Created attachment 265064 [details]
Test

Load the attached test with debug MiniBrowser:

a<big>
<style>
* { -webkit-nbsp-mode:space; }
</style>
<video controls ></video>
<object data="aaaaaaaaaaaaaaaaa"></object>
<script>
document.designMode = 'on';
document.execCommand("selectAll", false, null);
document.execCommand("indent" , true , null);
</script>

OS: Ubuntu 15.04 x86_64
Checked build: debug EFL
Checked version: 009fb33

Backtrace:
ASSERTION FAILED: inDocument()
../../Source/WebCore/html/HTMLFrameOwnerElement.cpp(57) : void WebCore::HTMLFrameOwnerElement::setContentFrame(WebCore::Frame*)
1 0x7f2c881fff97 WTFCrash
2 0x7f2c8e5702fb WebCore::HTMLFrameOwnerElement::setContentFrame(WebCore::Frame*)
3 0x7f2c8e8c55e6 WebCore::Frame::Frame(WebCore::Page&, WebCore::HTMLFrameOwnerElement*, WebCore::FrameLoaderClient&)
4 0x7f2c8e8c5805 WebCore::Frame::create(WebCore::Page*, WebCore::HTMLFrameOwnerElement*, WebCore::FrameLoaderClient*)
5 0x7f2c8df60aac WebKit::WebFrame::createSubframe(WebKit::WebPage*, WTF::String const&, WebCore::HTMLFrameOwnerElement*)
6 0x7f2c8df2f120 WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int)
7 0x7f2c8e7da9d9 WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&)
8 0x7f2c8e7da716 WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList)
9 0x7f2c8e7d9e77 WebCore::SubframeLoader::requestObject(WebCore::HTMLPlugInImageElement&, WTF::String const&, WTF::AtomicString const&, WTF::String const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul> const&)
10 0x7f2c8e5c8975 WebCore::HTMLPlugInImageElement::requestObject(WTF::String const&, WTF::String const&, WTF::Vector<WTF::String, 0ul, 
WTF::CrashOnOverflow, 16ul> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul> const&) 11 0x7f2c8e5bb2e9 WebCore::HTMLObjectElement::updateWidget(WebCore::PluginCreationOption) 12 0x7f2c8e5c5773 WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary() 13 0x7f2c8e5c537f 14 0x7f2c8e5c8b58 15 0x7f2c8db15a82 std::function<void ()>::operator()() const 16 0x7f2c8edce28d WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() 17 0x7f2c8e332428 WebCore::Document::recalcStyle(WebCore::Style::Change) 18 0x7f2c8e332713 WebCore::Document::updateStyleIfNeeded() 19 0x7f2c8e332810 WebCore::Document::updateLayout() 20 0x7f2c8e332992 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) 21 0x7f2c8e22d4eb WebCore::AccessibilityObject::updateBackingStore() 22 0x7f2c8eedd13c 23 0x7f2c8223af70 24 0x7f2c8455594b g_object_get_property 25 0x7f2c8223a05b 26 0x7f2c8454cf15 g_closure_invoke 27 0x7f2c8455ef6b 28 0x7f2c84568198 g_signal_emit_valist 29 0x7f2c845683ff g_signal_emit 30 0x7f2c845516c5 31 0x7f2c84553c71 g_object_notify Aborted (core dumped) Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f2c881fff9c in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; #0 0x00007f2c881fff9c in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007f2c8e5702fb in WebCore::HTMLFrameOwnerElement::setContentFrame (this=0x7f2c6f6a9708, frame=0x7f2c24aec000) at ../../Source/WebCore/html/HTMLFrameOwnerElement.cpp:57 #2 0x00007f2c8e8c55e6 in WebCore::Frame::Frame (this=0x7f2c24aec000, page=..., ownerElement=0x7f2c6f6a9708, frameLoaderClient=...) 
