Open: <body contenteditable="true">• <b>This is some linked text</b></body> Place the caret at the end of the document and left arrow backward through the text. Crash occurs when the caret is between 'm' and 'e' of 'some'. 0 com.apple.JavaScriptCore 0x001747ca WTF::fastFree(void*) + 58 1 com.apple.WebCore 0x0118b900 WebCore::DeprecatedStringData::~DeprecatedStringData [in-charge]() + 32 2 com.apple.WebCore 0x011d28dd WebCore::previousBoundary(WebCore::VisiblePosition const&, unsigned (*)(unsigned short const*, unsigned)) + 893 3 com.apple.WebCore 0x011d5be0 WebCore::startOfWord(WebCore::VisiblePosition const&, WebCore::EWordSide) + 256 4 com.apple.WebCore 0x010abba6 WebCore::Frame::respondToChangedSelection(WebCore::Selection const&, bool) + 310 5 com.apple.WebCore 0x011c669f WebCore::SelectionController::setSelection(WebCore::Selection const&, bool, bool, bool) + 895 6 com.apple.WebCore 0x011c8326 WebCore::SelectionController::moveTo(WebCore::VisiblePosition const&, bool) + 118 7 com.apple.WebCore 0x011c947d WebCore::SelectionController::modify(WebCore::SelectionController::EAlteration, WebCore::SelectionController::EDirection, WebCore::TextGranularity, bool) + 509 ... <rdar://problem/5157329> REGRESSION: Crash at WTF::fastFree() when arrowing backward through editable text
Regressed between r20814 and r20836.
Looks like r20819 caused this.
I backed out those changes in r21193. We'll revisit the bug fixed by those changes later.