Bug 111451 - [GTK] New editing/selection/selection-in-iframe-removed-crash.html asserts
Summary: [GTK] New editing/selection/selection-in-iframe-removed-crash.html asserts
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 79668 87008
Reported: 2013-03-05 09:42 PST by Ádám Kallai
Modified: 2017-03-11 11:15 PST
CC: 8 users

See Also:


Attachments

Comment 1 Csaba Osztrogonác 2013-03-06 08:36:19 PST
editing/selection/selection-in-iframe-removed-crash.html was introduced in r144400, and https://bugs.webkit.org/show_bug.cgi?id=108696 is a security bug, so maybe it is a security issue too.
Comment 2 Csaba Osztrogonác 2013-03-06 08:37:11 PST
It would be great to have a gdb backtrace.
Comment 3 Ryosuke Niwa 2013-03-06 12:02:31 PST
Also see https://bugs.webkit.org/show_bug.cgi?id=111521. Even though the title says it's about selection-invalid-offset, the crash is happening in selection-in-iframe-removed-crash.html.
Comment 4 Renata Hodovan 2013-03-07 00:59:37 PST
(In reply to comment #2)
> It would be great to have a gdb backtrace.

Below you have the backtrace on Qt. It crashes both with DRT and QtTestBrowser; however, while DRT crashes right after the start, QtTestBrowser does so only after a refresh.

#0  0x00007ffff4253e5c in WebCore::comparePositions (a=..., b=...) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/htmlediting.cpp:78
#1  0x00007ffff4295d19 in WebCore::VisibleSelection::toNormalizedRange (this=0x7a3de8)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/VisibleSelection.cpp:173
#2  0x00007ffff3a8f941 in WebCore::FrameSelection::toNormalizedRange (this=0x7a3dc0)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.h:205
#3  0x00007ffff3a976bf in WebCore::EditorClientQt::respondToChangedSelection (this=0x75ff20, frame=0x7a3790)
    at /home/reni/Data/REPOS/webkit/Source/WebKit/qt/WebCoreSupport/EditorClientQt.cpp:209
#4  0x00007ffff423329a in WebCore::Editor::notifyComponentsOnChangedSelection (this=0x7a3d00, oldSelection=..., options=6)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/Editor.cpp:540
#5  0x00007ffff423ffe5 in WebCore::Editor::respondToChangedSelection (this=0x7a3d00, oldSelection=..., options=6)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/Editor.cpp:2991
#6  0x00007ffff424c0a1 in WebCore::FrameSelection::setSelection (this=0x7a3dc0, newSelection=..., options=6, 
    align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:330
#7  0x00007ffff4251cd3 in WebCore::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x8fc710)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:1611
#8  0x00007ffff424c062 in WebCore::FrameSelection::setSelection (this=0x8fc710, newSelection=..., options=6, 
    align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:328
#9  0x00007ffff424be91 in WebCore::FrameSelection::setSelection (this=0x7a3dc0, newSelection=..., options=6, 
    align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/FrameSelection.cpp:284
#10 0x00007ffff45d2fbf in WebCore::DOMSelection::addRange (this=0x691710, r=0x905cc0) at /home/reni/Data/REPOS/webkit/Source/WebCore/page/DOMSelection.cpp:395
#11 0x00007ffff5086ece in WebCore::jsDOMSelectionPrototypeFunctionAddRange (exec=0x7fffe43630e8) at generated/JSDOMSelection.cpp:456