When Mail is run against WebKit r56989 or newer attempting to delete a block level element via the block deletion UI will crash. This can be reproduced by doing the following: 1) Run Mail against ToT WebKit. 2) Reply to a webkit-changes email message. 3) Place the caret in a diff hunk so that the block deletion UI appears. 4) Click on the delete button. You’ll see a crash like so: Thread 0 Crashed: 0 com.apple.WebCore 0x00000001008f9118 WebCore::Position::isCandidate() const + 16 (PositionIterator.h:49) 1 com.apple.WebCore 0x0000000100901728 WebCore::Frame::styleForSelectionStart(WebCore::Node*&) const + 196 (Frame.cpp:1305) 2 com.apple.WebCore 0x0000000100901542 WebCore::Editor::fontForSelection(bool&) const + 52 (Editor.cpp:411) 3 com.apple.WebKit 0x0000000100461f6a -[WebHTMLView(WebInternal) _updateFontPanel] + 170 (WebHTMLView.mm:5042) 4 com.apple.WebKit 0x00000001004649aa -[WebHTMLView(WebInternal) _selectionChanged] + 42 (WebHTMLView.mm:5022) 5 com.apple.WebKit 0x000000010046475e WebEditorClient::respondToChangedSelection() + 28 (WebEditorClient.mm:284) 6 com.apple.WebCore 0x00000001009014f1 WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&) + 69 (OwnPtr.h:63) 7 com.apple.WebCore 0x00000001008fe05d WebCore::Frame::respondToChangedSelection(WebCore::VisibleSelection const&, bool) + 1525 (Frame.cpp:1745) 8 com.apple.WebCore 0x0000000100f58c23 WebCore::SelectionController::setSelection(WebCore::VisibleSelection const&, bool, bool, bool, WebCore::TextGranularity) + 395 (SelectionController.cpp:162)
r56989 was a change related to bug 36741.
*** Bug 37119 has been marked as a duplicate of this bug. ***
Created attachment 52596 [details] Roll out r56989
Created attachment 52597 [details] Test case
Landed in r57110 and r57111.
http://trac.webkit.org/changeset/57110 might have broken SnowLeopard Intel Release (Tests)
http://trac.webkit.org/changeset/57111 might have broken SnowLeopard Intel Release (Tests)