
  }

  *len = end - cp.get();
  return cp.get();
}

/* Returns a non-nullptr pointer to inside `out`. */
template <typename T, size_t Length>
static char* Int32ToCStringWithBase(char (&out)[Length], T i, size_t* len,
                                    int base) {
  // The buffer needs to be large enough to hold the largest number, including
  // the sign and the terminating null-character.
  static_assert(std::numeric_limits<T>::digits + (2 * std::is_signed_v<T>) <
                Length);

  mozilla::Range<char> buf(out, Length);
  return Int32ToCStringWithBase(buf, i, len, base);
}

/* Returns a non-nullptr pointer to inside `out`. */
template <typename T, size_t Base, size_t Length>
static char* Int32ToCString(char (&out)[Length], T i, size_t* len) {
  // The buffer needs to be large enough to hold the largest number, including
  // the sign and the terminating null-character.
  if constexpr (Base == 10) {
    static_assert(std::numeric_limits<T>::digits10 + 1 + std::is_signed_v<T> <
                  Length);
  } else {
    // Compute digits16 analog to std::numeric_limits::digits10, which is
    // defined as |std::numeric_limits::digits * std::log10(2)| for integer
    // types.
    // Note: log16(2) is 1/4.
    static_assert(Base == 16);
    static_assert(((std::numeric_limits<T>::digits + std::is_signed_v<T>) / 4 +
                   std::is_signed_v<T>) < Length);
  }

  mozilla::Range<char> buf(out, Length);
  return Int32ToCStringWithBase(buf, i, len, Base);
}

/* Returns a non-nullptr pointer to inside `cbuf`. */
template <typename T, size_t Base = 10>
static char* Int32ToCString(ToCStringBuf* cbuf, T i, size_t* len) {
  return Int32ToCString<T, Base>(cbuf->sbuf, i, len);
}

/* Returns a non-nullptr pointer to inside `cbuf`. */
template <typename T, size_t Base = 10>
static char* Int32ToCString(Int32ToCStringBuf* cbuf, T i, size_t* len) {
  return Int32ToCString<T, Base>(cbuf->sbuf, i, len);
}

template <AllowGC allowGC>
static JSString* NumberToStringWithBase(JSContext* cx, double d, int base);

static bool num_toString(JSContext* cx, unsigned argc, Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

  double d;
  if (!ThisNumberValue(cx, args, "toString", &d)) {
    return false;
  }

  int32_t base = 10;
  if (args.hasDefined(0)) {
    double d2;
    if (!ToInteger(cx, args[0], &d2)) {
      return false;
    }

    if (d2 < 2 || d2 > 36) {
      JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BAD_RADIX);
      return false;
    }

    base = int32_t(d2);
  }
  JSString* str = NumberToStringWithBase<CanGC>(cx, d, base);
  if (!str) {
    return false;
  }
  args.rval().setString(str);
  return true;
}

#if !JS_HAS_INTL_API
static bool num_toLocaleString(JSContext* cx, unsigned argc, Value* vp) {
  AutoJSMethodProfilerEntry pseudoFrame(cx, "Number.prototype",
                                        "toLocaleString");
  CallArgs args = CallArgsFromVp(argc, vp);

  double d;
  if (!ThisNumberValue(cx, args, "toLocaleString", &d)) {
    return false;
  }

  RootedString str(cx, NumberToStringWithBase<CanGC>(cx, d, 10));
  if (!str) {
    return false;
  }

  /*
   * Create the string, move back to bytes to make string twiddling
   * a bit easier and so we can insert platform charset seperators.
   */
  UniqueChars numBytes = EncodeAscii(cx, str);
  if (!numBytes) {
    return false;
  }
  const char* num = numBytes.get();
  if (!num) {
    return false;
  }

  /*
   * Find the first non-integer value, whether it be a letter as in
   * 'Infinity', a decimal point, or an 'e' from exponential notation.
   */
  const char* nint = num;
  if (*nint == '-') {
    nint++;
  }
  while (*nint >= '0' && *nint <= '9') {
    nint++;
  }
  int digits = nint - num;
  const char* end = num + digits;
  if (!digits) {
    args.rval().setString(str);
    return true;
  }

  JSRuntime* rt = cx->runtime();
  size_t thousandsLength = strlen(rt->thousandsSeparator);
  size_t decimalLength = strlen(rt->decimalSeparator);

  /* Figure out how long resulting string will be. */
  int buflen = strlen(num);
  if (*nint == '.') {
    buflen += decimalLength - 1; /* -1 to account for existing '.' */
  }

  const char* numGrouping;
  const char* tmpGroup;
  numGrouping = tmpGroup = rt->numGrouping;
  int remainder = digits;
  if (*num == '-') {
    remainder--;
  }

  while (*tmpGroup != CHAR_MAX && *tmpGroup != '\0') {
    if (*tmpGroup >= remainder) {
      break;
    }
    buflen += thousandsLength;
    remainder -= *tmpGroup;
    tmpGroup++;
  }

  int nrepeat;
  if (*tmpGroup == '\0' && *numGrouping != '\0') {
    nrepeat = (remainder - 1) / tmpGroup[-1];
    buflen += thousandsLength * nrepeat;
    remainder -= nrepeat * tmpGroup[-1];
  } else {
    nrepeat = 0;
  }
  tmpGroup--;

  char* buf = cx->pod_malloc<char>(buflen + 1);
  if (!buf) {
    return false;
  }

  char* tmpDest = buf;
  const char* tmpSrc = num;

