Repro:

<html><head><script>
function go() {
    document.execCommand("SelectAll", false, "ur");
    document.designMode = "on";
    document.execCommand("InsertOrderedList", false, "-.8");
    document.execCommand("insertparagraph", false, "04");
    document.execCommand("InsertImage", false, "///(");
    document.execCommand("SelectAll", false, "ur");
    document.execCommand("strikethrough", false, null);
}
</script></head><body onload="go()"></body></html>

stack:

chrome.dll!WebCore::Node::shadowAncestorNode
chrome.dll!WebCore::comparePositions
chrome.dll!WebCore::isNodeVisiblyContainedWithin
chrome.dll!WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle
chrome.dll!(unknown)
chrome.dll!WebCore::ApplyStyleCommand::doApply
chrome.dll!WebCore::EditCommand::apply
chrome.dll!WebCore::applyCommand
chrome.dll!WebCore::Editor::applyStyle
chrome.dll!WebCore::executeToggleStyleInList
chrome.dll!WebCore::executeStrikethrough
chrome.dll!WebCore::Editor::Command::execute
chrome.dll!WebCore::Document::execCommand
chrome.dll!WebCore::DocumentInternal::execCommandCallback
...
Created attachment 72242
fixes the bug
Comment on attachment 72242
fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=72242&action=review

> LayoutTests/editing/style/fix-range-from-root-editable-crash.html:7
> + layoutTestController.waitUntilDone();

Does the crash trigger if you don't have the waitUntilDone? I think DRT makes sure that onload runs.

> LayoutTests/editing/style/fix-range-from-root-editable-crash.html:18
> + document.execCommand("SelectAll", false, "ur");
> + document.designMode = "on";
> + document.execCommand("InsertOrderedList", false, "-.8");
> + document.execCommand("insertparagraph", false, "04");
> + document.execCommand("InsertImage", false, "///(");
> + document.execCommand("SelectAll", false, "ur");
> + document.execCommand("strikethrough", false, null);
> + document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS';

Are all these calls necessary?
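Review bot: in the execCommand sequence quoted at fix-range-from-root-editable-crash.html:18, the value arguments "ur", "-.8", "04" and "///(" read as fuzzer output carried over from the original repro, while the strikethrough call already passes null. If the crash does not depend on those values, pass null so the test shows which steps matter. A one-line comment next to the strikethrough call naming the condition under test (startNode is body, as the PASS string says) would also make the intent clear without reading the changelog.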
(In reply to comment #2)
> (From update of attachment 72242)
> View in context: https://bugs.webkit.org/attachment.cgi?id=72242&action=review
>
> > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:7
> > + layoutTestController.waitUntilDone();
>
> Does the crash trigger if you don't have the waitUntilDone? I think DRT makes sure that onload runs.

The test became flaky last time I tried.

> > LayoutTests/editing/style/fix-range-from-root-editable-crash.html:18
> > + document.execCommand("SelectAll", false, "ur");
> > + document.designMode = "on";
> > + document.execCommand("InsertOrderedList", false, "-.8");
> > + document.execCommand("insertparagraph", false, "04");
> > + document.execCommand("InsertImage", false, "///(");
> > + document.execCommand("SelectAll", false, "ur");
> > + document.execCommand("strikethrough", false, null);
> > + document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS';
>
> Are all these calls necessary?

Yes. But everything before the second SelectAll doesn't need to be done in script. So I'll simplify it to:

function go() {
    document.designMode = "on";
    document.execCommand("SelectAll", false, "ur");
    document.execCommand("strikethrough", false, null);
    document.body.innerHTML = 'This tests ApplyStyleCommand::fixRangeAndApplyInlineStyle does not crash when startNode is body.<br>PASS';
    layoutTestController.notifyDone();
}
</script>
</head>
<body onload="go()"><div><img></div></body>
Committed r70821: <http://trac.webkit.org/changeset/70821>