159883 2016-07-18 11:31:55 -0700 ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp 2016-07-18 15:21:44 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 msaboff msaboff benjamin cdumez cmarcelo commit-queue darin keith_miller mark.lam saam oldest_to_newest 1212027 0 msaboff 2016-07-18 11:31:55 -0700 The statement: let d = new Date(-0x80000000, 42); will cause the following ASSERT in a debug build: (lldb) bt * thread #1: tid = 0x773a7, 0x0000000101228824 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) * frame #0: 0x0000000101228824 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323 frame #1: 0x000000010123f120 JavaScriptCore`WTF::dateToDaysFrom1970(year=-2147483645, month=6, day=1) + 192 at DateMath.cpp:310 frame #2: 0x0000000100cbc8b6 JavaScriptCore`JSC::gregorianDateTimeToMS(vm=0x000000010bbf1000, t=0x00007fff5fbfd390, milliSeconds=0, inputTimeType=LocalTime) + 70 at JSDateMath.cpp:195 frame #3: 0x0000000100580d00 JavaScriptCore`JSC::millisecondsFromComponents(exec=0x00007fff5fbfd980, args=0x00007fff5fbfd5d8, timeType=LocalTime) + 2144 at DateConstructor.cpp:143 frame #4: 0x0000000100580235 JavaScriptCore`JSC::constructDate(exec=0x00007fff5fbfd980, globalObject=0x000000010efdf900, newTarget=JSValue @ 0x00007fff5fbfd590, args=0x00007fff5fbfd5d8) + 341 at DateConstructor.cpp:167 frame #5: 0x0000000100580e63 JavaScriptCore`JSC::constructWithDateConstructor(exec=0x00007fff5fbfd980) + 115 at DateConstructor.cpp:179 frame #6: 0x0000000100e4c553 JavaScriptCore`JSC::LLInt::handleHostCall(execCallee=0x00007fff5fbfd980, pc=0x000000010f1f89f8, callee=JSValue @ 0x00007fff5fbfd758, kind=CodeForConstruct) + 947 at LLIntSlowPaths.cpp:1224 frame #7: 0x0000000100e48b07 JavaScriptCore`JSC::LLInt::setUpCall(execCallee=0x00007fff5fbfd980, pc=0x000000010f1f89f8, kind=CodeForConstruct, calleeAsValue=JSValue @ 0x00007fff5fbfd8b8, callLinkInfo=0x000000010b9d93a0) + 103 at LLIntSlowPaths.cpp:1247 frame #8: 0x0000000100e48203 JavaScriptCore`JSC::LLInt::genericCall(exec=0x00007fff5fbfda10, pc=0x000000010f1f89f8, kind=CodeForConstruct) + 227 at LLIntSlowPaths.cpp:1331 frame #9: 0x0000000100e4825f JavaScriptCore`::llint_slow_path_construct(exec=0x00007fff5fbfda10, pc=0x000000010f1f89f8) + 63 at LLIntSlowPaths.cpp:1343 frame #10: 0x0000000100e54c4b JavaScriptCore`llint_entry + 28903 frame #11: 0x0000000100e4d94e JavaScriptCore`vmEntryToJavaScript + 334 frame #12: 0x0000000100c40c97 JavaScriptCore`JSC::JITCode::execute(this=0x000000010b9a0668, vm=0x000000010bbf1000, protoCallFrame=0x00007fff5fbfdc98) + 215 at JITCode.cpp:80 frame #13: 0x0000000100bce1f5 JavaScriptCore`JSC::Interpreter::execute(this=0x000000010b9ef048, program=0x000000010eff7f70, callFrame=0x000000010efdf940, thisObj=0x000000010efa79c0) + 4277 at Interpreter.cpp:962 frame #14: 0x000000010055f05d JavaScriptCore`JSC::evaluate(exec=0x000000010efdf940, source=0x00007fff5fbff210, thisValue=JSValue @ 0x00007fff5fbff120, returnedException=0x00007fff5fbff230) + 477 at Completion.cpp:107 frame #15: 0x000000010000c845 jsc`runWithScripts(globalObject=0x000000010efdf900, scripts={ size = 1, capacity = 0 }, uncaughtExceptionName={ length = 0, contents = '' }, dump=false, module=false) + 1765 at jsc.cpp:2129 frame #16: 0x000000010000424e jsc`runJSC(vm=0x000000010bbf1000, options=CommandLine @ 0x00007fff5fbff828) + 1326 at jsc.cpp:2378 frame #17: 0x0000000100002f7a jsc`jscmain(argc=2, argv=0x00007fff5fbff930) + 138 at jsc.cpp:2431 frame #18: 0x0000000100002de6 jsc`main(argc=2, argv=0x00007fff5fbff930) + 166 at jsc.cpp:2000 frame #19: 0x00000001051f4255 libdyld.dylib`start + 1 1212028 1 msaboff 2016-07-18 11:32:17 -0700 <rdar://problem/27251135> 1212035 2 283917 msaboff 2016-07-18 11:48:52 -0700 Created attachment 283917 Patch 1212036 3 283917 fpizlo 2016-07-18 11:50:41 -0700 Comment on attachment 283917 Patch Wow 1212041 4 283917 cdumez 2016-07-18 11:57:51 -0700 Comment on attachment 283917 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283917&action=review > Source/WTF/ChangeLog:11 > + INT_MIN can underflow as a result of subtracting 1970. Since we want a doulbe result, "double" 1212116 5 283917 darin 2016-07-18 14:31:23 -0700 Comment on attachment 283917 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283917&action=review > Source/WTF/wtf/DateMath.cpp:167 > + return 365.0 * (static_cast<double>(year) - 1970) + yearsToAddBy4Rule - yearsToExcludeBy100Rule + yearsToAddBy400Rule; Another fix would be to just say 1970.0 and leave out the fast. 1212117 6 darin 2016-07-18 14:31:32 -0700 cast 1212134 7 msaboff 2016-07-18 15:16:24 -0700 (In reply to comment #4) > Comment on attachment 283917 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=283917&action=review > > > Source/WTF/ChangeLog:11 > > + INT_MIN can underflow as a result of subtracting 1970. Since we want a doulbe result, > > "double" Done. 1212135 8 msaboff 2016-07-18 15:16:42 -0700 (In reply to comment #5) > Comment on attachment 283917 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=283917&action=review > > > Source/WTF/wtf/DateMath.cpp:167 > > + return 365.0 * (static_cast<double>(year) - 1970) + yearsToAddBy4Rule - yearsToExcludeBy100Rule + yearsToAddBy400Rule; > > Another fix would be to just say 1970.0 and leave out the cast. Done. 1212137 9 msaboff 2016-07-18 15:21:44 -0700 Committed r203376: <http://trac.webkit.org/changeset/203376> 283917 2016-07-18 11:48:52 -0700 2016-07-18 11:50:41 -0700 Patch 159883.patch text/plain 3049 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjAzMzUxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBA CisyMDE2LTA3LTE4ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIEFTU0VSVElPTiBGQUlMRUQ6IDogKHllYXIgPj0gMTk3MCAmJiB5ZWFyZGF5ID49IDApIHx8 ICh5ZWFyIDwgMTk3MCAmJiB5ZWFyZGF5IDwgMCkgLS0gV1RGL3d0Zi9EYXRlTWF0aC5jcHAKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1OTg4MworCisg ICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIE5ldyB0ZXN0Lgor CisgICAgICAgICogdGVzdHMvc3RyZXNzL3JlZ3Jlc3MtMTU5ODgzLmpzOiBBZGRlZC4KKwogMjAx Ni0wNy0xOCAgS2VpdGggTWlsbGVyICA8a2VpdGhfbWlsbGVyQGFwcGxlLmNvbT4KIAogICAgICAg ICBGaXggYmFkIGFzc2VydGlvbnMgaW4gZ2VuZXJpY1R5cGVkQXJyYXlWaWV3UHJpdmF0ZUZ1bmNT