  while (*tmpSrc == '-' || remainder--) {
    MOZ_ASSERT(tmpDest - buf < buflen);
    *tmpDest++ = *tmpSrc++;
  }
  while (tmpSrc < end) {
    MOZ_ASSERT(tmpDest - buf + ptrdiff_t(thousandsLength) <= buflen);
    strcpy(tmpDest, rt->thousandsSeparator);
    tmpDest += thousandsLength;
    MOZ_ASSERT(tmpDest - buf + *tmpGroup <= buflen);
    js_memcpy(tmpDest, tmpSrc, *tmpGroup);
    tmpDest += *tmpGroup;
    tmpSrc += *tmpGroup;
    if (--nrepeat < 0) {
      tmpGroup--;
    }
  }

  if (*nint == '.') {
    MOZ_ASSERT(tmpDest - buf + ptrdiff_t(decimalLength) <= buflen);
    strcpy(tmpDest, rt->decimalSeparator);
    tmpDest += decimalLength;
    MOZ_ASSERT(tmpDest - buf + ptrdiff_t(strlen(nint + 1)) <= buflen);
    strcpy(tmpDest, nint + 1);
  } else {
    MOZ_ASSERT(tmpDest - buf + ptrdiff_t(strlen(nint)) <= buflen);
    strcpy(tmpDest, nint);
  }

  if (cx->runtime()->localeCallbacks &&
      cx->runtime()->localeCallbacks->localeToUnicode) {
    Rooted<Value> v(cx, StringValue(str));
    bool ok = !!cx->runtime()->localeCallbacks->localeToUnicode(cx, buf, &v);
    if (ok) {
      args.rval().set(v);
    }
    js_free(buf);
    return ok;
  }

  str = NewStringCopyN<CanGC>(cx, buf, buflen);
  js_free(buf);
  if (!str) {
    return false;
  }

  args.rval().setString(str);
  return true;
}
#endif /* !JS_HAS_INTL_API */

bool js::num_valueOf(JSContext* cx, unsigned argc, Value* vp) {
  CallArgs args = CallArgsFromVp(argc, vp);

  double d;
  if (!ThisNumberValue(cx, args, "valueOf", &d)) {
    return false;
  }

  args.rval().setNumber(d);
  return true;
}

static const unsigned MAX_PRECISION = 100;

static bool ComputePrecisionInRange(JSContext* cx, int minPrecision,
                                    int maxPrecision, double prec,
                                    int* precision) {
  if (minPrecision <= prec && prec <= maxPrecision) {
    *precision = int(prec);
    return true;
  }

  ToCStringBuf cbuf;
  char* numStr = NumberToCString(&cbuf, prec);
  MOZ_ASSERT(numStr);
  JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_PRECISION_RANGE,
                            numStr);
  return false;
}

static constexpr size_t DoubleToStrResultBufSize = 128;

template <typename Op>
[[nodiscard]] static bool DoubleToStrResult(JSContext* cx, const CallArgs& args,
                                            Op op) {
  char buf[DoubleToStrResultBufSize];

  const auto& converter =
      double_conversion::DoubleToStringConverter::EcmaScriptConverter();
  double_conversion::StringBuilder builder(buf, sizeof(buf));

  bool ok = op(converter, builder);
  MOZ_RELEASE_ASSERT(ok);

  size_t numStrLen = builder.position();
  const char* numStr = builder.Finalize();
  MOZ_ASSERT(numStr == buf);
  MOZ_ASSERT(numStrLen == strlen(numStr));

  JSString* str = NewStringCopyN<CanGC>(cx, numStr, numStrLen);
  if (!str) {
    return false;
  }

  args.rval().setString(str);
  return true;
}

// ES 2021 draft 21.1.3.3.
static bool num_toFixed(JSContext* cx, unsigned argc, Value* vp) {
  AutoJSMethodProfilerEntry pseudoFrame(cx, "Number.prototype", "toFixed");
  CallArgs args = CallArgsFromVp(argc, vp);

  // Step 1.
  double d;
  if (!ThisNumberValue(cx, args, "toFixed", &d)) {
    return false;
  }

  // Steps 2-5.
  int precision;
  if (args.length() == 0) {
    precision = 0;
  } else {
    double prec = 0;
    if (!ToInteger(cx, args[0], &prec)) {
      return false;
    }

    if (!ComputePrecisionInRange(cx, 0, MAX_PRECISION, prec, &precision)) {
      return false;
    }
  }

  // Step 6.
  if (std::isnan(d)) {
    args.rval().setString(cx->names().NaN);
    return true;
  }
  if (std::isinf(d)) {
    if (d > 0) {
      args.rval().setString(cx->names().Infinity);
      return true;
    }

    args.rval().setString(cx->names().NegativeInfinity);
    return true;
  }

  // Steps 7-10 for very large numbers.
  if (d <= -1e21 || d >= 1e+21) {
    JSString* s = NumberToString<CanGC>(cx, d);
    if (!s) {
      return false;
    }

    args.rval().setString(s);
    return true;
  }

  // Steps 7-12.

  // DoubleToStringConverter::ToFixed is documented as requiring a buffer size
  // of:
  //
  //   1 + kMaxFixedDigitsBeforePoint + 1 + kMaxFixedDigitsAfterPoint + 1
  //   (one additional character for the sign, one for the decimal point,
  //      and one for the null terminator)
  //
  // We already ensured there are at most 21 digits before the point, and
  // MAX_PRECISION digits after the point.
  static_assert(1 + 21 + 1 + MAX_PRECISION + 1 <= DoubleToStrResultBufSize);

  // The double-conversion library by default has a kMaxFixedDigitsAfterPoint of
  // 60. Assert our modified version supports at least MAX_PRECISION (100).
  using DToSConverter = double_conversion::DoubleToStringConverter;
  static_assert(DToSConverter::kMaxFixedDigitsAfterPoint >= MAX_PRECISION);

  return DoubleToStrResult(cx, args, [&](auto& converter, auto& builder) {
    return converter.ToFixed(d, precision, &builder);
  });
}

