Created attachment 160245 [details]
Demonstrates the bug

<embed>
<div style="overflow:scroll;">
<div style="display:table;"></div>
</div>
<script type="text/javascript">
document.designMode = "on"
document.execCommand("selectall")
document.execCommand("inserttext",false,"iframe")
document.execCommand("selectall")
</script>

0012ee9c 031fbe8a chrome_1c30000!WebCore::CompositeEditCommand::insertNodeAt(class WTF::PassRefPtr<WebCore::Node> insertChild = class WTF::PassRefPtr<WebCore::Node>, class WebCore::Position editingPosition = 0x00000000)+0x47 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 348]
0012ef60 031db893 chrome_1c30000!WebCore::DeleteSelectionCommand::doApply(void)+0x49a [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\deleteselectioncommand.cpp @ 821]
0012ef74 031dc668 chrome_1c30000!WebCore::CompositeEditCommand::applyCommandToComposite(class WTF::PassRefPtr<WebCore::EditCommand> prpCommand = class WTF::PassRefPtr<WebCore::EditCommand>)+0x23 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 257]
0012ef88 032af596 chrome_1c30000!WebCore::CompositeEditCommand::deleteSelection(bool smartDelete = false, bool mergeBlocksAfterDelete = true, bool replace = true, bool expandForSpecialElements = false)+0x48 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 549]
0012f0c0 031db583 chrome_1c30000!WebCore::InsertTextCommand::doApply(void)+0x56 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\inserttextcommand.cpp @ 114]
0012f0d0 031fe325 chrome_1c30000!WebCore::CompositeEditCommand::applyCommandToComposite(class WTF::PassRefPtr<WebCore::CompositeEditCommand> command = class WTF::PassRefPtr<WebCore::CompositeEditCommand>, class WebCore::VisibleSelection selection = 0x051a84b8)+0x43 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 272]
0012f0ec 031ff392 chrome_1c30000!WebCore::TypingCommand::insertTextRunWithoutNewlines(class WTF::String text = 0x051a851c, bool selectInsertedText = false)+0x55 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\typingcommand.cpp @ 385]
0012f108 03200078 chrome_1c30000!WebCore::TypingCommand::insertText(class WTF::String text = 0x051a851c, bool selectInsertedText = false)+0x92 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\typingcommand.cpp @ 370]
0012f118 031dd81b chrome_1c30000!WebCore::TypingCommand::doApply(void)+0xa8 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\typingcommand.cpp @ 285]
0012f128 031df9cb chrome_1c30000!WebCore::CompositeEditCommand::apply(void)+0x6b [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 205]
0012f130 031fff23 chrome_1c30000!WebCore::applyCommand(class WTF::PassRefPtr<WebCore::CompositeEditCommand> command = class WTF::PassRefPtr<WebCore::CompositeEditCommand>)+0xb [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\editing\compositeeditcommand.cpp @ 162]
...

http://crbug.com/121317
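Added example, not part of the bug report or of WebKit/Chromium: a small triage helper that parses WinDbg "kv"-style frames like the ones pasted above, builds a crash signature from the top symbolized frames (so duplicate reports of the same crash can be matched regardless of load address), and flags any argument the debugger printed as a null pointer, which is how the `editingPosition = 0x00000000` in `insertNodeAt` stands out. The sample frames are the first five from the trace above with the `::` and Windows path separators restored; the signature depth of three frames is an assumption of this example, not a Chromium convention.

```javascript
// Added example: parse WinDbg "kv" frames, derive a crash signature, flag NULL args.
// Frame shape: "<ChildEBP> <RetAddr> <module>!<symbol>(<args>)+0x<off> [<file> @ <line>]"
const FRAME_RE =
  /^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+?)!([^(]+)\((.*)\)\+0x([0-9a-f]+)(?: \[(.+) @ (\d+)\])?$/;

// One "type name = value" argument as WinDbg prints it; "(void)" yields no args.
const ARG_RE = /^(.+) (\w+) = (.+)$/;

function parseArgs(text) {
  const t = text.trim();
  if (t === '' || t === 'void') return [];
  return t.split(', ').map((arg) => {
    const m = ARG_RE.exec(arg);
    if (!m) return { type: null, name: null, value: arg, isNull: false };
    const value = m[3];
    return {
      type: m[1].replace(/^(class|struct) /, ''),
      name: m[2],
      value,
      // Pointer-typed values are printed as hex; all zeros means NULL was passed.
      isNull: /^0x0+$/.test(value),
    };
  });
}

function parseFrame(line) {
  const m = FRAME_RE.exec(line.trim());
  if (!m) return null; // "..." continuation lines and other noise are skipped
  return {
    childEbp: m[1],
    retAddr: m[2],
    module: m[3],
    symbol: m[4],
    args: parseArgs(m[5]),
    offset: parseInt(m[6], 16),
    file: m[7] ? m[7].split(/[\\\/]/).pop() : null, // basename only
    line: m[8] ? parseInt(m[8], 10) : null,
  };
}

function parseStack(text) {
  return text.split('\n').map(parseFrame).filter(Boolean);
}

// Signature = top N symbols, module and addresses stripped. Addresses move with
// ASLR and offsets move with every compiler change, so only symbols are stable
// enough to match duplicate reports (depth 3 is this example's assumption).
function crashSignature(frames, depth = 3) {
  return frames.slice(0, depth).map((f) => f.symbol).join(' | ');
}

// Every argument that arrived as NULL, with the frame and source line it belongs to.
function nullArguments(frames) {
  const out = [];
  for (const f of frames) {
    for (const a of f.args) {
      if (a.isNull) out.push({ symbol: f.symbol, name: a.name, file: f.file, line: f.line });
    }
  }
  return out;
}

// Sample input: the first five frames of the trace in the report above.
const SAMPLE_STACK = [
  '0012ee9c 031fbe8a chrome_1c30000!WebCore::CompositeEditCommand::insertNodeAt(class WTF::PassRefPtr<WebCore::Node> insertChild = class WTF::PassRefPtr<WebCore::Node>, class WebCore::Position editingPosition = 0x00000000)+0x47 [c:\\b\\build\\slave\\win\\build\\src\\third_party\\webkit\\source\\webcore\\editing\\compositeeditcommand.cpp @ 348]',
  '0012ef60 031db893 chrome_1c30000!WebCore::DeleteSelectionCommand::doApply(void)+0x49a [c:\\b\\build\\slave\\win\\build\\src\\third_party\\webkit\\source\\webcore\\editing\\deleteselectioncommand.cpp @ 821]',
  '0012ef74 031dc668 chrome_1c30000!WebCore::CompositeEditCommand::applyCommandToComposite(class WTF::PassRefPtr<WebCore::EditCommand> prpCommand = class WTF::PassRefPtr<WebCore::EditCommand>)+0x23 [c:\\b\\build\\slave\\win\\build\\src\\third_party\\webkit\\source\\webcore\\editing\\compositeeditcommand.cpp @ 257]',
  '0012ef88 032af596 chrome_1c30000!WebCore::CompositeEditCommand::deleteSelection(bool smartDelete = false, bool mergeBlocksAfterDelete = true, bool replace = true, bool expandForSpecialElements = false)+0x48 [c:\\b\\build\\slave\\win\\build\\src\\third_party\\webkit\\source\\webcore\\editing\\compositeeditcommand.cpp @ 549]',
  '0012f0c0 031db583 chrome_1c30000!WebCore::InsertTextCommand::doApply(void)+0x56 [c:\\b\\build\\slave\\win\\build\\src\\third_party\\webkit\\source\\webcore\\editing\\inserttextcommand.cpp @ 114]',
  '...',
].join('\n');

function triage(text = SAMPLE_STACK) {
  const frames = parseStack(text);
  return { frames, signature: crashSignature(frames), nulls: nullArguments(frames) };
}

console.log(JSON.stringify(triage(), null, 2));
```

Run it under node; the `nulls` entry points at `WebCore::CompositeEditCommand::insertNodeAt` with `editingPosition` null at `compositeeditcommand.cpp` line 348, i.e. the frame a fixer would start from, and the signature is what you would key a duplicate search on.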
Fixed in blink: https://chromium.googlesource.com/chromium/blink/+/a40b08d61349f7cafe30322d27922277253c4ec5
@rniwa - this test case does not seem to crash when changed to JSFiddle. Does it need to be in Debug mode to crash, or are there some specific steps? Also, this change seems not to be merged in WebKit. Thanks!
Yeah, this is config changed.