WebKit Bugzilla
RESOLVED WORKSFORME
142160
ASSERTION FAILED: charactersWritten > 0 && static_cast<unsigned>(charactersWritten) < sizeof(buffer) in JSC::dateProtoFuncToISOString
https://bugs.webkit.org/show_bug.cgi?id=142160
Renata Hodovan
Reported 2015-03-02 04:05:22 PST

Created attachment 247657
Test case

Load this script with debug jsc:

var d = new Date(0);
d.setUTCFullYear(-200e6);
d.toISOString();

Backtrace:

ASSERTION FAILED: charactersWritten > 0 && static_cast<unsigned>(charactersWritten) < sizeof(buffer)
../../Source/JavaScriptCore/runtime/DatePrototype.cpp(542) : JSC::EncodedJSValue JSC::dateProtoFuncToISOString(JSC::ExecState*)
1   0x7ffff73f24ca /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ffff73f24ca]
2   0x7ffff724a1c9 /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC24dateProtoFuncToISOStringEPNS_9ExecStateE+0x410) [0x7ffff724a1c9]
3   0x7fffadfff0a8 [0x7fffadfff0a8]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73f24cf in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff73f24cf in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff724a1c9 in JSC::dateProtoFuncToISOString (exec=0x7fffffffca90) at ../../Source/JavaScriptCore/runtime/DatePrototype.cpp:542
#2  0x00007fffadfff0a8 in ?? ()
#3  0x00007fffffffcad0 in ?? ()
#4  0x00007ffff73a05ef in llint_entry () from /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
Attachments
Test case (63 bytes, application/javascript), 2015-03-02 04:05 PST, Renata Hodovan, no flags
Alexey Proskuryakov
Comment 1
2015-03-05 13:58:43 PST
Which part of the assertion condition is untrue? That's sort of a big difference.
Renata Hodovan
Comment 2
2015-03-06 00:09:29 PST
(In reply to comment #1)
> Which part of the assertion condition is untrue? That's sort of a big
> difference.
The second part of the condition fails, since 30 characters were written but the size of the buffer is only 28. (However, this case is handled in the next line, so we don't end up in a crash in release.)
Alexey Proskuryakov
Comment 3
2015-03-09 12:54:33 PDT
I see, it's an snprintf, and we have a check later, so no buffer overrun.
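The behaviour discussed in comments 2 and 3, as an added example that is not part of the original thread and is not WebKit's code: snprintf never writes past the buffer, but it returns the length the full string would need, so a result of 30 against a 28-byte buffer means truncation that a release build has to check for. The format strings, the helper names `iso_format` and `iso_format_checked`, and the month/day/time values are assumptions; the buffer size and the 30-character result come from comment 2.

```c
#include <stdio.h>
#include <string.h>

#define ISO_BUF_SIZE 28  /* buffer size stated in comment 2 */

/* Hypothetical helper. The format strings are an assumption modelled on
 * the ECMAScript extended-year ISO form. Returns snprintf's result: the
 * length the full string needs, which may exceed what was stored. */
static int iso_format(char *buf, size_t size, int year, int mon, int day,
                      int hour, int min, int sec, int ms)
{
    if (year < 0 || year > 9999)
        return snprintf(buf, size, "%+07d-%02d-%02dT%02d:%02d:%02d.%03dZ",
                        year, mon, day, hour, min, sec, ms);
    return snprintf(buf, size, "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ",
                    year, mon, day, hour, min, sec, ms);
}

/* Release-build style check: reject errors and truncated output instead
 * of asserting. Returns 0 with a complete string in out, or -1. */
static int iso_format_checked(char out[ISO_BUF_SIZE], int year)
{
    int n = iso_format(out, ISO_BUF_SIZE, year, 1, 1, 0, 0, 0, 0);
    if (n <= 0 || (size_t)n >= ISO_BUF_SIZE) {
        out[0] = '\0';   /* never hand a truncated date to the caller */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample years; the last is the year from the test case. */
    int years[] = { 2015, -200000, -200000000 };
    for (size_t i = 0; i < sizeof years / sizeof years[0]; i++) {
        char raw[ISO_BUF_SIZE], checked[ISO_BUF_SIZE];
        int n = iso_format(raw, sizeof raw, years[i], 1, 1, 0, 0, 0, 0);
        int rc = iso_format_checked(checked, years[i]);
        printf("year %d: needs %d, stored %zu, rc=%d, raw=\"%s\"\n",
               years[i], n, strlen(raw), rc, raw);
    }
    return 0;
}
```

A six-digit year still fits (27 characters plus the terminator); the nine-digit year from the test case needs 30, so only the first 27 characters are stored and the checked variant rejects the result.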
Renata Hodovan
Comment 4
2015-06-27 03:48:33 PDT
Cannot repro this anymore.