Created attachment 41060
Repro

Repro:

<HTML>
<BODY onload="go()"></BODY>
<SCRIPT>
function go() {
  document.execCommand("selectall");
  document.designMode="on";
  document.execCommand("insertimage");
  document.execCommand("indent");
  setTimeout(go, 1);
}
</SCRIPT>
</HTML>

1st ASSERT: "start == end" in WebCore::CompositeEditCommand::splitTreeToNode

PassRefPtr<Node> CompositeEditCommand::splitTreeToNode(Node* start, Node* end, bool splitAncestor)
{
    ASSERT(start != end);

2nd ASSERT: "this == 0" and NULL ptr read AV in WebCore::Node::document

Document* document() const
{
    ASSERT(this);
    ASSERT(m_document || (nodeType() == DOCUMENT_TYPE_NODE && !inDocument()));
The GoogleBug keyword indicates that this affects a Google web property. Did you mean to add that keyword?
<rdar://problem/7296904>
Sorry, could you define "Google web property"? I used the label because this affects Google Chrome. I have been filing all WebKit bugs with this label if they affect Google Chrome for a long time - is that incorrect?
The keyword is intended to indicate that the bug impacts a Google site like Gmail, Google Docs, etc.
This bug is caused by indentIntoBlockquote's trying to insert a blockquote before the body element. This might be an issue with startOfParagraph because it's returning the body element when VS points at an image, which is the first child of body. This causes outerBlock = start.node() = nodeToSplitTo to be the root editable element. Obviously, inserting an element before the root editable element isn't right, not to mention before the body element. Justin, Enrica, Eric: Do you know if startOfParagraph should ever return body? I don't think this makes any sense.
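Added example, not WebKit code and not from anyone in this thread: a minimal tree model of the situation the comment above describes. The editable root (body) has an inline image as its first child, so a naive "start of paragraph" walk upward from the caret lands on the root itself. The guard in blockToSplitTo refuses to treat the root as the element to split to, and indent falls back to wrapping the inline run inside the root instead of inserting a blockquote before it. Node shape, tag set and function names are assumptions of this model.

```javascript
// Added model (assumption: not WebCore's real DOM or editing code).
// Tags treated as paragraph-level blocks in this toy tree.
const BLOCK_TAGS = new Set(['body', 'div', 'p', 'blockquote', 'li']);

function makeNode(tag, children = []) {
  const node = { tag, children, parent: null };
  for (const c of children) c.parent = node;
  return node;
}

// Nearest enclosing block of `node`, including `node` itself.
function enclosingBlock(node) {
  for (let n = node; n; n = n.parent) {
    if (BLOCK_TAGS.has(n.tag)) return n;
  }
  return null;
}

// Model of startOfParagraph: the paragraph containing a position at `node`
// is its nearest enclosing block. With <img> as the first child of <body>,
// this is <body> itself, which is the case the comment above points at.
function startOfParagraphNode(node) {
  return enclosingBlock(node);
}

function isDescendant(node, ancestor) {
  for (let n = node.parent; n; n = n.parent) {
    if (n === ancestor) return true;
  }
  return false;
}

// Block to split to when indenting, or null when the paragraph start resolves
// to the editable root (or lies outside it). Inserting before the root is the
// step that must never happen, so the caller has to take another path.
function blockToSplitTo(caretNode, rootEditable) {
  const outerBlock = startOfParagraphNode(caretNode);
  if (!outerBlock || outerBlock === rootEditable) return null; // guard
  if (!isDescendant(outerBlock, rootEditable)) return null;    // guard
  return outerBlock;
}

// Replace `oldChild` in its parent with a new blockquote wrapping it.
function wrapInBlockquote(oldChild) {
  const parent = oldChild.parent;
  const bq = makeNode('blockquote', []);
  parent.children.splice(parent.children.indexOf(oldChild), 1, bq);
  bq.parent = parent;
  bq.children.push(oldChild);
  oldChild.parent = bq;
  return bq;
}

// Indent the paragraph at `caretNode`. Returns true on success, false when
// the caret is not inside the editable root at all.
function indent(caretNode, rootEditable) {
  const target = blockToSplitTo(caretNode, rootEditable);
  if (target) {
    wrapInBlockquote(target);
    return true;
  }
  // Fallback: the paragraph start is the root itself, so wrap the topmost
  // inline ancestor that is a direct child of the root, staying inside it.
  let top = caretNode;
  while (top.parent !== rootEditable) {
    if (!top.parent) return false;
    top = top.parent;
  }
  wrapInBlockquote(top);
  return true;
}

// Serialize the toy tree for inspection, e.g. <body><blockquote><img></img></blockquote></body>
function serialize(node) {
  return '<' + node.tag + '>' + node.children.map(serialize).join('') + '</' + node.tag + '>';
}

// Build the repro's shape: an image as the first child of the editable body.
function reproCase() {
  const img = makeNode('img');
  const body = makeNode('body', [img]);
  const startIsRoot = startOfParagraphNode(img) === body;
  const guarded = blockToSplitTo(img, body) === null;
  indent(img, body);
  return { startIsRoot, guarded, tree: serialize(body), rootStillTopLevel: body.parent === null };
}
```

reproCase() shows the two facts from the comment in one place: the paragraph start for the image is the body itself, and the guard returns null for it, so the blockquote ends up inside body rather than in front of it.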
This crash no longer reproduces.