Created attachment 215652
Test case

The test causing the assertion fail:

<style type="text/css"></style>
<body style="display: inline-table;">
<iframe onload="
document.designMode='on';
document.execCommand('selectall');
document.execCommand('inserthtml', false);"
>
</iframe>
</body>

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff14c2f1b in WebCore::CompositeEditCommand::insertNodeBefore (this=0x1214230, insertChild=..., refChild=..., shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:330
#2  0x00007ffff14c3367 in WebCore::CompositeEditCommand::insertNodeAt (this=0x1214230, insertChild=..., editingPosition=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:364
#3  0x00007ffff14d6d4e in WebCore::DeleteSelectionCommand::doApply (this=0x1214230) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/DeleteSelectionCommand.cpp:862
#4  0x00007ffff14c297c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1258dd0, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:264
#5  0x00007ffff14c4dfc in WebCore::CompositeEditCommand::deleteSelection (this=0x1258dd0, smartDelete=false, mergeBlocksAfterDelete=true, replace=true, expandForSpecialElements=false, sanitizeMarkup=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:582
#6  0x00007ffff152526c in WebCore::ReplaceSelectionCommand::doApply (this=0x1258dd0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ReplaceSelectionCommand.cpp:949
#7  0x00007ffff14c273c in WebCore::CompositeEditCommand::apply (this=0x1258dd0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:213
#8  0x00007ffff14c2534 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172
#9  0x00007ffff14f75a3 in WebCore::executeInsertFragment (frame=..., fragment=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:197
#10 0x00007ffff14f8c97 in WebCore::executeInsertHTML (frame=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:504
#11 0x00007ffff14fc0a1 in WebCore::Editor::Command::execute (this=0x7fffffff9480, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1717
#12 0x00007ffff13c2c50 in WebCore::Document::execCommand (this=0x11ef000, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4110
#13 0x00007ffff21c14a3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff945edf48) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2762
#14 0x00007fff9e53d105 in ?? ()
#15 0x00007fffffff95c0 in ?? ()
#16 0x00007ffff5d2255b in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#17 0x00007fff9e53d940 in ?? ()
#18 0x0000000001175b18 in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x0000000000000001 in ?? ()
#21 0x00000000011e3110 in ?? ()
#22 0x0000000000000000 in ?? ()
This issue no longer occurs under GuardMalloc or ASAN. If you believe there is still a bug, please reopen this issue with a revised test case.