<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp"
   href="https://bugs.webkit.org/show_bug.cgi?id=159411">159411</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebKit Gtk
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>Hironori.Fujii&#64;sony.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>bugs-noreply&#64;webkitgtk.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>[GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp

Tests:

  editing/selection/selection-in-iframe-removed-crash.html

Callstack:

<span class="quote">&gt; Thread 1 (Thread 0x7fbed62fea80 (LWP 37487)):
&gt; #0  0x00007fbecfbee28d in (anonymous namespace)::Node::getFlag (this=0x0, mask=(anonymous namespace)::Node::HasRareDataFlag) at ../../Source/WebCore/dom/Node.h:623
&gt; #1  0x00007fbecfbee2b9 in (anonymous namespace)::Node::hasRareData (this=0x0) at ../../Source/WebCore/dom/Node.h:649
&gt; #2  0x00007fbecfbee25e in (anonymous namespace)::Node::renderer (this=0x0) at ../../Source/WebCore/dom/Node.h:430
&gt; #3  0x00007fbed18561d3 in (anonymous namespace)::FrameSelection::notifyAccessibilityForSelectionChange (this=0x7fbeb21be230) at ../../Source/WebCore/editing/atk/FrameSelectionAtk.cpp:95
&gt; #4  0x00007fbed0a37c17 in (anonymous namespace)::FrameSelection::updateAndRevealSelection (this=0x7fbeb21be230, intent=...) at ../../Source/WebCore/editing/FrameSelection.cpp:393
&gt; #5  0x00007fbed0a37a7a in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:354
&gt; #6  0x00007fbed0a407dc in (anonymous namespace)::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x7fbeb21bec08) at ../../Source/WebCore/editing/FrameSelection.cpp:1884
&gt; #7  0x00007fbed0a3782f in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21bec08, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:326
&gt; #8  0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21bec08, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
&gt; #9  0x00007fbed0a37640 in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21be230, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:289
&gt; #10 0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
&gt; #11 0x00007fbed0a3654b in (anonymous namespace)::FrameSelection::moveTo (this=0x7fbeb21be230, range=0x7fbeb20ed0c0) at ../../Source/WebCore/editing/FrameSelection.cpp:162
&gt; #12 0x00007fbed0ec679b in (anonymous namespace)::DOMSelection::addRange (this=0x7fbeb20dac08, r=0x7fbeb20ed0c0) at ../../Source/WebCore/page/DOMSelection.cpp:383
&gt; #13 0x00007fbed1c766fd in (anonymous namespace)::jsDOMSelectionPrototypeFunctionAddRange (state=0x7ffc4de671d0) at DerivedSources/WebCore/JSDOMSelection.cpp:521
&gt; #14 0x00007fbe71688028 in ?? ()
&gt; #15 0x00007ffc4de67250 in ?? ()
&gt; #16 0x00007fbec9ac1ba2 in llint_entry () from /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18</span >


Source/WebCore/editing/atk/FrameSelectionAtk.cpp

<span class="quote">&gt; RenderObject* focusedNode = m_selection.end().containerNode()-&gt;renderer();</span >

containerNode() returns null.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>