Created attachment 242207
Test case

Load this test with debug WebKit:

<q></q>
<object></object>
<body>
<li></li>
<audio controls>
<source type="vnd.music-niff"></source>
</audio>
</body>
<style>
:before { transition-duration:1ms; }
* { border-spacing: 1; }
</style>
<script>
document.designMode = 'on';
document.execCommand("selectAll", false, null);
document.execCommand("removeFormat" , false , null);
</script>

Notes:
a) Don't remove the newline after the <q> tag.
b) Supplying the doctype definition "solves" the issue.

Backtrace:

ASSERTION FAILED: hostElement
../../Source/WebCore/dom/EventDispatcher.cpp(210) : WebCore::EventTarget& WebCore::eventTargetRespectingTargetRules(WebCore::Node&)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff98c4e700 (LWP 1600)]
0x00007fffedc7ea89 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321         *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffedc7ea89 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff3155dc1 in WebCore::eventTargetRespectingTargetRules (referenceNode=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:210
#2  0x00007ffff3154245 in WebCore::EventDispatcher::dispatchEvent (origin=0x8e8d10, prpEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:353
#3  0x00007ffff318f892 in WebCore::Node::dispatchEvent (this=0x8e8d10, event=...) at ../../Source/WebCore/dom/Node.cpp:2043
#4  0x00007ffff37878c8 in WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle (this=0x83cb70) at ../../Source/WebCore/page/animation/AnimationController.cpp:180
#5  0x00007ffff378773e in WebCore::AnimationControllerPrivate::updateStyleIfNeededDispatcherFired (this=0x83cb70) at ../../Source/WebCore/page/animation/AnimationController.cpp:164
#6  0x00007ffff378f6b5 in std::_Mem_fn<void (WebCore::AnimationControllerPrivate::*)()>::operator()<, void>(WebCore::AnimationControllerPrivate*) const (this=0x83cd30, __object=0x83cb70) at /usr/include/c++/4.8/functional:601
#7  0x00007ffff378ed62 in std::_Bind<std::_Mem_fn<void (WebCore::AnimationControllerPrivate::*)()> (WebCore::AnimationControllerPrivate*)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (this=0x83cd30, __args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x30b6f2c1, DIE 0x30c9315a>) at /usr/include/c++/4.8/functional:1296
#8  0x00007ffff378dfbe in std::_Bind<std::_Mem_fn<void (WebCore::AnimationControllerPrivate::*)()> (WebCore::AnimationControllerPrivate*)>::operator()<, void>() (this=0x83cd30) at /usr/include/c++/4.8/functional:1355
#9  0x00007ffff378cb3b in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (WebCore::AnimationControllerPrivate::*)()> (WebCore::AnimationControllerPrivate*)> >::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/4.8/functional:2071
#10 0x00007ffff279f32a in std::function<void ()>::operator()() const (this=0x83cc28) at /usr/include/c++/4.8/functional:2464
#11 0x00007ffff279cca0 in WebCore::Timer::fired (this=0x83cbf0) at ../../Source/WebCore/platform/Timer.h:132
#12 0x00007ffff37f11eb in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x64d0d0) at ../../Source/WebCore/platform/ThreadTimers.cpp:132
#13 0x00007ffff37f1099 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:107
#14 0x00007ffff31640d0 in std::_Function_handler<void (), void (*)()>::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/4.8/functional:2071
#15 0x00007ffff279f32a in std::function<void ()>::operator()() const (this=0x7fffffffd558) at /usr/include/c++/4.8/functional:2464
#16 0x00007fffedcc82f6 in WTF::GMainLoopSource::voidCallback (this=0x7ffff7dd39a0 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:365
#17 0x00007fffedcc8a67 in WTF::GMainLoopSource::voidSourceCallback (source=0x7ffff7dd39a0 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:456
#18 0x00007fffedcc7473 in WTF::__lambda0::operator() (__closure=0x0, source=0x58a180, callback=0x7fffedcc8a44 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)>, userData=0x7ffff7dd39a0 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:248
#19 0x00007fffedcc74e1 in WTF::__lambda0::_FUN (source=0x58a180, callback=0x7fffedcc8a44 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)>, userData=0x7ffff7dd39a0 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:252
#20 0x00007fffeaafea2d in g_main_dispatch (context=0x478020) at gmain.c:3064
#21 g_main_context_dispatch (context=context@entry=0x478020) at gmain.c:3663
#22 0x00007fffeaafed98 in g_main_context_iterate (context=0x478020, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734
#23 0x00007fffeaaff05a in g_main_loop_run (loop=0x9015f0) at gmain.c:3928
#24 0x00007ffff464b42e in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#25 0x00007ffff2bb8250 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd968) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#26 0x00007ffff2bb80b5 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd968) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#27 0x0000000000400891 in main (argc=2, argv=0x7fffffffd968) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44

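An assertion message plus a gdb backtrace like the one above is the raw material of crash triage: the first question is whether a new report is the same bug as one already filed. The following Python is an added example, not part of this bug report and not WebKit code. It parses a gdb-style backtrace into structured frames, handles frames without an address (such as #21) and template-heavy function names (such as #6), and derives a deduplication signature from the assertion expression and the first in-project frame below WTFCrash. The sample input is an excerpt of this report's own backtrace; the project prefix `../../Source/` and the `WTFCrash` ignore list are assumptions chosen to fit this build's paths.

```python
"""Crash-triage helper: parse a gdb backtrace into structured frames and
derive a stable signature for de-duplicating assertion failures."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Excerpt of the backtrace from this bug report (most frames omitted to keep
# the sample short). Frame #21 has no address, frame #6 has template arguments
# that themselves contain parentheses: both are shapes a parser must survive.
SAMPLE_REPORT = """\
ASSERTION FAILED: hostElement
../../Source/WebCore/dom/EventDispatcher.cpp(210) : WebCore::EventTarget& WebCore::eventTargetRespectingTargetRules(WebCore::Node&)
Program received signal SIGSEGV, Segmentation fault.
#0  0x00007fffedc7ea89 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff3155dc1 in WebCore::eventTargetRespectingTargetRules (referenceNode=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:210
#2  0x00007ffff3154245 in WebCore::EventDispatcher::dispatchEvent (origin=0x8e8d10, prpEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:353
#3  0x00007ffff318f892 in WebCore::Node::dispatchEvent (this=0x8e8d10, event=...) at ../../Source/WebCore/dom/Node.cpp:2043
#6  0x00007ffff378f6b5 in std::_Mem_fn<void (WebCore::AnimationControllerPrivate::*)()>::operator()<, void>(WebCore::AnimationControllerPrivate*) const (this=0x83cd30, __object=0x83cb70) at /usr/include/c++/4.8/functional:601
#21 g_main_context_dispatch (context=context@entry=0x478020) at gmain.c:3663
"""

# WTF's assertion output: "ASSERTION FAILED: <expr>" then "<file>(<line>) : <function>".
_ASSERT_RE = re.compile(
    r"ASSERTION FAILED: (?P<expr>.+?)\s+(?P<file>\S+)\((?P<line>\d+)\) : (?P<func>.+)"
)
# One gdb frame per line; the address and "in" are absent for some frames.
# The greedy (?P<rest>.*) binds to the last " at ", which is the file:line suffix.
_FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+) in )?(?P<rest>.*) at (?P<file>\S+):(?P<line>\d+)\s*$",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Frame:
    number: int
    address: Optional[str]
    function: str
    file: str
    line: int


@dataclass(frozen=True)
class Assertion:
    expression: str
    file: str
    line: int
    function: str


def function_name(rest: str) -> str:
    """Strip gdb's argument list from 'func (args)' while leaving template
    arguments, which may themselves contain parentheses, intact."""
    depth = 0
    i = 0
    while i < len(rest):
        ch = rest[i]
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth = max(depth - 1, 0)
        elif ch == "(" and depth == 0:
            # "operator()" belongs to the name, not to the argument list.
            if rest.startswith("()", i) and rest[:i].endswith("operator"):
                i += 2
                continue
            return rest[:i].strip()
        i += 1
    return rest.strip()


def parse_frames(report: str) -> List[Frame]:
    frames = [
        Frame(int(m["num"]), m["addr"], function_name(m["rest"]), m["file"], int(m["line"]))
        for m in _FRAME_RE.finditer(report)
    ]
    return sorted(frames, key=lambda f: f.number)


def parse_assertion(report: str) -> Optional[Assertion]:
    m = _ASSERT_RE.search(report)
    if not m:
        return None
    return Assertion(m["expr"].strip(), m["file"], int(m["line"]), m["func"].strip())


def crash_signature(report: str, project_prefix: str = "../../Source/",
                    ignore_functions: Sequence[str] = ("WTFCrash",)) -> Tuple[str, str, str]:
    """(assertion expression, first in-project function, its file basename).
    Line numbers are deliberately left out so the key survives unrelated edits."""
    frames = parse_frames(report)
    if not frames:
        raise ValueError("no stack frames found")
    top = next((f for f in frames
                if f.file.startswith(project_prefix) and f.function not in ignore_functions),
               frames[0])
    assertion = parse_assertion(report)
    return (assertion.expression if assertion else "", top.function, top.file.rsplit("/", 1)[-1])


def dedup_key(report: str) -> str:
    """Short, stable identifier for a crash bucket."""
    return hashlib.sha256("|".join(crash_signature(report)).encode()).hexdigest()[:16]


if __name__ == "__main__":
    print(crash_signature(SAMPLE_REPORT), dedup_key(SAMPLE_REPORT))
```

Run against this report the signature is `("hostElement", "WebCore::eventTargetRespectingTargetRules", "EventDispatcher.cpp")`, which is what a later, superficially different stack (other addresses, other thread id, extra frames above the timer) would also produce if it hit the same assertion.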
This issue no longer happens in r204037 under GuardMalloc or ASAN. If you believe there is still an issue, please reopen this bug with a revised test case.