Created attachment 52721 [details] A QtWebKit test program for the crash Using this snippet of CSS as the user CSS: * { -webkit-user-select: none !important; } *[contenteditable], *[contenteditable=true] { -webkit-user-select: text !important; } and the rich text tests of browserscope at http://www.browserscope.org/richtext/test makes WebKit crash with a backtrace like #0 0xb6d98c39 in WebCore::ApplyStyleCommand::splitTextElementAtEndIfNeeded(WebCore::Position const&, WebCore::Position const&) () from WebKitBuild/Release/lib/libQtWebKit.so.4 #1 0xb6da1aa8 in WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::CSSMutableStyleDeclaration*) () from WebKitBuild/Release/lib/libQtWebKit.so.4 #2 0xb6da36c3 in WebCore::ApplyStyleCommand::doApply() () from WebKitBuild/Release/lib/libQtWebKit.so.4 #3 0xb6dba7e2 in WebCore::EditCommand::apply() () from WebKitBuild/Release/lib/libQtWebKit.so.4 #4 0xb6dbd2df in WebCore::Editor::applyStyle(WebCore::CSSStyleDeclaration*, WebCore::EditAction) () from WebKitBuild/Release/lib/libQtWebKit.so.4 #5 0xb6dc70d4 in WebCore::applyCommandToFrame(WebCore::Frame*, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSMutableStyleDeclaration*) () from WebKitBuild/Release/lib/libQtWebKit.so.4 #6 0xb6dc9735 in WebCore::executeApplyStyle(WebCore::Frame*, WebCore::EditorCommandSource, WebCore::EditAction, int, WebCore::String const&) () from WebKitBuild/Release/lib/libQtWebKit.so.4 #7 0xb6dc6fbe in WebCore::Editor::Command::execute(WebCore::String const&, WebCore::Event*) const () from WebKitBuild/Release/lib/libQtWebKit.so.4 #8 0xb6d2e7f9 in WebCore::Document::execCommand(WebCore::String const&, bool, WebCore::String const&) () from WebKitBuild/Release/lib/libQtWebKit.so.4 #9 0xb68c1a58 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*, JSC::JSObject*, JSC::JSValue, JSC::ArgList const&) ()