Created attachment 221249 [details] Test case The failing test: <head> <style>@charset "ISO-8859-7"; * { display:run-in; } </style></head> <frameset onload="document.designMode='on'; document.execCommand('selectall'); document.execCommand('italic'); document.execCommand('RemoveFormat');"> </frameset> The backtrace: ASSERTION FAILED: start.isNotNull() /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp(1089) : void WebCore::ApplyStyleCommand::removeInlineStyle(WebCore::EditingStyle*, const WebCore::Position&, const WebCore::Position&) 1 0x7ffff5c35e44 WTFCrash 2 0x7ffff1014810 WebCore::ApplyStyleCommand::removeInlineStyle(WebCore::EditingStyle*, WebCore::Position const&, WebCore::Position const&) 3 0x7ffff1011cf4 WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::EditingStyle*) 4 0x7ffff100f123 WebCore::ApplyStyleCommand::doApply() 5 0x7ffff101eaf8 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>) 6 0x7ffff107b595 WebCore::RemoveFormatCommand::doApply() 7 0x7ffff101e8b8 WebCore::CompositeEditCommand::apply() 8 0x7ffff101e6b0 WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>) 9 0x7ffff1042399 WebCore::Editor::removeFormattingAndStyle() 10 0x7ffff10566a8 11 0x7ffff1058205 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const 12 0x7ffff0f1afaa WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) 13 0x7ffff1dc34f3 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) 14 0x7fff9dc5c0e5 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff1014810 in WebCore::ApplyStyleCommand::removeInlineStyle (this=0x1205e40, style=0x11e04e0, start=..., end=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1089 #2 0x00007ffff1011cf4 in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x1205e40, style=0x11e04e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:637 #3 0x00007ffff100f123 in WebCore::ApplyStyleCommand::doApply (this=0x1205e40) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:220 #4 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1201ae0, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278 #5 0x00007ffff107b595 in WebCore::RemoveFormatCommand::doApply (this=0x1201ae0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveFormatCommand.cpp:92 #6 0x00007ffff101e8b8 in WebCore::CompositeEditCommand::apply (this=0x1201ae0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227 #7 0x00007ffff101e6b0 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182 #8 0x00007ffff1042399 in WebCore::Editor::removeFormattingAndStyle (this=0x7c8620) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:914 #9 0x00007ffff10566a8 in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:985 #10 0x00007ffff1058205 in WebCore::Editor::Command::execute (this=0x7fffffffb930, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1744 #11 0x00007ffff0f1afaa in WebCore::Document::execCommand (this=0x11c8380, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4215 #12 0x00007ffff1dc34f3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8fffff40) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:3369 #13 0x00007fff9dc5c0e5 in ?? () #14 0x00007fff8fffff90 in ?? () #15 0x00007ffff5c233e1 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0 #16 0x00007fff9dc5c900 in ?? () #17 0x00000000011418b8 in ?? () #18 0x0000000001151830 in ?? () #19 0x00007fffedae29a0 in thread_context_stack () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #20 0x00000000008c9610 in ?? () #21 0x00007ffff13dd20e in WebCore::ResourceLoader::didReceiveBuffer (this=0x7fff8fffff90, buffer=..., encodedDataLength=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:513 #22 0x00007fffffffbad0 in ?? () #23 0x00007ffff59dea38 in JSC::JITCode::execute (this=0xc78948da89480000, vm=0x1b9c8458b48e0, protoCallFrame=0x758d48ff7456f5e8, topOfStack=0xc78948d68948e045) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:48 Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Since the hit assertion was touched 9 years ago for the last time, I have CC-d the people who have been working on it recently.
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.