Created attachment 140798 [details] Layout test to reproduce problem Attempting to get the insertion point line number of a readonly textarea that happens to be at the top of the document causes an assertion failure in dom/Position.cpp:95. See full stack track and attached layout test to reproduce. Crash is easy to reproduce using both Mac and Chromium ports. I think the problem is when AccessibilityObject::lineForPosition calls previousLinePosition with a visible position that's already essentially the topmost visible position in the document. I'm not familiar enough with the visible position code to know what the right fix should be. Should previousLinePosition be returning the equivalent of null, or should AccessibilityObject be checking some conditions before calling previousLinePosition? ASSERTION FAILED: !((anchorType == PositionIsBeforeChildren || anchorType == PositionIsAfterChildren) && (m_anchorNode->isTextNode() || editingIgnoresContent(m_anchorNode.get()))) /Users/dmazzoni/src/WebKit/Source/WebCore/dom/Position.cpp(95) : WebCore::Position::Position(WTF::PassRefPtr<WebCore::Node>, WebCore::Position::AnchorType) 1 0x101545762 WebCore::firstPositionInNode(WebCore::Node*) 2 0x101c88293 WebCore::previousLinePosition(WebCore::VisiblePosition const&, int, WebCore::EditableType) 3 0x10149d67e WebCore::AccessibilityObject::lineForPosition(WebCore::VisiblePosition const&) const 4 0x101ca1fb7 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] 5 0x100008e26 AccessibilityUIElement::insertionPointLineNumber() 6 0x1000038b4 getInsertionPointLineNumberCallback(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSString*, OpaqueJSValue const**)