editing/execCommand/19455.html is affected as well. Will skip it too.

Another backtrace I got randomly browsing some pages #0 0x00007ffff385357a in WebCore::positionBeforeNode (anchorNode=0x0) at ../../Source/WebCore/dom/Position.h:259 #1 0x00007ffff494751c in objectFocusedAndCaretOffsetUnignored (referenceObject=0x21b4970, offset=@0x7fffffffc3dc) at ../../Source/WebCore/accessibility/gtk/WebKitAccessibleWrapperAtk.cpp:1038 #2 0x00007ffff4947d16 in WebCore::FrameSelection::notifyAccessibilityForSelectionChange (this=0xfeb760) at ../../Source/WebCore/editing/gtk/FrameSelectionGtk.cpp:95 #3 0x00007ffff3bdfa83 in WebCore::FrameSelection::setSelection (this=0xfeb760, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:310 #4 0x00007ffff3be8cf1 in WebCore::FrameSelection::setSelection (this=0xfeb760, selection=..., granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.h:143 #5 0x00007ffff3bdf60d in WebCore::FrameSelection::setNonDirectionalSelectionIfNeeded (this=0xfeb760, passedNewSelection=..., granularity=WebCore::CharacterGranularity, endpointsAdjustmentMode=WebCore::FrameSelection::DoNotAdjsutEndpoints) at ../../Source/WebCore/editing/FrameSelection.cpp:241 #6 0x00007ffff3f21df4 in WebCore::EventHandler::updateSelectionForMouseDownDispatchingSelectStart (this=0xfeb868, targetNode=0x29aa4a0, newSelection=..., granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/page/EventHandler.cpp:308 #7 0x00007ffff3f229db in WebCore::EventHandler::handleMousePressEventSingleClick (this=0xfeb868, event=...) at ../../Source/WebCore/page/EventHandler.cpp:443 #8 0x00007ffff3f22dcb in WebCore::EventHandler::handleMousePressEvent (this=0xfeb868, event=...) at ../../Source/WebCore/page/EventHandler.cpp:521 #9 0x00007ffff3f263ea in WebCore::EventHandler::handleMousePressEvent (this=0xfeb868, mouseEvent=...) at ../../Source/WebCore/page/EventHandler.cpp:1504 #10 0x00007ffff379aa2a in webkit_web_view_button_press_event (widget=0xfd0090, event=0x21c4920) at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:727 #11 0x000000000047ed0a in ephy_web_view_button_press_event (widget=0xfd0090, event=0x21c4920) at ephy-web-view.c:541 #12 0x00007ffff284c608 in _gtk_marshal_BOOLEAN__BOXED (closure=0x4f5530, return_value=0x7fffffffcfb0, n_param_values=2, param_values=0x1454210, invocation_hint=0x7fffffffcfe0, marshal_data=0x47ecaa) at gtkmarshalers.c:85 #13 0x00007ffff177b39c in g_type_class_meta_marshal (closure=0x4f5530, return_value=0x7fffffffcfb0, n_param_values=2, param_values=0x1454210, invocation_hint=0x7fffffffcfe0, marshal_data=0x180) at gclosure.c:885 #14 0x00007ffff177b08a in g_closure_invoke (closure=0x4f5530, return_value=0x7fffffffcfb0, n_param_values=2, param_values=0x1454210, invocation_hint=0x7fffffffcfe0) at gclosure.c:774 #15 0x00007ffff1794eee in signal_emit_unlocked_R (node=0x4f55a0, detail=0, instance=0xfd0090, emission_return=0x7fffffffd160, instance_and_params=0x1454210) at gsignal.c:3340 #16 0x00007ffff179400f in g_signal_emit_valist (instance=0xfd0090, signal_id=28, detail=0, var_args=0x7fffffffd268) at gsignal.c:3043 #17 0x00007ffff17944da in g_signal_emit (instance=0xfd0090, signal_id=28, detail=0) at gsignal.c:3090 #18 0x00007ffff29e959d in gtk_widget_event_internal (widget=0xfd0090, event=0x21c4920) at gtkwidget.c:6154 #19 0x00007ffff29e8e2c in gtk_widget_event (widget=0xfd0090, event=0x21c4920) at gtkwidget.c:5870 #20 0x00007ffff284c4d3 in gtk_propagate_event (widget=0xfd0090, event=0x21c4920) at gtkmain.c:2423 #21 0x00007ffff284afa6 in gtk_main_do_event (event=0x21c4920) at gtkmain.c:1638 #22 0x00007ffff7f3113a in _gdk_event_emit (event=0x21c4920) at gdkevents.c:71 #23 0x00007ffff7f69828 in gdk_event_source_dispatch (source=0x5341d0, callback=0, user_data=0x0) at gdkeventsource.c:360 #24 0x00007ffff125b9e3 in g_main_dispatch (context=0x539f10) at gmain.c:2513 #25 0x00007ffff125c6a4 in g_main_context_dispatch (context=0x539f10) at gmain.c:3050 #26 0x00007ffff125c887 in g_main_context_iterate (context=0x539f10, block=1, dispatch=1, self=0x4f9af0) at gmain.c:3121 #27 0x00007ffff125c94b in g_main_context_iteration (context=0x539f10, may_block=1) at gmain.c:3182 #28 0x00007ffff187a46e in g_application_run (application=0x513000, argc=1, argv=0x7fffffffd888) at gapplication.c:1496 #29 0x0000000000430e80 in main (argc=1, argv=0x7fffffffd888) at ephy-main.c:469

Mario, looks like startNode is null here. I assume that means that firstUnignoredParent->node() is returning null...

(In reply to comment #3) > Mario, looks like startNode is null here. I assume that means that firstUnignoredParent->node() is returning null... Yes, you are right. I missed that check because an AccessibleObject (specially those not ignoring accessibility in a platform specific way) _usually_ have a Node associated to it, but it has not to be always that way (for instance the root a11y object, which is an AccessibilityObject with ScrollAreaRole: (gdb) p rootAccessibilityObject->roleValue() $2 = WebCore::ScrollAreaRolee() (gdb) p rootAccessibilityObject->node() $3 = (WebCore::Node *) 0x0 (gdb) p rootAccessibilityObject->parentObject() $4 = (WebCore::AccessibilityObject *) 0x0 So, the check is needed. Will be attaching a patch for this right away...

Created attachment 124944 [details] Patch proposal + unskip tests

Comment on attachment 124944 [details] Patch proposal + unskip tests View in context: https://bugs.webkit.org/attachment.cgi?id=124944&action=review > Source/WebCore/accessibility/gtk/WebKitAccessibleWrapperAtk.cpp:1040 > + // We can't do anything else if we reach this point. > + if (!startNode) > + return 0; It might be good to explain in the comment why startNode is null here.

Committed r106472: <http://trac.webkit.org/changeset/106472>