<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>127092</bug_id>
          
          <creation_ts>2014-01-16 02:36:15 -0800</creation_ts>
          <short_desc>ASSERTION FAILED: !childItemWithTarget(child-&gt;target()) in WebCore::HistoryItem::addChildItem</short_desc>
          <delta_ts>2016-08-03 13:45:26 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>History</component>
          <version>528+ (Nightly build)</version>
          <rep_platform>PC</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>WORKSFORME</resolution>
          
          <see_also>https://bugs.webkit.org/show_bug.cgi?id=51224</see_also>
    
    <see_also>https://bugs.webkit.org/show_bug.cgi?id=70841</see_also>
    
    <see_also>https://bugs.webkit.org/show_bug.cgi?id=99267</see_also>
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          <blocked>116980</blocked>
          <everconfirmed>1</everconfirmed>
          <reporter name="Renata Hodovan">rhodovan.u-szeged</reporter>
          <assigned_to name="Nobody">webkit-unassigned</assigned_to>
          <cc>andersca</cc>
    
    <cc>ap</cc>
    
    <cc>beidson</cc>
    
    <cc>bfulgham</cc>
    
    <cc>darin</cc>
    
    <cc>ggaren</cc>
    
    <cc>kling</cc>
    
    <cc>rniwa</cc>
    
    <cc>sam</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>968669</commentid>
    <comment_count>0</comment_count>
      <attachid>221352</attachid>
    <who name="Renata Hodovan">rhodovan.u-szeged</who>
    <bug_when>2014-01-16 02:36:15 -0800</bug_when>
    <thetext>Created attachment 221352
Test case

Test case to reproduce the issue:

&lt;embed code=&quot;foo1&quot;&gt;
&lt;embed code=&quot;foo1&quot;&gt;
&lt;iframe onload=&quot;document.designMode=&amp;apos;on&amp;apos;;
				document.execCommand(&amp;apos;selectall&amp;apos;);
				document.execCommand(&amp;apos;italic&amp;apos;);&quot;&gt;&lt;/iframe&gt;

Its backtrace:


ASSERTION FAILED: !childItemWithTarget(child-&gt;target())
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/history/HistoryItem.cpp(494) : void WebCore::HistoryItem::addChildItem(WTF::PassRefPtr&lt;WebCore::HistoryItem&gt;)
1   0x7ffff5c35e44 WTFCrash
2   0x7ffff10d3f5b WebCore::HistoryItem::addChildItem(WTF::PassRefPtr&lt;WebCore::HistoryItem&gt;)
3   0x7ffff13bd407 WebCore::HistoryController::createItemTree(WebCore::Frame&amp;, bool)
4   0x7ffff13bdb9a WebCore::HistoryController::updateBackForwardListClippedAtTarget(bool)
5   0x7ffff13bbdde WebCore::HistoryController::updateForStandardLoad(WebCore::HistoryController::HistoryUpdateType)
6   0x7ffff13aad01 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*)
7   0x7ffff13aa227 WebCore::FrameLoader::commitProvisionalLoad()
8   0x7ffff1383455 WebCore::DocumentLoader::commitIfReady()
9   0x7ffff138530c WebCore::DocumentLoader::commitLoad(char const*, int)
10  0x7ffff13858f9 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int)
11  0x7ffff138527d WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction)
12  0x7ffff1384b1d WebCore::DocumentLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&amp;)
13  0x7ffff1383b17 WebCore::DocumentLoader::handleSubstituteDataLoadNow(WebCore::Timer&lt;WebCore::DocumentLoader&gt;*)
14  0x7ffff1383bb6 WebCore::DocumentLoader::handleSubstituteDataLoadSoon()
15  0x7ffff1387c1c WebCore::DocumentLoader::startLoadingMainResource()
16  0x7ffff13ac03e WebCore::FrameLoader::continueLoadAfterWillSubmitForm()
17  0x7ffff13aed51 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool)
18  0x7ffff13a8562
19  0x7ffff13b2723
20  0x7ffff13ce45e std::function&lt;void (WebCore::ResourceRequest const&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool)&gt;::operator()(WebCore::ResourceRequest const&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool) const
21  0x7ffff13cecde WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&amp;, WebCore::DocumentLoader*, WTF::PassRefPtr&lt;WebCore::FormState&gt;, std::function&lt;void (WebCore::ResourceRequest const&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool)&gt;)
22  0x7ffff13a8ba5 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr&lt;WebCore::FormState&gt;)
23  0x7ffff13a84d4 WebCore::FrameLoader::load(WebCore::DocumentLoader*)
24  0x7ffff13a7ff4 WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&amp;)
25  0x7ffff7b4045a
26  0x7ffff7b406d8 ewk_frame_contents_set
27  0x4048cc
28  0x7ffff6978103 evas_object_smart_callback_call
29  0x7ffff7b77a1e
30  0x7ffff7b4768f
31  0x7ffff7b312b4