dWJhcnJheUNyZWF0ZQpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy9y ZWdyZXNzLTE1OTg4My5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvdGVz dHMvc3RyZXNzL3JlZ3Jlc3MtMTU5ODgzLmpzCShub25leGlzdGVudCkKKysrIFNvdXJjZS9KYXZh U2NyaXB0Q29yZS90ZXN0cy9zdHJlc3MvcmVncmVzcy0xNTk4ODMuanMJKHdvcmtpbmcgY29weSkK QEAgLTAsMCArMSw1IEBACisvLyBSZWdyZXNzaW9uIHRlc3QgZm9yIDE1OTg4My4gIFRoaXMgdGVz dCBzaG91bGQgbm90IGNyYXNoIG9yIHRocm93IGFuIGV4Y2VwdGlvbi4KKworZCA9IG5ldyBEYXRl KC0weDgwMDAwMDAwLCA0Mik7CitpZiAoZC50b1N0cmluZygpICE9ICJJbnZhbGlkIERhdGUiKQor ICAgIHRocm93ICJFeHBlY3RlZCBcIkludmFsaWQgRGF0ZVwiLCBidXQgZ290IDpcIiIgKyBkICsg IlwiIjsKSW5kZXg6IFNvdXJjZS9XVEYvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9X VEYvQ2hhbmdlTG9nCShyZXZpc2lvbiAyMDMzNDgpCisrKyBTb3VyY2UvV1RGL0NoYW5nZUxvZwko d29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBACisyMDE2LTA3LTE4ICBNaWNoYWVsIFNhYm9m ZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAgICAgIEFTU0VSVElPTiBGQUlMRUQ6IDogKHll YXIgPj0gMTk3MCAmJiB5ZWFyZGF5ID49IDApIHx8ICh5ZWFyIDwgMTk3MCAmJiB5ZWFyZGF5IDwg MCkgLS0gV1RGL3d0Zi9EYXRlTWF0aC5jcHAKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTE1OTg4MworCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorCisgICAgICAgIFRoZSBmdW5jdGlvbiBkYXlzRnJvbTE5NzBUb1llYXIoKSB0YWtl cyBhbiBpbnRlZ2VyIHllYXIgYW5kIHJldHVybnMgYSBkb3VibGUgcmVzdWx0LgorICAgICAgICBU aGUgY2FsY3VsYXRpb24gdXNlcyAxOTcwIGFzIGEgYmFzZWxpbmUgeWVhciBhbmQgc3VidHJhY3Rz IDE5NzAgZnJvbSB0aGUgYXJndW1lbnQgeWVhci4KKyAgICAgICAgSXQgZG9lcyB0aGF0IHN1YnRy YWN0aW9uIHVzaW5nIGludGVnZXIgYXJpdGhtZXRpYywgd2hpY2ggZ2l2ZW4gbmVnYXRpdmUgeWVh cnMgY2xvc2UgdG8KKyAgICAgICAgSU5UX01JTiBjYW4gdW5kZXJmbG93IGFzIGEgcmVzdWx0IG9m IHN1YnRyYWN0aW5nIDE5NzAuICBTaW5jZSB3ZSB3YW50IGEgZG91bGJlIHJlc3VsdCwKKyAgICAg ICAgdGhlIGZpeCBpcyB0byBjYXN0IHllYXIgYXMgYSBkb3VibGUgYmVmb3JlIHRoZSBzdWJ0cmFj dGlvbiwgd2hpY2ggZWxpbWluYXRlcyB0aGUgdW5kZXJmbG93LgorCisgICAgICAgICogd3RmL0Rh dGVNYXRoLmNwcDoKKyAgICAgICAgKFdURjo6ZGF5c0Zyb20xOTcwVG9ZZWFyKToKKwogMjAxNi0w Ny0xNyAgTXlsZXMgQy4gTWF4ZmllbGQgIDxtbWF4ZmllbGRAYXBwbGUuY29tPgogCiAgICAgICAg IFN1cHBvcnQgbmV3IGVtb2ppIGdyb3VwIGNhbmRpZGF0ZXMKSW5kZXg6IFNvdXJjZS9XVEYvd3Rm L0RhdGVNYXRoLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV1RGL3d0Zi9EYXRlTWF0aC5jcHAJ KHJldmlzaW9uIDIwMzM0OCkKKysrIFNvdXJjZS9XVEYvd3RmL0RhdGVNYXRoLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtMTY0LDcgKzE2NCw3IEBAIHN0YXRpYyBpbmxpbmUgZG91YmxlIGRheXNGcm9t MTk3MFRvWWVhcigKICAgICBjb25zdCBkb3VibGUgeWVhcnNUb0V4Y2x1ZGVCeTEwMFJ1bGUgPSBm bG9vcih5ZWFyTWludXNPbmUgLyAxMDAuMCkgLSBleGNsdWRlZExlYXBEYXlzQmVmb3JlMTk3MUJ5 MTAwUnVsZTsKICAgICBjb25zdCBkb3VibGUgeWVhcnNUb0FkZEJ5NDAwUnVsZSA9IGZsb29yKHll YXJNaW51c09uZSAvIDQwMC4wKSAtIGxlYXBEYXlzQmVmb3JlMTk3MUJ5NDAwUnVsZTsKIAotICAg IHJldHVybiAzNjUuMCAqICh5ZWFyIC0gMTk3MCkgKyB5ZWFyc1RvQWRkQnk0UnVsZSAtIHllYXJz VG9FeGNsdWRlQnkxMDBSdWxlICsgeWVhcnNUb0FkZEJ5NDAwUnVsZTsKKyAgICByZXR1cm4gMzY1 LjAgKiAoc3RhdGljX2Nhc3Q8ZG91YmxlPih5ZWFyKSAtIDE5NzApICsgeWVhcnNUb0FkZEJ5NFJ1 bGUgLSB5ZWFyc1RvRXhjbHVkZUJ5MTAwUnVsZSArIHllYXJzVG9BZGRCeTQwMFJ1bGU7CiB9CiAK IGRvdWJsZSBtc1RvRGF5cyhkb3VibGUgbXMpCg==