Test: <html> <head> <script> /* Minimal repro. On load it turns designMode on, selects the whole document and runs the "indent" editing command. Per the attached backtrace, that goes Document::execCommand -> executeIndent -> IndentOutdentCommand::indentIntoBlockquote -> CompositeEditCommand::moveParagraphWithClones -> cloneParagraphUnderNewElement -> appendNode, where an assertion fires (WTFCrash via Assertions.cpp), i.e. a debug-build ASSERT failure. The only body content is <object>1</object>; keep the markup byte-identical (no extra whitespace between tags) so the selected DOM is unchanged. Release-build behaviour is not shown in this report and must be checked separately. */ function f() { document.designMode = 'on'; document.execCommand("selectAll", false, null); document.execCommand("indent" , false , null); } </script> </head> <body onload='f()'> <object>1</object> </body> </html>
Backtrace: #0 0x00007ffff57c170b in WTFCrash () at WebKit/Source/WTF/wtf/Assertions.cpp:329 #1 0x00007ffff0b4d710 in WebCore::CompositeEditCommand::appendNode (this=0x835d00, node=..., parent=...) at WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:399 #2 0x00007ffff0b51490 in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement (this=0x835d00, start=..., end=..., passedOuterNode=0x819f60, blockElement=0x83a250) at WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:1081 #3 0x00007ffff0b51d3b in WebCore::CompositeEditCommand::moveParagraphWithClones (this=0x835d00, startOfParagraphToMove=..., endOfParagraphToMove=..., blockElement=0x83a250, outerNode=0x819f60) at WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:1177 #4 0x00007ffff0b991b7 in WebCore::IndentOutdentCommand::indentIntoBlockquote (this=0x835d00, start=..., end=..., targetBlockquote=...) at WebKit/Source/WebCore/editing/IndentOutdentCommand.cpp:118 #5 0x00007ffff0b9a2b6 in WebCore::IndentOutdentCommand::formatRange (this=0x835d00, start=..., end=..., blockquoteForNextIndent=...) at WebKit/Source/WebCore/editing/IndentOutdentCommand.cpp:237 #6 0x00007ffff0b3ad77 in WebCore::ApplyBlockElementCommand::formatSelection (this=0x835d00, startOfSelection=..., endOfSelection=...) at WebKit/Source/WebCore/editing/ApplyBlockElementCommand.cpp:141 #7 0x00007ffff0b9a239 in WebCore::IndentOutdentCommand::formatSelection (this=0x835d00, startOfSelection=..., endOfSelection=...) at WebKit/Source/WebCore/editing/IndentOutdentCommand.cpp:227 #8 0x00007ffff0b3a298 in WebCore::ApplyBlockElementCommand::doApply (this=0x835d00) at WebKit/Source/WebCore/editing/ApplyBlockElementCommand.cpp:86 #9 0x00007ffff0b4c848 in WebCore::CompositeEditCommand::apply (this=0x835d00) at WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:227 #10 0x00007ffff0b4c637 in WebCore::applyCommand (command=...) 
at WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:182 #11 0x00007ffff0b85af4 in WebCore::executeIndent (frame=...) at WebKit/Source/WebCore/editing/EditorCommand.cpp:489 #12 0x00007ffff0b89107 in WebCore::Editor::Command::execute (this=0x7fffffffc800, parameter=..., triggeringEvent=0x0) at WebKit/Source/WebCore/editing/EditorCommand.cpp:1740 #13 0x00007ffff0a400a4 in WebCore::Document::execCommand (this=0x766900, commandName=..., userInterface=false, value=...) at WebKit/Source/WebCore/dom/Document.cpp:4279 #14 0x00007ffff195fc60 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffffffc8f0) at WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:4526 #15 0x00007fff9cee00b4 in ?? () #16 0x00007fffffffc950 in ?? () #17 0x00007ffff57aab2c in llint_entry () from WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
Created attachment 273718 [details] Test. It is still valid on ToT WebKit. Validated on r197952 with both the Mac and EFL builds. Note for triage: the backtrace above ends in WTFCrash() called from an assertion in CompositeEditCommand::appendNode (CompositeEditCommand.cpp:399), so what is shown is a debug-build ASSERT failure; whether a release build, where that assertion is presumably compiled out, crashes, corrupts the editing tree, or merely misbehaves is not shown here and should be confirmed before assigning a severity.
This reproduces in r204037.
<rdar://problem/27701780>