Bug 42643 - Assertion failure when loading http://www.html5rocks.com
Summary: Assertion failure when loading http://www.html5rocks.com
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows 7
: P2 Major
Assignee: Nobody
URL:
Keywords:
: 42823 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-07-20 08:09 PDT by Alexander Pavlov (apavlov)
Modified: 2010-07-22 16:38 PDT (History)
5 users (show)

See Also:


Attachments
Reduction (109 bytes, text/html)
2010-07-21 01:28 PDT, Kent Tamura
no flags Details
Patch (4.41 KB, patch)
2010-07-21 02:23 PDT, Kent Tamura
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Pavlov (apavlov) 2010-07-20 08:09:53 PDT
I'm observing a crash while loading certain HTML5 pages. www.html5rocks.com/ is one example.

Unhandled exception at 0x571f3fee (WebKit.dll) in Safari.exe: 0xC0000005: Access violation writing location 0xbbadbeef.

>	WebKit.dll!WebCore::HTMLInputElement::rangeUnderflow()  Line 348 + 0x87 bytes	C++
 	WebKit.dll!WebCore::ValidityState::rangeUnderflow()  Line 131	C++
 	WebKit.dll!WebCore::ValidityState::valid()  Line 150 + 0x26 bytes	C++
 	WebKit.dll!WebCore::HTMLFormControlElement::setNeedsValidityCheck()  Line 338 + 0xf bytes	C++
 	WebKit.dll!WebCore::HTMLInputElement::setInputType(const WebCore::String & t={...})  Line 895	C++
 	WebKit.dll!WebCore::HTMLInputElement::parseMappedAttribute(WebCore::Attribute * attr=0x07da56f8)  Line 1112 + 0x18 bytes	C++
 	WebKit.dll!WebCore::StyledElement::attributeChanged(WebCore::Attribute * attr=0x07da56f8, bool preserveDecls=false)  Line 183 + 0x16 bytes	C++
 	WebKit.dll!WebCore::Element::setAttribute(const WebCore::AtomicString & name={...}, const WebCore::AtomicString & value={...}, int & ec=0)  Line 562 + 0x18 bytes	C++
 	WebKit.dll!WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState * exec=0x078f0278)  Line 1422 + 0x2c bytes	C++
Comment 1 Kent Tamura 2010-07-21 00:31:19 PDT
The assertion was added by http://trac.webkit.org/changeset/56242.
Comment 2 Kent Tamura 2010-07-21 01:28:12 PDT
Created attachment 62152 [details]
Reduction
Comment 3 Kent Tamura 2010-07-21 02:23:32 PDT
Created attachment 62158 [details]
Patch
Comment 4 Darin Adler 2010-07-21 08:02:07 PDT
Comment on attachment 62158 [details]
Patch

What about InputElement::updateValueIfNeeded? Is that function used anywhere?
Comment 5 Kent Tamura 2010-07-21 08:07:58 PDT
(In reply to comment #4)
> (From update of attachment 62158 [details])
> What about InputElement::updateValueIfNeeded? Is that function used anywhere?

Yes.  It is used by InputElement::parsemaxLengthAttribute().  This call is harmless because maxLength doesn't affect to type=range.

I'll refactor sanitization code in dom/InputElement and html/HTMLInputElement.  They are confusing.
Comment 6 Darin Adler 2010-07-21 08:08:43 PDT
Retitled since an assertion failure is not a crash.
Comment 7 Kent Tamura 2010-07-21 20:09:14 PDT
Comment on attachment 62158 [details]
Patch

Clearing flags on attachment: 62158

Committed r63876: <http://trac.webkit.org/changeset/63876>
Comment 8 Kent Tamura 2010-07-21 20:09:25 PDT
All reviewed patches have been landed.  Closing bug.
Comment 9 Alexey Proskuryakov 2010-07-22 16:38:40 PDT
*** Bug 42823 has been marked as a duplicate of this bug. ***