at ../../Source/WebCore/page/Frame.cpp:188 #3 0x00007f2c8e8c5805 in WebCore::Frame::create (page=0x7f2c6f403bc0, ownerElement=0x7f2c6f6a9708, client=0x210d7b0) at ../../Source/WebCore/page/Frame.cpp:212 #4 0x00007f2c8df60aac in WebKit::WebFrame::createSubframe (page=0x7f2c6f403440, frameName=..., ownerElement=0x7f2c6f6a9708) at ../../Source/WebKit2/WebProcess/WebPage/WebFrame.cpp:129 #5 0x00007f2c8df2f120 in WebKit::WebFrameLoaderClient::createFrame (this=0x1df8eb0, url=..., name=..., ownerElement=0x7f2c6f6a9708, referrer=...) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:1388 #6 0x00007f2c8e7da9d9 in WebCore::SubframeLoader::loadSubframe (this=0x1df9ed0, ownerElement=..., url=..., name=..., referrer=...) at ../../Source/WebCore/loader/SubframeLoader.cpp:326 #7 0x00007f2c8e7da716 in WebCore::SubframeLoader::loadOrRedirectSubframe (this=0x1df9ed0, ownerElement=..., url=..., frameName=..., lockHistory=WebCore::LockHistory::Yes, lockBackForwardList=WebCore::LockBackForwardList::Yes) at ../../Source/WebCore/loader/SubframeLoader.cpp:290 #8 0x00007f2c8e7d9e77 in WebCore::SubframeLoader::requestObject (this=0x1df9ed0, ownerElement=..., url=..., frameName=..., mimeType=..., paramNames=..., paramValues=...) at ../../Source/WebCore/loader/SubframeLoader.cpp:233 #9 0x00007f2c8e5c8975 in WebCore::HTMLPlugInImageElement::requestObject (this=0x7f2c6f6a9708, url=..., mimeType=..., paramNames=..., paramValues=...) 
at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:764 #10 0x00007f2c8e5bb2e9 in WebCore::HTMLObjectElement::updateWidget (this=0x7f2c6f6a9708, pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins) at ../../Source/WebCore/html/HTMLObjectElement.cpp:331 #11 0x00007f2c8e5c5773 in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (this=0x7f2c6f6a9708) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:287 #12 0x00007f2c8e5c537f in WebCore::HTMLPlugInImageElement::<lambda()>::operator()(void) const (__closure=0x210dbd0) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:250 #13 0x00007f2c8e5c8b58 in std::_Function_handler<void(), WebCore::HTMLPlugInImageElement::didAttachRenderers()::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...) at /usr/include/c++/4.9/functional:2039 #14 0x00007f2c8db15a82 in std::function<void ()>::operator()() const (this=0x7f2c6f644220) at /usr/include/c++/4.9/functional:2439 #15 0x00007f2c8edce28d in WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler (this=0x7fff26af1cbd, __in_chrg=<optimized out>) at ../../Source/WebCore/style/StyleResolveTree.cpp:966 #16 0x00007f2c8e332428 in WebCore::Document::recalcStyle (this=0x7f2c6f426a40, change=WebCore::Style::NoChange) at ../../Source/WebCore/dom/Document.cpp:1849 #17 0x00007f2c8e332713 in WebCore::Document::updateStyleIfNeeded (this=0x7f2c6f426a40) at ../../Source/WebCore/dom/Document.cpp:1892 #18 0x00007f2c8e332810 in WebCore::Document::updateLayout (this=0x7f2c6f426a40) at ../../Source/WebCore/dom/Document.cpp:1911 #19 0x00007f2c8e332992 in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x7f2c6f426a40, runPostLayoutTasks=WebCore::Document::RunPostLayoutTasks::Asynchronously) at ../../Source/WebCore/dom/Document.cpp:1949 #20 0x00007f2c8e22d4eb in WebCore::AccessibilityObject::updateBackingStore (this=0x7f2c6f7e5cc0) at ../../Source/WebCore/accessibility/AccessibilityObject.cpp:1591 #21 0x00007f2c8eedd13c in 
