I'm observing a crash while loading certain HTML5 pages. www.html5rocks.com/ is one example. Unhandled exception at 0x571f3fee (WebKit.dll) in Safari.exe: 0xC0000005: Access violation writing location 0xbbadbeef. > WebKit.dll!WebCore::HTMLInputElement::rangeUnderflow() Line 348 + 0x87 bytes C++ WebKit.dll!WebCore::ValidityState::rangeUnderflow() Line 131 C++ WebKit.dll!WebCore::ValidityState::valid() Line 150 + 0x26 bytes C++ WebKit.dll!WebCore::HTMLFormControlElement::setNeedsValidityCheck() Line 338 + 0xf bytes C++ WebKit.dll!WebCore::HTMLInputElement::setInputType(const WebCore::String & t={...}) Line 895 C++ WebKit.dll!WebCore::HTMLInputElement::parseMappedAttribute(WebCore::Attribute * attr=0x07da56f8) Line 1112 + 0x18 bytes C++ WebKit.dll!WebCore::StyledElement::attributeChanged(WebCore::Attribute * attr=0x07da56f8, bool preserveDecls=false) Line 183 + 0x16 bytes C++ WebKit.dll!WebCore::Element::setAttribute(const WebCore::AtomicString & name={...}, const WebCore::AtomicString & value={...}, int & ec=0) Line 562 + 0x18 bytes C++ WebKit.dll!WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState * exec=0x078f0278) Line 1422 + 0x2c bytes C++
The assertion was added by http://trac.webkit.org/changeset/56242.
Created attachment 62152 [details] Reduction
Created attachment 62158 [details] Patch
Comment on attachment 62158 [details] Patch What about InputElement::updateValueIfNeeded? Is that function used anywhere?
(In reply to comment #4) > (From update of attachment 62158 [details]) > What about InputElement::updateValueIfNeeded? Is that function used anywhere? Yes. It is used by InputElement::parsemaxLengthAttribute(). This call is harmless because maxLength doesn't affect to type=range. I'll refactor sanitization code in dom/InputElement and html/HTMLInputElement. They are confusing.
Retitled since an assertion failure is not a crash.
Comment on attachment 62158 [details] Patch Clearing flags on attachment: 62158 Committed r63876: <http://trac.webkit.org/changeset/63876>
All reviewed patches have been landed. Closing bug.
*** Bug 42823 has been marked as a duplicate of this bug. ***