// ES 2021 draft 21.1.3.2.
static bool num_toExponential(JSContext* cx, unsigned argc, Value* vp) {
  AutoJSMethodProfilerEntry pseudoFrame(cx, "Number.prototype",
                                        "toExponential");
  CallArgs args = CallArgsFromVp(argc, vp);

  // Step 1.
  double d;
  if (!ThisNumberValue(cx, args, "toExponential", &d)) {
    return false;
  }

  // Step 2.
  double prec = 0;
  if (args.hasDefined(0)) {
    if (!ToInteger(cx, args[0], &prec)) {
      return false;
    }
  }

  // Step 3.
  MOZ_ASSERT_IF(!args.hasDefined(0), prec == 0);

  // Step 4.
  if (std::isnan(d)) {
    args.rval().setString(cx->names().NaN);
    return true;
  }
  if (std::isinf(d)) {
    if (d > 0) {
      args.rval().setString(cx->names().Infinity);
      return true;
    }

    args.rval().setString(cx->names().NegativeInfinity);
    return true;
  }

  // Step 5.
  int precision = 0;
  if (!ComputePrecisionInRange(cx, 0, MAX_PRECISION, prec, &precision)) {
    return false;
  }

  // Steps 6-15.

  // DoubleToStringConverter::ToExponential is documented as adding at most 8
  // characters on top of the requested digits: "the sign, the digit before the
  // decimal point, the decimal point, the exponent character, the exponent's
  // sign, and at most 3 exponent digits". In addition, the buffer must be able
  // to hold the trailing '\0' character.
  static_assert(MAX_PRECISION + 8 + 1 <= DoubleToStrResultBufSize);

  return DoubleToStrResult(cx, args, [&](auto& converter, auto& builder) {
    int requestedDigits = args.hasDefined(0) ? precision : -1;
    return converter.ToExponential(d, requestedDigits, &builder);
  });
}

// ES 2021 draft 21.1.3.5.
static bool num_toPrecision(JSContext* cx, unsigned argc, Value* vp) {
  AutoJSMethodProfilerEntry pseudoFrame(cx, "Number.prototype", "toPrecision");
  CallArgs args = CallArgsFromVp(argc, vp);

  // Step 1.
  double d;
  if (!ThisNumberValue(cx, args, "toPrecision", &d)) {
    return false;
  }

  // Step 2.
  if (!args.hasDefined(0)) {
    JSString* str = NumberToStringWithBase<CanGC>(cx, d, 10);
    if (!str) {
      return false;
    }
    args.rval().setString(str);
    return true;
  }

  // Step 3.
  double prec = 0;
  if (!ToInteger(cx, args[0], &prec)) {
    return false;
  }

  // Step 4.
  if (std::isnan(d)) {
    args.rval().setString(cx->names().NaN);
    return true;
  }
  if (std::isinf(d)) {
    if (d > 0) {
      args.rval().setString(cx->names().Infinity);
      return true;
    }

    args.rval().setString(cx->names().NegativeInfinity);
    return true;
  }

  // Step 5.
  int precision = 0;
  if (!ComputePrecisionInRange(cx, 1, MAX_PRECISION, prec, &precision)) {
    return false;
  }

  // Steps 6-14.

  // DoubleToStringConverter::ToPrecision is documented as adding at most 7
  // characters on top of the requested digits: "the sign, the decimal point,
  // the exponent character, the exponent's sign, and at most 3 exponent
  // digits". In addition, the buffer must be able to hold the trailing '\0'
  // character.
  static_assert(MAX_PRECISION + 7 + 1 <= DoubleToStrResultBufSize);

  return DoubleToStrResult(cx, args, [&](auto& converter, auto& builder) {
    return converter.ToPrecision(d, precision, &builder);
  });
}

static const JSFunctionSpec number_methods[] = {
    JS_FN(js_toSource_str, num_toSource, 0, 0),
    JS_INLINABLE_FN(js_toString_str, num_toString, 1, 0, NumberToString),
#if JS_HAS_INTL_API
    JS_SELF_HOSTED_FN(js_toLocaleString_str, "Number_toLocaleString", 0, 0),
#else
    JS_FN(js_toLocaleString_str, num_toLocaleString, 0, 0),
#endif
    JS_FN(js_valueOf_str, num_valueOf, 0, 0),
    JS_FN("toFixed", num_toFixed, 1, 0),
    JS_FN("toExponential", num_toExponential, 1, 0),
    JS_FN("toPrecision", num_toPrecision, 1, 0),
    JS_FS_END};

bool js::IsInteger(double d) {
  return std::isfinite(d) && JS::ToInteger(d) == d;
}

static const JSFunctionSpec number_static_methods[] = {
    JS_SELF_HOSTED_FN("isFinite", "Number_isFinite", 1, 0),
    JS_SELF_HOSTED_FN("isInteger", "Number_isInteger", 1, 0),
    JS_SELF_HOSTED_FN("isNaN", "Number_isNaN", 1, 0),
    JS_SELF_HOSTED_FN("isSafeInteger", "Number_isSafeInteger", 1, 0),
    JS_FS_END};