webkitAccessibleGetParent (object=0x20b0060) at ../../Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp:301 #22 0x00007f2c8223af70 in atk_object_real_get_property (object=0x20b0060, prop_id=3, value=0x7fff26af1f60, pspec=0x1deed30) at atkobject.c:1365 #23 0x00007f2c8455594b in object_get_property (value=<optimized out>, pspec=<optimized out>, object=<optimized out>) at gobject.c:1370 #24 g_object_get_property (object=0x20b0060, property_name=0x7fff26af1f60 "0\363\340\001", value=0x7fff26af1f60) at gobject.c:2438 #25 0x00007f2c8223a05b in atk_object_notify (obj=0x20b0060, pspec=0x1deed30) at atkobject.c:1531 #26 0x00007f2c8454cf15 in g_closure_invoke (closure=0x1dddb30, return_value=0x0, n_param_values=2, param_values=0x7fff26af2170, invocation_hint=0x7fff26af2110) at gclosure.c:768 #27 0x00007f2c8455ef6b in signal_emit_unlocked_R (node=node@entry=0x1dddbc0, detail=detail@entry=199, instance=instance@entry=0x20b0060, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fff26af2170) at gsignal.c:3483 #28 0x00007f2c84568198 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fff26af2300) at gsignal.c:3309 #29 0x00007f2c845683ff in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3365 #30 0x00007f2c845516c5 in g_object_dispatch_properties_changed (object=0x0, n_pspecs=0, pspecs=0x1d755f8) at gobject.c:1056 #31 0x00007f2c84553c71 in g_object_notify_by_spec_internal (pspec=<optimized out>, object=0x20b0060) at gobject.c:1149 #32 g_object_notify (object=0x20b0060, property_name=<optimized out>) at gobject.c:1197 #33 0x00007f2c8e0b82fd in webPageAccessibilityObjectRefresh (accessible=0x1e7fcf0) at ../../Source/WebKit2/WebProcess/WebPage/atk/WebPageAccessibilityObjectAtk.cpp:146 #34 0x00007f2c8e0b84f2 in WebKit::WebPage::updateAccessibilityTree (this=0x7f2c6f403440) at 
../../Source/WebKit2/WebProcess/WebPage/efl/WebPageEfl.cpp:76 #35 0x00007f2c8df301b7 in WebKit::WebFrameLoaderClient::dispatchDidClearWindowObjectInWorld (this=0x1df8eb0, world=...) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:1581 #36 0x00007f2c8e7a6a27 in WebCore::FrameLoader::dispatchDidClearWindowObjectInWorld (this=0x7f2c6f6e4098, world=...) at ../../Source/WebCore/loader/FrameLoader.cpp:3359 #37 0x00007f2c8e2a52a2 in WebCore::ScriptController::initScript (this=0x7f2c6f7fcc80, world=...) at ../../Source/WebCore/bindings/js/ScriptController.cpp:270 #38 0x00007f2c8debf833 in WebCore::ScriptController::windowShell (this=0x7f2c6f7fcc80, world=...) at ../../Source/WebCore/bindings/js/ScriptController.h:90 #39 0x00007f2c8debf8bd in WebCore::ScriptController::globalObject (this=0x7f2c6f7fcc80, world=...) at ../../Source/WebCore/bindings/js/ScriptController.h:99 #40 0x00007f2c8e59cd1b in WebCore::HTMLMediaElement::ensureMediaControlsInjectedScript (this=0x7f2c6f55e740) at ../../Source/WebCore/html/HTMLMediaElement.cpp:6226 #41 0x00007f2c8e59d166 in WebCore::HTMLMediaElement::didAddUserAgentShadowRoot (this=0x7f2c6f55e740, root=0x7f2c24bee578) at ../../Source/WebCore/html/HTMLMediaElement.cpp:6266 #42 0x00007f2c8e3a44e6 in WebCore::Element::addShadowRoot(WTF::Ref<WebCore::ShadowRoot>&&) (this=0x7f2c6f55e740, newShadowRoot=<unknown type in webkit/WebKitBuild/Debug/lib/libewebkit2.so.1, CU 0x15efcef9, DIE 0x1614a574>) at ../../Source/WebCore/dom/Element.cpp:1655 #43 0x00007f2c8e3a4a5f in WebCore::Element::ensureUserAgentShadowRoot (this=0x7f2c6f55e740) at ../../Source/WebCore/dom/Element.cpp:1737 #44 0x00007f2c8e59aa16 in WebCore::HTMLMediaElement::configureMediaControls (this=0x7f2c6f55e740) at ../../Source/WebCore/html/HTMLMediaElement.cpp:5601 #45 0x00007f2c8e5869c5 in WebCore::HTMLMediaElement::insertedInto (this=0x7f2c6f55e740, insertionPoint=...) 
