Bug 127092

Summary: ASSERTION FAILED: !childItemWithTarget(child->target()) in WebCore::HistoryItem::addChildItem
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: History
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: andersca, ap, beidson, bfulgham, darin, ggaren, kling, rniwa, sam
Priority: P2
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=51224
https://bugs.webkit.org/show_bug.cgi?id=70841
https://bugs.webkit.org/show_bug.cgi?id=99267
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case none

Description Renata Hodovan 2014-01-16 02:36:15 PST
Created attachment 221352
Test case

Test case to reproduce the issue:

<embed code="foo1">
<embed code="foo1">
<iframe onload="document.designMode=&apos;on&apos;;
				document.execCommand(&apos;selectall&apos;);
				document.execCommand(&apos;italic&apos;);"></iframe>

Its backtrace:


ASSERTION FAILED: !childItemWithTarget(child->target())
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/history/HistoryItem.cpp(494) : void WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
1   0x7ffff5c35e44 WTFCrash
2   0x7ffff10d3f5b WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
3   0x7ffff13bd407 WebCore::HistoryController::createItemTree(WebCore::Frame&, bool)
4   0x7ffff13bdb9a WebCore::HistoryController::updateBackForwardListClippedAtTarget(bool)
5   0x7ffff13bbdde WebCore::HistoryController::updateForStandardLoad(WebCore::HistoryController::HistoryUpdateType)
6   0x7ffff13aad01 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*)
7   0x7ffff13aa227 WebCore::FrameLoader::commitProvisionalLoad()
8   0x7ffff1383455 WebCore::DocumentLoader::commitIfReady()
9   0x7ffff138530c WebCore::DocumentLoader::commitLoad(char const*, int)
10  0x7ffff13858f9 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int)
11  0x7ffff138527d WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction)
12  0x7ffff1384b1d WebCore::DocumentLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&)
13  0x7ffff1383b17 WebCore::DocumentLoader::handleSubstituteDataLoadNow(WebCore::Timer<WebCore::DocumentLoader>*)
14  0x7ffff1383bb6 WebCore::DocumentLoader::handleSubstituteDataLoadSoon()
15  0x7ffff1387c1c WebCore::DocumentLoader::startLoadingMainResource()
16  0x7ffff13ac03e WebCore::FrameLoader::continueLoadAfterWillSubmitForm()
17  0x7ffff13aed51 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
18  0x7ffff13a8562
19  0x7ffff13b2723
20  0x7ffff13ce45e std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const
21  0x7ffff13cecde WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)
22  0x7ffff13a8ba5 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)
23  0x7ffff13a84d4 WebCore::FrameLoader::load(WebCore::DocumentLoader*)
24  0x7ffff13a7ff4 WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&)
25  0x7ffff7b4045a
26  0x7ffff7b406d8 ewk_frame_contents_set
27  0x4048cc
28  0x7ffff6978103 evas_object_smart_callback_call
29  0x7ffff7b77a1e
30  0x7ffff7b4768f
31  0x7ffff7b312b4

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff10d3f5b in WebCore::HistoryItem::addChildItem (this=0x123fbd0, child=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/history/HistoryItem.cpp:494
#2  0x00007ffff13bd407 in WebCore::HistoryController::createItemTree (this=0x7e9070, targetFrame=..., clipAtTarget=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:690
#3  0x00007ffff13bdb9a in WebCore::HistoryController::updateBackForwardListClippedAtTarget (this=0x1203eb0, doClip=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:804
#4  0x00007ffff13bbdde in WebCore::HistoryController::updateForStandardLoad (this=0x1203eb0, updateType=WebCore::HistoryController::UpdateAll)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:358
#5  0x00007ffff13aad01 in WebCore::FrameLoader::transitionToCommitted (this=0x12408a8, cachedPage=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1985
#6  0x00007ffff13aa227 in WebCore::FrameLoader::commitProvisionalLoad (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1818
#7  0x00007ffff1383455 in WebCore::DocumentLoader::commitIfReady (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:354
#8  0x00007ffff138530c in WebCore::DocumentLoader::commitLoad (this=0x127c870, 
    data=0x1243aa0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., length=218)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:766
#9  0x00007ffff13858f9 in WebCore::DocumentLoader::dataReceived (this=0x127c870, resource=0x0, 
    data=0x1243aa0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., length=218)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:893
#10 0x00007ffff138527d in WebCore::DocumentLoader::continueAfterContentPolicy (this=0x127c870, policy=WebCore::PolicyUse)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:753
#11 0x00007ffff1384b1d in WebCore::DocumentLoader::responseReceived (this=0x127c870, resource=0x0, response=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:656
#12 0x00007ffff1383b17 in WebCore::DocumentLoader::handleSubstituteDataLoadNow (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:476
#13 0x00007ffff1383bb6 in WebCore::DocumentLoader::handleSubstituteDataLoadSoon (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:492
#14 0x00007ffff1387c1c in WebCore::DocumentLoader::startLoadingMainResource (this=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1429
#15 0x00007ffff13ac03e in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2332
#16 0x00007ffff13aed51 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x12408a8, formState=..., shouldContinue=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2976
#17 0x00007ffff13a8562 in operator() (this=0x1227500, request=..., formState=..., shouldContinue=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1484
#18 0x00007ffff13b2723 in std::_Function_handler<void(const WebCore::ResourceRequest&, WTF::PassRefPtr<WebCore::FormState>, bool), WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)::<lambda(const WebCore::ResourceRequest&, WTF::PassRefPtr<WebCore::FormState>, bool)> >::_M_invoke(const std::_Any_data &, const WebCore::ResourceRequest &, WTF::PassRefPtr<WebCore::FormState>, bool) (
    __functor=..., __args#0=..., __args#1=..., __args#2=true) at /usr/include/c++/4.6/functional:1778
#19 0x00007ffff13ce45e in std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (this=0x7fffffff3020, __args#0=..., __args#1=..., __args#2=true)
    at /usr/include/c++/4.6/functional:2161
#20 0x00007ffff13cecde in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (this=0x123d350, request=..., loader=0x127c870, 
    formState=..., function=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyChecker.cpp:89
#21 0x00007ffff13a8ba5 in WebCore::FrameLoader::loadWithDocumentLoader (this=0x12408a8, loader=0x127c870, type=WebCore::FrameLoadTypeStandard, 
    prpFormState=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1485
#22 0x00007ffff13a84d4 in WebCore::FrameLoader::load (this=0x12408a8, newDocumentLoader=0x127c870)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1421
#23 0x00007ffff13a7ff4 in WebCore::FrameLoader::load (this=0x12408a8, passedRequest=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1371
#24 0x00007ffff7b4045a in _ewk_frame_contents_set_internal (smartData=0x123cab0, 
---Type <return> to continue, or q <return> to quit---
    contents=0x7fffffff3ab0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., contentsSize=218, mimeType=0x40799a "text/html", encoding=0x407994 "UTF-8", 
    baseUri=0x1229580 "file:///home/reni/fuzztests/childItemWithTarget/foo1", unreachableUri=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:420
#25 0x00007ffff7b406d8 in ewk_frame_contents_set (ewkFrame=0x126a460, 
    contents=0x7fffffff3ab0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., contentsSize=0, mimeType=0x40799a "text/html", encoding=0x407994 "UTF-8", 
    baseUri=0x1229580 "file:///home/reni/fuzztests/childItemWithTarget/foo1") at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:430
#26 0x00000000004048cc in on_load_error (user_data=0x7a97d0, webview=0x725ca0, event_info=0x7fffffff3fa0)
    at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:345
#27 0x00007ffff6978103 in evas_object_smart_callback_call (obj=0x725ca0, event=<optimized out>, event_info=0x7fffffff3fa0) at evas_object_smart.c:610
#28 0x00007ffff7b77a1e in ewk_view_load_error (ewkView=0x725ca0, error=0x7fffffff3fa0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_view.cpp:3411
#29 0x00007ffff7b4768f in ewk_frame_load_error (ewkFrame=0x126a460, errorDomain=0x12057d0 "WebKitNetworkError", errorCode=302, isCancellation=true, 
    errorDescription=0x12233b0 "Load request cancelled", failingUrl=0x1229580 "file:///home/reni/fuzztests/childItemWithTarget/foo1")
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:1485
#30 0x00007ffff7b312b4 in WebCore::FrameLoaderClientEfl::dispatchDidFailLoad (this=0x6f6650, err=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/WebCoreSupport/FrameLoaderClientEfl.cpp:872
#31 0x00007ffff7b31181 in WebCore::FrameLoaderClientEfl::dispatchDidFailProvisionalLoad (this=0x6f6650, err=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/WebCoreSupport/FrameLoaderClientEfl.cpp:863
#32 0x00007ffff13aba97 in WebCore::FrameLoader::checkLoadCompleteForThisFrame (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2233
#33 0x00007ffff13aca2a in WebCore::FrameLoader::checkLoadComplete (this=0x12408a8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2467
#34 0x00007ffff13a56b3 in WebCore::FrameLoader::checkCompleted (this=0x12408a8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:848
#35 0x00007ffff13aded0 in WebCore::FrameLoader::receivedMainResourceError (this=0x12408a8, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2753
#36 0x00007ffff1383076 in WebCore::DocumentLoader::mainReceivedError (this=0x7ca2b0, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:266
#37 0x00007ffff1383637 in WebCore::DocumentLoader::notifyFinished (this=0x7ca2b0, resource=0x123c130)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:384
#38 0x00007ffff142849c in WebCore::CachedResource::checkNotify (this=0x123c130)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:336
#39 0x00007ffff1428670 in WebCore::CachedResource::cancelLoad (this=0x123c130)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:372
#40 0x00007ffff13e13bb in WebCore::SubresourceLoader::didCancel (this=0x123c570)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:376
#41 0x00007ffff13dce52 in WebCore::ResourceLoader::cancel (this=0x123c570, error=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:458
#42 0x00007ffff1388156 in WebCore::DocumentLoader::cancelMainResourceLoad (this=0x11fd300, resourceError=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1482
#43 0x00007ffff13832dc in WebCore::DocumentLoader::stopLoading (this=0x11fd300)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:328
#44 0x00007ffff13a97d9 in WebCore::FrameLoader::stopAllLoaders (this=0x1202d18, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1649
#45 0x00007ffff13acbb7 in WebCore::FrameLoader::frameDetached (this=0x1202d18) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2496
#46 0x00007ffff1129462 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame (this=0x11588f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameOwnerElement.cpp:86
#47 0x00007ffff0eff7fe in WebCore::disconnectSubframes (root=..., policy=WebCore::RootAndDescendants)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:175
#48 0x00007ffff0ef8138 in WebCore::disconnectSubframesIfNeeded (root=..., policy=WebCore::RootAndDescendants)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:275
#49 0x00007ffff0ef451c in WebCore::willRemoveChild (child=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:492
#50 0x00007ffff0ef47dc in WebCore::ContainerNode::removeChild (this=0x1226620, oldChild=0x11588f0, ec=@0x7fffffff4860: 0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:557
#51 0x00007ffff0faf44c in WebCore::Node::remove (this=0x11588f0, ec=@0x7fffffff4860: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:463
---Type <return> to continue, or q <return> to quit---
#52 0x00007ffff107b90a in WebCore::RemoveNodeCommand::doApply (this=0x12232b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveNodeCommand.cpp:56
#53 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1221db0, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#54 0x00007ffff101fa11 in WebCore::CompositeEditCommand::removeNode (this=0x1221db0, node=..., 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:416
#55 0x00007ffff107bd8f in WebCore::RemoveNodePreservingChildrenCommand::doApply (this=0x1221db0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp:51
#56 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1201590, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#57 0x00007ffff101fa9c in WebCore::CompositeEditCommand::removeNodePreservingChildren (this=0x1201590, node=..., 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:421
#58 0x00007ffff10138b0 in WebCore::ApplyStyleCommand::replaceWithSpanOrRemoveIfWithoutAttributes (this=0x1201590, elem=@0x7fffffff4af8: 0x1226620)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:919
#59 0x00007ffff1013a72 in WebCore::ApplyStyleCommand::removeImplicitlyStyledElement (this=0x1201590, style=0x1243310, element=0x1226620, 
    mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x12341c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:937
#60 0x00007ffff10137fa in WebCore::ApplyStyleCommand::removeInlineStyleFromElement (this=0x1201590, style=0x1243310, element=..., 
    mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x12341c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:902
#61 0x00007ffff101445f in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode (this=0x1201590, style=0x1243310, targetNode=0x11588f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1058
#62 0x00007ffff1014aad in WebCore::ApplyStyleCommand::removeInlineStyle (this=0x1201590, style=0x1243310, start=..., end=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1111
#63 0x00007ffff1011cf4 in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x1201590, style=0x1243310)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:637
#64 0x00007ffff100f123 in WebCore::ApplyStyleCommand::doApply (this=0x1201590)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:220
#65 0x00007ffff101e8b8 in WebCore::CompositeEditCommand::apply (this=0x1201590)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227
#66 0x00007ffff101e6b0 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182
#67 0x00007ffff104277a in WebCore::Editor::applyStyle (this=0x7c8620, style=0x122d120, editingAction=WebCore::EditActionUnspecified)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:982
#68 0x00007ffff1052e98 in WebCore::applyCommandToFrame (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, style=0x122d120)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:110
#69 0x00007ffff1053540 in WebCore::executeToggleStyle (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, 
    propertyID=WebCore::CSSPropertyFontStyle, offValue=0x7ffff25e5a84 "normal", onValue=0x7ffff25e5a8b "italic")
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:171
#70 0x00007ffff1056da3 in WebCore::executeToggleItalic (frame=..., source=WebCore::CommandFromDOM)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1119
#71 0x00007ffff1058205 in WebCore::Editor::Command::execute (this=0x7fffffff5300, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1744
#72 0x00007ffff0f1afaa in WebCore::Document::execCommand (this=0x11c8400, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4215
#73 0x00007ffff1dc34f3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8ffffe80)
    at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:3369
#74 0x00007fff9dc5c0e5 in ?? ()
#75 0x00007fff8ffffed0 in ?? ()
#76 0x00007ffff5c233a4 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#77 0x00007fff9dc5c900 in ?? ()
#78 0x0000000001141868 in ?? ()
#79 0x0000000000000001 in ?? ()
#80 0x0000000000000001 in ?? ()
#81 0x00000000011090c0 in ?? ()
#82 0x0000000000000000 in ?? ()

Comment 1 Renata Hodovan 2014-01-16 03:04:10 PST
Probably this bug is a duplicate of #51224, #70841 and #99267. However, I've reported this as a new issue, since the test cases of the old ones do not reproduce the issue anymore (and they are not minimal either).

Comment 2 Brent Fulgham 2016-08-03 13:39:54 PDT
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.
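
Comment 1 above weighs whether this report duplicates older ones. A common triage aid for that question is a crash bucket computed from the assertion text and the innermost symbolized frames, ignoring addresses and build paths. The script below is an added example, not part of the original report or of WebKit's tooling: `strip_args`, `parse_report` and `bucket` are hypothetical helper names, REPORT_A is copied from the backtrace in the description, and REPORT_B is constructed.

```python
import hashlib
import re

# Frame line as printed in the report: "<n>  0x<address> <symbol>".
FRAME_RE = re.compile(r"^\s*(\d+)\s+0x[0-9a-fA-F]+(?:\s+(.*\S))?\s*$")
ASSERT_RE = re.compile(r"^ASSERTION FAILED:\s*(.+?)\s*$")
NOISE = {"WTFCrash"}  # crash machinery, identical in every assertion failure


def strip_args(symbol):
    """Cut the parameter list at the first '(' outside template brackets."""
    depth = 0
    for i, ch in enumerate(symbol):
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth = max(depth - 1, 0)
        elif ch == "(" and depth == 0:
            return symbol[:i].strip()
    return symbol.strip()


def parse_report(text):
    """Return (assertion expression, symbolized frame names, innermost first)."""
    assertion, frames = None, []
    for line in text.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            assertion = assertion or m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m and m.group(2):  # frames without a symbol carry no stable name
            name = strip_args(m.group(2))
            if name not in NOISE:
                frames.append(name)
    return assertion, frames


def bucket(text, depth=3):
    """Hash the assertion plus the top `depth` frames; addresses and paths are ignored."""
    assertion, frames = parse_report(text)
    key = "\n".join([assertion or "<no assertion>"] + frames[:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


# First lines of this report's backtrace, copied from the description above.
REPORT_A = """
ASSERTION FAILED: !childItemWithTarget(child->target())
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/history/HistoryItem.cpp(494) : void WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
1   0x7ffff5c35e44 WTFCrash
2   0x7ffff10d3f5b WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
3   0x7ffff13bd407 WebCore::HistoryController::createItemTree(WebCore::Frame&, bool)
4   0x7ffff13bdb9a WebCore::HistoryController::updateBackForwardListClippedAtTarget(bool)
5   0x7ffff13bbdde WebCore::HistoryController::updateForStandardLoad(WebCore::HistoryController::HistoryUpdateType)
18  0x7ffff13a8562
"""
# Constructed sample: the same failure from another build (new addresses, path, caller).
REPORT_B = """
ASSERTION FAILED: !childItemWithTarget(child->target())
/build/Source/WebCore/history/HistoryItem.cpp(494) : void WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
1   0x7f10a2c35e44 WTFCrash
2   0x7f109e0d3f5b WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
3   0x7f109e3bd407 WebCore::HistoryController::createItemTree(WebCore::Frame&, bool)
4   0x7f109e3bdb9a WebCore::HistoryController::updateBackForwardListClippedAtTarget(bool)
5   0x7f109e3bbe10 WebCore::HistoryController::updateForCommit()
"""

if __name__ == "__main__":
    print(bucket(REPORT_A), bucket(REPORT_B), bucket(REPORT_A) == bucket(REPORT_B))
```

Two reports landing in the same bucket is a prompt to compare them by hand, not proof that they share a root cause; raising `depth` separates reports that reach the same assertion through different callers.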