static const JSPropertySpec number_static_properties[] = {
    JS_DOUBLE_PS("POSITIVE_INFINITY", mozilla::PositiveInfinity<double>(),
                 JSPROP_READONLY | JSPROP_PERMANENT),
    JS_DOUBLE_PS("NEGATIVE_INFINITY", mozilla::NegativeInfinity<double>(),
                 JSPROP_READONLY | JSPROP_PERMANENT),
    JS_DOUBLE_PS("MAX_VALUE", 1.7976931348623157E+308,
                 JSPROP_READONLY | JSPROP_PERMANENT),
    JS_DOUBLE_PS("MIN_VALUE", MinNumberValue<double>(),
                 JSPROP_READONLY | JSPROP_PERMANENT),
    /* ES6 (April 2014 draft) 20.1.2.6 */
    JS_DOUBLE_PS("MAX_SAFE_INTEGER", 9007199254740991,
                 JSPROP_READONLY | JSPROP_PERMANENT),
    /* ES6 (April 2014 draft) 20.1.2.10 */
    JS_DOUBLE_PS("MIN_SAFE_INTEGER", -9007199254740991,
                 JSPROP_READONLY | JSPROP_PERMANENT),
    /* ES6 (May 2013 draft) 15.7.3.7 */
    JS_DOUBLE_PS("EPSILON", 2.2204460492503130808472633361816e-16,
                 JSPROP_READONLY | JSPROP_PERMANENT),
    JS_PS_END};

bool js::InitRuntimeNumberState(JSRuntime* rt) {
  // XXX If JS_HAS_INTL_API becomes true all the time at some point,
  //     js::InitRuntimeNumberState is no longer fallible, and we should
  //     change its return type.
#if !JS_HAS_INTL_API
  /* Copy locale-specific separators into the runtime strings. */
  const char* thousandsSeparator;
  const char* decimalPoint;
  const char* grouping;
#  ifdef HAVE_LOCALECONV
  struct lconv* locale = localeconv();
  thousandsSeparator = locale->thousands_sep;
  decimalPoint = locale->decimal_point;
  grouping = locale->grouping;
#  else
  thousandsSeparator = getenv("LOCALE_THOUSANDS_SEP");
  decimalPoint = getenv("LOCALE_DECIMAL_POINT");
  grouping = getenv("LOCALE_GROUPING");
#  endif
  if (!thousandsSeparator) {
    thousandsSeparator = "'";
  }
  if (!decimalPoint) {
    decimalPoint = ".";
  }
  if (!grouping) {
    grouping = "\3\0";
  }

  /*
   * We use single malloc to get the memory for all separator and grouping
   * strings.
   */
  size_t thousandsSeparatorSize = strlen(thousandsSeparator) + 1;
  size_t decimalPointSize = strlen(decimalPoint) + 1;
  size_t groupingSize = strlen(grouping) + 1;

  char* storage = js_pod_malloc<char>(thousandsSeparatorSize +
                                      decimalPointSize + groupingSize);
  if (!storage) {
    return false;
  }

  js_memcpy(storage, thousandsSeparator, thousandsSeparatorSize);
  rt->thousandsSeparator = storage;
  storage += thousandsSeparatorSize;

  js_memcpy(storage, decimalPoint, decimalPointSize);
  rt->decimalSeparator = storage;
  storage += decimalPointSize;

  js_memcpy(storage, grouping, groupingSize);
  rt->numGrouping = grouping;
#endif /* !JS_HAS_INTL_API */
  return true;
}

void js::FinishRuntimeNumberState(JSRuntime* rt) {
#if !JS_HAS_INTL_API
  /*
   * The free also releases the memory for decimalSeparator and numGrouping
   * strings.
   */
  char* storage = const_cast<char*>(rt->thousandsSeparator.ref());
  js_free(storage);
#endif  // !JS_HAS_INTL_API
}

JSObject* NumberObject::createPrototype(JSContext* cx, JSProtoKey key) {
  NumberObject* numberProto =
      GlobalObject::createBlankPrototype<NumberObject>(cx, cx->global());
  if (!numberProto) {
    return nullptr;
  }
  numberProto->setPrimitiveValue(0);
  return numberProto;
}

static bool NumberClassFinish(JSContext* cx, HandleObject ctor,
                              HandleObject proto) {
  Handle<GlobalObject*> global = cx->global();

  if (!JS_DefineFunctions(cx, global, number_functions)) {
    return false;
  }

  // Number.parseInt should be the same function object as global parseInt.
  RootedId parseIntId(cx, NameToId(cx->names().parseInt));
  JSFunction* parseInt =
      DefineFunction(cx, global, parseIntId, num_parseInt, 2, JSPROP_RESOLVING);
  if (!parseInt) {
    return false;
  }
  parseInt->setJitInfo(&jit::JitInfo_NumberParseInt);

  RootedValue parseIntValue(cx, ObjectValue(*parseInt));
  if (!DefineDataProperty(cx, ctor, parseIntId, parseIntValue, 0)) {
    return false;
  }

  // Number.parseFloat should be the same function object as global
  // parseFloat.
  RootedId parseFloatId(cx, NameToId(cx->names().parseFloat));
  JSFunction* parseFloat = DefineFunction(cx, global, parseFloatId,
                                          num_parseFloat, 1, JSPROP_RESOLVING);
  if (!parseFloat) {
    return false;
  }
  RootedValue parseFloatValue(cx, ObjectValue(*parseFloat));
  if (!DefineDataProperty(cx, ctor, parseFloatId, parseFloatValue, 0)) {
    return false;
  }

  RootedValue valueNaN(cx, JS::NaNValue());
  RootedValue valueInfinity(cx, JS::InfinityValue());

  if (!DefineDataProperty(
          cx, ctor, cx->names().NaN, valueNaN,
          JSPROP_PERMANENT | JSPROP_READONLY | JSPROP_RESOLVING)) {
    return false;
  }

