Detailed report: https://cluster-fuzz.appspot.com/testcase?key=15992978
Uploader: skylined@chromium.org
Crash Type: UNKNOWN
Crash Address: 0x000000000024
Crash State:
  - crash stack -
  WebCore::Range::getBorderAndTextQuads
  WebCore::Range::boundingRect
  WebCore::Range::getBoundingClientRect
Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881
Minimized Testcase (1.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94sYtyY7GIxx6IaywhcjimvW1hTKDKblRUvsoU_E-sx8mxItU3CF_jlHEjEXOcSHtmTFe8pDGTsyjWWbllly3tEyYJmA9eIInB-90Z3cIcfU8oY935-hLScNr7EbUCRsFBWHrp6QmbtpR9NJgNeo1SvnfJnXw
Simplified reduction:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<style></style>
<script>
<![CDATA[
window.onload = function () {
  // Select the whole document so the selection holds a live Range.
  document.execCommand("SelectAll", false);
  var range = null;
  // This mutation listener runs while extractContents() is removing nodes,
  // and captures the selection's Range in the middle of that mutation.
  document.addEventListener("DOMNodeRemovedFromDocument", function () {
    range = getSelection().getRangeAt(0);
  }, true);
  getSelection().getRangeAt(0).extractContents();
  // Geometry query on the Range captured mid-mutation; this is the
  // Range::getBoundingClientRect frame in the crash stack above.
  range.getBoundingClientRect();
}
]]>
</script>
<input/>
</html>
Created attachment 139520: Fixes the crash
Comment on attachment 139520 (Fixes the crash):
Seems totally reasonable.
Comment on attachment 139520 (Fixes the crash):
Clearing flags on attachment: 139520
Committed r115686: <http://trac.webkit.org/changeset/115686>
All reviewed patches have been landed. Closing bug.