On master (247b0314320d499ae788b6ea993aa1d98e2d607e / r250962), WebKitGTK build. Running this test-case: https://cs.chromium.org/chromium/src/third_party/blink/web_tests/editing/selection/deleteFromDocument-undo-crash.html?rcl=753caf715d8f30f0c673f1b4b36dadfc75c3201f Asserts like: ASSERTION FAILED: m_offset + m_count <= m_node->length() ../../Source/WebCore/editing/DeleteFromTextNodeCommand.cpp(42) : WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand(WTF::Ref<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction) 1 0x7f445ceba3d3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7f445ceba3d3] 2 0x7f4468b635f2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF15CrashOnOverflow10overflowedEv+0) [0x7f4468b635f2] 3 0x7f446b0fabe8 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore25DeleteFromTextNodeCommandC1EON3WTF3RefINS_4TextENS1_13DumbPtrTraitsIS3_EEEEjjNS_10EditActionE+0x162) [0x7f446b0fabe8] 4 0x7f446c74fb94 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore25DeleteFromTextNodeCommand6createEON3WTF3RefINS_4TextENS1_13DumbPtrTraitsIS3_EEEEjjNS_10EditActionE+0x57) [0x7f446c74fb94] 5 0x7f446c748be8 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore20CompositeEditCommand17replaceTextInNodeERNS_4TextEjjRKN3WTF6StringE+0x4a) [0x7f446c748be8] 6 0x7f446c748e1d /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore20CompositeEditCommand25replaceSelectedTextInNodeERKN3WTF6StringE+0x13b) [0x7f446c748e1d] 7 0x7f446b15617e /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore17InsertTextCommand21performTrivialReplaceERKN3WTF6StringEb+0xf2) [0x7f446b15617e] 8 0x7f446b1565d5 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore17InsertTextCommand7doApplyEv+0xd9) [0x7f446b1565d5] 9 0x7f446c7472c2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore20CompositeEditCommand23applyCommandToCompositeEON3WTF3RefIS0_NS1_13DumbPtrTraitsIS0_EEEERKNS_16VisibleSelectionE+0xb4) [0x7f446c7472c2] 10 0x7f446b18444a /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore13TypingCommand28insertTextRunWithoutNewlinesERKN3WTF6StringEb+0xea) [0x7f446b18444a] 11 0x7f446b18a869 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore26TypingCommandLineOperationclEmmb+0x79) [0x7f446b18a869] 12 0x7f446b18b72f /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore19forEachLineInStringINS_26TypingCommandLineOperationEEEvRKN3WTF6StringERKT_+0x8f) [0x7f446b18b72f] 13 0x7f446b18421c /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore13TypingCommand10insertTextERKN3WTF6StringEb+0x40) [0x7f446b18421c] 14 0x7f446b1842d5 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore13TypingCommand32insertTextAndNotifyAccessibilityERKN3WTF6StringEb+0xb5) [0x7f446b1842d5] 15 0x7f446b183aab /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore13TypingCommand7doApplyEv+0x153) [0x7f446b183aab] 16 0x7f446c746cd3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore20CompositeEditCommand5applyEv+0xf5) [0x7f446c746cd3] 17 0x7f446b179d57 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore24TextInsertionBaseCommand25applyTextInsertionCommandEPNS_5FrameERS0_RKNS_16VisibleSelectionES6_+0x67) [0x7f446b179d57] 18 0x7f446b18319e /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore13TypingCommand10insertTextERNS_8DocumentERKN3WTF6StringERKNS_16VisibleSelectionEjNS0_19TextCompositionTypeE+0x342) [0x7f446b18319e] 19 0x7f446b182e54 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore13TypingCommand10insertTextERNS_8DocumentERKN3WTF6StringEjNS0_19TextCompositionTypeE+0xdc) [0x7f446b182e54] 20 0x7f446b12ad33 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xcba2d33) [0x7f446b12ad33] 21 0x7f446b12e62a /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore6Editor7Command7executeERKN3WTF6StringEPNS_5EventE+0xdc) [0x7f446b12e62a] 22 0x7f446af19268 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore8Document11execCommandERKN3WTF6StringEbS4_+0x56) [0x7f446af19268] 23 0x7f4469c27694 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb69f694) [0x7f4469c27694] 24 0x7f4469c411b6 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6b91b6) [0x7f4469c411b6] 25 0x7f4469c27702 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore38jsDocumentPrototypeFunctionExecCommandEPN3JSC14JSGlobalObjectEPNS0_9CallFrameE+0x23) [0x7f4469c27702] 26 0x7f44074fa16b [0x7f44074fa16b] Seems like it's handled safely, so not filing as security-sensitive.