159411 – [GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp

Bug 159411 - [GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp

Summary: [GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectio...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKitGTK (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-07-04 22:56 PDT by Fujii Hironori
Modified:	2016-07-23 14:06 PDT (History)
CC List:	2 users (show)

See Also:	153060

Attachments
Patch (3.53 KB, patch) 2016-07-04 23:08 PDT, Fujii Hironori	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fujii Hironori 2016-07-04 22:56:45 PDT

[GTK] Null Node dereference in FrameSelection::notifyAccessibilityForSelectionChange of FrameSelectionAtk.cpp

Tests:

  editing/selection/selection-in-iframe-removed-crash.html

Callstack:

> Thread 1 (Thread 0x7fbed62fea80 (LWP 37487)):
> #0  0x00007fbecfbee28d in (anonymous namespace)::Node::getFlag (this=0x0, mask=(anonymous namespace)::Node::HasRareDataFlag) at ../../Source/WebCore/dom/Node.h:623
> #1  0x00007fbecfbee2b9 in (anonymous namespace)::Node::hasRareData (this=0x0) at ../../Source/WebCore/dom/Node.h:649
> #2  0x00007fbecfbee25e in (anonymous namespace)::Node::renderer (this=0x0) at ../../Source/WebCore/dom/Node.h:430
> #3  0x00007fbed18561d3 in (anonymous namespace)::FrameSelection::notifyAccessibilityForSelectionChange (this=0x7fbeb21be230) at ../../Source/WebCore/editing/atk/FrameSelectionAtk.cpp:95
> #4  0x00007fbed0a37c17 in (anonymous namespace)::FrameSelection::updateAndRevealSelection (this=0x7fbeb21be230, intent=...) at ../../Source/WebCore/editing/FrameSelection.cpp:393
> #5  0x00007fbed0a37a7a in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:354
> #6  0x00007fbed0a407dc in (anonymous namespace)::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x7fbeb21bec08) at ../../Source/WebCore/editing/FrameSelection.cpp:1884
> #7  0x00007fbed0a3782f in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21bec08, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:326
> #8  0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21bec08, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #9  0x00007fbed0a37640 in (anonymous namespace)::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x7fbeb21be230, newSelectionPossiblyWithoutDirection=..., options=6, align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:289
> #10 0x00007fbed0a37997 in (anonymous namespace)::FrameSelection::setSelection (this=0x7fbeb21be230, selection=..., options=6, intent=..., align=(anonymous namespace)::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=(anonymous namespace)::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:335
> #11 0x00007fbed0a3654b in (anonymous namespace)::FrameSelection::moveTo (this=0x7fbeb21be230, range=0x7fbeb20ed0c0) at ../../Source/WebCore/editing/FrameSelection.cpp:162
> #12 0x00007fbed0ec679b in (anonymous namespace)::DOMSelection::addRange (this=0x7fbeb20dac08, r=0x7fbeb20ed0c0) at ../../Source/WebCore/page/DOMSelection.cpp:383
> #13 0x00007fbed1c766fd in (anonymous namespace)::jsDOMSelectionPrototypeFunctionAddRange (state=0x7ffc4de671d0) at DerivedSources/WebCore/JSDOMSelection.cpp:521
> #14 0x00007fbe71688028 in ?? ()
> #15 0x00007ffc4de67250 in ?? ()
> #16 0x00007fbec9ac1ba2 in llint_entry () from /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18


Source/WebCore/editing/atk/FrameSelectionAtk.cpp

> RenderObject* focusedNode = m_selection.end().containerNode()->renderer();

containerNode() returns null.

Comment 1 Fujii Hironori 2016-07-04 23:08:03 PDT

Created attachment 282749 [details]
Patch

Comment 2 Carlos Garcia Campos 2016-07-04 23:13:56 PDT

Comment on attachment 282749 [details]
Patch

Excellent! Thank you.

Comment 3 WebKit Commit Bot 2016-07-04 23:44:15 PDT

Comment on attachment 282749 [details]
Patch

Clearing flags on attachment: 282749

Committed r202814: <http://trac.webkit.org/changeset/202814>

Comment 4 WebKit Commit Bot 2016-07-04 23:44:19 PDT

All reviewed patches have been landed.  Closing bug.