Bug 42643

Summary: Assertion failure when loading http://www.html5rocks.com
Product: WebKit
Reporter: Alexander Pavlov (apavlov) <apavlov>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Major
CC: ap, darin, joepeck, kenneth, tkent
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows 7
Attachments:
  Reduction (Flags: none)
  Patch (Flags: none)

Description Alexander Pavlov (apavlov) 2010-07-20 08:09:53 PDT
I'm observing a crash while loading certain HTML5 pages. www.html5rocks.com/ is one example.

Unhandled exception at 0x571f3fee (WebKit.dll) in Safari.exe: 0xC0000005: Access violation writing location 0xbbadbeef.

>  WebKit.dll!WebCore::HTMLInputElement::rangeUnderflow()  Line 348 + 0x87 bytes  C++
   WebKit.dll!WebCore::ValidityState::rangeUnderflow()  Line 131  C++
   WebKit.dll!WebCore::ValidityState::valid()  Line 150 + 0x26 bytes  C++
   WebKit.dll!WebCore::HTMLFormControlElement::setNeedsValidityCheck()  Line 338 + 0xf bytes  C++
   WebKit.dll!WebCore::HTMLInputElement::setInputType(const WebCore::String & t={...})  Line 895  C++
   WebKit.dll!WebCore::HTMLInputElement::parseMappedAttribute(WebCore::Attribute * attr=0x07da56f8)  Line 1112 + 0x18 bytes  C++
   WebKit.dll!WebCore::StyledElement::attributeChanged(WebCore::Attribute * attr=0x07da56f8, bool preserveDecls=false)  Line 183 + 0x16 bytes  C++
   WebKit.dll!WebCore::Element::setAttribute(const WebCore::AtomicString & name={...}, const WebCore::AtomicString & value={...}, int & ec=0)  Line 562 + 0x18 bytes  C++
   WebKit.dll!WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState * exec=0x078f0278)  Line 1422 + 0x2c bytes  C++
Comment 1 Kent Tamura 2010-07-21 00:31:19 PDT
The assertion was added by http://trac.webkit.org/changeset/56242.
Comment 2 Kent Tamura 2010-07-21 01:28:12 PDT
Created attachment 62152 [details]
Reduction
Comment 3 Kent Tamura 2010-07-21 02:23:32 PDT
Created attachment 62158 [details]
Patch
Comment 4 Darin Adler 2010-07-21 08:02:07 PDT
Comment on attachment 62158 [details]
Patch

What about InputElement::updateValueIfNeeded? Is that function used anywhere?
Comment 5 Kent Tamura 2010-07-21 08:07:58 PDT
(In reply to comment #4)
> (From update of attachment 62158 [details])
> What about InputElement::updateValueIfNeeded? Is that function used anywhere?

Yes. It is used by InputElement::parsemaxLengthAttribute(). This call is harmless because maxLength doesn't affect type=range.

I'll refactor the sanitization code in dom/InputElement and html/HTMLInputElement. They are confusing.
Comment 6 Darin Adler 2010-07-21 08:08:43 PDT
Retitled since an assertion failure is not a crash.
Comment 7 Kent Tamura 2010-07-21 20:09:14 PDT
Comment on attachment 62158 [details]
Patch

Clearing flags on attachment: 62158

Committed r63876: <http://trac.webkit.org/changeset/63876>
Comment 8 Kent Tamura 2010-07-21 20:09:25 PDT
All reviewed patches have been landed.  Closing bug.
Comment 9 Alexey Proskuryakov 2010-07-22 16:38:40 PDT
*** Bug 42823 has been marked as a duplicate of this bug. ***