editing/execCommand/19455.html is affected as well. Will skip it too.

Another backtrace I got randomly browsing some pages

#0  0x00007ffff385357a in WebCore::positionBeforeNode (anchorNode=0x0) at ../../Source/WebCore/dom/Position.h:259
#1  0x00007ffff494751c in objectFocusedAndCaretOffsetUnignored (referenceObject=0x21b4970, offset=@0x7fffffffc3dc) at ../../Source/WebCore/accessibility/gtk/WebKitAccessibleWrapperAtk.cpp:1038
#2  0x00007ffff4947d16 in WebCore::FrameSelection::notifyAccessibilityForSelectionChange (this=0xfeb760) at ../../Source/WebCore/editing/gtk/FrameSelectionGtk.cpp:95
#3  0x00007ffff3bdfa83 in WebCore::FrameSelection::setSelection (this=0xfeb760, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:310
#4  0x00007ffff3be8cf1 in WebCore::FrameSelection::setSelection (this=0xfeb760, selection=..., granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.h:143
#5  0x00007ffff3bdf60d in WebCore::FrameSelection::setNonDirectionalSelectionIfNeeded (this=0xfeb760, passedNewSelection=..., granularity=WebCore::CharacterGranularity, endpointsAdjustmentMode=WebCore::FrameSelection::DoNotAdjsutEndpoints) at ../../Source/WebCore/editing/FrameSelection.cpp:241
#6  0x00007ffff3f21df4 in WebCore::EventHandler::updateSelectionForMouseDownDispatchingSelectStart (this=0xfeb868, targetNode=0x29aa4a0, newSelection=..., granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/page/EventHandler.cpp:308
#7  0x00007ffff3f229db in WebCore::EventHandler::handleMousePressEventSingleClick (this=0xfeb868, event=...) at ../../Source/WebCore/page/EventHandler.cpp:443
#8  0x00007ffff3f22dcb in WebCore::EventHandler::handleMousePressEvent (this=0xfeb868, event=...) at ../../Source/WebCore/page/EventHandler.cpp:521
#9  0x00007ffff3f263ea in WebCore::EventHandler::handleMousePressEvent (this=0xfeb868, mouseEvent=...) at ../../Source/WebCore/page/EventHandler.cpp:1504
#10 0x00007ffff379aa2a in webkit_web_view_button_press_event (widget=0xfd0090, event=0x21c4920) at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:727
#11 0x000000000047ed0a in ephy_web_view_button_press_event (widget=0xfd0090, event=0x21c4920) at ephy-web-view.c:541
#12 0x00007ffff284c608 in _gtk_marshal_BOOLEAN__BOXED (closure=0x4f5530, return_value=0x7fffffffcfb0, n_param_values=2, param_values=0x1454210, invocation_hint=0x7fffffffcfe0, marshal_data=0x47ecaa) at gtkmarshalers.c:85
#13 0x00007ffff177b39c in g_type_class_meta_marshal (closure=0x4f5530, return_value=0x7fffffffcfb0, n_param_values=2, param_values=0x1454210, invocation_hint=0x7fffffffcfe0, marshal_data=0x180) at gclosure.c:885
#14 0x00007ffff177b08a in g_closure_invoke (closure=0x4f5530, return_value=0x7fffffffcfb0, n_param_values=2, param_values=0x1454210, invocation_hint=0x7fffffffcfe0) at gclosure.c:774
#15 0x00007ffff1794eee in signal_emit_unlocked_R (node=0x4f55a0, detail=0, instance=0xfd0090, emission_return=0x7fffffffd160, instance_and_params=0x1454210) at gsignal.c:3340
#16 0x00007ffff179400f in g_signal_emit_valist (instance=0xfd0090, signal_id=28, detail=0, var_args=0x7fffffffd268) at gsignal.c:3043
#17 0x00007ffff17944da in g_signal_emit (instance=0xfd0090, signal_id=28, detail=0) at gsignal.c:3090
#18 0x00007ffff29e959d in gtk_widget_event_internal (widget=0xfd0090, event=0x21c4920) at gtkwidget.c:6154
#19 0x00007ffff29e8e2c in gtk_widget_event (widget=0xfd0090, event=0x21c4920) at gtkwidget.c:5870
#20 0x00007ffff284c4d3 in gtk_propagate_event (widget=0xfd0090, event=0x21c4920) at gtkmain.c:2423
#21 0x00007ffff284afa6 in gtk_main_do_event (event=0x21c4920) at gtkmain.c:1638
#22 0x00007ffff7f3113a in _gdk_event_emit (event=0x21c4920) at gdkevents.c:71
#23 0x00007ffff7f69828 in gdk_event_source_dispatch (source=0x5341d0, callback=0, user_data=0x0) at gdkeventsource.c:360
#24 0x00007ffff125b9e3 in g_main_dispatch (context=0x539f10) at gmain.c:2513
#25 0x00007ffff125c6a4 in g_main_context_dispatch (context=0x539f10) at gmain.c:3050
#26 0x00007ffff125c887 in g_main_context_iterate (context=0x539f10, block=1, dispatch=1, self=0x4f9af0) at gmain.c:3121
#27 0x00007ffff125c94b in g_main_context_iteration (context=0x539f10, may_block=1) at gmain.c:3182
#28 0x00007ffff187a46e in g_application_run (application=0x513000, argc=1, argv=0x7fffffffd888) at gapplication.c:1496
#29 0x0000000000430e80 in main (argc=1, argv=0x7fffffffd888) at ephy-main.c:469

Mario, looks like startNode is null here. I assume that means that firstUnignoredParent->node() is returning null...

(In reply to comment #3)
> Mario, looks like startNode is null here. I assume that means that firstUnignoredParent->node() is returning null...

Yes, you are right. I missed that check because an AccessibleObject (specially those not ignoring accessibility in a platform specific way) _usually_ have a Node associated to it, but it has not to be always that way (for instance the root a11y object, which is an AccessibilityObject with ScrollAreaRole:

 (gdb) p rootAccessibilityObject->roleValue()
 $2 = WebCore::ScrollAreaRolee()
 (gdb) p rootAccessibilityObject->node()
 $3 = (WebCore::Node *) 0x0
 (gdb) p rootAccessibilityObject->parentObject()
 $4 = (WebCore::AccessibilityObject *) 0x0

So, the check is needed. Will be attaching a patch for this right away...

Created attachment 124944 [details]
Patch proposal + unskip tests

Comment on attachment 124944 [details]
Patch proposal + unskip tests

View in context: https://bugs.webkit.org/attachment.cgi?id=124944&action=review

> Source/WebCore/accessibility/gtk/WebKitAccessibleWrapperAtk.cpp:1040
> +    // We can't do anything else if we reach this point.
> +    if (!startNode)
> +        return 0;

It might be good to explain in the comment why startNode is null here.

Committed r106472: <http://trac.webkit.org/changeset/106472>