[GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp

Tests:
  editing/selection/selection-in-iframe-removed-crash.html

Callstack:

> Thread 1 (Thread 0x7fbed62fea80 (LWP 37487)):
> #0 0x00007fbecfbee28d in (anonymous namespace)::Node::getFlag (this=0x0, mask=(anonymous namespace)::Node::HasRareDataFlag) at ../../Source/WebCore/dom/Node.h:623
> #1 0x00007fbecfbee2b9 in (anonymous namespace)::Node::hasRareData (this=0x0) at ../../Source/WebCore/dom/Node.h:649
> #2 0x00007fbecfbee25e in (anonymous namespace)::Node::renderer (this=0x0) at ../../Source/WebCore/dom/Node.h:430
> #3 0x00007fbed18561d3 in (anonymous namespace)::FrameSelection::notifyAccessibilityForSelectionChange (this=0x7fbeb21be230) at ../../Source/WebCore/editing/atk/FrameSelectionAtk.cpp:95
> #4 0x00007fbed0a37c17 in (anonymous namespace)::FrameSelection::updateAndRevealSelection (this=0x7fbeb21be230, intent=...) at ../../Source/WebCore/editing/FrameSelection.cpp:393
> #5 0x00007fbed0a37a7a in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:354
> #6 0x00007fbed0a407dc in (anonymous namespace)::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x7fbeb21bec08) at ../../Source/WebCore/editing/FrameSelection.cpp:1884
> #7 0x00007fbed0a3782f in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21bec08, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:326
> #8 0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21bec08, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #9 0x00007fbed0a37640 in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21be230, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:289
> #10 0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #11 0x00007fbed0a3654b in (anonymous namespace)::FrameSelection::moveTo (this=0x7fbeb21be230, range=0x7fbeb20ed0c0) at ../../Source/WebCore/editing/FrameSelection.cpp:162
> #12 0x00007fbed0ec679b in (anonymous namespace)::DOMSelection::addRange (this=0x7fbeb20dac08, r=0x7fbeb20ed0c0) at ../../Source/WebCore/page/DOMSelection.cpp:383
> #13 0x00007fbed1c766fd in (anonymous namespace)::jsDOMSelectionPrototypeFunctionAddRange (state=0x7ffc4de671d0) at DerivedSources/WebCore/JSDOMSelection.cpp:521
> #14 0x00007fbe71688028 in ?? ()
> #15 0x00007ffc4de67250 in ?? ()
> #16 0x00007fbec9ac1ba2 in llint_entry () from /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18

Source/WebCore/editing/atk/FrameSelectionAtk.cpp

> RenderObject* focusedNode = m_selection.end().containerNode()->renderer();

containerNode() returns null.

Created attachment 282749
Patch

Comment on attachment 282749
Patch

Excellent! Thank you.

Comment on attachment 282749
Patch

Clearing flags on attachment: 282749

Committed r202814: <http://trac.webkit.org/changeset/202814>

All reviewed patches have been landed. Closing bug.