Created attachment 227349 [details] Example - assertion The parsing for setting inline style with JS seems to differ from markup parsing. The following is interpreted as number with scientific notation: 2e500 The numbers seem not to be checked for overflow: document.getElementsByTagName('div')[0].style.marginTop = '2e500px'; causes an ASSERT: ASSERTION FAILED: std::isfinite(num) CSSPrimitiveValue.cpp(259) : WebCore::CSSPrimitiveValue::CSSPrimitiveValue(double, WebCore::CSSPrimitiveValue::UnitTypes) 1 0x1059f0a30 WTFCrash 2 0x107548bec WebCore::CSSPrimitiveValue::CSSPrimitiveValue(double, WebCore::CSSPrimitiveValue::UnitTypes) 3 0x107548af5 WebCore::CSSPrimitiveValue::CSSPrimitiveValue(double, WebCore::CSSPrimitiveValue::UnitTypes) 4 0x10744e5d1 WebCore::CSSPrimitiveValue::create(double, WebCore::CSSPrimitiveValue::UnitTypes) 5 0x107593c94 WebCore::CSSValuePool::createValue(double, WebCore::CSSPrimitiveValue::UnitTypes) 6 0x1074edef5 WebCore::parseSimpleLengthValue(WebCore::MutableStyleProperties*, WebCore::CSSPropertyID, WTF::String const&, bool, WebCore::CSSParserMode) 7 0x1074edbd0 WebCore::CSSParser::parseValue(WebCore::MutableStyleProperties*, WebCore::CSSPropertyID, WTF::String const&, bool, WebCore::CSSParserMode, WebCore::StyleSheetContents*) 8 0x108db260f WebCore::MutableStyleProperties::setProperty(WebCore::CSSPropertyID, WTF::String const&, bool, WebCore::StyleSheetContents*)