  // ES5 15.1.1.1, 15.1.1.2
  if (!NativeDefineDataProperty(
          cx, global, cx->names().NaN, valueNaN,
          JSPROP_PERMANENT | JSPROP_READONLY | JSPROP_RESOLVING) ||
      !NativeDefineDataProperty(
          cx, global, cx->names().Infinity, valueInfinity,
          JSPROP_PERMANENT | JSPROP_READONLY | JSPROP_RESOLVING)) {
    return false;
  }

  return true;
}

const ClassSpec NumberObject::classSpec_ = {
    GenericCreateConstructor<Number, 1, gc::AllocKind::FUNCTION,
                             &jit::JitInfo_Number>,
    NumberObject::createPrototype,
    number_static_methods,
    number_static_properties,
    number_methods,
    nullptr,
    NumberClassFinish};

static char* FracNumberToCString(ToCStringBuf* cbuf, double d, size_t* len) {
#ifdef DEBUG
  {
    int32_t _;
    MOZ_ASSERT(!NumberEqualsInt32(d, &_));
  }
#endif

  /*
   * This is V8's implementation of the algorithm described in the
   * following paper:
   *
   *   Printing floating-point numbers quickly and accurately with integers.
   *   Florian Loitsch, PLDI 2010.
   */
  const double_conversion::DoubleToStringConverter& converter =
      double_conversion::DoubleToStringConverter::EcmaScriptConverter();
  double_conversion::StringBuilder builder(cbuf->sbuf, std::size(cbuf->sbuf));
  converter.ToShortest(d, &builder);

  *len = builder.position();
  return builder.Finalize();
}

void JS::NumberToString(double d, char (&out)[MaximumNumberToStringLength]) {
  int32_t i;
  if (NumberEqualsInt32(d, &i)) {
    Int32ToCStringBuf cbuf;
    size_t len;
    char* loc = ::Int32ToCString(&cbuf, i, &len);
    memmove(out, loc, len);
    out[len] = '\0';
  } else {
    const double_conversion::DoubleToStringConverter& converter =
        double_conversion::DoubleToStringConverter::EcmaScriptConverter();

    double_conversion::StringBuilder builder(out, sizeof(out));
    converter.ToShortest(d, &builder);

#ifdef DEBUG
    char* result =
#endif
        builder.Finalize();
    MOZ_ASSERT(out == result);
  }
}

char* js::NumberToCString(ToCStringBuf* cbuf, double d, size_t* length) {
  int32_t i;
  size_t len;
  char* s = NumberEqualsInt32(d, &i) ? ::Int32ToCString(cbuf, i, &len)
                                     : FracNumberToCString(cbuf, d, &len);
  MOZ_ASSERT(s);
  if (length) {
    *length = len;
  }
  return s;
}

char* js::Int32ToCString(Int32ToCStringBuf* cbuf, int32_t value,
                         size_t* length) {
  size_t len;
  char* s = ::Int32ToCString(cbuf, value, &len);
  MOZ_ASSERT(s);
  if (length) {
    *length = len;
  }
  return s;
}

char* js::Uint32ToCString(Int32ToCStringBuf* cbuf, uint32_t value,
                          size_t* length) {
  size_t len;
  char* s = ::Int32ToCString(cbuf, value, &len);
  MOZ_ASSERT(s);
  if (length) {
    *length = len;
  }
  return s;
}

char* js::Uint32ToHexCString(Int32ToCStringBuf* cbuf, uint32_t value,
                             size_t* length) {
  size_t len;
  char* s = ::Int32ToCString<uint32_t, 16>(cbuf, value, &len);
  MOZ_ASSERT(s);
  if (length) {
    *length = len;
  }
  return s;
}

template <AllowGC allowGC>
static JSString* NumberToStringWithBase(JSContext* cx, double d, int base) {
  MOZ_ASSERT(2 <= base && base <= 36);

  Realm* realm = cx->realm();

  int32_t i;
  if (NumberEqualsInt32(d, &i)) {
    bool isBase10Int = (base == 10);
    if (isBase10Int) {
      static_assert(StaticStrings::INT_STATIC_LIMIT > 10 * 10);
      if (StaticStrings::hasInt(i)) {
        return cx->staticStrings().getInt(i);
      }
    } else if (unsigned(i) < unsigned(base)) {
      if (i < 10) {
        return cx->staticStrings().getInt(i);
      }
      char16_t c = 'a' + i - 10;
      MOZ_ASSERT(StaticStrings::hasUnit(c));
      return cx->staticStrings().getUnit(c);
    } else if (unsigned(i) < unsigned(base * base)) {
      static constexpr char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
      char chars[] = {digits[i / base], digits[i % base]};
      JSString* str = cx->staticStrings().lookup(chars, 2);
      MOZ_ASSERT(str);
      return str;
    }

    if (JSLinearString* str = realm->dtoaCache.lookup(base, d)) {
      return str;
    }

    // Plus three to include the largest number, the sign, and the terminating
    // null character.
    constexpr size_t MaximumLength = std::numeric_limits<int32_t>::digits + 3;

    char buf[MaximumLength] = {};
    size_t numStrLen;
    char* numStr = Int32ToCStringWithBase(buf, i, &numStrLen, base);
    MOZ_ASSERT(numStrLen == strlen(numStr));

    JSLinearString* s = NewStringCopyN<allowGC>(cx, numStr, numStrLen);
    if (!s) {
      return nullptr;
    }

    if (isBase10Int && i >= 0) {
      s->maybeInitializeIndexValue(i);
    }

    realm->dtoaCache.cache(base, d, s);
    return s;
  }

  if (JSLinearString* str = realm->dtoaCache.lookup(base, d)) {
    return str;
  }

