Bug 116088

Loading the attached file in a debug build of WebKit causes the following assertion failure: ASSERTION FAILED: static_cast<unsigned>(position.offsetInContainerNode()) <= node->length() /Users/bjonesbe/Code/webkit/svn/Source/WebCore/editing/FrameSelection.cpp(460) : void WebCore::updatePositionAfterAdoptingTextReplacement(WebCore::Position &, WebCore::CharacterData *, unsigned int, unsigned int, unsigned int) 1 0x109132a95 WebCore::updatePositionAfterAdoptingTextReplacement(WebCore::Position&, WebCore::CharacterData*, unsigned int, unsigned int, unsigned int) 2 0x10913260f WebCore::FrameSelection::textWasReplaced(WebCore::CharacterData*, unsigned int, unsigned int, unsigned int) 3 0x108bef143 WebCore::CharacterData::setDataAndUpdate(WTF::String const&, unsigned int, unsigned int, unsigned int) 4 0x108bef827 WebCore::CharacterData::deleteData(unsigned int, unsigned int, int&) 5 0x109d9ed14 WebCore::Range::processContentsBetweenOffsets(WebCore::Range::ActionType, WTF::PassRefPtr<WebCore::DocumentFragment>, WebCore::Node*, unsigned int, unsigned int, int&) 6 0x109d9e11a WebCore::Range::processContents(WebCore::Range::ActionType, int&) 7 0x109d9d98a WebCore::Range::deleteContents(int&) 8 0x1098caadc WebCore::jsRangePrototypeFunctionDeleteContents(JSC::ExecState*) 9 0x598c39c01045 10 0x107b66764 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) 11 0x107b633ed JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 12 0x10796ba7c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 13 0x1095a0212 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 14 0x1096ff47b WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) 15 0x109047eb2 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) 16 0x109047aa6 WebCore::EventTarget::fireEventListeners(WebCore::Event*) 17 0x109cd5f42 WebCore::Node::handleLocalEvents(WebCore::Event*) 18 0x1090158b1 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const 19 0x109017527 WebCore::EventDispatcher::dispatchEventAtBubbling(WebCore::WindowEventContext&) 20 0x109016be5 WebCore::EventDispatcher::dispatch() 21 0x10901891b WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const 22 0x1090160cc WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) 23 0x10a104fbc WebCore::ScopedEventQueue::dispatchEvent(WTF::PassRefPtr<WebCore::EventDispatchMediator>) const 24 0x10a104ee1 WebCore::ScopedEventQueue::enqueueEventDispatchMediator(WTF::PassRefPtr<WebCore::EventDispatchMediator>) 25 0x1090163d2 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) 26 0x109cd5fdd WebCore::Node::dispatchScopedEventDispatchMediator(WTF::PassRefPtr<WebCore::EventDispatchMediator>) 27 0x109cd5f8a WebCore::Node::dispatchScopedEvent(WTF::PassRefPtr<WebCore::Event>) 28 0x108c60132 WebCore::dispatchChildInsertionEvents(WebCore::Node*) 29 0x108c5d02c WebCore::updateTreeAfterInsertion(WebCore::ContainerNode*, WebCore::Node*, WebCore::AttachBehavior) 30 0x108c5c76a WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, WebCore::AttachBehavior) 31 0x108c5c10a WebCore::ContainerNode::insertBefore(WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&, WebCore::AttachBehavior)