Steps to reproduce:
1. Open Bug 6390 Comment #8: http://bugzilla.opendarwin.org/show_bug.cgi?id=6390#c8
2. Click the "[reply]" link for Bug 6390 Comment #8.
3. Hit Delete four times. (The cursor should start at the end of the quoted reply text before deleting.)

Expected results: Four characters should be deleted from the textarea.

Actual results: WebKit crashes.

Regression: Works as expected on production Safari 2.0.4 (419.3) in Mac OS X 10.4.7 (8J135/PowerPC).

Notes: Tested on a locally-built debug build of WebKit r15636 on the OS X version noted above.
Created attachment 9710: Crash log
I was also able to reproduce this on WebKit nightly r15636, a release build.
Created attachment 9717: Reduction
I noticed that the render tree for <textarea> </textarea> is different from the render tree I get if I start with an empty textarea and press return several times (this may also relate to bug 10105).
*** Bug 10784 has been marked as a duplicate of this bug. ***
radar 4787081
Fixed with r17697. Of course, the crash still occurs in Debug builds because we still hit an assertion in editing. See http://bugs.webkit.org/show_bug.cgi?id=10144