Created attachment 71511
demo

Crash occurs when removing format from:

<div style="display: table; position: absolute;">
<div contenteditable style="display: table-cell;"><br>hello<br></div>
</div>

#0 0x10159164a in WebCore::CompositeEditCommand::insertNodeAt at CompositeEditCommand.cpp:161
#1 0x1019faeb4 in WebCore::InsertTextCommand::prepareForTextInsertion at InsertTextCommand.cpp:63
#2 0x1019fb42e in WebCore::InsertTextCommand::input at InsertTextCommand.cpp:167
#3 0x101592149 in WebCore::CompositeEditCommand::inputText at CompositeEditCommand.cpp:313
#4 0x101e26735 in WebCore::RemoveFormatCommand::doApply at RemoveFormatCommand.cpp:83

http://crbug.com/53392
This seems to be a bug in TextIterator. When we apply typing style back at the end of InsertLineBreakCommand, which is called by inputText, we end up moving the selection to the outer non-editable div. So when inputText calls InsertTextCommand::input, the selection is outside of the editable region and results in an assertion failure.
This bug is no longer reproducible on TOT WebKit because of http://trac.webkit.org/changeset/70283. I keep this bug open because the bug that caused this crash still exists in TextIterator.
Would it make sense to file a new bug for the remaining issue?
At this point, I don't even remember what this bug was.