Created attachment 221352
Test case

Test case to reproduce the issue:

<embed code="foo1">
<embed code="foo1">
<iframe onload="document.designMode='on'; document.execCommand('selectall'); document.execCommand('italic');"></iframe>

Its backtrace:

ASSERTION FAILED: !childItemWithTarget(child->target())
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/history/HistoryItem.cpp(494) : void WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
1   0x7ffff5c35e44 WTFCrash
2   0x7ffff10d3f5b WebCore::HistoryItem::addChildItem(WTF::PassRefPtr<WebCore::HistoryItem>)
3   0x7ffff13bd407 WebCore::HistoryController::createItemTree(WebCore::Frame&, bool)
4   0x7ffff13bdb9a WebCore::HistoryController::updateBackForwardListClippedAtTarget(bool)
5   0x7ffff13bbdde WebCore::HistoryController::updateForStandardLoad(WebCore::HistoryController::HistoryUpdateType)
6   0x7ffff13aad01 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*)
7   0x7ffff13aa227 WebCore::FrameLoader::commitProvisionalLoad()
8   0x7ffff1383455 WebCore::DocumentLoader::commitIfReady()
9   0x7ffff138530c WebCore::DocumentLoader::commitLoad(char const*, int)
10  0x7ffff13858f9 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int)
11  0x7ffff138527d WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction)
12  0x7ffff1384b1d WebCore::DocumentLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&)
13  0x7ffff1383b17 WebCore::DocumentLoader::handleSubstituteDataLoadNow(WebCore::Timer<WebCore::DocumentLoader>*)
14  0x7ffff1383bb6 WebCore::DocumentLoader::handleSubstituteDataLoadSoon()
15  0x7ffff1387c1c WebCore::DocumentLoader::startLoadingMainResource()
16  0x7ffff13ac03e WebCore::FrameLoader::continueLoadAfterWillSubmitForm()
17  0x7ffff13aed51 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
18  0x7ffff13a8562
19  0x7ffff13b2723
20  0x7ffff13ce45e std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const
21  0x7ffff13cecde WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)
22  0x7ffff13a8ba5 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)
23  0x7ffff13a84d4 WebCore::FrameLoader::load(WebCore::DocumentLoader*)
24  0x7ffff13a7ff4 WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&)
25  0x7ffff7b4045a
26  0x7ffff7b406d8 ewk_frame_contents_set
27  0x4048cc
28  0x7ffff6978103 evas_object_smart_callback_call
29  0x7ffff7b77a1e
30  0x7ffff7b4768f
31  0x7ffff7b312b4