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff10d3f5b in WebCore::HistoryItem::addChildItem (this=0x123fbd0, child=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/history/HistoryItem.cpp:494
#2  0x00007ffff13bd407 in WebCore::HistoryController::createItemTree (this=0x7e9070, targetFrame=..., clipAtTarget=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:690
#3  0x00007ffff13bdb9a in WebCore::HistoryController::updateBackForwardListClippedAtTarget (this=0x1203eb0, doClip=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:804
#4  0x00007ffff13bbdde in WebCore::HistoryController::updateForStandardLoad (this=0x1203eb0, updateType=WebCore::HistoryController::UpdateAll)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:358
#5  0x00007ffff13aad01 in WebCore::FrameLoader::transitionToCommitted (this=0x12408a8, cachedPage=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1985
#6  0x00007ffff13aa227 in WebCore::FrameLoader::commitProvisionalLoad (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1818
#7  0x00007ffff1383455 in WebCore::DocumentLoader::commitIfReady (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:354
#8  0x00007ffff138530c in WebCore::DocumentLoader::commitLoad (this=0x127c870, 
    data=0x1243aa0 &quot;&lt;html&gt;&lt;body&gt;&lt;div style=\&quot;color:#ff0000\&quot;&gt;ERROR!&lt;/div&gt;&lt;br&gt;&lt;div&gt;Code: 302&lt;br&gt;Domain: WebKitNetworkError&lt;br&gt;Description: Load request cancelled&lt;br&gt;URL: file:///home/reni/fuzztests/childItemWithTarget/foo1&lt;&quot;..., length=218)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:766
#9  0x00007ffff13858f9 in WebCore::DocumentLoader::dataReceived (this=0x127c870, resource=0x0, 
    data=0x1243aa0 &quot;&lt;html&gt;&lt;body&gt;&lt;div style=\&quot;color:#ff0000\&quot;&gt;ERROR!&lt;/div&gt;&lt;br&gt;&lt;div&gt;Code: 302&lt;br&gt;Domain: WebKitNetworkError&lt;br&gt;Description: Load request cancelled&lt;br&gt;URL: file:///home/reni/fuzztests/childItemWithTarget/foo1&lt;&quot;..., length=218)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:893
#10 0x00007ffff138527d in WebCore::DocumentLoader::continueAfterContentPolicy (this=0x127c870, policy=WebCore::PolicyUse)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:753
#11 0x00007ffff1384b1d in WebCore::DocumentLoader::responseReceived (this=0x127c870, resource=0x0, response=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:656
#12 0x00007ffff1383b17 in WebCore::DocumentLoader::handleSubstituteDataLoadNow (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:476
#13 0x00007ffff1383bb6 in WebCore::DocumentLoader::handleSubstituteDataLoadSoon (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:492
#14 0x00007ffff1387c1c in WebCore::DocumentLoader::startLoadingMainResource (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1429
#15 0x00007ffff13ac03e in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2332
#16 0x00007ffff13aed51 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x12408a8, formState=..., shouldContinue=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2976
#17 0x00007ffff13a8562 in operator() (this=0x1227500, request=..., formState=..., shouldContinue=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1484
#18 0x00007ffff13b2723 in std::_Function_handler&lt;void(const WebCore::ResourceRequest&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool), WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr&lt;WebCore::FormState&gt;)::&lt;lambda(const WebCore::ResourceRequest&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool)&gt; &gt;::_M_invoke(const std::_Any_data &amp;, const WebCore::ResourceRequest &amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool) (
    __functor=..., __args#0=..., __args#1=..., __args#2=true) at /usr/include/c++/4.6/functional:1778
