142160 2015-03-02 04:05:22 -0800 ASSERTION FAILED: charactersWritten > 0 && static_cast<unsigned>(charactersWritten) < sizeof(buffer) in JSC::dateProtoFuncToISOString 2015-06-27 03:48:33 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned ap benjamin ggaren mark.lam oldest_to_newest 1073275 0 247657 rhodovan.u-szeged 2015-03-02 04:05:22 -0800 Created attachment 247657 Test case Load this script with debug jsc: var d = new Date(0); d.setUTCFullYear(-200e6); d.toISOString(); Backtrace: ASSERTION FAILED: charactersWritten > 0 && static_cast<unsigned>(charactersWritten) < sizeof(buffer) ../../Source/JavaScriptCore/runtime/DatePrototype.cpp(542) : JSC::EncodedJSValue JSC::dateProtoFuncToISOString(JSC::ExecState*) 1 0x7ffff73f24ca /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ffff73f24ca] 2 0x7ffff724a1c9 /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC24dateProtoFuncToISOStringEPNS_9ExecStateE+0x410) [0x7ffff724a1c9] 3 0x7fffadfff0a8 [0x7fffadfff0a8] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff73f24cf in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff73f24cf in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff724a1c9 in JSC::dateProtoFuncToISOString (exec=0x7fffffffca90) at ../../Source/JavaScriptCore/runtime/DatePrototype.cpp:542 #2 0x00007fffadfff0a8 in ?? () #3 0x00007fffffffcad0 in ?? () #4 0x00007ffff73a05ef in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18 1074680 1 ap 2015-03-05 13:58:43 -0800 Which part of the assertion condition is untrue? That's sort of a big difference. 1074863 2 rhodovan.u-szeged 2015-03-06 00:09:29 -0800 (In reply to comment #1) > Which part of the assertion condition is untrue? That's sort of a big > difference. The second part of the condition fails, since 30 characters was written but the size if the buffer is only 28. (However, this case is handled in the next line so we don't end up in a crash in release.) 1075723 3 ap 2015-03-09 12:54:33 -0700 I see, it's an snprintf, and we have a check later, so no buffer overrun. 1105168 4 rhodovan.u-szeged 2015-06-27 03:48:33 -0700 Cannot repro this anymore. 247657 2015-03-02 04:05:22 -0800 2015-03-02 04:05:22 -0800 Test case crash.js application/javascript 63 rhodovan.u-szeged dmFyIGQgPSBuZXcgRGF0ZSgwKTsKZC5zZXRVVENGdWxsWWVhcigtMjAwZTYpOwpkLnRvSVNPU3Ry aW5nKCk7