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff10d3f5b in WebCore::HistoryItem::addChildItem (this=0x123fbd0, child=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/history/HistoryItem.cpp:494
#2  0x00007ffff13bd407 in WebCore::HistoryController::createItemTree (this=0x7e9070, targetFrame=..., clipAtTarget=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:690
#3  0x00007ffff13bdb9a in WebCore::HistoryController::updateBackForwardListClippedAtTarget (this=0x1203eb0, doClip=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:804
#4  0x00007ffff13bbdde in WebCore::HistoryController::updateForStandardLoad (this=0x1203eb0, updateType=WebCore::HistoryController::UpdateAll) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/HistoryController.cpp:358
#5  0x00007ffff13aad01 in WebCore::FrameLoader::transitionToCommitted (this=0x12408a8, cachedPage=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1985
#6  0x00007ffff13aa227 in WebCore::FrameLoader::commitProvisionalLoad (this=0x12408a8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1818
#7  0x00007ffff1383455 in WebCore::DocumentLoader::commitIfReady (this=0x127c870) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:354
#8  0x00007ffff138530c in WebCore::DocumentLoader::commitLoad (this=0x127c870, data=0x1243aa0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., length=218) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:766
#9  0x00007ffff13858f9 in WebCore::DocumentLoader::dataReceived (this=0x127c870, resource=0x0, data=0x1243aa0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., length=218) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:893
#10 0x00007ffff138527d in WebCore::DocumentLoader::continueAfterContentPolicy (this=0x127c870, policy=WebCore::PolicyUse) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:753
#11 0x00007ffff1384b1d in WebCore::DocumentLoader::responseReceived (this=0x127c870, resource=0x0, response=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:656
#12 0x00007ffff1383b17 in WebCore::DocumentLoader::handleSubstituteDataLoadNow (this=0x127c870) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:476
#13 0x00007ffff1383bb6 in WebCore::DocumentLoader::handleSubstituteDataLoadSoon (this=0x127c870) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:492
#14 0x00007ffff1387c1c in WebCore::DocumentLoader::startLoadingMainResource (this=0x127c870) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1429
#15 0x00007ffff13ac03e in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x12408a8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2332
#16 0x00007ffff13aed51 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x12408a8, formState=..., shouldContinue=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2976
#17 0x00007ffff13a8562 in operator() (this=0x1227500, request=..., formState=..., shouldContinue=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1484
#18 0x00007ffff13b2723 in std::_Function_handler<void(const WebCore::ResourceRequest&, WTF::PassRefPtr<WebCore::FormState>, bool), WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)::<lambda(const WebCore::ResourceRequest&, WTF::PassRefPtr<WebCore::FormState>, bool)> >::_M_invoke(const std::_Any_data &, const WebCore::ResourceRequest &, WTF::PassRefPtr<WebCore::FormState>, bool) (__functor=..., __args#0=..., __args#1=..., __args#2=true) at /usr/include/c++/4.6/functional:1778
#19 0x00007ffff13ce45e in std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (this=0x7fffffff3020, __args#0=..., __args#1=..., __args#2=true) at /usr/include/c++/4.6/functional:2161
#20 0x00007ffff13cecde in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (this=0x123d350, request=..., loader=0x127c870, formState=..., function=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyChecker.cpp:89
#21 0x00007ffff13a8ba5 in WebCore::FrameLoader::loadWithDocumentLoader (this=0x12408a8, loader=0x127c870, type=WebCore::FrameLoadTypeStandard, prpFormState=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1485
#22 0x00007ffff13a84d4 in WebCore::FrameLoader::load (this=0x12408a8, newDocumentLoader=0x127c870) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1421
#23 0x00007ffff13a7ff4 in WebCore::FrameLoader::load (this=0x12408a8, passedRequest=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1371
#24 0x00007ffff7b4045a in _ewk_frame_contents_set_internal (smartData=0x123cab0, contents=0x7fffffff3ab0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., contentsSize=218, mimeType=0x40799a "text/html", encoding=0x407994 "UTF-8", baseUri=0x1229580 "file:///home/reni/fuzztests/childItemWithTarget/foo1", unreachableUri=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:420
#25 0x00007ffff7b406d8 in ewk_frame_contents_set (ewkFrame=0x126a460, contents=0x7fffffff3ab0 "<html><body><div style=\"color:#ff0000\">ERROR!</div><br><div>Code: 302<br>Domain: WebKitNetworkError<br>Description: Load request cancelled<br>URL: file:///home/reni/fuzztests/childItemWithTarget/foo1<"..., contentsSize=0, mimeType=0x40799a "text/html", encoding=0x407994 "UTF-8", baseUri=0x1229580 "file:///home/reni/fuzztests/childItemWithTarget/foo1") at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:430
#26 0x00000000004048cc in on_load_error (user_data=0x7a97d0, webview=0x725ca0, event_info=0x7fffffff3fa0) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:345
#27 0x00007ffff6978103 in evas_object_smart_callback_call (obj=0x725ca0, event=<optimized out>, event_info=0x7fffffff3fa0) at evas_object_smart.c:610
#28 0x00007ffff7b77a1e in ewk_view_load_error (ewkView=0x725ca0, error=0x7fffffff3fa0) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_view.cpp:3411
#29 0x00007ffff7b4768f in ewk_frame_load_error (ewkFrame=0x126a460, errorDomain=0x12057d0 "WebKitNetworkError", errorCode=302, isCancellation=true, errorDescription=0x12233b0 "Load request cancelled", failingUrl=0x1229580 "file:///home/reni/fuzztests/childItemWithTarget/foo1") at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/ewk/ewk_frame.cpp:1485
#30 0x00007ffff7b312b4 in WebCore::FrameLoaderClientEfl::dispatchDidFailLoad (this=0x6f6650, err=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/WebCoreSupport/FrameLoaderClientEfl.cpp:872
#31 0x00007ffff7b31181 in WebCore::FrameLoaderClientEfl::dispatchDidFailProvisionalLoad (this=0x6f6650, err=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/efl/WebCoreSupport/FrameLoaderClientEfl.cpp:863
#32 0x00007ffff13aba97 in WebCore::FrameLoader::checkLoadCompleteForThisFrame (this=0x12408a8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2233
#33 0x00007ffff13aca2a in WebCore::FrameLoader::checkLoadComplete (this=0x12408a8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2467
#34 0x00007ffff13a56b3 in WebCore::FrameLoader::checkCompleted (this=0x12408a8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:848