#19 0x00007ffff13ce45e in std::function&lt;void (WebCore::ResourceRequest const&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool)&gt;::operator()(WebCore::ResourceRequest const&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool) const (this=0x7fffffff3020, __args#0=..., __args#1=..., __args#2=true)
    at /usr/include/c++/4.6/functional:2161
#20 0x00007ffff13cecde in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&amp;, WebCore::DocumentLoader*, WTF::PassRefPtr&lt;WebCore::FormState&gt;, std::function&lt;void (WebCore::ResourceRequest const&amp;, WTF::PassRefPtr&lt;WebCore::FormState&gt;, bool)&gt;) (this=0x123d350, request=..., loader=0x127c870, 
    formState=..., function=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyChecker.cpp:89
#21 0x00007ffff13a8ba5 in WebCore::FrameLoader::loadWithDocumentLoader (this=0x12408a8, loader=0x127c870, type=WebCore::FrameLoadTypeStandard, 
    prpFormState=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1485
#22 0x00007ffff13a84d4 in WebCore::FrameLoader::load (this=0x12408a8, newDocumentLoader=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1421
#23 0x00007ffff13a7ff4 in WebCore::FrameLoader::load (this=0x12408a8, passedRequest=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1371
#24 0x00007ffff7b4045a in _ewk_frame_contents_set_internal (smartData=0x123cab0, 
    contents=0x7fffffff3ab0 &quot;&lt;html&gt;&lt;body&gt;&lt;div style=\&quot;color:#ff0000\&quot;&gt;ERROR!&lt;/div&gt;&lt;br&gt;&lt;div&gt;Code: 302&lt;br&gt;Domain: WebKitNetworkError&lt;br&gt;Description: Load request cancelled&lt;br&gt;URL: file:///home/reni/fuzztests/childItemWithTarget/foo1&lt;&quot;..., contentsSize=218, mimeType=0x40799a &quot;text/html&quot;, encoding=0x407994 &quot;UTF-8&quot;, 
    baseUri=0x1229580 &quot;file:///home/reni/fuzztests/childItemWithTarget/foo1&quot;, unreachableUri=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:420
#25 0x00007ffff7b406d8 in ewk_frame_contents_set (ewkFrame=0x126a460, 
    contents=0x7fffffff3ab0 &quot;&lt;html&gt;&lt;body&gt;&lt;div style=\&quot;color:#ff0000\&quot;&gt;ERROR!&lt;/div&gt;&lt;br&gt;&lt;div&gt;Code: 302&lt;br&gt;Domain: WebKitNetworkError&lt;br&gt;Description: Load request cancelled&lt;br&gt;URL: file:///home/reni/fuzztests/childItemWithTarget/foo1&lt;&quot;..., contentsSize=0, mimeType=0x40799a &quot;text/html&quot;, encoding=0x407994 &quot;UTF-8&quot;, 
    baseUri=0x1229580 &quot;file:///home/reni/fuzztests/childItemWithTarget/foo1&quot;) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:430
#26 0x00000000004048cc in on_load_error (user_data=0x7a97d0, webview=0x725ca0, event_info=0x7fffffff3fa0)
    at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:345
#27 0x00007ffff6978103 in evas_object_smart_callback_call (obj=0x725ca0, event=&lt;optimized out&gt;, event_info=0x7fffffff3fa0) at evas_object_smart.c:610
#28 0x00007ffff7b77a1e in ewk_view_load_error (ewkView=0x725ca0, error=0x7fffffff3fa0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_view.cpp:3411
#29 0x00007ffff7b4768f in ewk_frame_load_error (ewkFrame=0x126a460, errorDomain=0x12057d0 &quot;WebKitNetworkError&quot;, errorCode=302, isCancellation=true, 
    errorDescription=0x12233b0 &quot;Load request cancelled&quot;, failingUrl=0x1229580 &quot;file:///home/reni/fuzztests/childItemWithTarget/foo1&quot;)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:1485
#30 0x00007ffff7b312b4 in WebCore::FrameLoaderClientEfl::dispatchDidFailLoad (this=0x6f6650, err=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/WebCoreSupport/FrameLoaderClientEfl.cpp:872
#31 0x00007ffff7b31181 in WebCore::FrameLoaderClientEfl::dispatchDidFailProvisionalLoad (this=0x6f6650, err=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/WebCoreSupport/FrameLoaderClientEfl.cpp:863
#32 0x00007ffff13aba97 in WebCore::FrameLoader::checkLoadCompleteForThisFrame (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2233
#33 0x00007ffff13aca2a in WebCore::FrameLoader::checkLoadComplete (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2467