  JSLinearString* s;
  if (base == 10) {
    // We use a faster algorithm for base 10.
    ToCStringBuf cbuf;
    size_t numStrLen;
    char* numStr = FracNumberToCString(&cbuf, d, &numStrLen);
    MOZ_ASSERT(numStr);
    MOZ_ASSERT(numStrLen == strlen(numStr));

    s = NewStringCopyN<allowGC>(cx, numStr, numStrLen);
    if (!s) {
      return nullptr;
    }
  } else {
    if (!EnsureDtoaState(cx)) {
      if constexpr (allowGC) {
        ReportOutOfMemory(cx);
      }
      return nullptr;
    }

    UniqueChars numStr(js_dtobasestr(cx->dtoaState, base, d));
    if (!numStr) {
      if constexpr (allowGC) {
        ReportOutOfMemory(cx);
      }
      return nullptr;
    }

    s = NewStringCopyZ<allowGC>(cx, numStr.get());
    if (!s) {
      return nullptr;
    }
  }

  realm->dtoaCache.cache(base, d, s);
  return s;
}

template <AllowGC allowGC>
JSString* js::NumberToString(JSContext* cx, double d) {
  return NumberToStringWithBase<allowGC>(cx, d, 10);
}

template JSString* js::NumberToString<CanGC>(JSContext* cx, double d);

template JSString* js::NumberToString<NoGC>(JSContext* cx, double d);

JSString* js::NumberToStringPure(JSContext* cx, double d) {
  AutoUnsafeCallWithABI unsafe;
  return NumberToString<NoGC>(cx, d);
}

JSAtom* js::NumberToAtom(JSContext* cx, double d) {
  int32_t si;
  if (NumberEqualsInt32(d, &si)) {
    return Int32ToAtom(cx, si);
  }

  if (JSLinearString* str = LookupDtoaCache(cx, d)) {
    return AtomizeString(cx, str);
  }

  ToCStringBuf cbuf;
  size_t length;
  char* numStr = FracNumberToCString(&cbuf, d, &length);
  MOZ_ASSERT(numStr);
  MOZ_ASSERT(std::begin(cbuf.sbuf) <= numStr && numStr < std::end(cbuf.sbuf));
  MOZ_ASSERT(length == strlen(numStr));

  JSAtom* atom = Atomize(cx, numStr, length);
  if (!atom) {
    return nullptr;
  }

  CacheNumber(cx, d, atom);

  return atom;
}

frontend::TaggedParserAtomIndex js::NumberToParserAtom(
    FrontendContext* fc, frontend::ParserAtomsTable& parserAtoms, double d) {
  int32_t si;
  if (NumberEqualsInt32(d, &si)) {
    return Int32ToParserAtom(fc, parserAtoms, si);
  }

  ToCStringBuf cbuf;
  size_t length;
  char* numStr = FracNumberToCString(&cbuf, d, &length);
  MOZ_ASSERT(numStr);
  MOZ_ASSERT(std::begin(cbuf.sbuf) <= numStr && numStr < std::end(cbuf.sbuf));
  MOZ_ASSERT(length == strlen(numStr));

  return parserAtoms.internAscii(fc, numStr, length);
}

JSLinearString* js::IndexToString(JSContext* cx, uint32_t index) {
  if (StaticStrings::hasUint(index)) {
    return cx->staticStrings().getUint(index);
  }

  Realm* realm = cx->realm();
  if (JSLinearString* str = realm->dtoaCache.lookup(10, index)) {
    return str;
  }

  Latin1Char buffer[JSFatInlineString::MAX_LENGTH_LATIN1 + 1];
  RangedPtr<Latin1Char> end(buffer + JSFatInlineString::MAX_LENGTH_LATIN1,
                            buffer, JSFatInlineString::MAX_LENGTH_LATIN1 + 1);
  *end = '\0';
  RangedPtr<Latin1Char> start = BackfillIndexInCharBuffer(index, end);

  mozilla::Range<const Latin1Char> chars(start.get(), end - start);
  JSInlineString* str =
      NewInlineString<CanGC>(cx, chars, js::gc::Heap::Default);
  if (!str) {
    return nullptr;
  }

  realm->dtoaCache.cache(10, index, str);
  return str;
}

JSString* js::Int32ToStringWithBase(JSContext* cx, int32_t i, int32_t base) {
  return NumberToStringWithBase<CanGC>(cx, double(i), base);
}

bool js::NumberValueToStringBuffer(const Value& v, StringBuffer& sb) {
  /* Convert to C-string. */
  ToCStringBuf cbuf;
  const char* cstr;
  size_t cstrlen;
  if (v.isInt32()) {
    cstr = ::Int32ToCString(&cbuf, v.toInt32(), &cstrlen);
  } else {
    cstr = NumberToCString(&cbuf, v.toDouble(), &cstrlen);
  }
  MOZ_ASSERT(cstr);
  MOZ_ASSERT(cstrlen == strlen(cstr));

  MOZ_ASSERT(cstrlen < std::size(cbuf.sbuf));
  return sb.append(cstr, cstrlen);
}

template <typename CharT>
inline double CharToNumber(CharT c) {
  if ('0' <= c && c <= '9') {
    return c - '0';
  }
  if (unicode::IsSpace(c)) {
    return 0.0;
  }
  return GenericNaN();
}

template <typename CharT>
inline bool CharsToNonDecimalNumber(const CharT* start, const CharT* end,
                                    double* result) {
  MOZ_ASSERT(end - start >= 2);
  MOZ_ASSERT(start[0] == '0');

  int radix = 0;
  if (start[1] == 'b' || start[1] == 'B') {
    radix = 2;
  } else if (start[1] == 'o' || start[1] == 'O') {
    radix = 8;
  } else if (start[1] == 'x' || start[1] == 'X') {
    radix = 16;
  } else {
    return false;
  }

