Bug 128740 - ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
Summary: ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday <...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Dániel Bátyai
Blocks: 116980
Reported: 2014-02-13 05:35 PST by Renata Hodovan
Modified: 2014-02-19 10:53 PST
CC: 5 users

Attachments
Test case (127 bytes, text/plain) - 2014-02-13 05:35 PST, Renata Hodovan - no flags
Proposed patch (2.69 KB, patch) - 2014-02-17 07:42 PST, Dániel Bátyai - buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion (569.34 KB, application/zip) - 2014-02-17 09:00 PST, Build Bot - no flags
Archive of layout-test-results from webkit-ews-06 for mac-mountainlion (617.50 KB, application/zip) - 2014-02-17 09:14 PST, Build Bot - no flags
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 (466.82 KB, application/zip) - 2014-02-17 09:32 PST, Build Bot - no flags
Proposed patch (6.83 KB, patch) - 2014-02-19 09:59 PST, Dániel Bátyai - no flags
Proposed patch (6.88 KB, patch) - 2014-02-19 10:07 PST, Dániel Bátyai - no flags

Description Renata Hodovan 2014-02-13 05:35:15 PST
Created attachment 224058
Test case

The test was run on debug efl jsc:

function function_0() {
    // year and month arguments far outside the int32 range
    new Date(6501480442020679337816440, 81696082856817131586190070, 1, 1, 1, 1, 1);
}

function_0();


The backtrace:

ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0)
/home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/DateMath.cpp(312) : double WTF::dateToDaysFrom1970(int, int, int)
1   0x7ffff740623b WTFCrash
2   0x7ffff74090e2 WTF::dateToDaysFrom1970(int, int, int)
3   0x7ffff72d98d5 JSC::gregorianDateTimeToMS(JSC::VM&, WTF::GregorianDateTime const&, double, bool)
4   0x7ffff72ab18c JSC::constructDate(JSC::ExecState*, JSC::JSGlobalObject*, JSC::ArgList const&)
5   0x7ffff72ab24d
6   0x7ffff73e88d3
7   0x7ffff73eb7fa JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)
8   0x7ffff73ebcb4 JSC::LLInt::genericCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind)
9   0x7ffff73e8a8f
10  0x7ffff73f1664

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7406240 in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff7406240 in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff74090e2 in WTF::dateToDaysFrom1970 (year=-2147483648, month=0, day=1)
    at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/DateMath.cpp:312
#2  0x00007ffff72d98d5 in JSC::gregorianDateTimeToMS (vm=..., t=..., milliSeconds=1, inputIsUTC=false)
    at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSDateMath.cpp:193
#3  0x00007ffff72ab18c in JSC::constructDate (exec=0x7fffffffcb90, globalObject=0x7ffff7f2f970, args=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/DateConstructor.cpp:170
#4  0x00007ffff72ab24d in JSC::constructWithDateConstructor (exec=0x7fffffffcb90)
    at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/DateConstructor.cpp:180
#5  0x00007ffff73e88d3 in JSC::LLInt::handleHostCall (execCallee=0x7fffffffcb90, pc=0x680358, callee=..., kind=JSC::CodeForConstruct)
    at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1050
#6  0x00007ffff73eb7fa in JSC::LLInt::setUpCall (execCallee=0x7fffffffcb90, pc=0x680358, kind=JSC::CodeForConstruct, calleeAsValue=..., 
    callLinkInfo=0x67fee0) at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1071
#7  0x00007ffff73ebcb4 in JSC::LLInt::genericCall (exec=0x7fffffffcc10, pc=0x680358, kind=JSC::CodeForConstruct)
    at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1137
#8  0x00007ffff73e8a8f in JSC::LLInt::llint_slow_path_construct (exec=0x7fffffffcc10, pc=0x680358)
    at /home/reni2/data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1149
#9  0x00007ffff73f1664 in llint_op_construct () from /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#10 0x00007fffffffcc10 in ?? ()
#11 0x0000000000000000 in ?? ()
(gdb)
Comment 1 Dániel Bátyai 2014-02-17 07:42:07 PST
Created attachment 224367
Proposed patch
Comment 2 Renata Hodovan 2014-02-17 07:46:06 PST
You should add a test case demonstrating the bug and a bit longer description of the fix.
Comment 3 Build Bot 2014-02-17 09:00:12 PST
Comment on attachment 224367
Proposed patch

Attachment 224367 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/4958940718694400

New failing tests:
js/date-constructor.html
js/date-toisostring.html
platform/mac/fast/AppleScript/date.html
js/date-utc-timeclip.html
Comment 4 Build Bot 2014-02-17 09:00:14 PST
Created attachment 224383
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-08  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 5 Build Bot 2014-02-17 09:14:26 PST
Comment on attachment 224367
Proposed patch

Attachment 224367 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5059838493065216

New failing tests:
js/date-constructor.html
js/date-toisostring.html
platform/mac/fast/AppleScript/date.html
js/date-utc-timeclip.html
Comment 6 Build Bot 2014-02-17 09:14:28 PST
Created attachment 224385
Archive of layout-test-results from webkit-ews-06 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-06  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 7 Build Bot 2014-02-17 09:32:02 PST
Comment on attachment 224367
Proposed patch

Attachment 224367 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5575685137498112

New failing tests:
js/date-constructor.html
js/date-toisostring.html
js/date-utc-timeclip.html
Comment 8 Build Bot 2014-02-17 09:32:06 PST
Created attachment 224387
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-14  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.5
Comment 9 Dániel Bátyai 2014-02-19 09:59:04 PST
Created attachment 224645
Proposed patch

Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970.
The patch makes DateConstructor check if the number fits into an Int32 before casting.
Comment 10 WebKit Commit Bot 2014-02-19 10:01:17 PST
Attachment 224645 did not pass style-queue:

ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:151:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:152:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:153:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:154:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:155:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:156:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:157:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:230:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:231:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:232:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:233:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:234:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:235:  Missing spaces around <  [whitespace/operators] [3]
ERROR: Source/JavaScriptCore/runtime/DateConstructor.cpp:236:  Missing spaces around <  [whitespace/operators] [3]
Total errors found: 14 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 11 Dániel Bátyai 2014-02-19 10:07:20 PST
Created attachment 224648
Proposed patch

Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970.
The patch makes DateConstructor check if the number fits into an Int32 before casting.
Comment 12 Dániel Bátyai 2014-02-19 10:10:32 PST
Comment on attachment 224648
Proposed patch

Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970.
The patch makes DateConstructor check if the number fits into an Int32 before casting.
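The conversion problem these comments describe, as an added example that is not WebKit's code and not the patch itself: the ECMAScript ToInt32 wrap (which never rejects a value, it only reduces it modulo 2^32) next to the kind of range check the comments say the fix adds before casting. The reporter's first argument is, as a double, a multiple of 2^30 that lands exactly on 2^31 mod 2^32, so the wrap turns it into INT32_MIN, the year the gdb frame shows entering dateToDaysFrom1970; the checked path rejects it instead, so the caller can produce NaN (an Invalid Date) rather than feed a bogus year into the day arithmetic. The namespace, function names, the DateParts struct and the nullopt-means-NaN convention are this example's own assumptions, not JavaScriptCore's API.

```cpp
#include <climits>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <optional>

namespace datecheck {

// ECMAScript ToInt32: truncate toward zero, then wrap modulo 2^32 into
// [-2^31, 2^31). It never rejects anything: a huge double silently becomes
// some small or negative int. This follows the ES semantics; it is not
// WebKit's implementation.
int32_t toInt32(double d)
{
    if (!std::isfinite(d))
        return 0;
    double t = std::trunc(d);
    double m = std::fmod(t, 4294967296.0);   // fmod on doubles is exact
    if (m < 0)
        m += 4294967296.0;
    if (m >= 2147483648.0)
        m -= 4294967296.0;
    return static_cast<int32_t>(m);           // in range now, so no UB
}

// The check the comments describe: is the (truncated) value representable
// as an int32 at all? Decided on the double, before any cast happens.
bool fitsInInt32(double d)
{
    if (!std::isfinite(d))
        return false;
    double t = std::trunc(d);
    return t >= static_cast<double>(INT32_MIN) && t <= static_cast<double>(INT32_MAX);
}

struct DateParts {
    int32_t year;
    int32_t month;
    int32_t day;
};

// "Before": wrap first, validate never. Out-of-range input comes out as an
// arbitrary wrapped int and flows on into the date arithmetic.
DateParts convertUnchecked(double year, double month, double day)
{
    return { toInt32(year), toInt32(month), toInt32(day) };
}

// "After": any component outside int32 range fails the whole conversion;
// the caller maps std::nullopt to NaN instead of building a Date from it.
std::optional<DateParts> convertChecked(double year, double month, double day)
{
    for (double component : { year, month, day }) {
        if (!fitsInInt32(component))
            return std::nullopt;
    }
    return DateParts { static_cast<int32_t>(year), static_cast<int32_t>(month), static_cast<int32_t>(day) };
}

// The first two arguments from the bug's test case, embedded here as sample input.
constexpr double kReportedYear = 6501480442020679337816440.0;
constexpr double kReportedMonth = 81696082856817131586190070.0;

} // namespace datecheck

int main()
{
    using namespace datecheck;
    DateParts before = convertUnchecked(kReportedYear, kReportedMonth, 1);
    std::printf("unchecked: year=%d month=%d day=%d\n", before.year, before.month, before.day);
    if (auto after = convertChecked(kReportedYear, kReportedMonth, 1))
        std::printf("checked: year=%d month=%d day=%d\n", after->year, after->month, after->day);
    else
        std::printf("checked: rejected, the Date would be NaN\n");
    return 0;
}
```

The point of doing the check on the double rather than on the casted int is that a wrapped value such as INT32_MIN does "fit" in an int32 and would pass any check made after the cast; only the original double carries the information that the input was out of range.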
Comment 13 Geoffrey Garen 2014-02-19 10:34:34 PST
Comment on attachment 224648
Proposed patch

r=me
Comment 14 WebKit Commit Bot 2014-02-19 10:53:12 PST
Comment on attachment 224648
Proposed patch

Clearing flags on attachment: 224648

Committed r164373: <http://trac.webkit.org/changeset/164373>
Comment 15 WebKit Commit Bot 2014-02-19 10:53:15 PST
All reviewed patches have been landed.  Closing bug.