#34 0x00007ffff13a56b3 in WebCore::FrameLoader::checkCompleted (this=0x12408a8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:848
#35 0x00007ffff13aded0 in WebCore::FrameLoader::receivedMainResourceError (this=0x12408a8, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2753
#36 0x00007ffff1383076 in WebCore::DocumentLoader::mainReceivedError (this=0x7ca2b0, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:266
#37 0x00007ffff1383637 in WebCore::DocumentLoader::notifyFinished (this=0x7ca2b0, resource=0x123c130)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:384
#38 0x00007ffff142849c in WebCore::CachedResource::checkNotify (this=0x123c130)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:336
#39 0x00007ffff1428670 in WebCore::CachedResource::cancelLoad (this=0x123c130)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:372
#40 0x00007ffff13e13bb in WebCore::SubresourceLoader::didCancel (this=0x123c570)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:376
#41 0x00007ffff13dce52 in WebCore::ResourceLoader::cancel (this=0x123c570, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:458
#42 0x00007ffff1388156 in WebCore::DocumentLoader::cancelMainResourceLoad (this=0x11fd300, resourceError=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1482
#43 0x00007ffff13832dc in WebCore::DocumentLoader::stopLoading (this=0x11fd300)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:328
#44 0x00007ffff13a97d9 in WebCore::FrameLoader::stopAllLoaders (this=0x1202d18, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1649
#45 0x00007ffff13acbb7 in WebCore::FrameLoader::frameDetached (this=0x1202d18) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2496
#46 0x00007ffff1129462 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame (this=0x11588f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameOwnerElement.cpp:86
#47 0x00007ffff0eff7fe in WebCore::disconnectSubframes (root=..., policy=WebCore::RootAndDescendants)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:175
#48 0x00007ffff0ef8138 in WebCore::disconnectSubframesIfNeeded (root=..., policy=WebCore::RootAndDescendants)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:275
#49 0x00007ffff0ef451c in WebCore::willRemoveChild (child=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:492
#50 0x00007ffff0ef47dc in WebCore::ContainerNode::removeChild (this=0x1226620, oldChild=0x11588f0, ec=@0x7fffffff4860: 0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:557
#51 0x00007ffff0faf44c in WebCore::Node::remove (this=0x11588f0, ec=@0x7fffffff4860: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:463
#52 0x00007ffff107b90a in WebCore::RemoveNodeCommand::doApply (this=0x12232b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveNodeCommand.cpp:56
#53 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1221db0, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#54 0x00007ffff101fa11 in WebCore::CompositeEditCommand::removeNode (this=0x1221db0, node=..., 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:416
#55 0x00007ffff107bd8f in WebCore::RemoveNodePreservingChildrenCommand::doApply (this=0x1221db0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp:51
#56 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1201590, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#57 0x00007ffff101fa9c in WebCore::CompositeEditCommand::removeNodePreservingChildren (this=0x1201590, node=..., 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:421
#58 0x00007ffff10138b0 in WebCore::ApplyStyleCommand::replaceWithSpanOrRemoveIfWithoutAttributes (this=0x1201590, elem=@0x7fffffff4af8: 0x1226620)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:919
#59 0x00007ffff1013a72 in WebCore::ApplyStyleCommand::removeImplicitlyStyledElement (this=0x1201590, style=0x1243310, element=0x1226620, 
    mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x12341c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:937
