| Summary: | [GTK] New editing/selection/selection-in-iframe-removed-crash.html asserts | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Ádám Kallai <kadam> |
| Component: | Tools / Tests | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | bugs-noreply, leviw, mcatanzaro, ossy, rhodovan.u-szeged, rniwa, szledan, webkit-bug-importer, zan |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | |||
| Bug Blocks: | 79668, 87008 | ||
|
Description
Ádám Kallai
2013-03-05 09:42:17 PST
editing/selection/selection-in-iframe-removed-crash.html introduced in r144400 and https://bugs.webkit.org/show_bug.cgi?id=108696 is a security bug, so maybe it is a security issue too. It would be great to have a gdb backtrace. Also see https://bugs.webkit.org/show_bug.cgi?id=111521. Even though the title says it's about selection-invalid-offset, the crash is happening in selection-in-iframe-removed-crash.html. (In reply to comment #2) > It would be great to have a gdb backtrace. Below you have the backtrace on Qt. It crashes both with DRT and QtTestBrowser, however while DRT crashes right after the start, QtTestBrowser does so only after a refresh. #0 0x00007ffff4253e5c in WebCore::comparePositions (a=..., b=...) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/htmlediting.cpp:78 #1 0x00007ffff4295d19 in WebCore::VisibleSelection::toNormalizedRange (this=0x7a3de8) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/VisibleSelection.cpp:173 #2 0x00007ffff3a8f941 in WebCore::FrameSelection::toNormalizedRange (this=0x7a3dc0) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.h:205 #3 0x00007ffff3a976bf in WebCore::EditorClientQt::respondToChangedSelection (this=0x75ff20, frame=0x7a3790) at /home/reni/Data/REPOS/webkit/Source/WebKit/qt/WebCoreSupport/EditorClientQt.cpp:209 #4 0x00007ffff423329a in WebCore::Editor::notifyComponentsOnChangedSelection (this=0x7a3d00, oldSelection=..., options=6) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/Editor.cpp:540 #5 0x00007ffff423ffe5 in WebCore::Editor::respondToChangedSelection (this=0x7a3d00, oldSelection=..., options=6) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/Editor.cpp:2991 #6 0x00007ffff424c0a1 in WebCore::FrameSelection::setSelection (this=0x7a3dc0, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:330 #7 0x00007ffff4251cd3 in WebCore::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x8fc710) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:1611 #8 0x00007ffff424c062 in WebCore::FrameSelection::setSelection (this=0x8fc710, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:328 #9 0x00007ffff424be91 in WebCore::FrameSelection::setSelection (this=0x7a3dc0, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:284 #10 0x00007ffff45d2fbf in WebCore::DOMSelection::addRange (this=0x691710, r=0x905cc0) at /home/reni/Data/REPOS/webkit/Source/WebCore/page/DOMSelection.cpp:395 #11 0x00007ffff5086ece in WebCore::jsDOMSelectionPrototypeFunctionAddRange (exec=0x7fffe43630e8) at generated/JSDOMSelection.cpp:456 There are no references to this bug in any TestExpectations. It's probable this bug was solved at some point but it wasn't marked as closed. I'm closing this bug now. If you think this bug report is still valid, please reopen it and add an entry to TestExpectations. |