  // It's probably a non-decimal number. Accept if there's at least one digit
  // after the 0b|0o|0x, and if no non-whitespace characters follow all the
  // digits.
  const CharT* endptr;
  double d;
  MOZ_ALWAYS_TRUE(GetPrefixIntegerImpl(
      start + 2, end, radix, IntegerSeparatorHandling::None, &endptr, &d));
  if (endptr == start + 2 || SkipSpace(endptr, end) != end) {
    *result = GenericNaN();
  } else {
    *result = d;
  }
  return true;
}

template <typename CharT>
double js::CharsToNumber(const CharT* chars, size_t length) {
  if (length == 1) {
    return CharToNumber(chars[0]);
  }

  const CharT* end = chars + length;
  const CharT* start = SkipSpace(chars, end);

  // ECMA doesn't allow signed non-decimal numbers (bug 273467).
  if (end - start >= 2 && start[0] == '0') {
    double d;
    if (CharsToNonDecimalNumber(start, end, &d)) {
      return d;
    }
  }

  /*
   * Note that ECMA doesn't treat a string beginning with a '0' as
   * an octal number here. This works because all such numbers will
   * be interpreted as decimal by js_strtod.  Also, any hex numbers
   * that have made it here (which can only be negative ones) will
   * be treated as 0 without consuming the 'x' by js_strtod.
   */
  const CharT* ep;
  double d = js_strtod(start, end, &ep);
  if (SkipSpace(ep, end) != end) {
    return GenericNaN();
  }
  return d;
}

template double js::CharsToNumber(const Latin1Char* chars, size_t length);

template double js::CharsToNumber(const char16_t* chars, size_t length);

double js::LinearStringToNumber(JSLinearString* str) {
  if (str->hasIndexValue()) {
    return str->getIndexValue();
  }

  AutoCheckCannotGC nogc;
  return str->hasLatin1Chars()
             ? CharsToNumber(str->latin1Chars(nogc), str->length())
             : CharsToNumber(str->twoByteChars(nogc), str->length());
}

bool js::StringToNumber(JSContext* cx, JSString* str, double* result) {
  JSLinearString* linearStr = str->ensureLinear(cx);
  if (!linearStr) {
    return false;
  }

  *result = LinearStringToNumber(linearStr);
  return true;
}

bool js::StringToNumberPure(JSContext* cx, JSString* str, double* result) {
  // IC Code calls this directly.
  AutoUnsafeCallWithABI unsafe;

  if (!StringToNumber(cx, str, result)) {
    cx->recoverFromOutOfMemory();
    return false;
  }
  return true;
}

JS_PUBLIC_API bool js::ToNumberSlow(JSContext* cx, HandleValue v_,
                                    double* out) {
  MOZ_ASSERT(cx->isMainThreadContext());

  RootedValue v(cx, v_);
  MOZ_ASSERT(!v.isNumber());

  if (!v.isPrimitive()) {
    if (!ToPrimitive(cx, JSTYPE_NUMBER, &v)) {
      return false;
    }

    if (v.isNumber()) {
      *out = v.toNumber();
      return true;
    }
  }
  if (v.isString()) {
    return StringToNumber(cx, v.toString(), out);
  }
  if (v.isBoolean()) {
    *out = v.toBoolean() ? 1.0 : 0.0;
    return true;
  }
  if (v.isNull()) {
    *out = 0.0;
    return true;
  }
  if (v.isUndefined()) {
    *out = GenericNaN();
    return true;
  }
#ifdef ENABLE_RECORD_TUPLE
  if (v.isExtendedPrimitive()) {
    JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
                              JSMSG_RECORD_TUPLE_TO_NUMBER);
    return false;
  }
#endif

  MOZ_ASSERT(v.isSymbol() || v.isBigInt());
  unsigned errnum = JSMSG_SYMBOL_TO_NUMBER;
  if (v.isBigInt()) {
    errnum = JSMSG_BIGINT_TO_NUMBER;
  }
  JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, errnum);
  return false;
}

// BigInt proposal section 3.1.6
bool js::ToNumericSlow(JSContext* cx, MutableHandleValue vp) {
  MOZ_ASSERT(cx->isMainThreadContext());
  MOZ_ASSERT(!vp.isNumeric());

  // Step 1.
  if (!vp.isPrimitive()) {
    if (!ToPrimitive(cx, JSTYPE_NUMBER, vp)) {
      return false;
    }
  }

  // Step 2.
  if (vp.isBigInt()) {
    return true;
  }

  // Step 3.
  return ToNumber(cx, vp);
}

/*
 * Convert a value to an int8_t, according to the WebIDL rules for byte
 * conversion. Return converted value in *out on success, false on failure.
 */
JS_PUBLIC_API bool js::ToInt8Slow(JSContext* cx, const HandleValue v,
                                  int8_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else {
    if (!ToNumberSlow(cx, v, &d)) {
      return false;
    }
  }
  *out = ToInt8(d);
  return true;
}

/*
 * Convert a value to an uint8_t, according to the ToUInt8() function in ES6
 * ECMA-262, 7.1.10. Return converted value in *out on success, false on
 * failure.
 */
JS_PUBLIC_API bool js::ToUint8Slow(JSContext* cx, const HandleValue v,
                                   uint8_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else {
    if (!ToNumberSlow(cx, v, &d)) {
      return false;
    }
  }
  *out = ToUint8(d);
  return true;
}

/*
 * Convert a value to an int16_t, according to the WebIDL rules for short
 * conversion. Return converted value in *out on success, false on failure.
 */
JS_PUBLIC_API bool js::ToInt16Slow(JSContext* cx, const HandleValue v,
                                   int16_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else {
    if (!ToNumberSlow(cx, v, &d)) {
      return false;
    }
  }
  *out = ToInt16(d);
  return true;
}