#60 0x00007ffff10137fa in WebCore::ApplyStyleCommand::removeInlineStyleFromElement (this=0x1201590, style=0x1243310, element=..., 
    mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x12341c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:902
#61 0x00007ffff101445f in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode (this=0x1201590, style=0x1243310, targetNode=0x11588f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1058
#62 0x00007ffff1014aad in WebCore::ApplyStyleCommand::removeInlineStyle (this=0x1201590, style=0x1243310, start=..., end=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1111
#63 0x00007ffff1011cf4 in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x1201590, style=0x1243310)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:637
#64 0x00007ffff100f123 in WebCore::ApplyStyleCommand::doApply (this=0x1201590)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:220
#65 0x00007ffff101e8b8 in WebCore::CompositeEditCommand::apply (this=0x1201590)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227
#66 0x00007ffff101e6b0 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182
#67 0x00007ffff104277a in WebCore::Editor::applyStyle (this=0x7c8620, style=0x122d120, editingAction=WebCore::EditActionUnspecified)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:982
#68 0x00007ffff1052e98 in WebCore::applyCommandToFrame (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, style=0x122d120)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:110
#69 0x00007ffff1053540 in WebCore::executeToggleStyle (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, 
    propertyID=WebCore::CSSPropertyFontStyle, offValue=0x7ffff25e5a84 &quot;normal&quot;, onValue=0x7ffff25e5a8b &quot;italic&quot;)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:171
#70 0x00007ffff1056da3 in WebCore::executeToggleItalic (frame=..., source=WebCore::CommandFromDOM)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1119
#71 0x00007ffff1058205 in WebCore::Editor::Command::execute (this=0x7fffffff5300, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1744
#72 0x00007ffff0f1afaa in WebCore::Document::execCommand (this=0x11c8400, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4215
#73 0x00007ffff1dc34f3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8ffffe80)
    at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:3369
#74 0x00007fff9dc5c0e5 in ?? ()
#75 0x00007fff8ffffed0 in ?? ()
#76 0x00007ffff5c233a4 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#77 0x00007fff9dc5c900 in ?? ()
#78 0x0000000001141868 in ?? ()
#79 0x0000000000000001 in ?? ()
#80 0x0000000000000001 in ?? ()
#81 0x00000000011090c0 in ?? ()
#82 0x0000000000000000 in ?? ()</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>968678</commentid>
    <comment_count>1</comment_count>
    <who name="Renata Hodovan">rhodovan.u-szeged</who>
    <bug_when>2014-01-16 03:04:10 -0800</bug_when>
    <thetext>Probably this bug is a duplicate of #51224, #70841 and #99267. However, I&apos;ve reported this as a new issue, since the test cases of the old ones do not reproduce the issue anymore (and they are not minimal either).</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1217131</commentid>
    <comment_count>2</comment_count>
    <who name="Brent Fulgham">bfulgham</who>
    <bug_when>2016-08-03 13:39:54 -0700</bug_when>
    <thetext>This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="0"
              isprivate="0"
          >
            <attachid>221352</attachid>
            <date>2014-01-16 02:36:15 -0800</date>
            <delta_ts>2014-01-16 02:36:15 -0800</delta_ts>
            <desc>Test case</desc>
            <filename>lastCrash.html</filename>
            <type>text/html</type>
            <size>198</size>
            <attacher name="Renata Hodovan">rhodovan.u-szeged</attacher>
            
              <data encoding="base64"></data>

          </attachment>
      

    </bug>

</bugzilla>