42643 2010-07-20 08:09:53 -0700 Assertion failure when loading http://www.html5rocks.com 2010-07-22 16:38:40 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC Windows 7 RESOLVED FIXED P2 Major --- 1 apavlov webkit-unassigned ap darin joepeck kenneth tkent oldest_to_newest 253731 0 apavlov 2010-07-20 08:09:53 -0700 I'm observing a crash while loading certain HTML5 pages. www.html5rocks.com/ is one example. Unhandled exception at 0x571f3fee (WebKit.dll) in Safari.exe: 0xC0000005: Access violation writing location 0xbbadbeef. > WebKit.dll!WebCore::HTMLInputElement::rangeUnderflow() Line 348 + 0x87 bytes C++ WebKit.dll!WebCore::ValidityState::rangeUnderflow() Line 131 C++ WebKit.dll!WebCore::ValidityState::valid() Line 150 + 0x26 bytes C++ WebKit.dll!WebCore::HTMLFormControlElement::setNeedsValidityCheck() Line 338 + 0xf bytes C++ WebKit.dll!WebCore::HTMLInputElement::setInputType(const WebCore::String & t={...}) Line 895 C++ WebKit.dll!WebCore::HTMLInputElement::parseMappedAttribute(WebCore::Attribute * attr=0x07da56f8) Line 1112 + 0x18 bytes C++ WebKit.dll!WebCore::StyledElement::attributeChanged(WebCore::Attribute * attr=0x07da56f8, bool preserveDecls=false) Line 183 + 0x16 bytes C++ WebKit.dll!WebCore::Element::setAttribute(const WebCore::AtomicString & name={...}, const WebCore::AtomicString & value={...}, int & ec=0) Line 562 + 0x18 bytes C++ WebKit.dll!WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState * exec=0x078f0278) Line 1422 + 0x2c bytes C++ 254148 1 tkent 2010-07-21 00:31:19 -0700 The assertion was added by http://trac.webkit.org/changeset/56242. 254160 2 62152 tkent 2010-07-21 01:28:12 -0700 Created attachment 62152 Reduction 254177 3 62158 tkent 2010-07-21 02:23:32 -0700 Created attachment 62158 Patch 254284 4 62158 darin 2010-07-21 08:02:07 -0700 Comment on attachment 62158 Patch What about InputElement::updateValueIfNeeded? Is that function used anywhere? 254286 5 tkent 2010-07-21 08:07:58 -0700 (In reply to comment #4) > (From update of attachment 62158 [details]) > What about InputElement::updateValueIfNeeded? Is that function used anywhere? Yes. It is used by InputElement::parsemaxLengthAttribute(). This call is harmless because maxLength doesn't affect to type=range. I'll refactor sanitization code in dom/InputElement and html/HTMLInputElement. They are confusing. 254287 6 darin 2010-07-21 08:08:43 -0700 Retitled since an assertion failure is not a crash. 254636 7 62158 tkent 2010-07-21 20:09:14 -0700 Comment on attachment 62158 Patch Clearing flags on attachment: 62158 Committed r63876: <http://trac.webkit.org/changeset/63876> 254637 8 tkent 2010-07-21 20:09:25 -0700 All reviewed patches have been landed. Closing bug. 255058 9 ap 2010-07-22 16:38:40 -0700 *** Bug 42823 has been marked as a duplicate of this bug. *** 62152 2010-07-21 01:28:12 -0700 2010-07-21 01:28:12 -0700 Reduction range-assertion.html text/html 109 tkent PHNjcmlwdD4KdmFyIGkgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdpbnB1dCcpOwppLnZhbHVl ID0gJzopJzsKaS5zZXRBdHRyaWJ1dGUoJ3R5cGUnLCAncmFuZ2UnKTsKPC9zY3JpcHQ+Cg== 62158 2010-07-21 02:23:32 -0700 2010-07-21 20:09:14 -0700 Patch bug-42643-20100721182330.patch