WebKit Bugzilla
Bug 159883 (RESOLVED FIXED)
ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp
https://bugs.webkit.org/show_bug.cgi?id=159883
Michael Saboff, Reported 2016-07-18 11:31:55 PDT

The statement:

    let d = new Date(-0x80000000, 42);

will cause the following ASSERT in a debug build:

(lldb) bt
* thread #1: tid = 0x773a7, 0x0000000101228824 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: 0x0000000101228824 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323
    frame #1: 0x000000010123f120 JavaScriptCore`WTF::dateToDaysFrom1970(year=-2147483645, month=6, day=1) + 192 at DateMath.cpp:310
    frame #2: 0x0000000100cbc8b6 JavaScriptCore`JSC::gregorianDateTimeToMS(vm=0x000000010bbf1000, t=0x00007fff5fbfd390, milliSeconds=0, inputTimeType=LocalTime) + 70 at JSDateMath.cpp:195
    frame #3: 0x0000000100580d00 JavaScriptCore`JSC::millisecondsFromComponents(exec=0x00007fff5fbfd980, args=0x00007fff5fbfd5d8, timeType=LocalTime) + 2144 at DateConstructor.cpp:143
    frame #4: 0x0000000100580235 JavaScriptCore`JSC::constructDate(exec=0x00007fff5fbfd980, globalObject=0x000000010efdf900, newTarget=JSValue @ 0x00007fff5fbfd590, args=0x00007fff5fbfd5d8) + 341 at DateConstructor.cpp:167
    frame #5: 0x0000000100580e63 JavaScriptCore`JSC::constructWithDateConstructor(exec=0x00007fff5fbfd980) + 115 at DateConstructor.cpp:179
    frame #6: 0x0000000100e4c553 JavaScriptCore`JSC::LLInt::handleHostCall(execCallee=0x00007fff5fbfd980, pc=0x000000010f1f89f8, callee=JSValue @ 0x00007fff5fbfd758, kind=CodeForConstruct) + 947 at LLIntSlowPaths.cpp:1224
    frame #7: 0x0000000100e48b07 JavaScriptCore`JSC::LLInt::setUpCall(execCallee=0x00007fff5fbfd980, pc=0x000000010f1f89f8, kind=CodeForConstruct, calleeAsValue=JSValue @ 0x00007fff5fbfd8b8, callLinkInfo=0x000000010b9d93a0) + 103 at LLIntSlowPaths.cpp:1247
    frame #8: 0x0000000100e48203 JavaScriptCore`JSC::LLInt::genericCall(exec=0x00007fff5fbfda10, pc=0x000000010f1f89f8, kind=CodeForConstruct) + 227 at LLIntSlowPaths.cpp:1331
    frame #9: 0x0000000100e4825f JavaScriptCore`::llint_slow_path_construct(exec=0x00007fff5fbfda10, pc=0x000000010f1f89f8) + 63 at LLIntSlowPaths.cpp:1343
    frame #10: 0x0000000100e54c4b JavaScriptCore`llint_entry + 28903
    frame #11: 0x0000000100e4d94e JavaScriptCore`vmEntryToJavaScript + 334
    frame #12: 0x0000000100c40c97 JavaScriptCore`JSC::JITCode::execute(this=0x000000010b9a0668, vm=0x000000010bbf1000, protoCallFrame=0x00007fff5fbfdc98) + 215 at JITCode.cpp:80
    frame #13: 0x0000000100bce1f5 JavaScriptCore`JSC::Interpreter::execute(this=0x000000010b9ef048, program=0x000000010eff7f70, callFrame=0x000000010efdf940, thisObj=0x000000010efa79c0) + 4277 at Interpreter.cpp:962
    frame #14: 0x000000010055f05d JavaScriptCore`JSC::evaluate(exec=0x000000010efdf940, source=0x00007fff5fbff210, thisValue=JSValue @ 0x00007fff5fbff120, returnedException=0x00007fff5fbff230) + 477 at Completion.cpp:107
    frame #15: 0x000000010000c845 jsc`runWithScripts(globalObject=0x000000010efdf900, scripts={ size = 1, capacity = 0 }, uncaughtExceptionName={ length = 0, contents = '' }, dump=false, module=false) + 1765 at jsc.cpp:2129
    frame #16: 0x000000010000424e jsc`runJSC(vm=0x000000010bbf1000, options=CommandLine @ 0x00007fff5fbff828) + 1326 at jsc.cpp:2378
    frame #17: 0x0000000100002f7a jsc`jscmain(argc=2, argv=0x00007fff5fbff930) + 138 at jsc.cpp:2431
    frame #18: 0x0000000100002de6 jsc`main(argc=2, argv=0x00007fff5fbff930) + 166 at jsc.cpp:2000
    frame #19: 0x00000001051f4255 libdyld.dylib`start + 1
Attachments
Patch (2.98 KB, patch), 2016-07-18 11:48 PDT, Michael Saboff, fpizlo: review+
Michael Saboff, Comment 1, 2016-07-18 11:32:17 PDT

<rdar://problem/27251135>
Michael Saboff, Comment 2, 2016-07-18 11:48:52 PDT

Created attachment 283917 [details]
Patch
Filip Pizlo, Comment 3, 2016-07-18 11:50:41 PDT

Comment on attachment 283917 [details]
Patch

Wow
Chris Dumez, Comment 4, 2016-07-18 11:57:51 PDT

Comment on attachment 283917 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=283917&action=review

> Source/WTF/ChangeLog:11
> +        INT_MIN can underflow as a result of subtracting 1970. Since we want a doulbe result,

"double"
Darin Adler, Comment 5, 2016-07-18 14:31:23 PDT

Comment on attachment 283917 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=283917&action=review

> Source/WTF/wtf/DateMath.cpp:167
> +    return 365.0 * (static_cast<double>(year) - 1970) + yearsToAddBy4Rule - yearsToExcludeBy100Rule + yearsToAddBy400Rule;

Another fix would be to just say 1970.0 and leave out the fast.
Darin Adler, Comment 6, 2016-07-18 14:31:32 PDT

cast
Michael Saboff, Comment 7, 2016-07-18 15:16:24 PDT

(In reply to comment #4)
> Comment on attachment 283917 [details]
> Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=283917&action=review
>
> > Source/WTF/ChangeLog:11
> > +        INT_MIN can underflow as a result of subtracting 1970. Since we want a doulbe result,
>
> "double"

Done.
Michael Saboff, Comment 8, 2016-07-18 15:16:42 PDT

(In reply to comment #5)
> Comment on attachment 283917 [details]
> Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=283917&action=review
>
> > Source/WTF/wtf/DateMath.cpp:167
> > +    return 365.0 * (static_cast<double>(year) - 1970) + yearsToAddBy4Rule - yearsToExcludeBy100Rule + yearsToAddBy400Rule;
>
> Another fix would be to just say 1970.0 and leave out the cast.

Done.
Michael Saboff, Comment 9, 2016-07-18 15:21:44 PDT

Committed r203376: <http://trac.webkit.org/changeset/203376>
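The arithmetic behind this report and its fix, as an added example that is not code from the WebKit tree: the leap-day helper is this example's own formulation of the Gregorian 4/100/400 rules (using the rule names quoted in the review, not the exact DateMath.cpp code), the overflow is only detected and modelled in 64-bit arithmetic rather than executed, and reporterYear() takes the year value shown in the backtrace (INT_MIN + 3, which is what new Date(-0x80000000, 42) normalises to once month 42 is carried into the year).

```cpp
#include <climits>
#include <cmath>

// Leap days before 1 January of `year` under the Gregorian 4/100/400 rules, done in
// double so no intermediate can overflow. This is the example's own formulation using
// the rule names quoted in the review, not the exact helper code from DateMath.cpp.
static double leapDaysBefore(double year)
{
    const double yearMinusOne = year - 1.0;
    const double yearsToAddBy4Rule = std::floor(yearMinusOne / 4.0);
    const double yearsToExcludeBy100Rule = std::floor(yearMinusOne / 100.0);
    const double yearsToAddBy400Rule = std::floor(yearMinusOne / 400.0);
    return yearsToAddBy4Rule - yearsToExcludeBy100Rule + yearsToAddBy400Rule;
}

// Hardened shape: widen `year` to double before 1970 is subtracted, as the committed
// change does, so a year next to INT_MIN cannot wrap.
double daysFrom1970ToYearFixed(int year)
{
    const double y = static_cast<double>(year);
    return 365.0 * (y - 1970.0) + leapDaysBefore(y) - leapDaysBefore(1970.0);
}

// The pre-fix shape evaluated `year - 1970` in int. Executing that for the reporter's
// year is signed overflow (undefined behaviour), so this only reports whether it would...
bool yearMinus1970Overflows(int year)
{
    return year < INT_MIN + 1970;
}

// ...and this shows the value a two's-complement wrap would yield, in 64-bit arithmetic
// so the example itself stays well defined: a large positive "years since 1970".
long long wrappedYearMinus1970(int year)
{
    long long exact = static_cast<long long>(year) - 1970;
    if (exact < INT_MIN)
        exact += 4294967296LL; // 2^32
    return exact;
}

// The invariant behind the failed assertion: years before 1970 map to a negative day
// offset, years from 1970 on to a non-negative one.
bool assertionInvariantHolds(int year, double days)
{
    return (year >= 1970 && days >= 0) || (year < 1970 && days < 0);
}

// The year the reporter's testcase reaches (INT_MIN + 3, month 6 in the backtrace).
int reporterYear() { return INT_MIN + 3; }
```

The wrapped delta is positive, so 365 * delta is positive for a year far below 1970, which is exactly the branch of the assertion that fires; the double version keeps the offset negative.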