[Webkit-unassigned] [Bug 225795] REGRESSION(r277425): Crash in FrameSelection::selectFrameElementInParentIfFullySelected

Fri May 14 00:48:56 PDT 2021

https://bugs.webkit.org/show_bug.cgi?id=225795

--- Comment #8 from Frédéric Wang (:fredw) <fred.wang at free.fr> ---
(In reply to Fujii Hironori from comment #6)
> (In reply to Frédéric Wang (:fredw) from comment #5)
> > (In reply to Fujii Hironori from comment #0)
> > > > void FrameSelection::selectFrameElementInParentIfFullySelected()
> > > > {
> > > >     // Find the parent frame; if there is none, then we have nothing to do.
> > > >     Frame* parent = m_document->frame()->tree().parent();
> > > 
> > > m_document->frame()->tree() returned null.
> > 
> > mmh, this is not a pointer and its lifetime is the same as Frame. Isn't the
> > problem that m_document->frame() is nullptr? That would be more consistent
> > with comment 1...
> 
> Yes, m_document->frame() was nullptr.

OK that makes more sense.

> > Do you hit a debug failure if you add
> > 
> > ASSERT(m_document->frame()); at
> > 
> > https://webkit-search.igalia.com/webkit/rev/
> > 62e5b564774e1365c69e8a92909b0c6e340a27b9/Source/WebCore/editing/
> > FrameSelection.cpp#379
> > 
> > ?
> 
> Yes, it hit.

Thanks.

> 
> > If so, what are the values of the selection* booleans? And what about
> > m_document/newSelection.document()/newSelection.document()->frame()?
> 
> selection* booleans were all false.
> m_document were non-null.
> m_anchor, m_focus and m_base of newSelection were empty.

OK, r277425 was claiming selectionEndpointsBelongToMultipleDocuments || selectionIsInAnotherDocument || selectionIsInDetachedDocument is equivalent to !m_document->frame(), can you investigate/explain why this is not the case?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210514/e882cc33/attachment.htm>