[Webkit-unassigned] [Bug 159341] New: [GTK] Null WebCore::Range deference in WebEditorClient::updateGlobalSelection

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 1 04:00:45 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=159341

            Bug ID: 159341
           Summary: [GTK] Null WebCore::Range deference in
                    WebEditorClient::updateGlobalSelection
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Hironori.Fujii at sony.com
                CC: bugs-noreply at webkitgtk.org

Following tests crash with same callstack:

  editing/input/set-value-on-input-and-delete.html
  editing/selection/selection-in-iframe-removed-crash.html
  imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html
  imported/w3c/web-platform-tests/html/semantics/forms/textfieldselection/selection-after-content-change.html
  imported/w3c/web-platform-tests/html/semantics/forms/textfieldselection/selection-not-application-textarea.html
  imported/w3c/web-platform-tests/html/semantics/forms/textfieldselection/selection-not-application.html

Callstack:

> #0  0x00007fbe5f48e11c in WTF::RefPtr<WebCore::Node>::get (this=0x10) at ../../Source/WTF/wtf/RefPtr.h:64
> #1  0x00007fbe5f7f990a in (anonymous namespace)::RangeBoundaryPoint::container (this=0x10)
>     at ../../Source/WebCore/dom/RangeBoundaryPoint.h:83
> #2  0x00007fbe5f7f9928 in (anonymous namespace)::Range::startContainer (this=0x0) at ../../Source/WebCore/dom/Range.h:61
> #3  0x00007fbe6023f956 in (anonymous namespace)::Range::text (this=0x0) at ../../Source/WebCore/dom/Range.cpp:891
> #4  0x00007fbe5f9c0671 in (anonymous namespace)::WebEditorClient::updateGlobalSelection (this=0x5cf840, frame=0x7fbe40da2000)
>     at ../../Source/WebKit2/WebProcess/WebCoreSupport/gtk/WebEditorClientGtk.cpp:180
> #5  0x00007fbe5f7cbd8d in (anonymous namespace)::WebEditorClient::respondToChangedSelection (this=0x5cf840, frame=0x7fbe40da2000)
>     at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebEditorClient.cpp:195
> #6  0x00007fbe602e63a9 in (anonymous namespace)::Editor::respondToChangedSelection (this=0x7fbe40da1000, options=6)
>     at ../../Source/WebCore/editing/Editor.cpp:3320
> #7  0x00007fbe602f7435 in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbe40dbf230, 
>     newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, 
>     granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:327
> #8  0x00007fbe602f756f in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbe40dbf230, selection=..., options=6, 
>     intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, 
>     granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #9  0x00007fbe603003b4 in (anonymous namespace)::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x7fbe40dbfaf0)
>     at ../../Source/WebCore/editing/FrameSelection.cpp:1884
> #10 0x00007fbe602f7407 in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbe40dbfaf0, 
>     newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, 
>     granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:326
> #11 0x00007fbe602f756f in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbe40dbfaf0, selection=..., options=6, 
>     intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, 
>     granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #12 0x00007fbe602f7218 in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbe40dbf230, 
>     newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, 
>     granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:289
> #13 0x00007fbe602f756f in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbe40dbf230, selection=..., options=6, 
>     intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, 
>     granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #14 0x00007fbe602f6123 in (anonymous namespace)::FrameSelection::moveTo (this=0x7fbe40dbf230, range=0x7fbe40d3ec00)
>     at ../../Source/WebCore/editing/FrameSelection.cpp:162
> #15 0x00007fbe607870dd in (anonymous namespace)::DOMSelection::addRange (this=0x7fbe40cd8e60, r=0x7fbe40d3ec00)
>     at ../../Source/WebCore/page/DOMSelection.cpp:383
> #16 0x00007fbe61542db1 in (anonymous namespace)::jsDOMSelectionPrototypeFunctionAddRange (state=0x7ffe9af9e200)
>     at DerivedSources/WebCore/JSDOMSelection.cpp:521
> #17 0x00007fbe00288028 in ?? ()
> #18 0x00007ffe9af9e280 in ?? ()
> #19 0x00007fbe5931e48b in llint_entry () from /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
> Backtrace stopped: frame did not save the PC

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160701/af1abdd1/attachment.html>

More information about the webkit-unassigned mailing list