at ../../Source/WebCore/html/HTMLMediaElement.cpp:740 #46 0x00007f2c8e31c8d1 in WebCore::notifyNodeInsertedIntoDocument (insertionPoint=..., node=..., postInsertionNotificationTargets=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:71 #47 0x00007f2c8e31c677 in WebCore::notifyDescendantInsertedIntoDocument (insertionPoint=..., node=..., postInsertionNotificationTargets=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:45 #48 0x00007f2c8e31c920 in WebCore::notifyNodeInsertedIntoDocument (insertionPoint=..., node=..., postInsertionNotificationTargets=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:74 #49 0x00007f2c8e31cae4 in WebCore::notifyChildNodeInserted (insertionPoint=..., node=..., postInsertionNotificationTargets=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:97 #50 0x00007f2c8e30df43 in WebCore::ContainerNode::notifyChildInserted (this=0x7f2c6f7e36e8, child=..., source=WebCore::ContainerNode::ChildChangeSourceAPI) at ../../Source/WebCore/dom/ContainerNode.cpp:339 #51 0x00007f2c8e3109ae in WebCore::ContainerNode::updateTreeAfterInsertion (this=0x7f2c6f7e36e8, child=...) at ../../Source/WebCore/dom/ContainerNode.cpp:823 #52 0x00007f2c8e30f910 in WebCore::ContainerNode::appendChild(WTF::Ref<WebCore::Node>&&, int&) (this=0x7f2c6f7e36e8, newChild=<unknown type in webkit/WebKitBuild/Debug/lib/libewebkit2.so.1, CU 0x15745c20, DIE 0x1590b3c5>, ec=@0x7fff26af2df0: 0) at ../../Source/WebCore/dom/ContainerNode.cpp:704 #53 0x00007f2c8fc949b7 in WebCore::AppendNodeCommand::doApply (this=0x7f2c24bf1288) at ../../Source/WebCore/editing/AppendNodeCommand.cpp:70 #54 0x00007f2c8f62d6c4 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x7f2c6f6cc738, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:278 #55 0x00007f2c8f62e884 in WebCore::CompositeEditCommand::appendNode (this=0x7f2c6f6cc738, node=..., parent=...) 
at ../../Source/WebCore/editing/CompositeEditCommand.cpp:399 #56 0x00007f2c8f62e123 in WebCore::CompositeEditCommand::insertNodeAfter (this=0x7f2c6f6cc738, insertChild=..., refChild=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:358 #57 0x00007f2c8f6343b6 in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement (this=0x7f2c6f6cc738, start=..., end=..., passedOuterNode=0x7f2c6f7f6a00, blockElement=0x7f2c6f7e36e8) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:1105 #58 0x00007f2c8f634ceb in WebCore::CompositeEditCommand::moveParagraphWithClones (this=0x7f2c6f6cc738, startOfParagraphToMove=..., endOfParagraphToMove=..., blockElement=0x7f2c6f7e36e8, outerNode=0x7f2c6f7f6a00) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:1178 #59 0x00007f2c8e4aca33 in WebCore::IndentOutdentCommand::indentIntoBlockquote (this=0x7f2c6f6cc738, start=..., end=..., targetBlockquote=...) at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:117 #60 0x00007f2c8e4ae2d6 in WebCore::IndentOutdentCommand::formatRange (this=0x7f2c6f6cc738, start=..., end=..., blockquoteForNextIndent=...) at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:236 #61 0x00007f2c8f617f9b in WebCore::ApplyBlockElementCommand::formatSelection (this=0x7f2c6f6cc738, startOfSelection=..., endOfSelection=...) at ../../Source/WebCore/editing/ApplyBlockElementCommand.cpp:141 #62 0x00007f2c8e4ae259 in WebCore::IndentOutdentCommand::formatSelection (this=0x7f2c6f6cc738, startOfSelection=..., endOfSelection=...) at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:226 #63 0x00007f2c8f61723e in WebCore::ApplyBlockElementCommand::doApply (this=0x7f2c6f6cc738) at ../../Source/WebCore/editing/ApplyBlockElementCommand.cpp:86 #64 0x00007f2c8f62d3f0 in WebCore::CompositeEditCommand::apply (this=0x7f2c6f6cc738) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:227 #65 0x00007f2c8f62d1a1 in WebCore::applyCommand (command=...) 
at ../../Source/WebCore/editing/CompositeEditCommand.cpp:186 #66 0x00007f2c8e494432 in WebCore::executeIndent (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:456 #67 0x00007f2c8e49862a in WebCore::Editor::Command::execute (this=0x7fff26af3bd0, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1703 #68 0x00007f2c8e33e3b5 in WebCore::Document::execCommand (this=0x7f2c6f426a40, commandName=..., userInterface=true, value=...) at ../../Source/WebCore/dom/Document.cpp:4657 #69 0x00007f2c8fa6c119 in WebCore::jsDocumentPrototypeFunctionExecCommand (state=0x7fff26af3ca0) at DerivedSources/WebCore/JSDocument.cpp:5066 #70 0x00007f2c27fff0c8 in ?? () #71 0x00007fff26af3d20 in ?? () #72 0x00007f2c881a8764 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
Reproduces in r204037.
<rdar://problem/27711444>
Can't reproduce the crash anymore.