Created attachment 265184 [details] Test Load the attached test with debug MiniBrowser: <!DOCTYPE html> <dl> <dd></dd> <sup style="writing-mode: rl-tb"></sup>a </dl> <li></li> <script> document.designMode = 'on'; document.execCommand("selectAll"); document.execCommand("InsertHorizontalRule"); document.execCommand("insertOrderedList"); </script> OS: Ubuntu 15.04 x86_64 Checked build: debug EFL Checked version: 29ae33c Backtrace: ASSERTION FAILED: previousListChild != listChildNode ../../Source/WebCore/editing/InsertListCommand.cpp(280) : void WebCore::InsertListCommand::unlistifyParagraph(const WebCore::VisiblePosition&, WebCore::HTMLElement*, WebCore::Node*) 1 0x7f0e9036a89f WTFCrash 2 0x7f0e9661d957 WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) 3 0x7f0e9661d256 WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) 4 0x7f0e9661c68a WebCore::InsertListCommand::doApply() 5 0x7f0e9779cf4c WebCore::CompositeEditCommand::apply() 6 0x7f0e9779ccfd WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>) 7 0x7f0e96601ab3 8 0x7f0e9660559e WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const 9 0x7f0e964a9d39 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) 10 0x7f0e97bdc22d WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) 11 0x7f0e2ffff0c8 Aborted (core dumped) Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f0e9036a8a4 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007f0e9036a8a4 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007f0e9661d957 in WebCore::InsertListCommand::unlistifyParagraph (this=0x7f0e77bb52d0, originalStart=..., listNode=0x7f0e77be39c0, listChildNode= 0x7f0e77be3618) at ../../Source/WebCore/editing/InsertListCommand.cpp:280 #2 0x00007f0e9661d256 in WebCore::InsertListCommand::doApplyForSingleParagraph (this=0x7f0e77bb52d0, forceCreateList=false, listTag=..., currentSelection=0x7f0e77b6f800) at ../../Source/WebCore/editing/InsertListCommand.cpp:255 #3 0x00007f0e9661c68a in WebCore::InsertListCommand::doApply (this=0x7f0e77bb52d0) at ../../Source/WebCore/editing/InsertListCommand.cpp:195 #4 0x00007f0e9779cf4c in WebCore::CompositeEditCommand::apply (this=0x7f0e77bb52d0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:227 #5 0x00007f0e9779ccfd in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:186 #6 0x00007f0e96601ab3 in WebCore::executeInsertOrderedList (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:518 #7 0x00007f0e9660559e in WebCore::Editor::Command::execute (this=0x7ffd6e20d0a0, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1703 #8 0x00007f0e964a9d39 in WebCore::Document::execCommand (this=0x7f0e77826a40, commandName=..., userInterface=false, value=...) at ../../Source/WebCore/dom/Document.cpp:4657 #9 0x00007f0e97bdc22d in WebCore::jsDocumentPrototypeFunctionExecCommand (state=0x7ffd6e20d170) at DerivedSources/WebCore/JSDocument.cpp:5066 #10 0x00007f0e2ffff0c8 in ?? () #11 0x00007ffd6e20d1e0 in ?? () #12 0x00007f0e90313036 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
This reproduces in r204037.
<rdar://problem/27711731>
I am able to hit this assert using attached test case using Minibrowser WK2 Debug build based of 259136@main and this is output: ASSERTION FAILED: previousListChild != listChildNode editing/InsertListCommand.cpp(312) : void WebCore::InsertListCommand::unlistifyParagraph(const WebCore::VisiblePosition &, WebCore::HTMLElement &, WebCore::Node *) 1 0x137c46d84 WTFCrash 2 0x280832730 WTFCrashWithInfo(int, char const*, char const*, int) 3 0x283e57d74 WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement&, WebCore::Node*) 4 0x283e578c8 WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::SimpleRange&) 5 0x283e571d8 WebCore::InsertListCommand::doApply() 6 0x283dac198 WebCore::CompositeEditCommand::apply() 7 0x283e3da9c WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) 8 0x283e12a30 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const 9 0x283a99ef0 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) 10 0x280be2e5c WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) 11 0x280be2944 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) 12 0x280bcda00 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) 13 0x14680c03c (null) 14 0x13836e990 llint_entry 15 0x138348eec vmEntryToJavaScript 16 0x1393a7a5c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 17 0x1393a6ff8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 18 0x139810110 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 19 0x139810254 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 20 0x283240254 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 21 0x28323fd28 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) 22 0x28323fb5c WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) 23 0x28324050c WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&) 24 0x283cbd164 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) 25 0x283cbb2e8 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) 26 0x284323810 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) 27 0x28432363c WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) 28 0x2842fb1f4 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() 29 0x2842fb6e4 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) 30 0x2842faa9c WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 31 0x2842fa248 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)