text/plain 4515 tkent ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCBlMjQ4M2YzMTZmYmY2ZjU0ZWNhZGQxZjg2NmI4OWQ4NDBjYjhmYTQzLi5jZGIzZWU3 ZjQzZjlkNjdlMjlmY2NlYzI4ZjM1NjJlODI3OTRkMDY3IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0 cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAK KzIwMTAtMDctMjEgIEtlbnQgVGFtdXJhICA8dGtlbnRAY2hyb21pdW0ub3JnPgorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEFzc2VydGlvbiBmYWlsdXJl IGJ5IGNoYW5naW5nIHRoZSB0eXBlIG9mIGFuIGlucHV0IGVsZW1lbnQgd2l0aCBhCisgICAgICAg IG5vbi1udW1iZXIgdmFsdWUgdG8gJ3JhbmdlJy4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtp dC5vcmcvc2hvd19idWcuY2dpP2lkPTQyNjQzCisKKyAgICAgICAgKiBmYXN0L2Zvcm1zL2lucHV0 LXZhbHVlLXNhbml0aXphdGlvbi1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGZhc3Qv Zm9ybXMvaW5wdXQtdmFsdWUtc2FuaXRpemF0aW9uLmh0bWw6IEFkZGVkLgorICAgICAgICAqIGZh c3QvZm9ybXMvc2NyaXB0LXRlc3RzL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi5qczogQWRkZWQu CisKIDIwMTAtMDctMjAgIFRvbnkgQ2hhbmcgIDx0b255QGNocm9taXVtLm9yZz4KIAogICAgICAg ICBOb3QgcmV2aWV3ZWQsIGNocm9taXVtIHRlc3QgZXhwZWN0YXRpb24uCmRpZmYgLS1naXQgYS9M YXlvdXRUZXN0cy9mYXN0L2Zvcm1zL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi1leHBlY3RlZC50 eHQgYi9MYXlvdXRUZXN0cy9mYXN0L2Zvcm1zL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi1leHBl Y3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMC4uMGRlODA3MTE2OWZiMDczYzlhZDhkZTg1ZjY3MTc0MTcwMGQ0 NjIyZQotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2Zhc3QvZm9ybXMvaW5wdXQtdmFs dWUtc2FuaXRpemF0aW9uLWV4cGVjdGVkLnR4dApAQCAtMCwwICsxLDEwIEBACitUZXN0cyBmb3Ig dmFsdWUgc2FuaXRpemF0aW9uIGFsZ29yaXRobS4KKworT24gc3VjY2VzcywgeW91IHdpbGwgc2Vl IGEgc2VyaWVzIG9mICJQQVNTIiBtZXNzYWdlcywgZm9sbG93ZWQgYnkgIlRFU1QgQ09NUExFVEUi LgorCisKK1BBU1MgaW5wdXQudmFsdWUgaXMgIjUwIgorUEFTUyBzdWNjZXNzZnVsbHlQYXJzZWQg aXMgdHJ1ZQorCitURVNUIENPTVBMRVRFCisKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3Qv Zm9ybXMvaW5wdXQtdmFsdWUtc2FuaXRpemF0aW9uLmh0bWwgYi9MYXlvdXRUZXN0cy9mYXN0L2Zv cm1zL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0Cmlu ZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjM0MDFjMTY1Nzhh Nzc5MGYzZDdhZDgyZjAwMDk4NjFhMTU5MTRmM2UKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRU ZXN0cy9mYXN0L2Zvcm1zL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi5odG1sCkBAIC0wLDAgKzEs MTMgQEAKKzwhRE9DVFlQRSBIVE1MIFBVQkxJQyAiLS8vSUVURi8vRFREIEhUTUwvL0VOIj4KKzxo dG1sPgorPGhlYWQ+Cis8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Ii4uLy4uL2Zhc3QvanMv cmVzb3VyY2VzL2pzLXRlc3Qtc3R5bGUuY3NzIj4KKzxzY3JpcHQgc3JjPSIuLi8uLi9mYXN0L2pz L3Jlc291cmNlcy9qcy10ZXN0LXByZS5qcyI+PC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keT4KKzxw IGlkPSJkZXNjcmlwdGlvbiI+PC9wPgorPGRpdiBpZD0iY29uc29sZSI+PC9kaXY+Cis8c2NyaXB0 IHNyYz0ic2NyaXB0LXRlc3RzL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi5qcyI+PC9zY3JpcHQ+ Cis8c2NyaXB0IHNyYz0iLi4vLi4vZmFzdC9qcy9yZXNvdXJjZXMvanMtdGVzdC1wb3N0LmpzIj48 L3NjcmlwdD4KKzwvYm9keT4KKzwvaHRtbD4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3Qv Zm9ybXMvc2NyaXB0LXRlc3RzL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi5qcyBiL0xheW91dFRl c3RzL2Zhc3QvZm9ybXMvc2NyaXB0LXRlc3RzL2lucHV0LXZhbHVlLXNhbml0aXphdGlvbi5qcwpu ZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwLi4yODUyOTJjOGRmNWI5NDAwYWU1OWU0YWRjMmMxNDFlNGVhMGQ3OTNmCi0tLSAv ZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvZmFzdC9mb3Jtcy9zY3JpcHQtdGVzdHMvaW5wdXQt dmFsdWUtc2FuaXRpemF0aW9uLmpzCkBAIC0wLDAgKzEsMTQgQEAKK2Rlc2NyaXB0aW9uKCdUZXN0 cyBmb3IgdmFsdWUgc2FuaXRpemF0aW9uIGFsZ29yaXRobS4nKTsKKwordmFyIGlucHV0ID0gZG9j dW1lbnQuY3JlYXRlRWxlbWVudCgnaW5wdXQnKTsKKworaW5wdXQudHlwZSA9ICd0ZXh0JzsKK2lu cHV0LnZhbHVlID0gJzopJzsKKworaW5wdXQudHlwZSA9ICdyYW5nZSc7CitzaG91bGRCZSgnaW5w dXQudmFsdWUnLCAnIjUwIicpOworCisvLyBGSVhNRTogQWRkIG1vcmUgc2FuaXRpemF0aW9uIHRl c3RzLgorLy8gaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTM3MDI0CisK K3ZhciBzdWNjZXNzZnVsbHlQYXJzZWQgPSB0cnVlOwpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9DaGFu Z2VMb2cgYi9XZWJDb3JlL0NoYW5nZUxvZwppbmRleCBlYTQ5MDc5ZGI4MmQ5ZGMzZDk0YzU0MzJi MWNiZmY2N2NiNzk3NDQ3Li4zYTUxZjdjNmNiNzBhNmE0MTQ3YTEyNDg0OWQxMGQ4MjcxYjZjMTA4 IDEwMDY0NAotLS0gYS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9XZWJDb3JlL0NoYW5nZUxvZwpA QCAtMSwzICsxLDE4IEBACisyMDEwLTA3LTIxICBLZW50IFRhbXVyYSAgPHRrZW50QGNocm9taXVt Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBB c3NlcnRpb24gZmFpbHVyZSBieSBjaGFuZ2luZyB0aGUgdHlwZSBvZiBhbiBpbnB1dCBlbGVtZW50 IHdpdGggYQorICAgICAgICBub24tbnVtYmVyIHZhbHVlIHRvICdyYW5nZScuCisgICAgICAgIGh0 dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00MjY0MworCisgICAgICAgIFRl c3Q6IGZhc3QvZm9ybXMvaW5wdXQtdmFsdWUtc2FuaXRpemF0aW9uLmh0bWwKKworICAgICAgICAq IGh0bWwvSFRNTElucHV0RWxlbWVudC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpIVE1MSW5wdXRF bGVtZW50OjpzZXRJbnB1dFR5cGUpOgorICAgICAgICBVcGRhdGUgdGhlIHZhbHVlIGJ5IEhUTUxJ bnB1dEVsZW1lbnQ6OnNhbml0aXplVmFsdWUoKSBpbiBhIGNhc2UgdGhhdAorICAgICAgICBzdG9y ZXNWYWx1ZVNlcGFyYXRlRnJvbUF0dHJpYnV0ZSgpIHN0YXRlIGlzIG5vdCBjaGFuZ2VkLgorCiAy MDEwLTA3LTIwICBTYW0gV2VpbmlnICA8c2FtQHdlYmtpdC5vcmc+CiAKICAgICAgICAgUmV2aWV3 ZWQgYnkgQnJhZHkgRWlkc29uLgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9odG1sL0hUTUxJbnB1dEVs ZW1lbnQuY3BwIGIvV2ViQ29yZS9odG1sL0hUTUxJbnB1dEVsZW1lbnQuY3BwCmluZGV4IGI3YWQx MThkNzUwNTJkMTRlNDQzODRkNTFlZTdmZTc4ZGM1ODUzMzMuLmM5ZmQ1NjAzY2QyY2NhMmEyZDUy NDc4YWY0NWNlY2FjMWIyZDUwZGUgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvaHRtbC9IVE1MSW5wdXRF bGVtZW50LmNwcAorKysgYi9XZWJDb3JlL2h0bWwvSFRNTElucHV0RWxlbWVudC5jcHAKQEAgLTg2 Myw4ICs4NjMsMTIgQEAgdm9pZCBIVE1MSW5wdXRFbGVtZW50OjpzZXRJbnB1dFR5cGUoY29uc3Qg U3RyaW5nJiB0KQogICAgICAgICAgICAgfQogICAgICAgICAgICAgaWYgKCFkaWRTdG9yZVZhbHVl ICYmIHdpbGxTdG9yZVZhbHVlKQogICAgICAgICAgICAgICAgIG1fZGF0YS5zZXRWYWx1ZShzYW5p dGl6ZVZhbHVlKGdldEF0dHJpYnV0ZSh2YWx1ZUF0dHIpKSk7Ci0gICAgICAgICAgICBlbHNlCi0g ICAgICAgICAgICAgICAgSW5wdXRFbGVtZW50Ojp1cGRhdGVWYWx1ZUlmTmVlZGVkKG1fZGF0YSwg dGhpcyk7CisgICAgICAgICAgICBlbHNlIHsKKyAgICAgICAgICAgICAgICBTdHJpbmcgb2xkVmFs dWUgPSBtX2RhdGEudmFsdWUoKTsKKyAgICAgICAgICAgICAgICBTdHJpbmcgbmV3VmFsdWUgPSBz YW5pdGl6ZVZhbHVlKG9sZFZhbHVlKTsKKyAgICAgICAgICAgICAgICBpZiAobmV3VmFsdWUgIT0g b2xkVmFsdWUpCisgICAgICAgICAgICAgICAgICAgIHNldFZhbHVlKG5ld1ZhbHVlKTsKKyAgICAg ICAgICAgIH0KIAogICAgICAgICAgICAgaWYgKHdhc1Bhc3N3b3JkRmllbGQgJiYgIWlzUGFzc3dv cmRGaWVsZCkKICAgICAgICAgICAgICAgICB1bnJlZ2lzdGVyRm9yQWN0aXZhdGlvbkNhbGxiYWNr SWZOZWVkZWQoKTsK