Bug 116509

Summary: Fix an assertion failure in Range::textNodeSplit by Text::splitText
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: DOMAssignee: Kent Tamura <tkent>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, commit-queue, darin, esprehn+autocc, tkent
Priority: P2 Keywords: BlinkMergeCandidate
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch for landing none

Ryosuke Niwa
Reported 2013-05-20 19:45:01 PDT
Merge https://chromium.googlesource.com/chromium/blink/+/a0f5a1c5a050249d3f1be10249a91d88cd18c684 Range::textNodeSplit is called in Text::splitText, and it assumes the next sibling node is still a Text node. A DOM mutation event handler can break this assumption. We had better postpone DOM mutation events dispatched in Node::insertBefore until exiting splitText to avoid inconsistent Range state.
Attachments
Patch (4.24 KB, patch)
2013-06-03 23:50 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Patch for landing (4.32 KB, patch)
2013-06-04 00:12 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Kent Tamura
Comment 1 2013-06-03 23:50:32 PDT
Created attachment 203655 [details] Patch
Kent Tamura
Comment 2 2013-06-04 00:12:04 PDT
Created attachment 203659 [details] Patch for landing ChangeLog nits
WebKit Commit Bot
Comment 3 2013-06-04 01:10:11 PDT
Comment on attachment 203659 [details] Patch for landing Clearing flags on attachment: 203659 Committed r151160: <http://trac.webkit.org/changeset/151160>
WebKit Commit Bot
Comment 4 2013-06-04 01:10:13 PDT
All reviewed patches have been landed. Closing bug.
Ahmad Saleem
Comment 5 2024-01-19 05:56:33 PST
*** Bug 116073 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.