/*
 * Convert a value to an int64_t, according to the WebIDL rules for long long
 * conversion. Return converted value in *out on success, false on failure.
 */
JS_PUBLIC_API bool js::ToInt64Slow(JSContext* cx, const HandleValue v,
                                   int64_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else {
    if (!ToNumberSlow(cx, v, &d)) {
      return false;
    }
  }
  *out = ToInt64(d);
  return true;
}

/*
 * Convert a value to an uint64_t, according to the WebIDL rules for unsigned
 * long long conversion. Return converted value in *out on success, false on
 * failure.
 */
JS_PUBLIC_API bool js::ToUint64Slow(JSContext* cx, const HandleValue v,
                                    uint64_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else {
    if (!ToNumberSlow(cx, v, &d)) {
      return false;
    }
  }
  *out = ToUint64(d);
  return true;
}

JS_PUBLIC_API bool js::ToInt32Slow(JSContext* cx, const HandleValue v,
                                   int32_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else {
    if (!ToNumberSlow(cx, v, &d)) {
      return false;
    }
  }
  *out = ToInt32(d);
  return true;
}

bool js::ToInt32OrBigIntSlow(JSContext* cx, MutableHandleValue vp) {
  MOZ_ASSERT(!vp.isInt32());
  if (vp.isDouble()) {
    vp.setInt32(ToInt32(vp.toDouble()));
    return true;
  }

  if (!ToNumeric(cx, vp)) {
    return false;
  }

  if (vp.isBigInt()) {
    return true;
  }

  vp.setInt32(ToInt32(vp.toNumber()));
  return true;
}

JS_PUBLIC_API bool js::ToUint32Slow(JSContext* cx, const HandleValue v,
                                    uint32_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else {
    if (!ToNumberSlow(cx, v, &d)) {
      return false;
    }
  }
  *out = ToUint32(d);
  return true;
}

JS_PUBLIC_API bool js::ToUint16Slow(JSContext* cx, const HandleValue v,
                                    uint16_t* out) {
  MOZ_ASSERT(!v.isInt32());
  double d;
  if (v.isDouble()) {
    d = v.toDouble();
  } else if (!ToNumberSlow(cx, v, &d)) {
    return false;
  }
  *out = ToUint16(d);
  return true;
}

// ES2017 draft 7.1.17 ToIndex
bool js::ToIndexSlow(JSContext* cx, JS::HandleValue v,
                     const unsigned errorNumber, uint64_t* index) {
  MOZ_ASSERT_IF(v.isInt32(), v.toInt32() < 0);

  // Step 1.
  if (v.isUndefined()) {
    *index = 0;
    return true;
  }

  // Step 2.a.
  double integerIndex;
  if (!ToInteger(cx, v, &integerIndex)) {
    return false;
  }

  // Inlined version of ToLength.
  // 1. Already an integer.
  // 2. Step eliminates < 0, +0 == -0 with SameValueZero.
  // 3/4. Limit to <= 2^53-1, so everything above should fail.
  if (integerIndex < 0 || integerIndex >= DOUBLE_INTEGRAL_PRECISION_LIMIT) {
    JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, errorNumber);
    return false;
  }

  // Step 3.
  *index = uint64_t(integerIndex);
  return true;
}

template <typename CharT>
double js_strtod(const CharT* begin, const CharT* end, const CharT** dEnd) {
  const CharT* s = SkipSpace(begin, end);
  size_t length = end - s;

  {
    // StringToDouble can make indirect calls but can't trigger a GC.
    JS::AutoSuppressGCAnalysis nogc;

    using SToDConverter = double_conversion::StringToDoubleConverter;
    SToDConverter converter(SToDConverter::ALLOW_TRAILING_JUNK,
                            /* empty_string_value = */ 0.0,
                            /* junk_string_value = */ GenericNaN(),
                            /* infinity_symbol = */ nullptr,
                            /* nan_symbol = */ nullptr);
    int lengthInt = mozilla::AssertedCast<int>(length);
    double d;
    int processed = 0;
    if constexpr (std::is_same_v<CharT, char16_t>) {
      d = converter.StringToDouble(reinterpret_cast<const uc16*>(s), lengthInt,
                                   &processed);
    } else {
      static_assert(std::is_same_v<CharT, Latin1Char>);
      d = converter.StringToDouble(reinterpret_cast<const char*>(s), lengthInt,
                                   &processed);
    }
    MOZ_ASSERT(processed >= 0);
    MOZ_ASSERT(processed <= lengthInt);

    if (processed > 0) {
      *dEnd = s + processed;
      return d;
    }
  }

  // Try to parse +Infinity, -Infinity or Infinity. Note that we do this here
  // instead of using StringToDoubleConverter's infinity_symbol because it's
  // faster: the code below is less generic and not on the fast path for regular
  // doubles.
  static constexpr std::string_view Infinity = "Infinity";
  if (length >= Infinity.length()) {
    const CharT* afterSign = s;
    bool negative = (*afterSign == '-');
    if (negative || *afterSign == '+') {
      afterSign++;
    }
    MOZ_ASSERT(afterSign < end);
    if (*afterSign == 'I' && size_t(end - afterSign) >= Infinity.length() &&
        EqualChars(afterSign, Infinity.data(), Infinity.length())) {
      *dEnd = afterSign + Infinity.length();
      return negative ? NegativeInfinity<double>() : PositiveInfinity<double>();
    }
  }

  *dEnd = begin;
  return 0.0;
}

template double js_strtod(const char16_t* begin, const char16_t* end,
                          const char16_t** dEnd);

template double js_strtod(const Latin1Char* begin, const Latin1Char* end,
                          const Latin1Char** dEnd);