#35 0x00007ffff13aded0 in WebCore::FrameLoader::receivedMainResourceError (this=0x12408a8, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2753
#36 0x00007ffff1383076 in WebCore::DocumentLoader::mainReceivedError (this=0x7ca2b0, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:266
#37 0x00007ffff1383637 in WebCore::DocumentLoader::notifyFinished (this=0x7ca2b0, resource=0x123c130) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:384
#38 0x00007ffff142849c in WebCore::CachedResource::checkNotify (this=0x123c130) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:336
#39 0x00007ffff1428670 in WebCore::CachedResource::cancelLoad (this=0x123c130) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:372
#40 0x00007ffff13e13bb in WebCore::SubresourceLoader::didCancel (this=0x123c570) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:376
#41 0x00007ffff13dce52 in WebCore::ResourceLoader::cancel (this=0x123c570, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:458
#42 0x00007ffff1388156 in WebCore::DocumentLoader::cancelMainResourceLoad (this=0x11fd300, resourceError=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1482
#43 0x00007ffff13832dc in WebCore::DocumentLoader::stopLoading (this=0x11fd300) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:328
#44 0x00007ffff13a97d9 in WebCore::FrameLoader::stopAllLoaders (this=0x1202d18, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1649
#45 0x00007ffff13acbb7 in WebCore::FrameLoader::frameDetached (this=0x1202d18) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2496
#46 0x00007ffff1129462 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame (this=0x11588f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameOwnerElement.cpp:86
#47 0x00007ffff0eff7fe in WebCore::disconnectSubframes (root=..., policy=WebCore::RootAndDescendants) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:175
#48 0x00007ffff0ef8138 in WebCore::disconnectSubframesIfNeeded (root=..., policy=WebCore::RootAndDescendants) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:275
#49 0x00007ffff0ef451c in WebCore::willRemoveChild (child=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:492
#50 0x00007ffff0ef47dc in WebCore::ContainerNode::removeChild (this=0x1226620, oldChild=0x11588f0, ec=@0x7fffffff4860: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:557
#51 0x00007ffff0faf44c in WebCore::Node::remove (this=0x11588f0, ec=@0x7fffffff4860: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:463
#52 0x00007ffff107b90a in WebCore::RemoveNodeCommand::doApply (this=0x12232b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveNodeCommand.cpp:56
#53 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1221db0, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#54 0x00007ffff101fa11 in WebCore::CompositeEditCommand::removeNode (this=0x1221db0, node=..., shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:416
#55 0x00007ffff107bd8f in WebCore::RemoveNodePreservingChildrenCommand::doApply (this=0x1221db0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp:51
#56 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1201590, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#57 0x00007ffff101fa9c in WebCore::CompositeEditCommand::removeNodePreservingChildren (this=0x1201590, node=..., shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:421
#58 0x00007ffff10138b0 in WebCore::ApplyStyleCommand::replaceWithSpanOrRemoveIfWithoutAttributes (this=0x1201590, elem=@0x7fffffff4af8: 0x1226620) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:919
#59 0x00007ffff1013a72 in WebCore::ApplyStyleCommand::removeImplicitlyStyledElement (this=0x1201590, style=0x1243310, element=0x1226620, mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x12341c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:937
#60 0x00007ffff10137fa in WebCore::ApplyStyleCommand::removeInlineStyleFromElement (this=0x1201590, style=0x1243310, element=..., mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x12341c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:902
#61 0x00007ffff101445f in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode (this=0x1201590, style=0x1243310, targetNode=0x11588f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1058
#62 0x00007ffff1014aad in WebCore::ApplyStyleCommand::removeInlineStyle (this=0x1201590, style=0x1243310, start=..., end=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1111
#63 0x00007ffff1011cf4 in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x1201590, style=0x1243310) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:637
#64 0x00007ffff100f123 in WebCore::ApplyStyleCommand::doApply (this=0x1201590) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:220
#65 0x00007ffff101e8b8 in WebCore::CompositeEditCommand::apply (this=0x1201590) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227
#66 0x00007ffff101e6b0 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182
#67 0x00007ffff104277a in WebCore::Editor::applyStyle (this=0x7c8620, style=0x122d120, editingAction=WebCore::EditActionUnspecified) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:982
#68 0x00007ffff1052e98 in WebCore::applyCommandToFrame (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, style=0x122d120) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:110
#69 0x00007ffff1053540 in WebCore::executeToggleStyle (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, propertyID=WebCore::CSSPropertyFontStyle, offValue=0x7ffff25e5a84 "normal", onValue=0x7ffff25e5a8b "italic") at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:171
#70 0x00007ffff1056da3 in WebCore::executeToggleItalic (frame=..., source=WebCore::CommandFromDOM) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1119
#71 0x00007ffff1058205 in WebCore::Editor::Command::execute (this=0x7fffffff5300, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1744
#72 0x00007ffff0f1afaa in WebCore::Document::execCommand (this=0x11c8400, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4215
#73 0x00007ffff1dc34f3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8ffffe80) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:3369
#74 0x00007fff9dc5c0e5 in ?? ()
#75 0x00007fff8ffffed0 in ?? ()
#76 0x00007ffff5c233a4 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#77 0x00007fff9dc5c900 in ?? ()
#78 0x0000000001141868 in ?? ()
#79 0x0000000000000001 in ?? ()
#80 0x0000000000000001 in ?? ()
#81 0x00000000011090c0 in ?? ()
#82 0x0000000000000000 in ?? ()
Probably this bug is a duplicate of #51224, #70841 and #99267. However, I've reported this as a new issue, since the test cases of the old ones do not reproduce the issue anymore (and they are not minimal either).
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.