[Webkit-unassigned] [Bug 159411] New: [GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 4 22:56:45 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=159411

            Bug ID: 159411
           Summary: [GTK] Null Node dereference in
                    FrameSelection::notifyAccessibilityForSelectionChange
                    of FrameSelectionAtk.cpp
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Hironori.Fujii at sony.com
                CC: bugs-noreply at webkitgtk.org

[GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp

Tests:

  editing/selection/selection-in-iframe-removed-crash.html

Callstack:

> Thread 1 (Thread 0x7fbed62fea80 (LWP 37487)):
> #0  0x00007fbecfbee28d in (anonymous namespace)::Node::getFlag (this=0x0, mask=(anonymous namespace)::Node::HasRareDataFlag) at ../../Source/WebCore/dom/Node.h:623
> #1  0x00007fbecfbee2b9 in (anonymous namespace)::Node::hasRareData (this=0x0) at ../../Source/WebCore/dom/Node.h:649
> #2  0x00007fbecfbee25e in (anonymous namespace)::Node::renderer (this=0x0) at ../../Source/WebCore/dom/Node.h:430
> #3  0x00007fbed18561d3 in (anonymous namespace)::FrameSelection::notifyAccessibilityForSelectionChange (this=0x7fbeb21be230) at ../../Source/WebCore/editing/atk/FrameSelectionAtk.cpp:95
> #4  0x00007fbed0a37c17 in (anonymous namespace)::FrameSelection::updateAndRevealSelection (this=0x7fbeb21be230, intent=...) at ../../Source/WebCore/editing/FrameSelection.cpp:393
> #5  0x00007fbed0a37a7a in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:354
> #6  0x00007fbed0a407dc in (anonymous namespace)::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x7fbeb21bec08) at ../../Source/WebCore/editing/FrameSelection.cpp:1884
> #7  0x00007fbed0a3782f in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21bec08, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:326
> #8  0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21bec08, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #9  0x00007fbed0a37640 in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21be230, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:289
> #10 0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #11 0x00007fbed0a3654b in (anonymous namespace)::FrameSelection::moveTo (this=0x7fbeb21be230, range=0x7fbeb20ed0c0) at ../../Source/WebCore/editing/FrameSelection.cpp:162
> #12 0x00007fbed0ec679b in (anonymous namespace)::DOMSelection::addRange (this=0x7fbeb20dac08, r=0x7fbeb20ed0c0) at ../../Source/WebCore/page/DOMSelection.cpp:383
> #13 0x00007fbed1c766fd in (anonymous namespace)::jsDOMSelectionPrototypeFunctionAddRange (state=0x7ffc4de671d0) at DerivedSources/WebCore/JSDOMSelection.cpp:521
> #14 0x00007fbe71688028 in ?? ()
> #15 0x00007ffc4de67250 in ?? ()
> #16 0x00007fbec9ac1ba2 in llint_entry () from /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18


Source/WebCore/editing/atk/FrameSelectionAtk.cpp

> RenderObject* focusedNode = m_selection.end().containerNode()->renderer();

containerNode() returns null.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160705/afb4b63c/attachment.html>

More information about the webkit-unassigned mailing list